CISCO IOS SOFTWARE RELEASE 12.4 FEATURES AND HARDWARE (cna.mamk.fi/Public/Cisco/Ohjeet/2852_pp.pdf · 2009-06-25)

Cisco Systems, Inc. All contents are Copyright © 1992–2005 Cisco Systems, Inc. All rights reserved. Important Notices and Privacy Statement.

Page 1 of 218

PRODUCT BULLETIN NO. 2852

CISCO IOS SOFTWARE RELEASE 12.4 FEATURES AND HARDWARE

This Product Bulletin introduces Cisco IOS Software Release 12.4T, and includes the following sections:

1) INTRODUCTION: CISCO IOS SOFTWARE RELEASE 12.4

2) RELEASE 12.4 FEATURE TECHNOLOGY HIGHLIGHTS

2.1) Hardware Support
2.2) Broadband
2.3) High Availability
2.4) Infrastructure
2.5) IP Mobility
2.6) IP Multicast
2.7) IP Routing
2.8) IP Services
2.9) IPv6
2.10) Management Instrumentation
2.11) Multiprotocol Label Switching
2.12) Quality of Service
2.13) Security and VPN
2.14) Voice

Last Updated: July 2006

1) INTRODUCTION: CISCO IOS SOFTWARE RELEASE 12.4

Cisco IOS® Software is the world’s leading network infrastructure software, delivering a seamless integration of technology innovation, business-critical services, and hardware support. Currently operating on millions of active systems, ranging from the small home office router to the core systems of the world’s largest service provider networks, Cisco IOS Software is the most widely leveraged network infrastructure software in the world.

One of the most significant delivery milestones for Cisco IOS Software is the introduction of a new major release, which ships once every two years, delivers hundreds of advanced capabilities, and aggregates multiple prior releases into a synergistic whole.

Developed for wide deployment in the world’s most demanding Enterprise, Access, and Service Provider Aggregation networks, Major Release 12.4 is a comprehensive portfolio of Cisco technologies, including the leading-edge functionality and hardware support introduced in Release 12.3T, anchored by an intensive stability and testing program. Major Release 12.4 introduces more than 700 industry-leading features across the widest range of hardware in the industry. These key innovations span multiple technology areas, including Security, Voice, High Availability, IP Routing, Quality of Service (QoS), IP Multicast, IP Addressing, IP Mobility, Multiprotocol Label Switching (MPLS), and VPNs.


Figure 1 Major and Technology Release Relationship

1.1) Migration Guide

Cisco recommends that customers who need to deploy Release 12.3T features upgrade to Cisco IOS Software Major Release 12.4. Release 12.3T is scheduled for End of Sales in Q4CY’05.

While customers can no longer order software releases that reach End of Sales, they can download such releases from Software Center if they have a maintenance contract.

The following Cisco IOS Software releases identify the current recommended migration into Release 12.4.

Figure 2 Release 12.4 Migration Recommendation

Major Release 12.4 undergoes testing and review cycles to continuously improve and increase reliability and quality. As per Cisco's policies, no new technologies or features are added. Cisco updates Release 12.4 via regular maintenance releases to include minor improvements based upon customer experiences.

Maintenance for Release 12.3T ceases upon this introduction of Release 12.4. Users of Release 12.3T should migrate to Major Release 12.4 in order to receive maintenance.

[Figure 1 / Figure 2 labels: Release 12.3T technology releases 12.3(2)T, 12.3(4)T, 12.3(7)T, 12.3(8)T, 12.3(11)T, 12.3(14)T and the 12.3 X Releases; Major Release 12.4(1): Feature Set Frozen—Maintenance ONLY, Software Fixes; Release 12.4T: New Features and Hardware Support]

Note: Technology releases are those Cisco IOS Software releases that introduce new features, functionality, and hardware support.


For additional information about Cisco IOS Software Product Lifecycle Dates & Milestones, please visit:

http://www.cisco.com/en/US/products/sw/iosswrel/ps5187/prod_bulletin0900aecd801eda8a.html

1.2) Cisco IOS Packaging: Secure Management Access

Cisco IOS Software Release 12.4 will introduce support for management access using Secure Shell (SSH), HTTPS and Simple Network Management Protocol version 3 (SNMPv3) on the Cisco 1800, 2800, and 3800 Series Access Routers. These three features work with other device management features (i.e., image verification, role-based CLI views, user authentication, and VTY access control lists) to provide flexible and secure management access to any remote router, regardless of which Release 12.4 feature set is configured on the router.

• SSHv2 client and server functionality provides a secure, encrypted alternative to traditional Telnet for router configuration and administration.

• SSL Server functionality provides an HTTPS-based secure, encrypted complement for access to graphical user interfaces (i.e., Router and Security Device Manager).

• SNMPv3 Server functionality includes authPriv mode, which provides authentication and encryption of SNMP messages.

Note: Export controls on strong encryption vary according to type, strength, territory, end-use, and end-user. Visit the Cisco Encryption Sales Support Tool to determine eligibility for Cisco strong encryption solutions. Send an email to Export Compliance ([email protected]) for clarification. Encryption-free versions of IP Base, IP Voice, Enterprise Base, and Enterprise Services feature sets will continue to be available.
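The following configuration is an added example, not taken from the bulletin, showing how the three management-access features above (SSHv2, HTTPS, SNMPv3 authPriv) are combined with a VTY access control list on a Release 12.4 router; the hostname, domain, username, management subnet 10.0.100.0/24, view and group names, and all secrets are assumed placeholder values.

```cisco
! Added example (not Cisco's own text): secure management access on a
! Release 12.4 ISR. All names, addresses and secrets below are assumed.
hostname branch-isr
ip domain-name example.net
!
! Local administrator account used by SSH, HTTPS and console logins
username netadmin privilege 15 secret <strong-password>
!
! --- SSHv2 only: an RSA host key is required before the SSH server starts ---
crypto key generate rsa modulus 2048
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
!
! Only the management subnet may open a VTY session; everything else is logged
access-list 10 remark management-stations
access-list 10 permit 10.0.100.0 0.0.0.255
access-list 10 deny any log
!
line vty 0 4
 access-class 10 in
 transport input ssh
 login local
 exec-timeout 10 0
!
! --- HTTPS for SDM: plaintext HTTP server disabled, HTTPS server enabled ---
no ip http server
ip http secure-server
ip http authentication local
ip http access-class 10
!
! --- SNMPv3 authPriv: authenticated (SHA) and encrypted (AES-128) SNMP,
!     read-only view, restricted to the management subnet ---
no snmp-server community public
snmp-server view ro-view iso included
snmp-server group monitoring v3 priv read ro-view access 10
snmp-server user nms-poller monitoring v3 auth sha <auth-password> priv aes 128 <priv-password>
```

SSH, HTTPS and AES privacy all depend on a crypto (k9) image, which is what the export-control note above refers to; after applying the configuration, `show ip ssh`, `show ip http server status` and `show snmp user` confirm that each service is running with the intended settings.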

1.3) Release 12.4T Additional Information

• Release 12.4: http://www.cisco.com/go/release124/

• Product Bulletin No. 2214, Cisco IOS Software Product Lifecycle Dates & Milestones: http://www.cisco.com/en/US/products/sw/iosswrel/ps5187/prod_bulletin0900aecd801eda8a.html

• Cisco IOS Software Center. Download Cisco IOS Software releases and access software upgrade planners. http://www.cisco.com/public/sw-center/sw-ios.shtml

• Cisco Feature Navigator. A web-based application that allows users to quickly match Cisco IOS Software releases, features, and hardware. http://www.cisco.com/go/fn/

• Cisco Software Advisor. Determine the minimum supported software for selected hardware. http://www.cisco.com/pcgi-bin/front.x/Support/HWSWmatrix/hwswmatrix.cgi

• Cisco IOS Upgrade Planner. View all major releases, hardware, and software features from a single interface. http://www.cisco.com/pcgi-bin/Software/Iosplanner/Planner-tool/iosplanner.cgi

• Cisco IOS Software Questions and Feedback: http://www.cisco.com/warp/public/732/feedback/release/


2) RELEASE 12.4 FEATURE TECHNOLOGY HIGHLIGHTS

Table 1 Major Release 12.4 Technology Summary

Section: Feature Highlights and Benefits

2.1) Hardware Support: Coupled with industry-leading Cisco IOS Software, Cisco redefines best in class routing with the industry's first portfolio engineered for secure, wire-speed delivery of concurrent data, voice and video services - Cisco Integrated Services Routers.

2.2) Broadband: As Service Providers scale their offerings to meet growing demand for Broadband subscriptions, they must simplify operations and increase individual subscriber revenue. Broadband aggregation dynamically binds subscribers to critical, revenue-generating services that carriers must deliver. Cisco delivers Broadband Aggregation capabilities on a comprehensive set of routers and software to meet a variety of network requirements - from WiFi hot-spots to carrier-grade aggregation - for millions of Digital Subscriber Line (DSL) and Cable subscribers.

2.3) High Availability: Cisco IOS High Availability enables network-wide resilience to increase IP network availability. Network applications must cross different network segments - from the Enterprise Backbone, Enterprise Edge, and Service Provider Edge, through the Service Provider Core. All segments must be resilient to recover quickly enough for faults to be transparent to users and network applications. A failure that is detected anywhere in the network can result in termination, interruption or violation of service level agreements for business-critical applications such as voice, e-commerce, storage area networking, work-flow, trading, and point of sales.

2.4) Infrastructure: Cisco IOS Software Infrastructure includes the underlying foundation upon which all network services are built. Cisco IOS Software features integrate the power and flexibility of the infrastructure to provide a complete set of network services. Cisco is enriching Cisco IOS Software in four key areas: High Availability, Security, Manageability, and Scalability. The changes augment and fortify the underlying network infrastructure software and establish a new base for further delivery of advanced, intelligent network services.

2.5) IP Mobility: The mobile workforce needs the ability to communicate with customers, partners, and fellow workers anywhere, anytime, and to have access to the relevant business applications and tools to carry out business effectively. Enterprise mobility is about providing ubiquitous connectivity to the mobile user, independent of the devices and access technologies. Mobile IP, an IETF standard (RFC 2002), allows a host device to be identified by a single IP address even though the device may move its physical point of attachment from one network to another.

2.6) IP Multicast: IP Multicast is a bandwidth-conserving technology that reduces traffic by simultaneously delivering a single stream of information to thousands of corporate recipients and homes. Applications that take advantage of multicast technologies include video conferencing, corporate communications, distance learning, and distribution of software, stock quotes, and news.

2.7) IP Routing: Cisco IP Routing Protocols provide the fundamental infrastructure for the delivery of advanced IP services across all Cisco products. Whether based on Internet Engineering Task Force standards or Cisco innovations, Cisco offers a broad portfolio of IP Routing technologies. All share common attributes and goals of scalability, availability, manageability, fast convergence, and high performance.

2.8) IP Services: Cisco IOS Software contains a wide array of critical network services designed for flexibility, scalability, and reliability to help solve the most difficult problems facing enterprises and service providers. Customers can select the appropriate Cisco IOS Software feature sets to meet their evolving network requirements. Features such as Network Address Translation (NAT), Dynamic Host Configuration Protocol (DHCP), and Hot Standby Router Protocol (HSRP) can be easily deployed individually or in combination with each other across a wide range of Cisco hardware.

2.9) IPv6: IPv6 is a new IP protocol designed to replace IPv4, the Internet protocol that is predominantly deployed and extensively used throughout the world. IPv6 quadruples the number of network address bits from 32 bits (in IPv4) to 128 bits, or approximately 3.4 x 10^38 addressable nodes, which provides more than enough globally unique IP addresses for every network device on the planet.

2.10) Management Instrumentation: Cisco IOS Software provides a rich set of features that enable customers to efficiently manage their networks. Benefits of this embedded instrumentation functionality include: lowered operating and maintenance costs, rapid incorporation of new network services and devices, management of the network as an integrated system, reduced downtime by adaptive fault management, and measurable and billable differentiated services.

2.11) Multiprotocol Label Switching: Cisco IOS Multiprotocol Label Switching (MPLS) enables Enterprises and Service Providers to build next-generation intelligent networks that deliver a wide variety of advanced, value-added services over a single infrastructure. This economical solution can be integrated seamlessly over any existing infrastructure, such as IP, Frame Relay, ATM, or Ethernet. Subscribers with differing access links can be aggregated on an MPLS edge without changing their current environments, as MPLS is independent of access technologies.

2.12) Quality of Service: A communications network forms the backbone of any successful organization. These networks transport a multitude of applications and data, including high-quality video and delay-sensitive data such as real-time voice. The bandwidth-intensive applications stretch network capabilities and resources, but also complement, add value, and enhance every business process. Networks must provide secure, predictable, measurable, and sometimes guaranteed services. Achieving the required Quality of Service (QoS) by managing the delay, delay variation (jitter), bandwidth, and packet loss parameters on a network becomes the secret to a successful end-to-end business solution. Thus, QoS is the set of techniques to manage network resources.

2.13) Security and VPN: Comprehensive network-security features in Cisco routers help companies protect their infrastructures, devices, and important information, while reducing costs.

2.14) Voice: Cisco CallManager Express is a solution embedded in Cisco IOS Software that provides call processing for Cisco IP phones. This solution enables the large portfolio of Cisco access routers to deliver telephony features similar to those that are commonly used by business users to meet the requirements of the small office, thereby enabling deployment of a cost-effective, highly reliable, IP Communications solution for the small office.


2.1) Hardware Support

Table 2 Hardware Highlights

Sections

2.1.1) Cisco 3800 Series Integrated Services Router
2.1.2) Cisco 2800 Series Integrated Services Router
2.1.3) Cisco 1800 Series Integrated Services Router
2.1.4) Cisco 1711 and 1712 Security Access Routers
2.1.5) Network Modules for Circuit Emulation Services over IP for the 2600, 3600, and 3700 Series Routers
2.1.6) Network Analysis Module for the 2600, 3660, and 3700 Series Routers
2.1.7) Cisco Unity Express
2.1.8) Cisco IDS Network Module

2.1.1) Cisco 3800 Series Integrated Services Router

The integrated services routing architecture of the Cisco 3800 Series builds on the powerful Cisco 3700 Series routers designed to embed and integrate security and voice processing with advanced services for rapid deployment of new applications, including application layer functions, intelligent network services, and converged communications. The Cisco 3800 Series supports the bandwidth requirements for multiple Fast Ethernet interfaces per slot, time-division multiplexing (TDM) interconnections, and fully integrated power distribution to modules supporting 802.3af Power over Ethernet (PoE), while still supporting the existing portfolio of modular interfaces. This ensures continuing investment protection to accommodate network expansion or changes in technology as new services and applications are deployed. By integrating the functions of multiple separate devices into a single compact unit, the Cisco 3800 Series dramatically reduces the cost and complexity of managing remote networks.

New models include the Cisco 3825 and the Cisco 3845, available with three optional configurations for AC power, AC power with integrated IP phone power support, and DC power.

Figure 3 Cisco 3800 Series Integrated Services Router

Benefits

• This high-performance architecture is optimized for concurrent service deployment and offers increased default and maximum memory for future services growth.

• Cisco IOS Software features offer support for identifying, preventing, and adapting to security threats and maintaining a self-defending network, including Cisco SDM 2.0, NAC (antivirus enforcement), Dynamic Multipoint VPN, dynamic in-line IDS, Cisco IOS Firewall, and URL filtering capabilities.

• Onboard DSPs—Integrated PVDMs support analog voice, digital voice, conferencing, transcoding, and secure Real-Time Transport Protocol (SRTP) media while enabling network-module or AIM slots for switching, concurrent applications, content, and voice mail.

• Field-upgradable, modular components are supported on the Cisco 3800 Series, allowing customers to easily change network interfaces without upgrading their entire branch-office network. The Cisco 3800 Series takes advantage of the existing portfolio of WICs, VICs, network modules, and AIMs to reduce sparing, training, configuration, installation, and maintenance costs.

• The Cisco 3800 Series minimizes downtime with availability features, including optional redundant power, Error Checking and Correction (ECC) memory for improved fault isolation and correction, USB Flash memory for ease of image recovery, advanced temperature monitoring and variable-speed cooling fans, Cisco IOS Software Warm Reboot for improved bootup times, network-module online insertion and removal, and field-replaceable components such as fan tray, motherboard, and power supplies (Cisco 3845 only).

Additional Information: http://www.cisco.com/en/US/products/ps5855/index.html

Product Management Contact: [email protected]

2.1.2) Cisco 2800 Series Integrated Services Router

The Cisco 2800 Series comprises four new routers: Cisco 2801, 2811, 2821, and 2851 Routers. The Cisco 2800 Series provides significant additional value compared to prior generations of Cisco routers at similar price points by offering up to a fivefold performance improvement, up to a tenfold increase in security and voice performance, new embedded service options, and dramatically increased slot performance and density while maintaining support for most of the more than 90 existing modules that are available today for the Cisco 1700 Series and Cisco 2600 Series.

The Cisco 2800 Series features the ability to deliver multiple high-quality simultaneous services at wire speed up to multiple T1/E1/xDSL connections. The routers offer embedded encryption acceleration and motherboard voice digital-signal-processor (DSP) slots; intrusion prevention system (IPS) and firewall functions; integrated call processing and voice mail; high-density interfaces for a wide range of connectivity requirements; and sufficient performance and slot density for future network expansion requirements and advanced applications.


Figure 4 Cisco 2800 Series

Benefits

• A wide variety of LAN and WAN options are available. Network interfaces can be upgraded in the field to accommodate future technologies, and several types of slots are available to add connectivity and services in the future on an “integrate-as-you-grow” basis.

• Each of the Cisco 2800 Series routers comes standard with embedded hardware cryptography accelerators, which, when combined with an optional Cisco IOS Software upgrade, help enable WAN link security and VPN services.

• The Cisco 2800 helps enable end-to-end solutions with full support for the latest Cisco IOS Software-based QoS, bandwidth management, and security features.

• On the Cisco 2811, 2821, and 2851 there is a built-in external power-supply connector that eases the addition of an external redundant power supply that can be shared with other Cisco products, protecting the network components from downtime due to power failures.

Hardware: Routers • Cisco 2800 Series Integrated Services Routers

Additional Information: http://www.cisco.com/en/US/products/ps5854/index.html

Product Management Contact: [email protected]

2.1.3) Cisco 1800 Series Integrated Services Router

Cisco 1800 Series Integrated Services Routers are the next evolution of the award-winning Cisco 1700 Series modular access routers. The Cisco 1841 Router is designed for secure data connectivity and provides significant additional value compared to prior generations of Cisco 1700 Series routers by offering more than a fivefold performance increase, integrated hardware-based encryption enabled by an optional Cisco IOS Software security image, and a dramatic increase in interface card slot performance and density while maintaining support for more than 30 existing WAN interface cards (WICs) and multiflex trunk cards (voice/WICs [VWICs]—for data only on the Cisco 1841 router) of the Cisco 1700 Series.


The Cisco 1841 Router features secure, fast, and high-quality delivery of multiple, concurrent services for small-to-medium-sized businesses and small enterprise branch offices. The Cisco 1841 router offers embedded hardware-based encryption enabled by an optional Cisco IOS Software security image; further enhancement of VPN performance with an optional VPN acceleration module; an intrusion prevention system (IPS) and firewall functions; interfaces for a wide range of connectivity requirements, including support for optional integrated switch ports; plus sufficient performance and slot density for future network expansion and advanced applications, as well as an integrated real-time clock.

Figure 5 Cisco 1800 Series

Benefits

• Supports concurrent deployment of high-performance, secure data services with headroom for future applications.

• Offers a cryptography accelerator as standard integrated hardware that can be enabled with an optional Cisco IOS Software security image for 3DES and AES encryption support.

• Provides 32 MB of Flash and 128 MB of synchronous dynamic RAM (SDRAM) memory to support deployment of concurrent services.

• Supports the Cisco 1841 router starting with Cisco IOS Software Release 12.3T and helps enable end-to-end solutions with support for the latest Cisco IOS Software-based QoS, bandwidth management, and security features.

• New intrusion-detection-system (IDS) signatures can be dynamically loaded independent of the Cisco IOS Software release.

Hardware: Routers • Cisco 1800 Series Integrated Services Routers

Additional Information: http://www.cisco.com/en/US/products/ps5853/index.html

Product Management Contact: [email protected]

2.1.4) Cisco 1711 and 1712 Security Access Routers

Description

The Cisco 1711 and 1712 Security Access Routers offer an all-in-one security, routing, and switching solution for enterprise small branch offices and small and medium sized businesses. They feature built-in Fast Ethernet LAN switching, a Fast Ethernet port for DSL or broadband modem connectivity, integrated Cisco IOS Security and a backup WAN for link redundancy to help ensure high availability of critical business applications.


Figure 6 Cisco 1711/1712 Application Advantages—Workgroup Segmentation with Dial Backup

Benefits

• Complete Solution—delivering broadband access with link redundancy, routing, switching and security.

• Integrated Network Security—stateful inspection firewall with URL filtering, hardware accelerated VPN encryption (DES & 3DES) delivering 15 Mbps encryption rates, and IDS detecting 100 signatures.

• Integrated LAN Switching—4 port 10/100BaseT switch with 802.1Q VLAN and MDI/MDIX auto-configuration.

• High WAN Availability—ensures availability of network connection and applications with analog modem or ISDN S/T back-up WAN.

• WAN Migration—Use the analog modem or ISDN S/T port as the primary connection, then migrate to a high speed Cable/DSL connection when available.

• Dual ISP Support—The 10/100BaseT ports can be separated to allow simultaneous connection to two ISPs for load balancing and failover protection.

• Superior Manageability—CiscoWorks for centralized configuration and management. Embedded web-based Security Device Manager (SDM) for simplified device configuration management.

[Figure 6 labels: Wireless Access Point; 802.1Q VLAN Defined Wireless Segment; Sales VLAN; Finance & HR VLAN; Engineering VLAN; 10/100BaseT Port; Cable/DSL Modem; VPN Tunnel to HQ; Internet; Analog Modem or ISDN Port; DDR Initiated failover to Analog Modem/ISDN Port; PSTN]


Hardware: Routers • Cisco 1711 and 1712 Security Access Routers

Product Management Contact: [email protected]

2.1.5) Network Modules for Circuit Emulation Services over IP for the 2600, 3600, and 3700 Series Routers

Description

The Cisco 2600/3660/3700 Circuit Emulation over IP (CEoIP) network modules (product IDs: NM-CEM-4T1E1 and NM-CEM-4SER) enable service provider customers to create a new revenue stream by offering a leased line service over existing packet infrastructure. Enterprise and government customers will be enabled to migrate applications which require TDM transport on to their IP networks, thus saving operational expenses.

Hardware: Routers • Cisco 2600 and 3700 Series • Cisco 3600 Router

Product Management Contact: [email protected]

2.1.6) Network Analysis Module for the 2600, 3660, and 3700 Series Routers

Description

The Cisco 2600/3660/3700 Series Network Analysis Module (product ID: NM-NAM) is an integrated traffic-monitoring network module that enables network managers to gain application-level visibility into network traffic at remote sites with the ultimate goal of improving performance, reducing failures, and maximizing return on network investments. It expands the Cisco NAM solution available for Cisco Catalyst® 6500 Series switches and Cisco 7600 Series routers. It provides the unique advantage of performing remote troubleshooting and traffic analysis through its Web-based NAM Traffic Analyzer without having to send personnel to remote sites or haul large amounts of data to the central site.

Figure 7 The Cisco 2600/3660/3700 Series Network Analysis Module


Benefits

• Real Time and Historical Traffic Monitoring in WANs—Analyze bandwidth usage at application level,

proactively monitor data and VoIP applications.

• Application Performance Management—Identify application response delays observed at branches.

• Fault Isolation and Troubleshooting—Remotely isolate network problems, capture/decode packets.

• VoIP and QoS Monitoring—Analyze IP Telephony sessions, validate QoS policies.

• Capacity Planning and Extended Applications—with standards-based software applications.

Hardware

Product Management Contact: [email protected]

2.1.7) Cisco Unity Express

Cisco Unity Express offers entry-level voice mail and automated attendant services as an option for the Cisco

CallManager Express call-processing solution. This product is critical for Cisco CallManager Express customers

in small/medium businesses or branches that need data connectivity and IP Telephony functionality, and those

that require the productivity benefits that voice mail and auto attendant services provide. Cisco Unity Express is

delivered on a network module that can be used in the Cisco 2600XM Series, Cisco 2691, and the Cisco 3700 Series

Access Routers.

Figure 8. Cisco Unity Express

Benefits

• Voice-mail and automated attendant features specifically designed for the small and medium office or branch.

Cisco Unity Express provides up to 100 personal mailboxes, 20 general delivery mailboxes, 8 concurrent sessions

or ports, and 100 hours of onboard storage.

• Cisco Unity Express is delivered on a network module form factor that can be integrated into and shared across

a broad range of access routers (Cisco 2691 Routers; Cisco 2600XM and 3700 Series Access Routers).

Routers • Cisco 2600 and Cisco 3700 Series

• Cisco 3660 Router


• First release of Cisco Unity Express offers superior voice message management to the user by supporting voice mail features (i.e., replying, forwarding, and saving messages; message marking and play-out options for privacy or urgency; alternate greetings and envelope information).

• Cisco Unity Express includes a built-in automated attendant that simplifies self service for callers by allowing

them to quickly reach the right person without the assistance of an operator, but maintains the option to return

to an operator at any time when greater assistance is needed.

• A choice of GUI, command-line interface (CLI) and telephony user interface (TUI) streamlines administration.

• Cisco Unity Express software is loaded on the network module at the factory, simplifying deployment. The

Cisco Unity Express initialization wizard further expedites the administrator’s startup by automatically

importing information from Cisco CallManager Express, thereby eliminating the need to replicate data entry.

Hardware

Product Management Contact: [email protected]

2.1.8) Cisco IDS Network Module

With the increased complexity of security threats, achieving efficient network intrusion security solutions is critical

to maintaining a high level of protection. Vigilant protection helps ensure business continuity and minimizes the

effect of costly intrusions. The Cisco IDS Network Module for the Cisco 2600XM and 3700 Series Routers and the

Cisco 3660 Router is part of the Cisco IDS Family sensor portfolio and the Cisco Intrusion Protection System. These

IDS sensors work in concert with the other IDS components (Figure 49), including Cisco IDS Management Console,

CiscoWorks VPN/Security Management Solution, and Cisco IDS Device Manager, to efficiently protect data and

information infrastructure.

The Cisco IDS product line delivers a broad range of solutions that allow easy integration into many different environments, including enterprise and service provider environments. Each sensor addresses the bandwidth requirements of the router it serves: up to 10 Mbps in the Cisco 2600XM and up to 45 Mbps in the Cisco 3700 Series. The appliance products support 80 Mbps to 1 Gbps.

The Cisco IDS Network Module can monitor up to 45 Mbps of traffic and is suitable for T1/E1 and T3 environments.

A router installed with this IDS network module also supports other Cisco IOS Security features such as VPN,

firewall, Multiprotocol Label Switching (MPLS), Network Address Translation (NAT), and Web Cache Control

Protocol (WCCP), while supporting all common Cisco IOS Software functions.

Cisco IDS Network Modules fit into a single network module slot on the Cisco 2600XM Series, Cisco 3660, and

Cisco 3700 Series Routers. The available configuration is a 20-gigabyte hard disk for logging and storage of events.

The external Ethernet port is used for command and control to enable a secure outbound port for management. This

setup also allows for both security operations and network operations to have their own command and control

interfaces.

Routers • Cisco 2691 Routers

• Cisco 2600XM and 3700 Series Access Routers


Figure 9. Cisco IDS Network Module

Benefits

By integrating IDS and branch office routing, Cisco reduces the complexity of securing WAN links, while reducing

operational costs. Following are the benefits associated with the integration of the IDS into the branch office router:

• Physical Space Savings: uses a single network module slot in a Cisco 2600XM Series, Cisco 3660, or Cisco 3700 Series branch office router.

• Simple Power and Cable Management: takes advantage of the power options of the router, including DC power

and redundant power.

• Common Management Interface: can be configured and managed from the Cisco IOS Software CLI. This

network module supports all the same CiscoWorks Management Center for Cisco IDS Sensors that the Cisco IDS

4200 Series supports, allowing customers to use one centralized management system for both appliance and

router IDS sensors.

• Network Command and Control Interface: by using the external Fast Ethernet port for command and control,

the Cisco IDS Network Module internal router connection is free to capture the packets to the network module

for processing by the IDS engine.

• Separate Processor for the Cisco IDS Network Module to Maximize Performance: a dedicated CPU in the

network module frees the router CPU from process-intensive IDS tasks.

• Lower Operational Costs: the Cisco IDS Network Module is covered via Cisco maintenance service for the router.

This setup minimizes network operational costs.

Hardware

Product Management Contact: Kevin Sullivan, [email protected]

Routers • Cisco 2600XM, 3600, and 3700 Series Routers

• Cisco 2691 Router


2.2) Broadband

Table 3 Broadband Feature Highlights

2.2.1) Upstream Connection Speed Transfer at LAC

This feature allows configuration of Layer 2 Tunneling Protocol (L2TP) Attribute-Value Pair (AVP) 38 at the L2TP Access Concentrator (LAC). AVP 38 communicates the upstream (remote site to LAC) connection speed and complements Cisco’s existing support for AVP 24, which carries the downstream (LAC to remote site) connection speed. Together they allow the creation of asymmetric broadband services in which the upstream and downstream connection speeds differ.

Benefits

• Allows support of asymmetric broadband service speeds such as Asymmetric DSL (ADSL).

• Better compliance with RFC 2661 for L2TP.

• Required for regulatory compliance in European countries like Germany.

Hardware

Product Management Contact: [email protected]

Sections

2.2.1) Upstream Connection Speed Transfer at LAC

2.2.2) Configurable MAC Address for bba-group

2.2.3) Explicit Call Transfer for ETSI PRI

2.2.4) Protocol Translation Template

2.2.5) Asynchronous Line Monitoring

2.2.6) VRF Aware Dialer Watch

2.2.7) PPP/MLP MRRU Negotiation

2.2.8) Digital Private Network Signaling System Backhaul

2.2.9) V.120 Support for Network Access Servers

2.2.10) Layer 2 Tunnel Protocol Tunnel Connection Speed Labeling

2.2.11) Peer Pool Backup Command

2.2.12) Point to Point Protocol over Ethernet Relay

2.2.13) PPPoE Session Limit per NAS Port Download

2.2.14) Telnet/Packet Assembler/Disassembler Translation Authorization

2.2.15) X.25 Data Display Trace

2.2.16) PPPoE over VLAN Scaling and ATM Support for PPPoE over VLANs

2.2.17) End of Record Functionality for Data Communication Networks

2.2.18) Packet Assembler/Disassembler Subaddress Formatting Option

2.2.19) Layer 2 Tunneling Protocol Version 3

2.2.20) PPPoE Session Recovery after Reload

2.2.21) L2TP Client-Initiated Tunneling

2.2.22) B-Channel Availability Control

2.2.23) ISDN Backup in Multiprotocol Label Switching Core

2.2.24) V.110 Support for MGCP-Dial

2.2.25) X.25 Call Confirm Packet Address Control

Routers • Cisco 7200, 7300, and 7400 Series Routers


2.2.2) Configurable MAC Address for bba-group

This feature allows the configuration of separate MAC addresses for PPPoE and RBE sessions on the same physical ATM interface. This matters because the aggregation router, as shown in Figure 10, uses the ATM interface’s MAC address as the source address for both the incoming PPPoE and RBE sessions. Where multiple hosts exist and both PPPoE and RBE sessions have been initiated, the MAC address must be configurable (rather than simply taken from the ATM interface of the CPE router) so that the different sessions can be distinguished. This feature is only available under the bba-group configuration mode and requires each session to be on its own PVC.

Figure 10. Configurable MAC Address for bba-group

Benefits

Allows support of multiple session types, like RBE and PPPoE, on the same ATM interface for broadband

applications.

Hardware

Considerations

• Only configurable under the bba-group mode and not vpdn-group mode.

• Requires each session to be on its own PVC.

Product Management Contact: [email protected]

Routers • Cisco 7200, 7300, and 7400 Series Routers

[Figure 10 diagram labels: ATM; Aggregation Router; CPE Router acting as a Bridge; Logical Bridge]

2.2.3) Explicit Call Transfer for ETSI PRI

Explicit Call Transfer (ECT) allows the router to transfer a call received from the PSTN to its final destination number on the PSTN instead of “hairpinning” the call on the router interface and consuming a DS0 channel on a PRI interface. This feature allows the ECT functionality to work with the ETSI (NET5) switch type and helps make better use of channels on a PRI interface. The typical architecture for this functionality has the AS5xxx acting as a voice gateway between a SIP (Session Initiation Protocol) based Voice Recognition Server (VRS) and a Central Office switch in the PSTN. The application is to provide call transfer services based upon voice recognition (the typical voice-activated menus of call centers, such as an airline reservation system) to service provider customers looking to operate large customer contact centers. In these applications, the call flow proceeds as follows:

1. An initial call is received on a PRI interface of the Cisco AS5000 Series and routed to the Voice Recognition Server

via a SIP interface.

2. The VRS identifies a destination number to transfer the call to based on a voice command selection from the

end user.

3. The VRS sends the appropriate SIP message with the destination number to the Cisco AS5000 Series, and the Cisco AS5000 Series performs an Explicit Call Transfer of the original call on its PRI interface.

Benefits

Allows better utilization of DS0 channels on PRI interfaces for VoIP applications and allows Call Transfer

functionality to work with ETSI (NET5) switch types, which are found in Europe and Asia.

Hardware

Product Management Contact: Sanjay Bhardwaj, [email protected]

2.2.4) Protocol Translation Template

Protocol Translation Template (PTT) gives Telco DCN (Data Communication Network) customers increased flexibility in configuring protocol translation (PT) sessions in environments where a large number of PT sessions must be configured. The current PT configuration requires a static mapping between each incoming connection (PAD, Telnet, LAT) with its configuration parameters and the outbound protocol connection (PAD, Telnet, LAT, PPP, SLIP, …) with its configuration parameters. The new PTT allows the construction of a template containing ‘ruleset’ capabilities that build the configuration dynamically, simplifying the task of creating large-scale PT configurations. The ‘ruleset’ capability allows multiline string searches, comparisons, and substitutions in the PTT to create a configuration for PT.

Benefits

Using Protocol Translation Templates will allow Telco DCN administrators to create large scale PT configurations

in a quicker and more error-free manner. Administrators will not have to configure a large number of static PT

sessions and will have a simple method to configure a general purpose PTT.

Hardware

Product Management Contact: Sanjay Bhardwaj, [email protected]

Access Servers • Cisco AS5000 Series Access Server

Routers • Cisco 2610XM, 2620XM, 3660, 3725, and 3745 Routers


2.2.5) Asynchronous Line Monitoring

Asynchronous Line Monitoring enables the monitoring of control characters, along with the character mode traffic

on an asynchronous line. A new keyword ‘control-char’ will be added to the existing CLI ‘monitor traffic’ to turn on

this function.

Asynchronous Line Monitoring also adds the ability to lock the keyboard, preventing the insertion of typed

characters into the stream of characters on the asynchronous line.

The modified CLI will look like this:

monitor traffic line <line> [in] [out] [control-char][interactive]

This functionality is important for Telco Data Communication Network (DCN) applications where Service Providers

want to monitor remote Network Elements via asynchronous lines.

Figure 11. Asynchronous Line Monitoring

In the DCN application example shown above, the user opens a telnet session from the Operation Support

System (OSS) host to the Network Element.

Benefits

Asynchronous Line Monitoring provides added granularity and enables network administrators to control traffic

on asynchronous lines.

Hardware

Product Management Contact: Sanjay Bhardwaj, [email protected]

2.2.6) VRF Aware Dialer Watch

Description

The virtual routing and forwarding instance (VRF) Aware Dialer Watch feature enhances dialer watch functionality

by allowing an IP address and VRF pair to be watched for dial backup. In this way, a given VRF (or set of VRFs)

may be backed up by an ISDN or Dial Connection. This functionality provides an added measure of fault tolerance

in a VPN environment.

Routers • Cisco 2610XM, 2620XM, 3660, 3725, and 3745 Routers

[Figure 11 diagram labels: OSS; Telnet Session; TCP/IP; TCP Out; TCP In; Async Line Monitoring; Network Element; IP]

Figure 12. VRF Aware Dialer Watch Typical Configuration

A typical scenario for the VRF Aware Dialer Watch feature follows:

• A VRF router learns the route to the CE (Customer Edge) from a PE (Provider Edge).

• The VRF router watches these learned routes to the CEs.

• The primary link between a PE and CE goes down.

• The watched route goes down in the VRF router.

• Dialer Watch call is initiated to the corresponding CE.

Benefits

Enhanced fault tolerance and network resiliency in VPN environments.

Hardware

Product Management Contact: [email protected]

2.2.7) PPP/MLP MRRU Negotiation

Description

The PPP/MLP MRRU Negotiation Configuration feature enables a router to send and receive frames over Multilink

PPP (MLP) bundles that are larger than the default Maximum Receive Reconstructed Unit (MRRU) limit of 1524

bytes. Previously, configuring the MRRU option negotiated on a multilink bundle with the MLP was not possible.

Cisco IOS Software provided an MRRU default value of 1524 bytes, which meant that the maximum transmission

unit (MTU) of the peer’s bundle interface was restricted to a value of 1524 bytes or fewer for a successful data

transfer.

Routers • Cisco 3631, 3640, 3640A, and 3660 Routers

• Cisco 3725 and 3745 Routers

[Figure 12 diagram labels: PE; VRF1, VRF2, VRF3; CE1, CE2, CE3; IP VPN; Customer Site; ISDN; Primary Link; Secondary Link; Dial-Out. Each VLAN is associated with each VRF. When a primary link goes down, Dialer Watch detects it at the VRF and calls the appropriate CE.]

The PPP/MLP MRRU Negotiation Configuration feature allows configuration control over MRRU negotiation. A new interface configuration command introduced with this feature, ppp multilink mrru, allows configuration of the specific MRRU value that the router advertises and, optionally, establishes a lower boundary on the MRRU value accepted from the peer.

Benefits

This feature is useful when the addition of a header, such as an IPsec header or application software header, causes

the MTU of packets on an MLP interface to exceed the 1500 byte MTU of a typical IP packet.

Hardware

Product Management Contact: [email protected]

2.2.8) Digital Private Network Signaling System Backhaul

This feature introduces support for Digital Private Network Signaling System (DPNSS) Layer 2 functionality on the

Cisco Gateway (GW) Router. It supports Layer 3 backhauling to a Cisco PGW2200 using DPNSS and Digital Access

Signaling System (DASS) User Adaptation (DUA) over Stream Control Transmission Protocol (SCTP).

DPNSS was developed by British Telecom and is used in the United Kingdom, Northern Europe, and parts of Asia.

It is a standard and open protocol used between PBXs in a private network that enables complex features to work

on a network basis. This feature applies the DPNSS backhaul solution on Cisco gateways to provide connectivity and

services to the PBXs that are running the DPNSS protocol.

Benefits

This functionality enables Cisco routers to interoperate with PBXs that run the DPNSS signaling protocol. This will

allow for successful migration of Cisco VoIP solutions into a DPNSS-based PBX environment.

Hardware

Product Management Contact: [email protected]

2.2.9) V.120 Support for Network Access Servers

The V.120 Support for Network Access Server (NAS) feature supports the International Telecommunication Union Telecommunication Standardization Sector (ITU-T) V.120 bit rate adaptation standard, which allows connectivity to lower-bandwidth devices through rate adaptation. This feature was developed for the Media Gateway Control Protocol (MGCP) network access server (NAS) package and allows ISDN terminal adapters to transfer data. The MGCP NAS package implements signals and events to create, modify, and close data calls. The events include signaling the arrival of an outbound call (such as IP to Public Switched Telephone Network (PSTN)) to the media gateway controller (call agent), reporting carrier loss and call authorization status, and receiving callback requests.

Routers • All (platform independent)

Routers • Cisco 2610XM, 2611XM, 2620XM, 2621XM, 2650XM, and 2651XM Routers

• Cisco 3725 and 3745 Routers


Benefits

This feature enables Cisco routers to function in a gateway role between networks with different data rates that use the V.120 standard.

Hardware

Product Management Contact: [email protected]

2.2.10) Layer 2 Tunnel Protocol Tunnel Connection Speed Labeling

In previous releases of Cisco IOS Software, when a Layer 2 Tunnel Protocol (L2TP) Network Server (LNS) received an Incoming-Call-Connected (ICCN) message, there was no authentication check on the user’s connection speed. L2TP Tunnel Connection Speed Labeling introduces the ability to accept or deny an L2TP session based on the allowed connection speed configured for that user on the Cisco Access Registrar (ARS) RADIUS server. This allows RADIUS server authorization of users based on their Service Level Agreement (SLA).

Benefits

This feature enables an LNS to authorize users for network access based upon the connection speed of the session.

This is useful in certain European markets due to regulatory requirements.

Hardware

Product Management Contact: [email protected]
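The AVP handling behind sections 2.2.1 and 2.2.10, as an added example that is not Cisco IOS code: it encodes and parses RFC 2661 AVPs (Message Type 0, (Tx) Connect Speed 24, Rx Connect Speed 38) from a constructed ICCN and applies an LNS-side per-user speed check. It goes slightly beyond the text by also rejecting malformed, hidden and unknown mandatory AVPs; the function names, the deny-if-faster-than-profile policy and the sample messages are this example's own assumptions, and a real LNS would take the allowed speeds from the user's RADIUS profile.

```python
"""Walk the AVPs of an L2TP ICCN (RFC 2661) and authorize the session against a
per-user connect-speed profile. Added example, not Cisco IOS code: attribute numbers
come from RFC 2661; names, policy and sample messages are this example's own."""
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

AVP_MESSAGE_TYPE = 0       # RFC 2661: always the first AVP of a control message
AVP_TX_CONNECT_SPEED = 24  # bps from the LAC toward the remote site (downstream)
AVP_RX_CONNECT_SPEED = 38  # bps from the remote site toward the LAC (upstream)
MSG_ICCN = 12              # Incoming-Call-Connected
KNOWN_TYPES = {AVP_MESSAGE_TYPE, AVP_TX_CONNECT_SPEED, AVP_RX_CONNECT_SPEED}


@dataclass
class Avp:
    mandatory: bool  # M bit: an unrecognised mandatory AVP must end the session
    hidden: bool     # H bit: value hidden with the tunnel secret (not handled here)
    vendor_id: int   # 0 = IETF-defined attribute
    attr_type: int
    value: bytes


def build_avp(attr_type: int, value: bytes, mandatory: bool = True) -> bytes:
    """Encode one IETF AVP: flags/length (2 bytes), vendor ID (2), type (2), value."""
    length = 6 + len(value)
    if length > 0x3FF:
        raise ValueError("AVP too long for the 10-bit length field")
    flags = (0x8000 if mandatory else 0) | length
    return struct.pack("!HHH", flags, 0, attr_type) + value


def parse_avps(payload: bytes) -> List[Avp]:
    """Walk an AVP list, validating every length before it is used as an offset."""
    avps: List[Avp] = []
    off = 0
    while off < len(payload):
        if len(payload) - off < 6:
            raise ValueError("truncated AVP header at offset %d" % off)
        flags, vendor_id, attr_type = struct.unpack_from("!HHH", payload, off)
        length = flags & 0x03FF
        if length < 6 or off + length > len(payload):
            raise ValueError("bad AVP length %d at offset %d" % (length, off))
        avps.append(Avp(bool(flags & 0x8000), bool(flags & 0x4000),
                        vendor_id, attr_type, payload[off + 6:off + length]))
        off += length
    return avps


def connect_speeds(avps: List[Avp]) -> Tuple[Optional[int], Optional[int]]:
    """Return (tx_bps, rx_bps); rx is None when the LAC sent no AVP 38."""
    tx = rx = None
    for avp in avps:
        if avp.vendor_id != 0 or len(avp.value) != 4:
            continue
        if avp.attr_type == AVP_TX_CONNECT_SPEED:
            tx = struct.unpack("!I", avp.value)[0]
        elif avp.attr_type == AVP_RX_CONNECT_SPEED:
            rx = struct.unpack("!I", avp.value)[0]
    return tx, rx


def authorize_iccn(payload: bytes, allowed_tx_bps: int,
                   allowed_rx_bps: int) -> Tuple[bool, str]:
    """LNS-side decision: accept the ICCN only if the labelled speeds fit the user's
    profile (passed in directly here; a real LNS reads them from RADIUS)."""
    try:
        avps = parse_avps(payload)
    except ValueError as exc:
        return False, "malformed control message: %s" % exc
    if not avps or avps[0].attr_type != AVP_MESSAGE_TYPE or len(avps[0].value) != 2:
        return False, "missing Message Type AVP"
    if struct.unpack("!H", avps[0].value)[0] != MSG_ICCN:
        return False, "not an ICCN"
    for avp in avps:
        if avp.hidden:
            return False, "hidden AVP %d not supported by this example" % avp.attr_type
        if avp.mandatory and avp.vendor_id == 0 and avp.attr_type not in KNOWN_TYPES:
            return False, "unknown mandatory AVP %d" % avp.attr_type
    tx, rx = connect_speeds(avps)
    if tx is None:
        return False, "ICCN without (Tx) Connect Speed AVP"
    if rx is None:
        rx = tx  # RFC 2661: no AVP 38 means the link is assumed symmetric
    if tx > allowed_tx_bps or rx > allowed_rx_bps:
        return False, "denied: tx %d / rx %d bps exceeds profile %d / %d" % (
            tx, rx, allowed_tx_bps, allowed_rx_bps)
    return True, "accepted: tx %d bps, rx %d bps" % (tx, rx)


# Constructed ICCNs: an ADSL session labelled 2 Mbps down / 256 kbps up by a LAC that
# sends AVP 38, and the same session from an older LAC that only sends AVP 24.
ADSL_ICCN = (build_avp(AVP_MESSAGE_TYPE, struct.pack("!H", MSG_ICCN))
             + build_avp(AVP_TX_CONNECT_SPEED, struct.pack("!I", 2048000))
             + build_avp(AVP_RX_CONNECT_SPEED, struct.pack("!I", 256000), mandatory=False))
LEGACY_ICCN = (build_avp(AVP_MESSAGE_TYPE, struct.pack("!H", MSG_ICCN))
               + build_avp(AVP_TX_CONNECT_SPEED, struct.pack("!I", 2048000)))
```

Without AVP 38 the LNS has to treat the upstream as symmetric, which is why the LEGACY_ICCN is refused against a 2048000/256000 profile while the ADSL_ICCN is accepted.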

2.2.11) Peer Pool Backup Command

The “peer pool backup” facility provides the ability to specify a “preferred” IP address pool from AAA (on a per-user basis) while still providing alternate pools when the AAA-specified pool is exhausted or not yet created. This functionality is driven by the emergence of numerous independently controlled AAA servers in large-scale dial or DSL environments where user groups are assigned address ranges, but a common “overflow” pool set allows the number of users in a group to far exceed the assigned address range. The facility also provides the ability to suppress the loading of dynamic IP address pools on a per-interface basis and to limit the AAA pool name to a set acceptable to the NAS, both key features when the NAS and AAA are controlled by separate parties.

Benefits

Allows Cisco routers increased flexibility and scalability in assigning IP addresses for Dial/DSL environments which

have a large service subscriber base.

Access Servers • Cisco AS5300, AS5350, AS5400, AS5850-ERSC, and AS5850-RSC Series Access Servers

Routers • Cisco 7200, 7301, and 7400 Series Routers

• Cisco 7301, 7304-NPE-G100, and 7304-NSE-100 Routers


Hardware

Product Management Contact: [email protected]

2.2.12) Point to Point Protocol over Ethernet Relay

Point to Point Protocol over Ethernet (PPPoE) Relay enables an L2TP access concentrator (LAC) to relay the active discovery and service selection functionality of PPPoE, over an L2TP control channel, to an L2TP network server (LNS) or tunnel switch. The relay functionality enables the LNS or tunnel switch to advertise the services it offers to the client, thereby providing end-to-end control of services between the LNS and a PPPoE client.

Benefits

PPPoE Relay allows end-to-end control of services between LNS and PPPoE client. This allows a broadband Service

Provider added flexibility in the services offered to the user base or further granularity to customize the network

based upon the subscriber.

Hardware

Product Management Contact: [email protected]

2.2.13) PPPoE Session Limit per NAS Port Download

PPPoE Session Limit Per NAS Port limits the number of PPPoE sessions on a specific virtual circuit (VC) or VLAN

configured on an L2TP access concentrator (LAC). The NAS port is either an ATM VC or a configured VLAN ID.

The PPPoE per-NAS-port session limit is maintained in a RADIUS server customer profile database. This customer

profile database is connected to a LAC and is separate from the RADIUS server that the LAC and L2TP Network

Server (LNS) use for the authentication and authorization of incoming users. See Figure 72 for a sample network

topology.

Routers • Cisco 2610XM, 2611XM, 2620XM, 2621XM, 2650XM, and 2651XM Routers

• Cisco 3631, 3640, and 3660 Routers

• Cisco 7200 and 7400 Series Routers

Access Servers • Cisco AS5300, AS5350, AS5400, AS5850-ERSC, and AS5850-RSC Series Access Servers

Routers • Cisco 7200 and 7400 Series Routers


Figure 13. PPPoE Session Limit Per NAS Port Sample Topology

Benefits

Allows centralized control of the number of users on a given port for a service provider. This is useful when dealing

with multiple LAC devices.

Hardware

Product Management Contact: [email protected]

2.2.14) Telnet/Packet Assembler/Disassembler Translation Authorization

Because of the security risks inherent in allowing unauthorized network usage, it is important to authorize sessions before allowing access to network resources. In previous releases of Cisco IOS Software, protocol translation sessions were established using one-step protocol translation without first issuing an authorization request. The Telnet/Packet Assembler/Disassembler (PAD) Translation Authorization feature adds an option to require that an authorization request be issued as a prerequisite to establishing a protocol translation session.

Benefits

The key benefit is enhanced security introduced by the Authorization step when using Telnet sessions or low-cost

PAD devices for managing Network Elements in Telco environments with X.25.

Hardware

Routers • Cisco 7200 and 7400 Series Routers

Routers • Cisco 2691 Router

• Cisco 2610XM, 2611XM, 2620XM, 2621XM, 2650XM, 2651XM Series

• Cisco 3631, 3640, 3640A, and 3660 Routers

[Figure 13 diagram labels: PPPoE Client; LAC; L2TP Tunnel; LNS; Customer Profile Database (AAA RADIUS Server); LAC/LNS AAA RADIUS Server]

Considerations

• This feature is supported only for X.25-to-TCP and TCP-to-X.25 protocol translation sessions.

• It is supported for both permanent virtual circuit (PVC) and switched virtual circuit (SVC) X.25 connections.

Product Management Contact: Sanjay Bhardwaj, [email protected]

2.2.15) X.25 Data Display Trace

The ability to debug a network is of vital importance when trying to trace the source of problems that cause lack

of connectivity or suboptimal performance. X.25 Data Display Trace enhances the Cisco IOS Software debugging

capability for X.25. It enables an authorized user to display the entire X.25-encoded traffic stream, including user

data, for those packets specified by an X.25 debug command.

Benefits

X.25 Data Display Trace enables enhanced debugging capabilities for maintaining a router network or using the router to troubleshoot a network with X.25 connectivity.

Hardware

Product Management Contact: Sanjay Bhardwaj, [email protected]

2.2.16) PPPoE over VLAN Scaling and ATM Support for PPPoE over VLANs

Scalability, both in terms of session counts and more broadly in terms of media types supported, is of critical

importance to Service Providers deploying Broadband Networks. The PPPoE over VLAN Scaling and ATM Support

for PPPoE over VLANs feature provides two enhancements to PPP over Ethernet (PPPoE) over IEEE 802.1Q VLAN

functionality:

• Session Scalability: removes the requirement for each PPPoE over VLAN session to be created on a subinterface.

Removing this requirement increases the number of VLANs that can be configured on a router to 4000 VLANs

per interface.

• Media Support: adds ATM permanent virtual circuit (PVC) support for PPPoE over VLAN traffic that uses

bridged RFC 1483 encapsulation.

Routers • All routers supporting X.25 encapsulation on serial interfaces


Figure 14. Sample Network Topology for PPPoE over 802.1Q VLANs over ATM

Benefits

• Lower cost per session due to the increase in session scalability.

• Increased flexibility in choosing the underlying physical medium that carries PPPoE over VLAN traffic, due to the ATM support.

Hardware

Considerations

• PPPoE over 802.1Q VLAN support can be configured without using subinterfaces on the PPPoE server only.

• ATM PVC support for PPPoE over 802.1Q VLANs can be configured only on the PPPoE server.

• Scalability targets refer to software configurability only. Hardware memory and performance considerations may

impose lower limits to the number of usable sessions on a given hardware product.

Product Management Contact: Sanjay Bhardwaj, [email protected]

2.2.17) End of Record Functionality for Data Communication Networks

The Cisco Protocol Translator is designed to support telnet-like applications that are stream-based, with no

recognition or accommodation for logical records. This can cause problems for record-oriented applications, because

the record boundaries in X.25 data are lost during translation to TCP.

End of Record Functionality for Data Communication Networks (DCN) provides for the configuration of an End

of Record (EOR) marker, enabling the X.25 logical boundaries to be marked when translated to TCP. The feature

enables the preservation of logical boundaries when translating X.25 data to TCP, enabling X.25-based networking

solutions to adapt to and benefit from TCP/IP technologies.

Routers • Cisco 1700, 7200, 7300, and 7400 Series Routers

• Cisco 3725 and 3745 Routers

[Figure 14 diagram: PPPoE clients behind a DSL modem; Ethernet with an 802.1Q VLAN trunk; DSL access multiplexer; ATM to the NAS, which is configured for PPPoE over VLAN over ATM.]


Benefits

This feature preserves data integrity in X.25 over TCP (XOT) protocol translation environments and minimizes the need for packet resends, which improves network performance and data throughput.

Hardware

Considerations

This feature is supported only for XOT protocol translation sessions.

Product Management Contact: Sanjay Bhardwaj, [email protected]

2.2.18) Packet Assembler/Disassembler Subaddress Formatting Option

Prior to Cisco IOS Software Release 12.3(2)T, Packet Assembler/Disassembler (PAD) subaddressing used a two-digit field that required a leading zero for subaddress values less than 10 (i.e., 0 through 9). The PAD Subaddress Formatting Option feature introduces the ability to suppress the leading zero for subaddresses with a value of nine or lower. The suppression occurs before the subaddress field is appended to the calling address.

Figure 15: X.25 Addressing Scheme: PAD Calls from Branch Office to Host

Benefits

This feature increases compatibility with X.25 host systems that use single-digit subaddresses. It is particularly relevant for European X.25 host systems, which have a large installed base of single-digit systems.

Routers • Cisco 2610XM, 2611XM, 2691, 3631, 3640, 3660, 3725, and 3745 Routers

• Cisco 7200, 7400, and 7500 Series Routers

Switches • Cisco IGX8400-URM Switch

Access Servers • Cisco AS5300, AS5350, and AS5400 Series Access Servers

[Figure 15 diagram: asynchronous PAD at the branch office, X.25 switch, PDN backbone (XOT, X.25 or Annex G), X.25 host. Callouts contrast the current and the expected subaddress formatting for calls to host address 9451206945126.]


Hardware

Product Management Contact: Sanjay Bhardwaj, [email protected]

2.2.19) Layer 2 Tunneling Protocol Version 3

Layer 2 Tunneling Protocol version 3 (L2TPv3) is the Cisco solution for transporting Layer 2 packets over an IP network. L2TPv3 extends the usability of IP networks by enabling the transport of Layer 2 frames over an IP infrastructure. It is required for supporting legacy services over IP infrastructures and for several new connectivity options, including Layer 2 virtual private networks (VPNs) and Layer 2 virtual leased lines.

L2TPv3 is an update to RFC 2661 (L2TPv2), published as RFC 3931. L2TPv2 was originally defined as a method of tunneling PPP frames across packet-switched data networks. A need emerged to update the specification so that it covered all Layer 2 encapsulations that require tunneling across packet networks, which led to the development of L2TPv3. L2TPv3 makes two notable changes: it removes the PPP-specific portions of the L2TPv2 header, generalizing the protocol for other applications, and it moves to a performance-friendly header format for high-speed decapsulation.

L2TPv3 uses a directed control channel session between edge routers to set up and maintain connections. Forwarding uses ordinary IP packet forwarding between the two edge devices. Two headers, an IP header and the L2TPv3 header, are used to forward packets between routers. The outer header is an IP header that routes the tunneled packet over the IP backbone to the egress provider edge (PE) device. The L2TPv3 header identifies the egress interface and binds the Layer 2 egress interface to the tunnel.
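The following Python is an added example, not Cisco code, of the decapsulation step described above: it builds and parses the L2TPv3 data header that sits behind the outer IP header. The header layout (a 32-bit Session ID, optionally followed by a 4- or 8-byte cookie, carried directly in IP protocol 115) comes from RFC 3931 rather than from this bulletin. The cookie, which the bulletin does not mention, is what stops a spoofed IP packet that merely guesses a Session ID from being forwarded onto a customer's circuit. The session table, interface names and payload are constructed.

```python
"""L2TPv3 data-header handling: an added example, not Cisco code.  Layout
(32-bit Session ID, optional 4- or 8-byte cookie, carried directly in IP
protocol 115) is from RFC 3931; sessions, interfaces and payloads are
constructed for the example."""

import secrets
import struct

L2TPV3_IP_PROTO = 115   # RFC 3931: L2TPv3 over IP uses protocol number 115


def build_data_packet(session_id, cookie, l2_frame):
    """Prepend the L2TPv3 header to a Layer 2 frame.  The outer IP header
    (protocol 115, destination = egress PE) is added by the IP stack."""
    if not 1 <= session_id <= 0xFFFFFFFF:
        raise ValueError("session ID 0 is reserved for control messages")
    if len(cookie) not in (0, 4, 8):
        raise ValueError("cookie must be 0, 4 or 8 bytes")
    return struct.pack("!I", session_id) + cookie + l2_frame


class EgressPE:
    """Decapsulating (egress) PE: the Session ID selects the attachment
    circuit, and the cookie must match before anything is forwarded."""

    def __init__(self):
        self.sessions = {}   # session_id -> (cookie, egress interface)

    def add_session(self, session_id, egress_interface, cookie_len=8):
        # The cookie is a random per-session value exchanged over the
        # control channel during session setup; a fresh one is drawn here.
        cookie = secrets.token_bytes(cookie_len)
        self.sessions[session_id] = (cookie, egress_interface)
        return cookie

    def decapsulate(self, packet):
        """Return (egress_interface, l2_frame), or None when the packet is
        dropped.  Without the cookie check, a blindly spoofed IP packet that
        guesses a 32-bit Session ID would be forwarded onto the customer's
        circuit, which is why a 0-byte cookie is a poor choice."""
        if len(packet) < 4:
            return None
        (session_id,) = struct.unpack("!I", packet[:4])
        entry = self.sessions.get(session_id)
        if entry is None:
            return None                      # unknown session
        cookie, egress_if = entry
        n = len(cookie)
        if len(packet) < 4 + n or not secrets.compare_digest(packet[4:4 + n], cookie):
            return None                      # cookie mismatch: drop silently
        return egress_if, packet[4 + n:]


def demo():
    """Constructed session: a genuine packet is forwarded, a spoofed one
    with the right Session ID but a guessed cookie is dropped."""
    pe = EgressPE()
    cookie = pe.add_session(0x1234ABCD, "Serial0/0")
    frame = b"\xff\x03\x00\x21" + b"constructed-ppp-payload"   # PPP-framed sample
    genuine = build_data_packet(0x1234ABCD, cookie, frame)
    spoofed = build_data_packet(0x1234ABCD, bytes(8), frame)
    return pe.decapsulate(genuine), pe.decapsulate(spoofed)


if __name__ == "__main__":
    print(demo())
```

The comparison is constant-time on purpose: the cookie is the only secret standing between the IP backbone and the attachment circuit, so it should not leak through timing either.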

Figure 16: L2TPv3

Routers • Cisco 800 Series Routers

• Cisco 1700 Series Access Routers

• Cisco 2691, 3631, 3640, 3660, 3725, 3745 Routers

• Cisco 7200, 7400, and 7500 Series Routers

Switches • Cisco Catalyst 4000-AGM Series

• Cisco IGX8400-URM Series Switches

[Figure 16 diagram: PPP, Frame Relay, leased-line and Ethernet attachment circuits at each edge, carried across an IP core by L2TPv3.]


Benefits

• Reduced cost: consolidate multiple core technologies (e.g., IP and Asynchronous Transfer Mode (ATM)) into a single packet-based infrastructure.

• Simplified services: Layer 2 transport gives Service Provider and Enterprise customers who need to provide Layer 2 connectivity a way to maintain customer or department autonomy. Several factors simplify service deployment:

– Configuration only on edge routers.

– Service Provider and Enterprise customers do not participate in passing or maintaining routing information for VPN traffic.

– Leverages code and mind share from L2VPN access network deployments.

• Protect existing investments: Service Provider and Enterprise customers can leverage existing IP infrastructures to support Layer 2 networks without deploying an old-world infrastructure.

• Feature support: Layer 2 transport can be tailored to customer requirements using Cisco IOS Software features (e.g., Quality of Service (QoS) and IPsec).

• New service (revenue) opportunities for IP networks, e.g., Layer 2 transport and Virtual Leased Line (VLL) services.

• Standards-based approach: a standards-track open architecture addressed by the IETF.

Hardware

Attachments: Frame Relay, Ethernet, HDLC, PPP

Product Management Contact: Neil Abogado, [email protected]

2.2.20) PPPoE Session Recovery after Reload

If the PPP keepalive mechanism is disabled on the customer premises equipment (CPE) device, a Point-to-Point Protocol over Ethernet (PPPoE) session hangs indefinitely after the aggregation device reloads. PPPoE Session Recovery After Reload lets the aggregation device attempt to recover PPPoE sessions that failed because of the reload by sending a PPPoE Active Discovery Terminate (PADT) packet to the CPE. The CPE device is expected to take failure recovery action upon receipt of this packet.
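An added example (not Cisco code) of the PADT exchange, with the CPE-side checks a practitioner would want before tearing a session down. The frame layout and code points follow RFC 2516; the MAC addresses, session IDs and the CPE's session record are constructed. The point worth seeing in code is that a PADT carries no authentication, so matching it against the peer MAC and session ID is the only filter a CPE has.

```python
"""PPPoE PADT build/parse and CPE-side handling: an added example, not
Cisco code.  Frame layout and code points are from RFC 2516; MAC
addresses, session IDs and the CPE session are constructed."""

import struct

ETH_P_PPPOE_DISC = 0x8863   # discovery-stage Ethertype (PADT is a discovery packet)
PPPOE_VER_TYPE = 0x11       # VER = 1, TYPE = 1
CODE_PADT = 0xA7


def build_padt(dst_mac, src_mac, session_id):
    """Ethernet frame carrying a PADT for session_id.  A PADT needs no
    tags, so the PPPoE LENGTH field is 0."""
    hdr = struct.pack("!BBHH", PPPOE_VER_TYPE, CODE_PADT, session_id, 0)
    return dst_mac + src_mac + struct.pack("!H", ETH_P_PPPOE_DISC) + hdr


def parse_padt(frame):
    """Return (dst_mac, src_mac, session_id) for a well-formed PADT, else None.
    Ethernet padding may follow the PPPoE payload, so LENGTH may be smaller
    than the remaining bytes but never larger."""
    if len(frame) < 20:
        return None
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETH_P_PPPOE_DISC:
        return None
    ver_type, code, session_id, length = struct.unpack("!BBHH", frame[14:20])
    if ver_type != PPPOE_VER_TYPE or code != CODE_PADT or length > len(frame) - 20:
        return None
    return dst, src, session_id


class CpeSession:
    """The CPE's view of its single active PPPoE session."""

    def __init__(self, my_mac, ac_mac, session_id):
        self.my_mac, self.ac_mac, self.session_id = my_mac, ac_mac, session_id
        self.state = "UP"

    def on_frame(self, frame):
        """Recovery action: return to discovery only when the PADT is addressed
        to us, comes from the access concentrator we are peered with and names
        our session.  RFC 2516 gives PADT no integrity protection, so these
        checks are the only filter against a stray or forged terminate on the
        segment; they cannot stop a forger who knows both values."""
        p = parse_padt(frame)
        if p is None:
            return self.state
        dst, src, sid = p
        if dst == self.my_mac and src == self.ac_mac and sid == self.session_id:
            self.state = "REDISCOVER"   # restart PADI/PADO/PADR/PADS
        return self.state


def demo():
    """Constructed aggregation-router (AC) and CPE MACs; three PADTs arrive."""
    ac, cpe = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
    sess = CpeSession(cpe, ac, 0x0042)
    return [
        sess.on_frame(build_padt(cpe, ac, 0x0099)),        # wrong session: ignored
        sess.on_frame(build_padt(cpe, bytes(6), 0x0042)),  # wrong source MAC: ignored
        sess.on_frame(build_padt(cpe, ac, 0x0042)),        # genuine: re-dial
    ]


if __name__ == "__main__":
    print(demo())
```

Note that the recovery action is to go back to discovery, not to act on anything inside the PADT: the CPE re-establishes the session through the normal PADI/PADO/PADR/PADS exchange, so a forged terminate costs at most a re-dial.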

Benefits

Network availability improves, because CPE routers in a broadband network are told to reestablish their PPPoE sessions after a reload of the aggregation router. This minimizes the impact and duration of connectivity loss during a failure of the aggregation router.

Hardware

Product Management Contact: Sanjay Bhardwaj, [email protected]

Routers • Cisco 1700, 2600, 3700, 7200, and 7300 Series Routers

Routers • Cisco 2600, 3600, 7200, and 7400 Series Routers

• Cisco 3725 and 3745 Routers


2.2.21) L2TP Client-Initiated Tunneling

Layer 2 Tunneling Protocol (L2TP) Client-Initiated Tunneling introduces the ability to establish client-initiated L2TP tunnels. The client may initiate an L2TP or L2TPv3 tunnel to the L2TP network server (LNS) without the intermediate network access server (NAS) participating in tunnel negotiation or establishment.

Benefits

This enables providers to offer value-added services, such as VPNs or Firewalls, directly to their customers.

Hardware

Product Management Contact: Sanjay Bhardwaj, [email protected]

2.2.22) B-Channel Availability Control

ISDN B-Channel Availability Control (BCAC) and Round-Robin Channel Selection Enhancements give more dynamic control over ISDN B channels: they add configuration options for message signaling, and a round-robin channel selection scheme alongside the ascending and descending schemes already available.

Benefits

BCAC gives Service Providers dynamic control of B-channel availability for applications such as aggregating low-data-volume links.

Hardware

Product Management Contact: Sanjay Bhardwaj, [email protected]

2.2.23) ISDN Backup in Multiprotocol Label Switching Core

When a primary link is down in the Multiprotocol Label Switching (MPLS) core network, ISDN Backup in MPLS Core allows a backup ISDN link on a dialer interface to be brought up to restore network connectivity. The feature provides high availability for the link between two routers in the MPLS core by supplying a backup mechanism. In terms of what constitutes the “core” of the MPLS network, this functionality is intended for Provider to Provider Edge (P-PE) and Provider to Provider (P-P) links.

Benefits

Enhanced network availability is the key benefit: links in an MPLS core network are backed up by an ISDN connection, which maintains connectivity on critical links in the MPLS core.

Hardware

Routers • Cisco 827, 830, 1710, 1711, and 1712 Routers

Routers • Cisco 3640 and 3660 Routers

Access Servers • Cisco AS5350, AS5400, and AS5850 Series Access Servers

Routers • Cisco 3640 and 7200 Series Routers


Considerations

• Works only with dialer profile configuration.

• Available only for PPP encapsulation.

Product Management Contact: Sanjay Bhardwaj, [email protected]

2.2.24) V.110 Support for MGCP-Dial

This feature adds V.110 encapsulation support for MGCP NAS package dial technology configurations. V.110 encapsulation allows connections to lower-bandwidth devices through the V.110 rate adaption protocol, which enables Global System for Mobile Communications (GSM/DCS/PCS) mobile users to access corporate intranets and the Internet through Integrated Services Digital Network (ISDN) networks.

Benefits

This functionality allows Cisco routers providing Internet connectivity to interoperate in environments where V.110 encapsulation is used for data rate adaptation, for example when slow-speed mobile Personal Digital Assistants (PDAs) connect to the Internet.

Hardware

Product Management Contact: Sanjay Bhardwaj, [email protected]

2.2.25) X.25 Call Confirm Packet Address Control

The X.25 Call Confirm Packet Address Control feature provides options for controlling the source and destination addresses encoded in outgoing Call Confirm packets. You can suppress the addresses completely or specify that the addresses originally proposed in the received Call packet be encoded in the Call Confirm packet. This feature may be necessary when connecting to equipment that implements a nonstandard or proprietary X.25 service, where the addressing scheme needs to be modified.

Benefits

The key benefit is improved interoperability with networking equipment that implements X.25 in a slightly proprietary manner.

Hardware

Product Management Contact: Sanjay Bhardwaj, [email protected]

Access Servers • Cisco AS5350, AS5400, and AS5850 Series Access Servers

Routers • Cisco 800, 7200, and 7400 Series Routers

• Cisco 1710, 2691, 3631, 3640, 3660, 3725, and 3745 Routers

Access Servers • Cisco AS5350, AS5400, and AS5850 Series Access Servers


2.3) High Availability

Table 4: High Availability Feature Highlights

2.3.1) Cisco IOS Warm Upgrade

Cisco IOS Warm Upgrade significantly reduces planned downtime for Cisco IOS Software devices during upgrades to new Cisco IOS Software images. This improves the overall availability of hardware with a single route or switch processor. Users of Cisco IOS Warm Upgrade will typically see an eighty percent reduction in downtime during an image upgrade.

Figure 17: Cisco IOS Warm Upgrade

Benefits

• Reduced downtime for planned upgrades

Cisco IOS Warm Upgrade loads the new image directly into memory and decompresses it while the current image is still executing on the Cisco IOS Software device. Once the new image is completely loaded, a failover to it occurs. This bypasses the load, decompress and initial boot steps of a cold reload.

• Upgrade without storage media

With Cisco IOS Warm Upgrade, it is possible to upgrade to a new image over the network without attempting a netboot from ROMMON or the boot helper. This allows users to evaluate new software on a device without placing the image on the device's flash media. Furthermore, if Cisco IOS Warm Upgrade fails for any reason, the Cisco IOS Software device continues to run the existing image where possible.

Sections

2.3.1) Cisco IOS Warm Upgrade

2.3.2) Cisco IOS IPsec Stateful Failover

[Figure 17 diagram: Warm Upgrade sequence (execute, save data segment, initialize) compared with a cold boot. A normal reload without Cisco IOS Warm Upgrade loses packet forwarding for about 3.5 minutes; with Cisco IOS Warm Upgrade the router loses packet forwarding for about 30 seconds.]


Hardware

Considerations

Users need sufficient free memory to decompress the new Cisco IOS Software image in the system in order to use Warm Upgrade.

Additional Information:

• http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_feature_guide09186a00801a755a.html

• http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_feature_guide09186a00802b4383.html

• http://www.cisco.com/go/fn

2.3.2) Cisco IOS IPsec Stateful Failover

IPsec Stateful Failover allows customers to employ a backup IPsec server that continues processing and forwarding IPsec packets after a planned or unplanned outage. The backup (secondary) IPsec server automatically takes over the tasks of the active (primary) router, without losing secure connections with its peers, should the active router lose connectivity for any reason. The process is transparent to the end user and requires no adjustment or reconfiguration of any remote peer. Keeping those connections alive means the IKE and IPsec security association state, including keying material, is replicated from the active router to the standby; the link that carries this replication should be treated as sensitive and kept off untrusted networks.

IPsec Stateful Failover is designed to work in conjunction with Stateful Switchover (SSO) and Hot Standby Router Protocol (HSRP). HSRP provides network redundancy for IP networks, ensuring that user traffic immediately and transparently recovers from failures in network edge devices or access circuits. IPsec Stateful Failover protects IPsec tunnels, IPsec with GRE, and Cisco IOS Easy VPN traffic.

Figure 18: IPsec Stateful Failover

Routers • http://www.cisco.com/go/fn/

[Figure 18 diagram: active and standby routers using Stateful Switchover (SSO), facing the service provider (SP) network.]


Benefits

Increased resiliency and availability for network applications such as client/server, voice and video over VPN: these applications can now continue uninterrupted during scheduled network maintenance or a network outage. IPsec Stateful Failover provides rapid failover for geographically dispersed peers, avoiding disruption to critical enterprise applications.

Hardware

Additional Information:

http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_feature_guides_list.html

Product Management Contact: [email protected]

Routers • Cisco 3700 and 7200 Series Routers


2.4) Infrastructure

Table 5: Infrastructure Feature Highlights

2.4.1) Cisco IOS Embedded Event Manager 2.1

Cisco IOS Embedded Event Manager (EEM) has been enhanced significantly since it first became available in Cisco IOS Software Release 12.3(4)T. EEM now allows user-programmable actions written in Tool Command Language (Tcl).

EEM marks a shift in network management system design. Cisco is committed to increasing the level of management intelligence and self-awareness within Cisco IOS Software. EEM provides the infrastructure for detecting specific events and taking local action based on them.

Local actions, called EEM policies, can be defined using simple CLI commands, or more complex or custom actions can be written in Tcl. The Tcl interpreter embedded in Cisco IOS Software, with its EEM extensions, has full access to the CLI, so the range of possible actions is limited only by the imagination. For the same reason a policy runs with the full authority of the device: who may register policies, and the file system or server they are loaded from, deserve the same protection as privileged CLI access.
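The following Python is a model of the architecture just described, added here as an illustration; it is not Cisco code and not an EEM Tcl policy. It has two event detectors (a syslog pattern matcher and a counter threshold), an event manager server that dispatches to subscribed policies, and policies whose actions are recorded as strings standing in for the CLI commands a real policy would issue. The syslog lines follow IOS message formats but are constructed for the example, as are the event names, policies and thresholds.

```python
"""A small model of the EEM publish/subscribe architecture: an added
illustration, not Cisco code and not a Tcl policy.  Detectors, policies,
thresholds and the syslog lines are constructed for the example."""

import re
from collections import defaultdict


class EEMServer:
    """Event detectors publish (event_type, fields); the policies subscribed
    to that event type run in registration order."""

    def __init__(self):
        self.subscribers = defaultdict(list)
        self.actions = []          # actions requested by policies, in order

    def register(self, event_type, policy):
        self.subscribers[event_type].append(policy)

    def publish(self, event_type, fields):
        for policy in list(self.subscribers[event_type]):
            policy(self, fields)


class SyslogDetector:
    """Syslog event detector: publishes when a line matches the pattern,
    passing the named groups as event fields."""

    def __init__(self, server, event_type, pattern):
        self.server, self.event_type, self.re = server, event_type, re.compile(pattern)

    def feed(self, line):
        m = self.re.search(line)
        if m:
            self.server.publish(self.event_type, {"msg": line, **m.groupdict()})


class CounterDetector:
    """Counter event detector: publishes once when the counter crosses its
    threshold."""

    def __init__(self, server, name, threshold):
        self.server, self.name, self.threshold, self.value = server, name, threshold, 0

    def increment(self, n=1):
        before, self.value = self.value, self.value + n
        if before < self.threshold <= self.value:
            self.server.publish("counter", {"name": self.name, "value": self.value})


# Policies.  The strings stand in for the CLI commands a real policy would run.
# A real EEM policy can issue any CLI command, so the right to register
# policies, and the storage they are loaded from, deserve the same protection
# as privileged CLI access.
def interface_down_policy(server, ev):
    server.actions.append(f"cli: show interface {ev['ifname']}")
    server.actions.append(f"syslog: EEM policy saw {ev['ifname']} go down")


def login_failure_policy(server, ev):
    server.actions.append(f"counter: failed_logins += 1 ({ev['user']} from {ev['src']})")


def lockdown_policy(server, ev):
    server.actions.append(f"cli: login block-for 300 attempts {ev['value']} within 60")


# Constructed log lines in IOS message format.
LOG = [
    "*Mar  1 00:10:01: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to down",
    "*Mar  1 00:10:05: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.1.1.9] [localport: 22] [Reason: Login Authentication Failed]",
    "*Mar  1 00:10:07: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.1.1.9] [localport: 22] [Reason: Login Authentication Failed]",
    "*Mar  1 00:10:09: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.1.1.9] [localport: 22] [Reason: Login Authentication Failed]",
    "*Mar  1 00:10:30: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up",
]


def demo(lines=LOG):
    server = EEMServer()
    link_down = SyslogDetector(server, "link-down",
                               r"Line protocol on Interface (?P<ifname>\S+), changed state to down")
    login_failed = SyslogDetector(server, "login-failed",
                                  r"%SEC_LOGIN-4-LOGIN_FAILED: Login failed \[user: (?P<user>[^\]]+)\] \[Source: (?P<src>[\d.]+)\]")
    failures = CounterDetector(server, "failed_logins", threshold=3)
    server.register("link-down", interface_down_policy)
    server.register("login-failed", login_failure_policy)
    server.register("login-failed", lambda s, ev: failures.increment())
    server.register("counter", lockdown_policy)
    for line in lines:
        link_down.feed(line)
        login_failed.feed(line)
    return server.actions


if __name__ == "__main__":
    for action in demo():
        print(action)
```

The counter detector only fires on the crossing, not on every increment past the threshold, which is the behaviour a practitioner wants from a lockout policy: one action, not one per further failure.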

Figure 19: Embedded Event Manager 2.1 Architecture

Sections

2.4.1) Cisco IOS Embedded Event Manager 2.1

2.4.2) Embedded Resource Manager

[Figure 19 diagram: event publishers (Cisco IOS subsystems: syslog daemon, counters and timer services, SNMP subsystem, IOS process watchdog/Sysmon, HA redundancy facility, and an application-specific event detector) feed event detectors (syslog interface, counters and status, SNMP, redundancy facility, watchdog). The Embedded Event Manager server dispatches events to the event subscribers, the EEM policies running in the Tcl shell, which implement the policy actions; applications publish their own events through the application-specific event detector.]


Benefits

• Onboard event detection.

• Extensive set of event detectors.

• User-programmable automatic actions triggered by specific events.

• EEM policy definition using Tcl.

Hardware

Product Management Contacts: Rohit Shrivastava ([email protected]), Rick Williams ([email protected])

2.4.2) Embedded Resource Manager

Continuing the commitment to embed more intelligence in network devices, Embedded Resource Manager (ERM) lays the groundwork for further internal monitoring and reporting capabilities. ERM provides internal mechanisms for monitoring internal Cisco IOS Software tasks and shared resource consumption.

Figure 20: ERM Architecture

Benefits

• Allows dynamic monitoring of internal resource utilization.

• Provides ability to take actions to improve the performance and availability of the device.

• Yields information to allow better understanding of scalability requirements in terms of resource consumption.

• Delivers infrastructure for future development and delivery of autonomic functions.

Routers • Cisco 1700, 1800, 2600XM, 2800, 3600, 3700, 3800, and 7200 Series Routers

[Figure 20 diagram: customer view through CLI and SNMP on top of the Resource Manager Framework; resource users (VRF, Cisco Express Forwarding, EEM policy) consume resources from resource owners (CPU, memory, TCAM, PLU); Cisco-provided and customer layers are distinguished.]


Hardware

Cisco IOS Packaging

Cisco IOS Embedded Resource Manager is positioned in the IP Base packages across Cisco routers.

Cisco IOS Packaging Contact: Fariba Farniam ([email protected])

Product Management Contact: Siva Valliappan ([email protected])

Routers • Cisco 800, 1700, 1800, 2600XM, 2800, 3600, 3700, 3800, and 7200 Series Routers


2.5) IP Mobility

Table 6: IP Mobility Feature Highlights

2.5.1) Support for RFC 3519 NAT Traversal

IETF RFC 3519 defines the process by which Mobile IP enabled devices can roam into and traverse networks that have a Network Address Translation (NAT) device at the exit points of the network.

Typically, the ability to roam into and through a network with NAT deployed is unpredictable and depends on the NAT implementation in use. The best way to ensure seamless IP roaming through a NAT device is to support RFC 3519 and encapsulate the Mobile IP packets in UDP.

It is very common for public WLAN “hot spot” networks and GPRS wireless WAN networks to use private IP addressing and NAT devices at the exit points of their networks.

Support is provided in the Foreign Agent and Home Agent capability within Cisco IOS Software:

• Foreign Agent to Home Agent

• Mobile Node to Home Agent

– Assumes the Mobile Node (Mobile IP client) also supports RFC 3519 NAT Traversal

– Example: the Birdstep Mobile IP client supports RFC 3519 NAT Traversal

NAT Traversal encapsulates the Mobile IP packets in UDP, so any firewall in the path must permit UDP port 434.

The use of RFC 3519 is transparent to the end user.

Benefits

Ensure the ability for individual users to maintain their IP sessions when roaming into networks using NAT.

Hardware

Product Management Contact: Mark Denny, [email protected]

2.5.2) Mobile IP Foreign Agent Local Routing for Mobile Networks

Description

Mobile IPv4, as defined in RFC 3344, does not allow direct routing from a correspondent node (IP host or device) to a mobile node or to the mobile networks behind a mobile router. The protocol requires the traffic to go through the mobile node's Home Agent (HA), which creates the behavior known as “triangle routing”.

Sections

2.5.1) Support for RFC 3519 NAT Traversal

2.5.2) Mobile IP Foreign Agent Local Routing for Mobile Networks

2.5.3) Mobile IP—Mobile Networks PPP Dynamic Collocated Care-of-Address

2.5.4) Dynamic Security Associations and Key Distribution

Routers • http://www.cisco.com/go/fn/


Foreign Agent (FA) Local Routing to Mobile Networks solves this problem by allowing correspondent nodes (IP hosts or devices) connected to an FA to route traffic directly via the FA to mobile networks that have roamed to, and connected to, the same FA.

The FA and HA work together in a secured fashion to learn the routing information that the FA adds to its own routing table. This information enables IP traffic from natively attached (Ethernet, WLAN) IP hosts to follow the optimized routing path to the mobile networks.

Learning consists of identifying when a mobile network attaches to the FA, which subnets the mobile network contains, and when the mobile network has left the FA in question. With this information the FA can add routing information to its routing table and subsequently clean up and remove the reachability information.

Turning on FA-HA Authentication (FHAE) is mandatory for this feature; it is off by default per Mobile IP RFC 3344. FHAE authenticates the registration exchange between the FA and the HA, which is what the FA relies on when it installs routes for a mobile network.
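Added example, not Cisco code: a Mobile IPv4 Registration Request carrying a Mobile-Home authentication extension from the mobile node and an FA-HA authentication extension (FHAE) appended by the Foreign Agent, verified at the Home Agent. It also serves section 2.5.4, whose dynamically generated security associations use the same extension format; only where the SPI and key come from differs. Message and extension layouts and the default HMAC-MD5 algorithm are from RFC 3344; the SPIs, keys and addresses are constructed, and the ip() helper is local to the example.

```python
"""Mobile IPv4 registration with Mobile-Home and FA-HA authentication
extensions: an added example, not Cisco code.  Layouts and the default
HMAC-MD5 algorithm follow RFC 3344; SPIs, keys and addresses are
constructed for the example."""

import hashlib
import hmac
import socket
import struct

TYPE_MHAE, TYPE_MFAE, TYPE_FHAE = 32, 33, 34   # RFC 3344 authentication extension types
AUTH_LEN = 16                                  # HMAC-MD5 authenticator, 128 bits


def ip(addr):
    """Dotted-quad to 4 bytes (helper local to this example)."""
    return socket.inet_aton(addr)


def registration_request(home_addr, home_agent, care_of, ident, lifetime=1800):
    """Fixed part of a Registration Request (RFC 3344 3.3): Type 1, flags,
    Lifetime, Home Address, Home Agent, Care-of Address and the 64-bit
    Identification field that gives replay protection."""
    return struct.pack("!BBH4s4s4sQ", 1, 0, lifetime, home_addr, home_agent, care_of, ident)


def add_auth_extension(msg, ext_type, spi, key):
    """Append an authentication extension.  The authenticator covers the UDP
    payload so far (request plus earlier extensions) and this extension's
    Type, Length and SPI, but not the authenticator field itself."""
    header = struct.pack("!BBI", ext_type, 4 + AUTH_LEN, spi)
    auth = hmac.new(key, msg + header, hashlib.md5).digest()
    return msg + header + auth


def verify_last_extension(msg, sa_table, expected_type):
    """Check the trailing extension against sa_table (spi -> key).  Return the
    message with that extension stripped when valid, otherwise None."""
    if len(msg) < 6 + AUTH_LEN:
        return None
    ext_type, length, spi = struct.unpack("!BBI", msg[-(6 + AUTH_LEN):-AUTH_LEN])
    key = sa_table.get(spi)
    if ext_type != expected_type or length != 4 + AUTH_LEN or key is None:
        return None
    expected = hmac.new(key, msg[:-AUTH_LEN], hashlib.md5).digest()
    if not hmac.compare_digest(expected, msg[-AUTH_LEN:]):
        return None
    return msg[:-(6 + AUTH_LEN)]


def ha_accept(packet, fa_ha_sas, mn_ha_sas, require_fhae=True):
    """Home Agent side: the FA's extension is outermost, so it is checked
    first; the mobile node's extension is checked on what remains."""
    inner = verify_last_extension(packet, fa_ha_sas, TYPE_FHAE)
    if inner is None:
        if require_fhae:
            return False       # FHAE mandatory, as for FA local routing
        inner = packet
    return verify_last_extension(inner, mn_ha_sas, TYPE_MHAE) is not None


def demo():
    mn_key, fa_key = b"mn-ha-key-constructed", b"fa-ha-key-constructed"
    mn_ha_sas, fa_ha_sas = {0x100: mn_key}, {0x200: fa_key}
    req = registration_request(ip("10.0.0.5"), ip("192.0.2.1"), ip("198.51.100.7"),
                               0x0123456789ABCDEF)
    from_mn = add_auth_extension(req, TYPE_MHAE, 0x100, mn_key)      # MN -> FA
    relayed = add_auth_extension(from_mn, TYPE_FHAE, 0x200, fa_key)  # FA -> HA
    tampered = relayed[:2] + b"\xff\xff" + relayed[4:]               # lifetime altered in flight
    return {
        "with_fhae": ha_accept(relayed, fa_ha_sas, mn_ha_sas),
        "missing_fhae": ha_accept(from_mn, fa_ha_sas, mn_ha_sas),
        "fhae_not_required": ha_accept(from_mn, fa_ha_sas, mn_ha_sas, require_fhae=False),
        "wrong_fa_key": ha_accept(add_auth_extension(from_mn, TYPE_FHAE, 0x200, b"guess"),
                                  fa_ha_sas, mn_ha_sas),
        "tampered": ha_accept(tampered, fa_ha_sas, mn_ha_sas),
    }


if __name__ == "__main__":
    print(demo())
```

The "missing_fhae" case is the one the feature text is about: with FHAE required, a registration relayed by an FA that adds no FA-HA extension is refused, so the HA never tells an unauthenticated FA which subnets sit behind a mobile router.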

Figure 21: Foreign Agent Local Routing to Mobile Networks—Before

[Figure 21 diagram: C3200 Mobile Access Router with a roamed connection (WLAN, CDMA, ...) to the Foreign Agent (FA); the IP traffic path to a Mobile IP host/device always routes through the mobile network's Home Agent (HA) on the home network, as per Mobile IP RFC 3344.]


Figure 22: Foreign Agent Local Routing to Mobile Networks—After

Benefits

• Optimized routing path between IP devices connected to a Foreign Agent and mobile networks that roam into and connect to the same Foreign Agent.

• Latency-sensitive applications such as video and voice benefit from the shorter routing path.

• Conserves link bandwidth between the FA and HA, which is beneficial when low-speed connections are in use.

Refer to the following document for additional information:

IP Mobility Support for IPv4: http://www.ietf.org/rfc/rfc3344.txt?number=3344

Hardware

Product Management Contact: [email protected]

Routers • Use Feature Navigator to find the latest supported platform information: http://www.cisco.com/go/fn/

[Figure 22 diagram: same topology as Figure 21; with this enhancement the routing path between an IP host connected to the Foreign Agent (FA) and mobile networks that roam to and connect to the same FA no longer passes through the HA, an enhancement to Mobile IP RFC 3344.]


2.5.3) Mobile IP—Mobile Networks PPP Dynamic Collocated Care-of-Address

Description

• Per RFC 3344, when a mobile node or mobile router connects to a Home Agent (HA) directly, bypassing a Foreign Agent (FA), it must obtain an IP address from the local network it has roamed into and use this address as its Co-located Care-of Address (CCoA).

– Mobile node: Mobile IP client capability on an individual IP device.

– Mobile router: Mobile IP client capability on a router or Layer 3 device with one or more subnets connected to it.

• This enhancement enables a mobile router to acquire an IP address dynamically from the network it has roamed into and use that address as its CCoA.

• This enhancement supports the use of PPP/IPCP to dynamically acquire an IP address.

• Support for DHCP to dynamically acquire an IP address will follow.

• The mobile router registers itself with its Home Agent using the dynamically acquired IP address. Upon successful registration, the Home Agent builds a tunnel to the mobile router's CCoA.

• Prior to this enhancement, every interface on a mobile router requiring CCoA support had to have a statically pre-configured IP address.

Figure 23: Mobile Networks PPP Dynamic Co-Located CCoA

[Figure 23 diagram: the C3200 Mobile Access Router (MAR) and its Home Agent (HA) in two cases.
GPRS (no FA present): the MAR roams into the GPRS network and detects no FA; it obtains an IP address dynamically using PPP/IPCP; it connects directly to the HA in CCoA mode and registers with the HA using the dynamically acquired address as its CCoA; the HA authenticates the MAR and builds a tunnel directly to the MAR's CCoA.
CDMA (FA present): the MAR roams into the CDMA network and detects an FA; it connects to the HA through the FA; the HA authenticates the MAR; traffic from the HA reaches the MAR in two stages, HA to FA and FA to MAR.]


Benefits

• Greatly simplifies configuration and provisioning of a mobile router, such as the Cisco 3200 Mobile Access Router.

• With Dynamic CCoA support the mobile router can automatically detect whether a Foreign Agent is present in the network it has roamed into and determine the appropriate method for connecting to its Home Agent.

• Flexibility to roam into, and connect through, networks that may not be known in advance.

• Ability to dynamically acquire an IP address from the network it has roamed into.

• The initial support for a static Co-located Care-of Address (CCoA) required upfront knowledge of all potential networks the Mobile Access Router would connect to and through, and required an IP address to be pre-provisioned for each mobile router.

Refer to the following document for additional information:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123newft/123t/123t_4/gtcolloc.htm

IP Mobility Support for IPv4: http://www.ietf.org/rfc/rfc3344.txt?number=3344

Hardware

Product Management Contact: [email protected]

2.5.4) Dynamic Security Associations and Key Distribution

Dynamic Security Associations and Key Distribution eases Mobile IP deployment by simplifying the security aspects of Mobile IP configuration and provisioning. Before this feature, the security associations, including the security parameter index (SPI), authentication algorithm and pre-shared key, had to be determined in advance and configured on the Mobile IP client. With this feature, the security associations no longer need to be configured manually in advance. The Mobile IP client derives the security associations from its user's Windows login name and password when the user logs in to the Windows domain. The Home Agent router authenticates the user against an existing Windows authentication system, such as a Windows Domain Controller or Windows Active Directory. Once the user is authenticated, the HA generates the user's security associations dynamically and uses them to authenticate the Mobile IP registration. Additionally, the dynamic key can be renewed to further improve security. Because the key is derived from the Windows credentials, Mobile IP registration is then only as strong as those credentials and the path between the HA and the Windows authentication system.

Routers • Use Feature Navigator to find the latest supported platform information: http://www.cisco.com/go/fn/


Figure 24: Dynamic Security Associations and Key Distribution

Benefits

• Improves the user's mobility experience by integrating the Windows login with the Mobile IP client login.

• Simplifies Mobile IP provisioning for network administrators by leveraging the existing authentication infrastructure and eliminating separate key allocation to mobile users.

• Increases mobility security through dynamic re-keying.

Hardware

Product Management Contact: Mark Denny, [email protected]

Routers • Cisco 1700, 2600, 7200, and 7500 Series Routers

• Cisco 3631, 3640, and 3660 Routers

Figure 24 message flow (from the figure labels): the Mobile Node sends a Registration Request to the Home Agent. The Home Agent asks the RADIUS Server to authenticate the user and acquire a secure key from the existing security infrastructure; the RADIUS Server relays the request to the Windows Domain Controller or Active Directory (User DB), which authenticates the user and returns an Authenticate Reply. The RADIUS Server replies to the Home Agent with the authentication result and the secure key, and the Home Agent generates the SA for the user and performs the Mobile IP authentication locally. The Home Agent returns a Registration Reply and the registration completes. On its side, the Mobile Node generates the SA using the user's Windows login username and password.


2.6) IP Multicast

Table 7 IP Multicast Feature Highlights

2.6.1) Multicast Enhancements

Bootstrap Router (BSR) for IPv6 is one of the mechanisms by which an IPv6 PIM router learns the set of Group-to-RP mappings required for IPv6 PIM SM and Bi-Dir to function. The mechanism is dynamic, largely self-configuring, and robust to router failure.

Source-based filtering for the multicast boundary adds SSM (S,G) filtering support on the multicast boundary. This extends the “ip multicast boundary <acl>” command so that SSM has the same access-control capabilities already offered for ASM, and makes the command more useful as a general tool. The ACL named in “ip multicast boundary <acl>” can be a standard or an extended ACL.
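What the extended ACL adds at the boundary, as an added example that is not part of the bulletin or of Cisco IOS: a small evaluator for the decision an interface configured with “ip multicast boundary <acl>” takes for one (source, group) pair, run over a standard and an extended ACL. The ACL contents, the parser subset and the `compare` helper are constructed for the example; the ACL rules modelled (first match wins, implicit deny, wildcard masks) are the usual IOS ones.

```python
"""Multicast boundary evaluation for (S,G) traffic (constructed illustration).

Models the decision taken at an interface configured with
"ip multicast boundary <acl>" for a given (source, group) pair. A standard ACL
can only match the group address, so it cannot single out one SSM source sending
to a channel; an extended ACL matches source and group, which is what
source-based (S,G) filtering on the boundary adds. ACL semantics follow the usual
IOS rules (first match wins, implicit deny at the end). The ACL contents below are
constructed sample data, not configuration from the bulletin.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Ace:
    permit: bool
    group: ipaddress.IPv4Network
    source: Optional[ipaddress.IPv4Network] = None  # None: standard ACL entry (group only)


def _take_addr(tokens: List[str]):
    """Consume one IOS address expression: 'any', 'host A', or 'A WILDCARD'."""
    if tokens[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.IPv4Network(tokens[1] + "/32"), tokens[2:]
    # IOS wildcard masks are inverted netmasks; non-contiguous wildcards are rejected.
    wildcard = int(ipaddress.IPv4Address(tokens[1]))
    netmask = ipaddress.IPv4Address(0xFFFFFFFF ^ wildcard)
    return ipaddress.IPv4Network((tokens[0], str(netmask)), strict=False), tokens[2:]


def parse_acl(lines: List[str]) -> List[Ace]:
    """Parse a small subset of IOS standard and extended ACL syntax."""
    aces = []
    for line in lines:
        tokens = line.split()
        if not tokens or tokens[0] == "remark":
            continue
        permit = tokens[0] == "permit"
        rest = tokens[1:]
        source = None
        if rest and rest[0] == "ip":            # extended entry: 'ip <source> <group>'
            source, rest = _take_addr(rest[1:])
        group, rest = _take_addr(rest)
        aces.append(Ace(permit, group, source))
    return aces


def boundary_permits(acl: List[Ace], source: str, group: str) -> bool:
    """True if the boundary lets (source, group) through; implicit deny otherwise."""
    s, g = ipaddress.IPv4Address(source), ipaddress.IPv4Address(group)
    for ace in acl:
        if g in ace.group and (ace.source is None or s in ace.source):
            return ace.permit
    return False


# Constructed sample ACLs. The standard list has no way to express "10.1.1.5 may
# not send to SSM channels"; the extended list can.
STANDARD_ACL = [
    "permit 232.0.0.0 0.255.255.255",   # all SSM groups (RFC 3569 range), any source
    "deny 239.0.0.0 0.255.255.255",     # keep administratively scoped groups inside
]
EXTENDED_ACL = [
    "deny ip host 10.1.1.5 232.0.0.0 0.255.255.255",  # one rogue source, every SSM channel
    "permit ip any 232.0.0.0 0.255.255.255",
    "deny ip any 239.0.0.0 0.255.255.255",
    "permit ip any 224.0.0.0 15.255.255.255",          # remaining multicast range
]


def compare(source: str, group: str):
    """(standard verdict, extended verdict) for one (S,G) pair."""
    return (boundary_permits(parse_acl(STANDARD_ACL), source, group),
            boundary_permits(parse_acl(EXTENDED_ACL), source, group))


if __name__ == "__main__":
    print(compare("10.1.1.5", "232.1.1.1"))  # (True, False): only the extended ACL stops the source
```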

VRF Aware Multicast Error Messages will display the VRF names for the error messages generated by IP Multicast

subsystems when MVPN is in use. This additional information can be better used to associate protocol and packet

forwarding events with their MVPNs which can be very useful in software or network problem troubleshooting.

When an MVPN related error message is printed, the first parameter it will display is the VRF name it is related to,

followed by whatever is displayed today. This is modeled after the unicast VPN error messages and only applies to

the configured VRFs. Error messages related to the global table will stay the same.

Inhibit Customer Traffic from Flooding in the MVPN Core automatically sets the default PIM mode of the MDT tunnel according to the PIM mode of the native interfaces in the MVRF. The three possible cases of MVRF interface configuration, and their corresponding MDT tunnel modes, are:

1. All native interfaces are in sparse-dense or dense mode, the MDT tunnel will be in sparse-dense mode.

2. All native interfaces are in sparse mode, the MDT tunnel will be in sparse mode.

3. Some are in sparse and some are in sparse-dense or dense mode, the MDT tunnel will be in sparse-dense mode.

Hardware

Product Management Contact: [email protected]

Sections

2.6.1) Multicast Enhancements

2.6.2) MSDP Compliance with IETF MSDP Draft 20

2.6.3) IPv6 Multicast Phase 1 & Phase 2

2.6.4) PIM Dense Mode Fallback Prevention after RP Information Loss

Routers • Cisco 2600, 3700, 7200, and 7500 Series Routers

• Cisco 3631, 3640, and 3660 Routers


2.6.2) MSDP Compliance with IETF MSDP Draft 20

Description

The MSDP Compliance with IETF MSDP Draft 20 feature enables you to use BGP route reflectors without running MSDP on them. It also allows an Interior Gateway Protocol (IGP) to be used for the RPF check, so that MSDP peerings can run without BGP or MBGP.

Benefits

This feature adds support for the following functions:

• Allows the use of BGP route reflectors without running MSDP on them.

• Allows the use of an Interior Gateway Protocol (IGP) for the RPF check, giving you the ability to run peerings without BGP or MBGP.

• Provides ability to have peerings between routers in non-directly connected autonomous systems (that is, with

one or more autonomous systems between them). This helps in confederation configurations and for redundancy.

• Provides valuable information while debugging MSDP problems with the new “show ip msdp rpf” command.

Hardware

Product Management Contact: [email protected]

2.6.3) IPv6 Multicast Phase 1 & Phase 2

Description

IPv6 Multicast is a new version of IP Multicast designed to be an evolutionary step from IPv4 Multicast. Although the basic notion of multicasting is common to IPv4 and IPv6, the differences between the two require several new approaches to the implementation, including the handling of multicast interfaces and the use of scoped addresses in PIM.

Cisco IPv6 Multicast feature set (Phase 1 & Phase 2) introduces all the mandatory software components required

to deploy a production IPv6 Multicast network, to support any IPv6 Multicast application end-to-end in a given

network. It supports the deployment scenarios for both intra-domain and inter-domain IPv6 Multicast.

IPv6 Multicast Phase 1 feature introduces the support for:

• RFC 2373

• RFC 3569

• RFC 3590

• PIM (Protocol Independent Multicast)

• Source Specific Multicast (PIM-SSM)

• Sparse-Mode (PIM-SM)

• Full MLDv1/v2 Compatibility

• Explicit Tracking in v2 Mode

Routers • Cisco 3700 Series

• Cisco 7200 Series and Cisco 7500 Series


• Full Support for DR Functionality (registers, etc.)

• Static RP Assignment with Multiple RP Mapping

• Intra-Domain Multicast Routing via PIMv6-SM

• Inter-Domain Multicast via PIMv6-SSM

• Multicast v6 Ping

• Mtrace for v6

• IPv6 Scoped Address Architecture

• Basic Multicast v6 Debugging Capabilities

• v6-in-v4 Tunneling

IPv6 Multicast Phase 2 feature introduces the support for:

• Support for Embedded RP Mapping

• mBGP for Multicast v6

• Static mroutes

• Forwarding Support for BSR Messages

• MLD Access-Groups for Receiver Control

• Register Filters for Source Control

• Enhanced Boundaries, Policy per Sources and per Groups

• Distributed Fast Switching for Multicast v6

• v6-in-v6 Tunneling

Figure 25 IPv6 Multicast Phase 1 & Phase 2

Figure 25 labels: an IPv6 Multicast Source in ISP-A and IPv6 Multicast Receivers in ISP-B; MLD v1, v2 (with MLD Snooping) on the receiver side; PIM SM–v6 and PIM SSM–v6 within each ISP; an RP for v6 in each domain; and MBGP for IPv6 between the domains.


Benefits

• Cisco IPv6 Multicast feature set allows you to deploy a production IPv6 Multicast network, to support

any IPv6 Multicast application end-to-end in a given network.

• It supports the deployment scenarios for both intra-domain and inter-domain IPv6 Multicast.

Hardware

Product Management Contact: [email protected]

2.6.4) PIM Dense Mode Fallback Prevention after RP Information Loss

Description

Preventing the use of PIM dense mode is very important to multicast networks whose reliability is critical. This

feature enables you to prevent Protocol Independent Multicast (PIM) dense mode fallback when all rendezvous

points fail. It provides a mechanism to keep the multicast groups in sparse mode and also allows you to block

multicast traffic for groups not specifically configured.

Benefits

• Ability to block multicast traffic for groups not specifically configured.

• Provides a mechanism to keep the multicast groups in sparse mode.

Hardware

Product Management Contact: [email protected]

Routers • Cisco 3700 Series

• Cisco 7200 and 7500 Series



2.7) IP Routing

Table 8 IP Routing Feature Highlights

2.7.1) Enhanced Interior Gateway Routing Protocol Prefix Limit Support

Enhanced Interior Gateway Routing Protocol (EIGRP) allows the network administrator to limit the number of

prefixes learned by EIGRP. This feature provides a means to limit the shared resources (memory and CPU) consumed

by the EIGRP process.

Additional CLI configuration options are added to support this feature.

Benefits

• Provides optional facility to force an upper bound on the number of prefixes learned by the EIGRP routing

process.

• Is useful for preventing unwanted oversubscription of shared resources.

Sections

2.7.1) Enhanced Interior Gateway Routing Protocol Prefix Limit Support

2.7.2) Enhanced IGRP Simple Network Management Protocol Support

2.7.3) Open Shortest Path First Sham-Link MIB Support

2.7.4) Border Gateway Protocol Support for Fast Peering Session Deactivation

2.7.5) Border Gateway Protocol Support for IP Prefix Import from Global Table into Virtual Routing and Forwarding Table

2.7.6) Border Gateway Protocol Support for Next-Hop Address Tracking

2.7.7) Routemap Display Extension

2.7.8) Optimized Edge Routing Support for Cost-Based Optimization and Traceroute Reporting

2.7.9) Policy-Based Routing: Recursive Next Hop

2.7.10) Internet Group Management Protocol Version 3 Host Stack

2.7.11) Per Interface mroute State Limit

2.7.12) Integrated Routing and Bridging Support on MGX-RPM-XF-512

2.7.13) Border Gateway Protocol Support for Named Extended Community Lists

2.7.14) Border Gateway Protocol Support for Sequenced Entries in Extended Community Lists

2.7.15) Border Gateway Protocol Support for Dual Autonomous System Configuration for Network Autonomous System Migrations

2.7.16) Cisco Optimized Edge Routing Support for Policy-Rules Configuration and Port-Based Prefix Learning

2.7.17) Enabling Open Shortest Path First v2 on an Interface Using the ip ospf area Command

2.7.18) Cisco Optimized Edge Routing

2.7.19) Enhanced Interior Gateway Routing Protocol Support for Route Map Filtering

2.7.20) Enhanced Interior Gateway Routing Protocol MPLS VPN PE-CE Site of Origin

2.7.21) Border Gateway Protocol Cost Community Support for Enhanced Interior Gateway Routing Protocol MPLS VPN PE-CE with Back Door Links

2.7.22) OSPF Link State Database Overload Protection

2.7.23) OSPF Area Transit Capability

2.7.24) OSPF Per-Interface Link Local Signaling (LLS)

2.7.25) VRF Selection using Policy Based Routing

2.7.26) BGP Transient Memory Usage Enhancement

2.7.27) BGP Support for TTL Security Check

2.7.28) CLNS Support for GRE Tunneling of IPv4 and IPv6


Hardware

Product Management Contact: Chetan Khetani ([email protected])

2.7.2) Enhanced IGRP Simple Network Management Protocol Support

This feature provides SNMP MIB support for SNMP GET and SNMP TRAPS for EIGRP and provides an

infrastructure interface for network management.

Benefits

• Provides the ability to monitor EIGRP from a remote management system.

• Provides notification on EIGRP events.

Hardware

Cisco IOS Packaging

EIGRP SNMP Support is positioned in the Enterprise Base packages across Cisco routers.

Cisco IOS Packaging Contact: Fariba Farniam ([email protected])

Product Management Contact: Chetan Khetani ([email protected])

2.7.3) Open Shortest Path First Sham-Link MIB Support

In some MPLS VPN networks, OSPF sham link is used to interconnect two VPN sites that share the same OSPF area.

This arrangement presents some difficulty for network management. Prior to this feature, no SNMP MIB objects

have provided useful information for OSPF sham links.

This feature enhances the specific Cisco MIB (CISCO-OSPF-MIB.my) to allow for monitoring of OSPF sham links.

The enhancement allows for:

• Status queries

• Notification of error

• Notification of state change

• Statistical information on retransmissions

Benefits

Provides a means to manage OSPF sham links.

Hardware

Routers • Cisco 800, 1700, 1800, 2600XM, 2800, 3600, 3700, 3800, and 7200 Series Routers



Considerations

The implementation is RFC 1850 compliant and based on an OSPFv2 MIB IETF draft. See IETF draft draft-rosen-vpns-ospf-bgp-mpls-05.txt.

Product Management Contact: Chetan Khetani ([email protected])

2.7.4) Border Gateway Protocol Support for Fast Peering Session Deactivation

Border Gateway Protocol (BGP) Support for Fast Peering Session Deactivation accelerates the speed at which the BGP subsystem releases a peering session. The BGP subsystem deactivates the peering session immediately upon indication that the peer is gone, eliminating an internal wait timer; multiple failure detection mechanisms are linked so that any of them triggers session deactivation.

Benefits

• Improves routing protocol reconvergence.

• Speeds BGP session deactivation in the event of a dead neighbor.

• Provides support for faster session deactivation when peers go away.

Hardware

Cisco IOS Packaging

BGP Support for Fast Peering Session Deactivation is positioned in the Advanced Security and SP Services packages

across Cisco routers.

Cisco IOS Packaging Contact: Fariba Farniam ([email protected])

Product Management Contact: Pepe Garcia ([email protected])

2.7.5) Border Gateway Protocol Support for IP Prefix Import from Global Table into Virtual Routing and Forwarding Table

This feature allows customers to specify which specific prefixes from the global routing table are to be imported into

a VPN routing and forwarding table.

Hardware

Cisco IOS Packaging

BGP Support for IP Prefix Import From Global Table Into a VRF Table is positioned in the Advanced Security and

SP Services packages across Cisco routers.

Cisco IOS Packaging Contact: Fariba Farniam ([email protected])

Product Management Contact: Pepe Garcia ([email protected])

Routers • Cisco 800, 1700, 1800, 2600XM, 2800, 3600, 3700, 3800, and 7200 Series Routers



2.7.6) Border Gateway Protocol Support for Next-Hop Address Tracking

Border Gateway Protocol (BGP) Next-Hop Address Tracking provides a mechanism for routes learned using BGP

to converge more quickly on a new path when triggered by a change to a monitored BGP next-hop address.

An address-tracking filter mechanism is used to filter notifications to the routing information base. This mechanism

allows for new path selection to begin as soon as the notification regarding the change in reachability state of the

next hop occurs. The results are much faster convergence of traffic to a new path and less impact to traffic flows.

All of these facts mean faster reconvergence, leading to improved perception of reliability for users.

Figure 26 Next-Hop Tracking Speeds Reconvergence

Next-Hop Tracking will trigger the BGP scanner at PE-1 to run immediately on Interior Gateway Protocol (IGP)

convergence, so the route through PE-3 will handle traffic upon failure to PE-2.

Benefits

• Provides faster routing protocol reconvergence.

• Avoids delays for traffic to get to destination.

• Reduces service impact.

Hardware

Product Management Contact: Pepe Garcia ([email protected])

2.7.7) Routemap Display Extension

Routemap Display Extension enhances the display of dynamic routemaps to include detailed information about the

ACLs used in the match clauses.

Benefits

• Makes more details available using CLI show command.

• Simplifies troubleshooting and checking of configuration.

Routers • Cisco 800, 1700, 1800, 2600XM, 2800, 3600, 3700, 3800, and 7200 Series Routers



Hardware

Cisco IOS Packaging

Routemap Display Extension is positioned in IP Base packages across Cisco routers.

Cisco IOS Packaging Contact: Fariba Farniam ([email protected])

Product Management Contact: Chetan Khetani ([email protected])

2.7.8) Optimized Edge Routing Support for Cost-Based Optimization and Traceroute Reporting

Optimized Edge Routing (OER) provides automatic outbound route optimization for multihomed enterprises by

establishing criteria for the optimal exit point for traffic destined for other networks. OER enables link selection

according to performance, cost, and load distribution policy.

This enhancement provides outbound traffic optimization based on financial link cost. The idea is to minimize the

cost associated with service through efficient and effective traffic routing. This is called cost minimization.

The configuration for cost minimization supports fixed-cost Service Level Agreements (SLAs) and tier-based-with-

bursting cost SLAs. SLAs encompass the billing criteria that are established with each ISP. Although the specific

details of “tier-based-with-bursting” billing models will vary by ISP, most ISPs will use some variation of the

following algorithm to calculate what an enterprise should pay in a tiered billing plan:

1. Gather periodic measurements of egress and ingress traffic carried on the enterprise’s connection to the ISP’s

network and aggregate the measurements to generate a rollup value for a rollup period.

2. Generate one or more rollup values per billing period.

3. Rank the rollup values for the billing period from the largest value to the smallest.

4. Discard the top 5 percent of the rollup values to accommodate bursting.

5. Apply the highest remaining rollup value to a tiered structure to determine a tier associated with the rollup value.

6. Charge the customer based on a set cost associated with the determined tier.
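The six-step billing algorithm carried through on constructed data, as an added example that is not part of the bulletin or of Cisco OER: samples are aggregated into rollup values, ranked, the top 5 percent discarded, and the highest remaining value mapped onto a tier table. The sample traffic, the rollup length (six samples per rollup) and the tier table (`TIERS`) are assumptions; real ISPs differ in sampling interval, rollup period, and whether ingress and egress are billed separately or combined.

```python
"""Tier-based-with-bursting billing (constructed illustration of the six steps above).

Aggregates periodic utilisation samples into rollup values, ranks them, discards
the top 5 percent to allow for bursting, and maps the highest remaining value
onto a tier table. Sample traffic, the rollup period and the tier table are all
constructed; real ISPs differ in sampling interval, rollup length, and whether
ingress and egress are billed separately or combined.
"""
from typing import List, Sequence, Tuple


def rollup_values(samples_kbps: Sequence[float], samples_per_rollup: int) -> List[float]:
    """Steps 1-2: average each block of consecutive samples into one rollup value."""
    usable = len(samples_kbps) - len(samples_kbps) % samples_per_rollup  # drop a partial tail
    return [sum(samples_kbps[i:i + samples_per_rollup]) / samples_per_rollup
            for i in range(0, usable, samples_per_rollup)]


def billable_rollup(rollups: Sequence[float], burst_fraction: float = 0.05) -> float:
    """Steps 3-5: rank descending, discard the top burst_fraction, take the highest left."""
    if not rollups:
        raise ValueError("no rollup values for the billing period")
    ranked = sorted(rollups, reverse=True)
    discard = int(len(ranked) * burst_fraction)   # floor, so at least one value survives
    return ranked[discard]


def tier_for(value_kbps: float, tiers: Sequence[Tuple[float, float]]) -> Tuple[float, float]:
    """Steps 5-6: tiers are (ceiling_kbps, charge); pick the lowest ceiling the value fits under."""
    for ceiling, charge in sorted(tiers):
        if value_kbps <= ceiling:
            return ceiling, charge
    raise ValueError(f"{value_kbps} kbps exceeds the highest tier")


def monthly_charge(samples_kbps, samples_per_rollup, tiers, burst_fraction=0.05):
    """Run steps 1-6 and return (billable_kbps, tier_ceiling, charge)."""
    billable = billable_rollup(rollup_values(samples_kbps, samples_per_rollup), burst_fraction)
    ceiling, charge = tier_for(billable, tiers)
    return billable, ceiling, charge


# Constructed sample: 600 five-minute samples (50 hours) varying between 300 and
# 360 kbps, plus six short bursts to 6000 kbps that land in five rollup periods.
SAMPLES = [300.0 + (i % 7) * 10 for i in range(600)]
for _burst in (13, 97, 250, 251, 399, 500):
    SAMPLES[_burst] = 6000.0

# Constructed tier table: (committed ceiling in kbps, monthly charge).
TIERS = [(500, 900.0), (1000, 1500.0), (2000, 2500.0), (5000, 4000.0)]


if __name__ == "__main__":
    print(monthly_charge(SAMPLES, 6, TIERS))       # bursts discarded: (335.0, 500, 900.0)
    print(monthly_charge(SAMPLES, 6, TIERS, 0.0))  # every burst counts: top tier
```

With 100 rollup values the 5 percent discard removes exactly the five burst periods, so the bill lands in the lowest tier; billing on the raw maximum instead would land in the top tier. That gap is the cost that OER's cost-minimization policy tries to keep from being crossed when it steers traffic across exits.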

Cisco OER seeks to minimize the overall service cost by distributing traffic in the most cost-efficient way (or as

configured). By deploying the Cisco OER bandwidth cost minimization functionality, customers can instruct Cisco

OER to select the exit links that provide the most cost-effective bandwidth utilization, while still maintaining the

desired performance characteristics.

This release also adds support for traceroute reporting. The feature allows the network administrator to form a

clearer picture of the amount of delay introduced by different segments in the path. If an unexpected round-trip delay

value for a prefix on a particular exit is observed, the delay can be quantified on a per-hop basis.

Benefits

• Allows companies to minimize traffic sent over expensive links or consolidate multiple flat-rate connections to

fewer and lower cost connection services.

• Provides statistics on traffic distribution and usage before and after route optimization.

• Helps enterprise customers manage ISP costs more effectively.

Routers • Cisco 800, 1700, 1800, 2600XM, 2800, 3600, 3700, 3800, and 7200 Series Routers


Hardware

Cisco IOS Packaging

OER Support for Cost-Based Optimization and Traceroute Reporting feature is positioned in the Advanced Security,

SP Services, and Enterprise Base packages across Cisco routers.

Cisco IOS Packaging Contact: Fariba Farniam ([email protected])

Product Management Contact: Paul Kohler ([email protected])

2.7.9) Policy-Based Routing: Recursive Next Hop

Policy-Based Routing (PBR): Recursive Next Hop provides the ability to set a next hop that is not directly connected

to enable load balancing when PBR is used.

With this feature enabled, the routing table will be examined recursively to find the directly connected next hop when

PBR is used to set an indirect next hop.

The following new configuration command is introduced:

set ip next-hop recursive

This command may be used to set a directly connected next hop or subnet as well as an indirect next hop or subnet.
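The recursive lookup the command performs, as an added example that is not part of the bulletin or of Cisco IOS: a toy routing table that resolves a policy next hop by longest-prefix match until every path ends at a directly connected next hop, returning all equal-cost egress paths so they can be load-shared, next to the non-recursive behaviour that rejects a next hop that is not directly connected. The routes, interface names (`FastEthernet0/0`, `FastEthernet0/1`) and the deliberate resolution loop are constructed, loosely following the addresses in Figure 27.

```python
"""Recursive next-hop resolution for policy-based routing (constructed illustration).

"set ip next-hop" needs a directly connected next hop. "set ip next-hop recursive"
lets the route map name a remote address: the router walks the routing table,
longest prefix first, until every path ends at a directly connected next hop, and
when the recursive route has several equal-cost paths all of them are returned so
the forwarding plane can load-share across them. The routing table is constructed
sample data loosely following Figure 27 (R1 with links 1.1.1.0/24 and 2.2.2.0/24,
3.3.3.0/24 as the recursive target); interface names are assumptions.
"""
import ipaddress
from collections import namedtuple
from typing import Optional, Set, Tuple

Route = namedtuple("Route", "network next_hops interface")  # next_hops == () => connected


class RoutingTable:
    MAX_DEPTH = 8  # guard against routes that resolve to each other

    def __init__(self):
        self._routes = []

    def add_connected(self, prefix: str, interface: str):
        self._routes.append(Route(ipaddress.IPv4Network(prefix), (), interface))

    def add_route(self, prefix: str, *next_hops: str):
        self._routes.append(Route(ipaddress.IPv4Network(prefix), tuple(next_hops), None))

    def lookup(self, address: str) -> Optional[Route]:
        """Longest-prefix match for one destination address."""
        addr = ipaddress.IPv4Address(address)
        matches = [r for r in self._routes if addr in r.network]
        return max(matches, key=lambda r: r.network.prefixlen, default=None)

    def resolve(self, next_hop: str, depth: int = 0) -> Set[Tuple[str, str]]:
        """All (egress interface, adjacent hop) pairs that next_hop recursively resolves to."""
        if depth > self.MAX_DEPTH:
            return set()
        route = self.lookup(next_hop)
        if route is None:
            return set()
        if not route.next_hops:                  # connected: next_hop is the adjacency itself
            return {(route.interface, next_hop)}
        resolved = set()
        for hop in route.next_hops:              # equal-cost paths all contribute
            resolved |= self.resolve(hop, depth + 1)
        return resolved


def pbr_next_hops(table: RoutingTable, next_hop: str, recursive: bool) -> Set[Tuple[str, str]]:
    """Forwarding choices for 'set ip next-hop' (recursive=False) or 'set ip next-hop recursive'."""
    if recursive:
        return table.resolve(next_hop)
    route = table.lookup(next_hop)
    if route is None or route.next_hops:
        return set()  # plain set ip next-hop: a non-connected next hop is unusable
    return {(route.interface, next_hop)}


def sample_table() -> RoutingTable:
    """Constructed R1 routing table."""
    t = RoutingTable()
    t.add_connected("1.1.1.0/24", "FastEthernet0/0")
    t.add_connected("2.2.2.0/24", "FastEthernet0/1")
    t.add_route("3.3.3.0/24", "1.1.1.2", "2.2.2.2")    # two equal-cost paths towards R2
    t.add_route("6.6.6.0/24", "3.3.3.1")                # resolves through 3.3.3.0/24
    t.add_route("7.7.7.0/24", "8.8.8.1")                # constructed resolution loop
    t.add_route("8.8.8.0/24", "7.7.7.1")
    return t


if __name__ == "__main__":
    t = sample_table()
    print(pbr_next_hops(t, "3.3.3.1", recursive=False))  # set(): not directly connected
    print(pbr_next_hops(t, "3.3.3.1", recursive=True))   # both FastEthernet paths
```

The depth guard matters in practice: a recursive next hop whose route points back at itself would otherwise never terminate, and the policy should fail closed (no forwarding via the policy) rather than hang.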

Figure 27 Using Recursive Next Hop for Load Balancing

Benefits

Allows use of Cisco Express Forwarding load balancing when PBR is configured.

Hardware

Routers • Cisco 800, 1700, 1800, 2600XM, 2800, 3600, 3700, 3800, and 7200 Series Routers


Figure 27 labels: R1 (PBR configured with a recursive next-hop set, e.g. match x, set next-hop recursive 3.3.3.0/24), R2, and the networks 1.1.1.0/24, 2.2.2.0/24, 3.3.3.0/24, 5.5.5.0/24 and 6.6.6.1.


Cisco IOS Packaging

Policy-Based Routing: Recursive Next Hop is positioned in the IP Base packages across Cisco routers.

Cisco IOS Packaging Contact: Fariba Farniam ([email protected])

Product Management Contact: Chetan Khetani ([email protected])

2.7.10) Internet Group Management Protocol Version 3 Host Stack

Internet Group Management Protocol (IGMP) Version 3 Host Stack support enables the router or switch to behave

as a multicast network endpoint or host. The support for IGMPv3 also allows other Cisco IOS Software subsystems

to take advantage of the infrastructure to use Source Specific Multicast (SSM) for broadcast functions.

One reason to use this feature is the rapid deployment of voice applications and gateway functionality within Cisco

IOS Software. Cisco devices that provide voice services may join a multicast channel for music on hold and convert

and distribute that stream to analog or ISDN interfaces.

Benefits

• Provides infrastructure needed to support voice applications, specifically Multicast Music on Hold (MMoH).

• Aids troubleshooting for problems related to multicast.

Hardware

Cisco IOS Packaging

IGMPv3 Host Stack is positioned in the IP Base packages across Cisco routers.

Cisco IOS Packaging Contact: Fariba Farniam ([email protected])

Product Management Contact: Gurvinder Singh ([email protected])

2.7.11) Per Interface mroute State Limit

The Per Interface mroute State Limit feature will limit the number of mroute states on a per-interface basis. This

limitation is beneficial for access routers or Layer 3 switches, particularly for deployments of advanced Ethernet

services or Ethernet to the home, curb, pedestal, business, multiple tenant dwelling unit, and so on.

Prior to this feature, Cisco IOS Software supported an ability to limit mroute states on a per-VRF basis using “ip multicast [vrf <name>] route-limit”. This feature extends that capability to allow specification on an interface basis.

Benefits

• Extends the benefits of Ethernet as a last-mile technology.

• Offers more granular DoS attack prevention.

Hardware

Routers • Cisco 800, 1700, 1800, 2600XM, 2800, 3600, 3700, 3800, and 7200 Series Routers



Cisco IOS Packaging

Per Interface mroute State Limit is positioned in the IP Base packages across Cisco routers.

Cisco IOS Packaging Contact: Fariba Farniam ([email protected])

Product Management Contact: Gurvinder Singh ([email protected])

2.7.12) Integrated Routing and Bridging Support on MGX-RPM-XF-512

Integrated routing and bridging (IRB) is a bridging mechanism that allows integration of traditional systems

with your IP network. IRB is useful when you need to connect bridged networks with Layer 3 routed networks.

IRB has existed in Cisco IOS Software since Release 11.2, and is available on a wide variety of Cisco products.

This feature adds support for the Cisco MGX® Route Processor Module.

Benefits

Increases the deployment options for the Cisco MGX Route Processor Module.

Hardware

Cisco IOS Packaging

IRB Support on Cisco MGX Route Processor Module is positioned in the Enterprise Base packages across Cisco

routers.

Cisco IOS Packaging Contact: Fariba Farniam ([email protected])

Product Management Contact: Christopher Kolstad ([email protected])

2.7.13) Border Gateway Protocol Support for Named Extended Community Lists

Border Gateway Protocol (BGP) uses extended community lists to apply policies to groups of prefixes to distinguish

routing paths. This enhancement introduces support for named extended community lists. Previously, extended

community lists could only be numbered and were limited to a few hundred entries.

Benefits

• Improves customer’s ability to manage and troubleshoot BGP policies by using name strings for extended

community lists instead of numerical values.

• No inherent limit on the number of named extended community lists, provided that they are uniquely named.

Hardware

Product Management Contact: Pepe Garcia, [email protected]

Routers • Cisco 800, 1700, 1800, 2600XM, 2800, 3600, 3700, 3800, and 7200 Series Routers

Routers • Cisco 1700, 2600, 3700, 7200, 7400, 7500 Series, and 7600-MWAM


2.7.14) Border Gateway Protocol Support for Sequenced Entries in Extended Community Lists

Border Gateway Protocol (BGP) uses extended community lists to apply policies to groups of prefixes, in order to

distinguish routing paths. These extended community lists are applied in sequential order and can become large in

some implementations.

This enhancement provides support for sequencing individual entries in an extended community list.

Benefits

Specific entries within an extended community list are more easily removed, added, and/or modified in a list without

having to remove and re-apply the whole list. Each entry has its own sequence number allowing configuration

changes to be more efficiently done to individual entries.

Hardware

Product Management Contact: Pepe Garcia, [email protected]

2.7.15) Border Gateway Protocol Support for Dual Autonomous System Configuration forNetwork Autonomous System Migrations

When a Service Provider merges its Autonomous System (AS) with another (for example, through a business acquisition), this feature provides a seamless way to transition customers to the new AS.

This transition involves two integrated feature components:

• Maintaining the TCP session with the customer’s router independent of AS.

• Modifying the inbound and outbound as-path lists so that this transition to a new AS is as transparent to the

customer as possible.

Benefits

This feature allows Service Providers to more easily transition customers from one of their AS numbers to another during the transition phase. Customers can change the Service Provider AS number in their configurations at their own convenience.

Hardware

Product Management Contact: Pepe Garcia, [email protected]

2.7.16) Cisco Optimized Edge Routing Support for Policy-Rules Configuration and Port-BasedPrefix Learning

The Cisco Optimized Edge Routing (OER) policy-rules master subcommand facilitates easy switching between

configured OER policies. Customers can define more than one oer-map and select the current map with the policy-

rules enhancement.

Routers • Cisco 1700, 2600, 3600, 3700, 7200, 7300, 7400, 7500 Series, and 7600-MWAM



Cisco OER automatically learns prefixes that have the highest throughput or greatest delay. In addition to this

automatic prefix learning, Cisco OER now can filter prefixes on the basis of “interesting” protocol-ports configured

by the administrator.

Benefits

• When the network administrator knows that traffic streams to ports below certain numbers, or traffic flowing to a particular protocol or protocol-port combination, is not important and need not be optimized, protocol-port based learning can be configured to optimize the learning process by learning only what is important to the administrator and the enterprise.

• If the network administrator is interested in learning prefixes destined to or originating from a particular port, a set of ports, or a set of protocols, additional filters are available with the current protocol-port based learning capability that can be applied to the learning mechanism.
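To make the learning and filtering process above concrete, here is an added Python example written for this page (it is not Cisco's OER implementation): constructed NetFlow-style flow records are aggregated per destination prefix, flows to protocol-port combinations the administrator marks as uninteresting are excluded by a configured filter, and the top prefixes by throughput are the ones that would be learned. The flow records, the /24 aggregation, the rule table, and the function names are all assumptions made for the example.

```python
import ipaddress
from collections import defaultdict

# Constructed NetFlow-style records: (dst_ip, protocol, dst_port, bytes).
# Not real captured data.
FLOWS = [
    ("203.0.113.10", "tcp", 443, 9_000_000),
    ("203.0.113.20", "tcp", 443, 4_000_000),
    ("198.51.100.5", "udp", 53, 12_000_000),   # bulk DNS, excluded by the filter below
    ("198.51.100.7", "tcp", 80, 2_500_000),
    ("192.0.2.9", "tcp", 25, 7_000_000),        # SMTP on a low port, also excluded
    ("192.0.2.33", "tcp", 8443, 6_000_000),
]

# Constructed "interesting traffic" policy, modelled on the protocol-port
# filter described above: each rule is (protocol, predicate over the port,
# keep?). The first matching rule decides; flows matching no rule are learned.
RULES = [
    ("udp", lambda p: p == 53, False),                            # do not optimise DNS
    ("tcp", lambda p: p < 1024 and p not in (80, 443), False),    # ignore other low ports
]


def is_interesting(proto, port, rules=RULES):
    """Return True if a flow to this protocol/port should take part in learning."""
    for rule_proto, pred, keep in rules:
        if rule_proto == proto and pred(port):
            return keep
    return True


def learn_prefixes(flows, prefix_len=24, top_n=2, rules=RULES):
    """Aggregate bytes per destination prefix over the interesting flows only
    and return the top_n (prefix, bytes) pairs, highest throughput first."""
    per_prefix = defaultdict(int)
    for dst, proto, port, nbytes in flows:
        if not is_interesting(proto, port, rules):
            continue
        net = ipaddress.ip_network(f"{dst}/{prefix_len}", strict=False)
        per_prefix[str(net)] += nbytes
    # Sort by descending bytes, then by prefix text so results are deterministic.
    ranked = sorted(per_prefix.items(), key=lambda kv: (-kv[1], kv[0]))
    return ranked[:top_n]


if __name__ == "__main__":
    print("with protocol-port filter:")
    for prefix, nbytes in learn_prefixes(FLOWS):
        print(f"  {prefix:<18} {nbytes:>12} bytes")
    print("without filter:")
    for prefix, nbytes in learn_prefixes(FLOWS, rules=[]):
        print(f"  {prefix:<18} {nbytes:>12} bytes")
```

With the filter in place the DNS-heavy 198.51.100.0/24 drops out of the learned set; without it that prefix would be learned first and the two prefixes the administrator actually cares about would compete for the remaining slot, which is the CPU and memory cost the Considerations below describe.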

Hardware

Routers • Cisco 1700, 1800, 2600, 2800, 3600, 3700, 3800, 7200, and 7500 Series Routers

Considerations

• This feature adds more granularity to the learn throughput and learn delay features. It optimizes the learning process by learning only the prefixes that the administrator intends to optimize.

• Learning, optimizing, and maintaining uninteresting, superfluous prefixes can cost CPU cycles, increase maintenance overhead, and consume memory on the master controller and the border routers.

Product Management Contact: Paul Kohler, [email protected]

2.7.17) Enabling Open Shortest Path First v2 on an Interface Using the ip ospf area Command

Historically, Open Shortest Path First (OSPF) v2 has been enabled on interfaces by the network command in "router ospf" configuration mode. The OSPFv2 per-interface area command (ip ospf area) allows OSPF to be enabled under interface configuration mode instead.

Benefits

• Useful in scenarios where there are unnumbered interfaces.

• Consistent functionality between OSPFv2 and OSPFv3.

Hardware

Routers • Cisco 800, 1700, 2600, 3600, 3700, 7200, 7301, and 7500 Series Routers

Product Management Contact: Chetan Khetani, [email protected]

2.7.18) Cisco Optimized Edge Routing

Cisco Optimized Edge Routing (OER) automates routing performance and allows customers to minimize bandwidth costs and engineering operating expenses. Cisco IOS OER leverages Cisco IOS NetFlow and Cisco IOS Service Assurance Agent (SAA) to choose the optimal outbound route based on cost minimization, load distribution policy, and overall network performance.


Cisco OER enables intelligent network traffic load distribution and dynamic failure detection of data paths at the WAN edge (i.e., multihoming to the Internet or intranet connectivity). While other routing mechanisms can provide both load sharing and failure mitigation, Cisco OER is unique in that it can make instant routing adjustments based on criteria other than static routing metrics: response time, packet loss, path availability, traffic load distribution, and financial cost minimization policies.

Cisco OER is implemented in Cisco IOS Software as an integrated part of Cisco core routing functionality. It can be deployed with familiar simplicity via standard CLI configuration. Cisco OER may also be configured with an external Cisco 2100 Series Intelligence Engine (Cisco appliance) management device to provide enhanced scalability, extended history, and a web-based GUI for configuration and reporting. Cisco OER offers increased Cisco product value and differentiation by leveraging various Cisco IOS Software features (i.e., Cisco IOS NetFlow, Cisco IOS SAA) and cross-product integration to support multiple hardware products and routing protocols.

Figure 28 Cisco OER Deployment Example

[Figure 28 is a diagram; only its labels survive extraction: OER Master; CR1 and CR2 (computer access); BR1, BR2, and BR3; iBGP and/or OSPF, EIGRP, etc.; eBGP; SLA A, SLA B, and SLA C; Server(s); Enterprise/Content Provider; Transit Service Providers SP A through SP F; Content Consumer.]

Benefits

Features and Benefits

Feature: Automatic Performance, Cost Minimization, and Policy-Based Load Distribution
• Instant routing adjustments based on performance, path availability, load share, or monetary cost measurements and business objectives.

Feature: Multiple Router Support
• Delivers advanced networking capabilities and investment protection on many Cisco IOS Software based hardware products.

Feature: Multiple Routing Protocol Support
• Delivers advanced networking capabilities and investment protection by integrating with IP core routing (i.e., BGP, static routes) and network characterization features.

Feature: Internet and WAN Edge Traffic Optimization
• Improve Internet and WAN edge traffic performance for content/application providers' customers.


Features and Benefits (continued)

Feature: Passive & Active Measurements
• Delivers advanced networking capabilities and investment protection by integrating with existing Cisco IOS Software features, such as Cisco IOS NetFlow and Cisco IOS SAA.
• NetFlow passive measurements minimize active probing.

Feature: Control & Observation Modes for Different Prefixes
• Allows non-disruptive observation of the behavior of OER before controlling prefixes.

Feature: Support Multiple Link Billing Models
• Provides flexibility for bandwidth cost minimization and ISP selection.

Feature: CLI Configuration & Reporting on Cisco IOS Software Based Hardware Products
• Provides a consistent Cisco IOS CLI which leverages the existing CLI knowledge of IT staff.

Hardware

Routers • Cisco 1700, 1800, 2600, 2800, 3600, 3700, 3800, 7200, and 7500 Series Routers

Additional Devices • Master Controller Engine Linux appliance

Product Management Contact: Paul Kohler, [email protected] or Anita Freeman, [email protected]

2.7.19) Enhanced Interior Gateway Routing Protocol Support for Route Map Filtering

Enhanced Interior Gateway Routing Protocol (EIGRP) Support for Route-Map Filtering enables the filtering of internal and external routes based on multiple route-map options. The functionality enables EIGRP to process the currently permitted set and match parameters within a route-map, and also extends the parameters with EIGRP-specific set and match choices.

Benefits

• Helps during redistribution.

• Controls route advertisement.

• Learns routes for fine-tuning the network.

Hardware

Routers • All hardware that supports the Cisco IOS Software Release 12.3T family

Product Management Contact: Chetan Khetani, [email protected]

2.7.20) Enhanced Interior Gateway Routing Protocol MPLS VPN PE-CE Site of Origin

Enhanced Interior Gateway Routing Protocol (EIGRP) MPLS VPN PE-CE Site of Origin (SoO) introduces support for back door links. A back door link is a connection that is configured outside of the VPN between a remote and main site; for example, a WAN leased line that connects a remote site to the corporate network. Back door links are typically used as backup routes between EIGRP sites if the VPN link fails or is not available. A metric is set on the back door link so that the route through the back door router is not selected unless there is a VPN link failure.


Benefits

EIGRP MPLS VPN PE-CE SoO allows EIGRP enterprise customers who pay MPLS VPN providers and have back door links to optimize their investments in VPN connections. Before this functionality became available, back door links were always preferred over MPLS VPN connections, because it was impossible to filter routes on the PE/back door routers; a site's own routes were re-learned from other PEs.
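An added Python model of the SoO check described above, written for this page and not Cisco's EIGRP code: a route received on an interface that carries a Site-of-Origin tag is stamped with that tag, and a route that arrives already carrying the tag of the receiving interface is dropped, so a site's own prefix cannot be re-learned over the back door. The two-site topology, the SoO values 100:1 and 100:2, the metrics, and the interface names are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Route:
    prefix: str
    soo: Optional[str]   # Site-of-Origin extended community "asn:site", or None
    metric: int


class EigrpSpeaker:
    """Toy EIGRP/PE speaker (constructed for this example). Each interface has
    an optional SoO tag. Routes received on a tagged interface are stamped
    with the tag; routes whose tag already equals it are rejected."""

    def __init__(self, name, interfaces):
        self.name = name
        self.interfaces = dict(interfaces)   # ifname -> SoO or None
        self.candidates = {}                 # prefix -> {ifname: Route}
        self.filtered = []                   # (ifname, Route) dropped by the SoO check

    def receive(self, ifname, route):
        """Return True if the route was accepted as a candidate path."""
        soo = self.interfaces[ifname]
        if soo is not None:
            if route.soo == soo:
                # The route originated at the site behind this interface:
                # installing it would let the back door path re-enter the site.
                self.filtered.append((ifname, route))
                return False
            if route.soo is None:
                route = Route(route.prefix, soo, route.metric)   # stamp the tag
        self.candidates.setdefault(route.prefix, {})[ifname] = route
        return True

    def withdraw(self, ifname, prefix):
        self.candidates.get(prefix, {}).pop(ifname, None)

    def best(self, prefix):
        """Lowest-metric candidate as (ifname, Route), or None if unreachable."""
        cands = self.candidates.get(prefix, {})
        if not cands:
            return None
        return min(cands.items(), key=lambda kv: kv[1].metric)


def run_scenario():
    """Site A (SoO 100:1) and site B (SoO 100:2) joined by an MPLS VPN and by a
    back door leased line whose metric is deliberately high (constructed)."""
    pe1 = EigrpSpeaker("PE1", {"to-site-a": "100:1", "vpn": None})
    br_a = EigrpSpeaker("BR-A", {"from-pe1": None, "backdoor": "100:1"})
    out = {}
    # 1. PE1 learns site A's prefix from the CE and stamps it with site A's SoO.
    pe1.receive("to-site-a", Route("10.1.0.0/16", None, 10))
    out["tag"] = pe1.best("10.1.0.0/16")[1].soo
    # 2. The same prefix comes back to site A over the back door after crossing
    #    the VPN to site B; its tag matches the back door interface, so it is dropped.
    out["loop_accepted"] = br_a.receive("backdoor", Route("10.1.0.0/16", "100:1", 50))
    # 3. Site B's prefix is reachable both via PE1 (preferred) and the back door.
    br_a.receive("from-pe1", Route("10.2.0.0/16", "100:2", 3000))
    br_a.receive("backdoor", Route("10.2.0.0/16", "100:2", 5000))
    out["normal_path"] = br_a.best("10.2.0.0/16")[0]
    # 4. The VPN link fails: the high-metric back door route becomes the backup.
    br_a.withdraw("from-pe1", "10.2.0.0/16")
    out["failover_path"] = br_a.best("10.2.0.0/16")[0]
    return out


if __name__ == "__main__":
    for k, v in run_scenario().items():
        print(f"{k}: {v}")
```

Step 2 is the loop the text refers to: without the tag check the returning route, arriving with a lower metric than the VPN path, would be installed at the origin site. Step 4 shows the metric rule from the description, with the back door used only once the VPN path is withdrawn.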

Hardware

Routers • All hardware that supports the Cisco IOS Software Release 12.3T family

Product Management Contact: Chetan Khetani, [email protected]

2.7.21) Border Gateway Protocol Cost Community Support for Enhanced Interior Gateway Routing Protocol MPLS VPN PE-CE with Back Door Links

This feature allows one to customize the local route preference and influence the Border Gateway Protocol (BGP) best path selection process. Before EIGRP SoO BGP Cost Community support was introduced, BGP preferred locally sourced routes to routes learned from BGP peers. Back door links in an EIGRP MPLS VPN topology will be preferred by BGP if the back door link is learned first.

The "pre-bestpath" point of insertion (POI) was introduced in the BGP Cost Community feature to support mixed EIGRP VPN network topologies that contain VPN and back door links.

Benefits

Without this functionality, back door links were always preferred over MPLS VPN connections. As a result, EIGRP enterprise customers who are paying MPLS VPN providers and have back door links were not optimizing their investments in the VPN connections.

Hardware

Routers • All hardware that supports the Cisco IOS Software Release 12.3T family

Product Management Contact: Chetan Khetani, [email protected]

2.7.22) OSPF Link State Database Overload Protection

Description

OSPF Link State Database (LSDB) Overload Protection addresses the requirement to limit the number of non-self-generated link-state advertisements (LSAs) for a given OSPF process. The goal is to prevent resource starvation (CPU and memory) on the router that can be caused by an excess of received LSAs.

Benefits

Excessive LSAs can be generated in the network because of incorrect redistribution or abnormal growth in the network. Processing these excessive LSAs and storing them in the LSDB can lead to resource starvation (CPU and memory) on a given router. OSPF LSDB Overload Protection is applicable to any given OSPF process.
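An added Python model of the overload protection described in 2.7.22 (written for this page, not Cisco's OSPF implementation): a link-state database counts only LSAs that it did not originate itself, raises a warning when a threshold percentage of the cap is reached, and on exceeding the cap either logs (warning-only mode) or stops accepting further foreign LSAs until reset. The cap, threshold, state names, and the constructed flood of LSAs are assumptions made for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Lsa:
    key: tuple              # (ls_type, ls_id, advertising_router) identifies an LSA
    self_originated: bool


class ProtectedLsdb:
    """Toy OSPF LSDB with a cap on non-self-originated LSAs (constructed for
    this example). Self-originated LSAs never count toward the cap, and a
    refresh of an LSA already in the database never changes the count."""

    def __init__(self, max_lsa, warn_pct=75, warning_only=False):
        self.max_lsa = max_lsa
        self.warn_at = max_lsa * warn_pct // 100
        self.warning_only = warning_only
        self.lsas = {}
        self.events = []          # log lines a router would emit
        self.ignoring = False     # True once the process has shut out foreign LSAs

    @property
    def foreign_count(self):
        return sum(1 for lsa in self.lsas.values() if not lsa.self_originated)

    def install(self, lsa):
        """Return True if the LSA was stored, False if it was refused."""
        if lsa.self_originated or lsa.key in self.lsas:
            self.lsas[lsa.key] = lsa
            return True
        if self.ignoring:
            return False
        n = self.foreign_count + 1
        if n > self.max_lsa:
            if self.warning_only:
                self.events.append(f"limit {self.max_lsa} exceeded (warning only)")
                self.lsas[lsa.key] = lsa
                return True
            self.events.append(f"limit {self.max_lsa} exceeded: entering ignore state")
            self.ignoring = True
            return False
        if n == self.warn_at:
            self.events.append(f"{n} foreign LSAs: {self.warn_at} threshold reached")
        self.lsas[lsa.key] = lsa
        return True

    def reset(self):
        """Leave ignore state (the real feature does this on a timer)."""
        self.ignoring = False


def simulate_flood(max_lsa, n_lsas, warning_only=False):
    """Feed n_lsas distinct foreign router-LSAs (constructed IDs) into a
    database capped at max_lsa and return (accepted_count, db)."""
    db = ProtectedLsdb(max_lsa, warning_only=warning_only)
    accepted = 0
    for i in range(1, n_lsas + 1):
        rid = f"10.255.{i // 256}.{i % 256}"
        accepted += db.install(Lsa((1, rid, rid), self_originated=False))
    return accepted, db


if __name__ == "__main__":
    accepted, db = simulate_flood(max_lsa=4, n_lsas=6)
    print(f"accepted {accepted} of 6, ignoring={db.ignoring}")
    for line in db.events:
        print("  ", line)
```

The point of excluding self-originated LSAs is that a router's own advertisements are bounded by its own configuration; the cap only needs to bound what neighbours can push into the process. In Cisco IOS the corresponding router-OSPF command is max-lsa (not shown in this bulletin).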


Hardware

Routers • All (platform independent)

Product Management Contact: [email protected]

2.7.23) OSPF Area Transit Capability

Description

RFC 2328 defines OSPF area transit capability as the ability of an area to carry data traffic that neither originates nor terminates in the area itself. OSPF Area Transit Capability enables the OSPF ABR to discover shorter paths through the transit area and forward traffic along those paths rather than using the virtual link or path, which is less optimal.

Hardware

Routers • All (platform independent)

Product Management Contact: [email protected]

2.7.24) OSPF Per-Interface Link Local Signaling (LLS)

Description

When LLS is enabled at the router level, it is automatically enabled for all interfaces. The OSPF Link-Local Signaling per-Interface feature allows one to selectively enable or disable LLS for a specific interface. Disabling LLS on an interface that is connected to a non-Cisco device that may be noncompliant with RFC 2328 can prevent problems with the forming of Open Shortest Path First (OSPF) neighbor adjacencies in the network.

Hardware

Routers • All (platform independent)

Product Management Contact: [email protected]

2.7.25) VRF Selection using Policy Based Routing

Description

VRF Selection using Policy Based Routing is an extension of VRF Selection based on Source IP Address. This functionality takes advantage of the existing route-map (which is capable of supporting multiple selection criteria) and uses Policy Based Routing (PBR) as a way to classify packets and set the relevant routing/forwarding decision. Classification criteria include source and/or destination IP addresses, protocol number, source and/or destination port number, IP precedence value, DSCP value, TCP flags, packet length, and ICMP type.
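An added Python example of the classification step in 2.7.25, written for this page rather than taken from Cisco IOS: a route-map is modelled as an ordered list of permit entries, each entry matches on any subset of the criteria the description lists (addresses, protocol, port, DSCP, TCP flags, length, ICMP type), and the first match sets the VRF while unmatched packets fall through to the global table. The packet fields, the four-entry policy, and the VRF names are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Packet:
    src: str
    dst: str
    protocol: int                      # 1 = ICMP, 6 = TCP, 17 = UDP
    sport: int = 0
    dport: int = 0
    dscp: int = 0
    tcp_flags: frozenset = frozenset()
    length: int = 0
    icmp_type: Optional[int] = None


@dataclass
class Entry:
    """One permit entry of a PBR route-map. Every criterion that is set must
    match (None is a wildcard); a match sets the VRF the packet is routed in."""
    set_vrf: str
    src_net: Optional[str] = None
    dst_net: Optional[str] = None
    protocol: Optional[int] = None
    dport_range: Optional[tuple] = None
    dscp: Optional[int] = None
    tcp_flags: Optional[frozenset] = None      # all listed flags must be set
    length_range: Optional[tuple] = None
    icmp_type: Optional[int] = None

    def matches(self, p):
        def in_net(addr, net):
            return net is None or ipaddress.ip_address(addr) in ipaddress.ip_network(net)

        def in_range(val, rng):
            return rng is None or rng[0] <= val <= rng[1]

        return (in_net(p.src, self.src_net)
                and in_net(p.dst, self.dst_net)
                and (self.protocol is None or p.protocol == self.protocol)
                and in_range(p.dport, self.dport_range)
                and (self.dscp is None or p.dscp == self.dscp)
                and (self.tcp_flags is None or self.tcp_flags <= p.tcp_flags)
                and in_range(p.length, self.length_range)
                and (self.icmp_type is None or p.icmp_type == self.icmp_type))


def select_vrf(packet, route_map, default="global"):
    """First matching entry wins, like route-map sequence numbers; packets that
    match nothing are forwarded in the default (global) table."""
    for entry in route_map:
        if entry.matches(packet):
            return entry.set_vrf
    return default


# Constructed policy: EF-marked UDP (voice) to VRF "voice"; web traffic from the
# guest subnet to VRF "guest"; ICMP echo to the monitoring VRF; new TCP
# connections toward the server subnet through an inspection VRF.
ROUTE_MAP = [
    Entry(set_vrf="voice", protocol=17, dscp=46),
    Entry(set_vrf="guest", src_net="10.20.0.0/16", protocol=6, dport_range=(80, 443)),
    Entry(set_vrf="mgmt", protocol=1, icmp_type=8),
    Entry(set_vrf="inspect", dst_net="192.0.2.0/24", protocol=6, tcp_flags=frozenset({"SYN"})),
]


if __name__ == "__main__":
    samples = [
        Packet("10.1.1.5", "198.51.100.1", 17, dport=5060, dscp=46),
        Packet("10.20.5.5", "203.0.113.7", 6, dport=443, tcp_flags=frozenset({"ACK"})),
        Packet("10.1.1.5", "192.0.2.10", 6, dport=22, tcp_flags=frozenset({"SYN"})),
        Packet("10.1.1.5", "192.0.2.10", 1, icmp_type=8),
        Packet("10.20.5.5", "203.0.113.7", 6, dport=22),
    ]
    for p in samples:
        print(f"{p.src} -> {p.dst} proto {p.protocol}: VRF {select_vrf(p, ROUTE_MAP)}")
```

Entry order matters exactly as it does with route-map sequence numbers: the guest entry is placed before the inspection entry so that guest web traffic is not diverted by the more general SYN match.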


Hardware

Routers • Cisco 2610XM, 2611XM, 2620XM, 2621XM, 2650XM, 2651XM and 2691 Routers
• Cisco 3631, 3640, 3640A, and 3660 Routers
• Cisco 3725 and 3745 Routers
• Cisco 7200, 7400 and 7500 Series Routers
• Cisco 7301 Router

Product Management Contact: [email protected]

2.7.26) BGP Transient Memory Usage Enhancement

Description

BGP uses a large amount of running memory when processing updates for full Internet routes. This feature significantly reduces the amount of transient memory (i.e., memory that is temporarily allocated and then released) needed to process those updates, making the processing more efficient. Transient memory usage is more consistent throughout the processing of large Internet routing table updates.

Hardware

Routers • All (platform independent)

Product Management Contact: [email protected]

2.7.27) BGP Support for TTL Security Check

Description

This feature enables checking of TTL (Time To Live) values on BGP packets from peers to minimize the risk of session spoofing attacks. All TCP packets from BGP are sent out with a TTL value of 255. All incoming TCP packets for BGP are checked for a TTL value that is greater than or equal to the configured incoming TTL value.

In most cases, since the peer is just one hop away, the incoming TTL value will be configured as 254. If the EBGP peer is multiple hops away, then the incoming TTL value should be configured to allow all required paths between the two peers.

Hardware

Routers • All (platform independent)

Product Management Contact: [email protected]

2.7.28) CLNS Support for GRE Tunneling of IPv4 and IPv6

Description

This enhancement adds support for GRE encapsulation of IPv4 and IPv6 packets through a CLNS network in accordance with RFC 3147 for statically configured tunnels.
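An added Python model of the TTL security check described in 2.7.27 above (written for this page; it is not Cisco's BGP code): a peer configured as N hops away must deliver BGP segments with a TTL of at least 255 minus N, because a packet sent with TTL 255 loses one unit per router crossed, so a segment that has travelled farther than the configured distance is discarded before it reaches the BGP process. Neighbor addresses, hop counts, and the helper names are constructed for the example.

```python
from dataclasses import dataclass

MAX_TTL = 255          # BGP speakers using this check send with the maximum TTL
BGP_PORT = 179


@dataclass(frozen=True)
class TcpSegment:
    src: str            # source address of the segment as received
    ttl: int            # IP TTL as received
    dport: int = BGP_PORT


class BgpTtlSecurity:
    """Per-neighbor minimum-TTL enforcement (constructed example of the
    mechanism in 2.7.27). configure(neighbor, hops) records that segments
    from that neighbor must arrive with TTL >= 255 - hops."""

    def __init__(self):
        self.min_ttl = {}        # neighbor address -> minimum acceptable TTL
        self.dropped = []        # segments refused, for logging or counters

    def configure(self, neighbor, hops):
        if not 1 <= hops <= 254:
            raise ValueError("hops must be between 1 and 254")
        self.min_ttl[neighbor] = MAX_TTL - hops

    def accept(self, seg):
        """Return True if the segment may be handed to the BGP process."""
        if seg.dport != BGP_PORT:
            return True                          # not BGP: this check does not apply
        floor = self.min_ttl.get(seg.src)
        if floor is None:
            return True                          # neighbor has no TTL security configured
        if seg.ttl >= floor:
            return True
        self.dropped.append(seg)
        return False


def ttl_after(hops_crossed):
    """TTL a segment sent with MAX_TTL carries after crossing hops_crossed routers."""
    return MAX_TTL - hops_crossed


if __name__ == "__main__":
    guard = BgpTtlSecurity()
    guard.configure("192.0.2.1", hops=1)        # directly connected eBGP peer
    guard.configure("198.51.100.9", hops=3)     # multihop peer three routers away
    for seg in (TcpSegment("192.0.2.1", ttl_after(1)),
                TcpSegment("192.0.2.1", ttl_after(5)),
                TcpSegment("198.51.100.9", ttl_after(2)),
                TcpSegment("198.51.100.9", ttl_after(4))):
        print(f"{seg.src} ttl={seg.ttl}: {'accept' if guard.accept(seg) else 'drop'}")
    print(f"dropped {len(guard.dropped)} segment(s)")
```

The check bounds how far away a packet's sender can be; it does not prove who the sender is, so it complements rather than replaces peer authentication on the session. The multihop case shows the trade-off the description mentions: the configured hop count must cover every path the peer can legitimately take, and each extra hop allowed widens the ring from which a packet would still be accepted.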


Hardware

Routers • All (platform independent)

Product Management Contact: [email protected]


2.8) IP Services

Table 9 IP Services Feature Highlights

IP Services

2.8.1) Network Address Translation Virtual Interface
2.8.2) Network Address Translation Routemaps Outside-to-Inside Support
2.8.3) Dynamic Host Configuration Protocol Intelligent Services Gateway Enhancements
2.8.4) Dynamic Host Configuration Protocol Relay Subscriber Identifier Suboption
2.8.5) Virtual Router Redundancy Protocol Message Digest Algorithm 5 Authentication
2.8.6) Extended Prepaid Tariff Switch with Service Selection Gateway
2.8.7) MAC Address-Based Authorization with Service Selection Gateway
2.8.8) Service Selection Gateway Aware On-Demand IP Address Renewal
2.8.9) Service Selection Gateway Support for Subnet-Based Authentication
2.8.10) First Hop Redundancy Protocols—Virtual Router Redundancy Protocol MIB RFC 2787
2.8.11) Dynamic Host Configuration Protocol—Dynamic Default Gateway on a Statically Configured Route
2.8.12) Dynamic Host Configuration Protocol—Configurable DHCP Client
2.8.13) First Hop Routing Protocols—Object Tracking List Support
2.8.14) Network Address Translation—Support for H.323 Fragmented Control Messages
2.8.15) IP over IPv6 Tunnels
2.8.16) IPv6 Policy-Based Routing
2.8.17) NAT—Stateful Failover Asymmetric Outside-to-Inside
2.8.18) NAT—Stateful Failover for Embedded Addressing
2.8.19) NAT—Static IP Support
2.8.20) ACL—Named ACL Support for Noncontiguous Ports on an Access Control Entry
2.8.21) Rate Based Satellite Control Protocol (RBSCP)
2.8.22) IPv6 Anycast Address
2.8.23) Border Gateway Protocol—Policy Accounting Output Interface Accounting
2.8.24) ACL—Filtering IP Options and IP Options Selective Drop
2.8.25) NAT—Performance Related Enhancements
2.8.26) NAT—Rate Limiting NAT Translation
2.8.27) NAT—Translation of External IP Addresses only
2.8.28) FHRP—Enhanced Object Tracking—Integration with SAA
2.8.29) ACL-TCP Flags Filtering
2.8.30) Cisco Express Forwarding Switching for IPv6 Tunnels (Configured, Automatic, 6to4, ISATAP)

2.8.1) Network Address Translation Virtual Interface

Cisco IOS Software provides a NAT subsystem with extensive support for protocols that embed IP addresses within the payload using Application Layer Gateway (ALG) functions. Cisco IOS NAT was extended to support VPN VRF tables in Cisco IOS Software Release 12.2(15)T. This support allowed NAT to be centrally deployed and provided a solution for interconnection between communities with overlapping addresses in different VRFs. However, prior to the introduction of this feature, NAT could not be performed on traffic flowing between two interfaces that are both marked as inside interfaces within a single device.

The feature offers an alternative way to configure NAT and permits packets between different VRFs to undergo NAT, while traffic from each VRF to common services can also be processed.


Benefits

• More deployment options available for service providers offering MPLS-based services.

• Reduced complexity for configurations where NAT is required.

Hardware

Routers • Cisco 800, 1700, 1800, 2600XM, 2800, 3600, 3700, 3800, and 7200 Series Routers

Cisco IOS Packaging

NAT Virtual Interface is positioned in the IP Base packages across Cisco routers.

Cisco IOS Packaging Contact: Fariba Farniam ([email protected])

Product Management Contact: Patrick Grossette ([email protected])

2.8.2) Network Address Translation Routemaps Outside-to-Inside Support

Cisco IOS NAT allows routemaps to be configured to establish which traffic is eligible for translation. Certain environments and network designs benefit from the ability to interrogate defined routemaps for traffic flowing from the NAT outside interface toward the NAT inside interface.

This feature provides for interrogation and use of defined routemaps for traffic flowing from outside to inside. Prior to this feature, Cisco IOS NAT did not permit traffic from outside destined to a global address associated with a dynamic entry based on a routemap. With this support, customers can use routemaps to allocate global addresses and permit return traffic to use these global addresses. Return traffic is verified to match the defined routemap in the reverse direction.


Figure 29 NAT Routemap Outside-to-Inside Support

[Figure 29 is a diagram; only its labels survive extraction: NAT, Inside, Outside, routers R1 and R2, hosts A and B, a Global Peer-To-Peer Directory, and steps 1, 2, and 3.]

In Figure 29, suppose A and B want to converse. When each registered with the directory server, a routemap was used to allocate the global IP address. With this feature, A is allowed to connect to B directly through R2 (as long as its traffic matches the routemap), even though B's global IP address was established using a routemap. Other traffic from other devices that does not match the routemap is dropped.

Benefits

• Provides more flexibility in allocation of global addresses.

• Allows for service-based address allocation and selective address translation.

Hardware

Routers • Cisco 800, 1700, 1800, 2600XM, 2800, 3600, 3700, 3800, and 7200 Series Routers

Cisco IOS Packaging

NAT Routemap Outside-to-Inside Support is positioned in the IP Base packages across Cisco routers.

Cisco IOS Packaging Contact: Fariba Farniam ([email protected])

Product Management Contact: Patrick Grossette ([email protected])
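An added Python model of the outside-to-inside behaviour described in 2.8.2 (written for this page; not Cisco IOS NAT code): a dynamic translation is created by inside-to-outside traffic that the routemap permits, and an outside-initiated packet to the allocated global address is admitted only when the feature is enabled and the packet also matches the routemap in the reverse direction, with the inside local address substituted for the global one. The routemap criteria (an inside source network and an outside destination network), the address pool, and the hosts standing in for A, B, and the directory server are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Pkt:
    src: str
    dst: str


@dataclass(frozen=True)
class RouteMap:
    """One permit entry: inside source network and outside destination network
    (constructed; a real routemap can match on more)."""
    inside_net: str
    outside_net: str

    def permits(self, inside_addr, outside_addr):
        return (ipaddress.ip_address(inside_addr) in ipaddress.ip_network(self.inside_net)
                and ipaddress.ip_address(outside_addr) in ipaddress.ip_network(self.outside_net))


class NatDevice:
    """Toy dynamic NAT with routemap-based allocation (constructed example)."""

    def __init__(self, route_map, pool, allow_outside_initiated=True):
        self.route_map = route_map
        self.pool = list(pool)                # free global addresses
        self.local_to_global = {}
        self.global_to_local = {}
        self.allow_outside_initiated = allow_outside_initiated

    def translate_outbound(self, pkt):
        """Inside -> outside: create the entry if the routemap permits the flow.
        Returns the translated packet, or None if the packet is not translated."""
        if pkt.src not in self.local_to_global:
            if not self.route_map.permits(pkt.src, pkt.dst) or not self.pool:
                return None
            glob = self.pool.pop(0)
            self.local_to_global[pkt.src] = glob
            self.global_to_local[glob] = pkt.src
        return replace(pkt, src=self.local_to_global[pkt.src])

    def translate_inbound(self, pkt):
        """Outside -> inside toward a global address. Returns the translated
        packet, or None when the packet must be dropped."""
        local = self.global_to_local.get(pkt.dst)
        if local is None:
            return None                        # no translation exists for this address
        if not self.allow_outside_initiated:
            return None                        # behaviour before this feature
        if not self.route_map.permits(local, pkt.src):
            return None                        # reverse-direction routemap check failed
        return replace(pkt, dst=local)


if __name__ == "__main__":
    rm = RouteMap(inside_net="10.0.0.0/8", outside_net="203.0.113.0/24")
    nat = NatDevice(rm, pool=["192.0.2.100", "192.0.2.101"])
    print(nat.translate_outbound(Pkt("10.1.1.20", "203.0.113.5")))   # B registers with the directory
    print(nat.translate_inbound(Pkt("203.0.113.40", "192.0.2.100")))  # A reaches B directly
    print(nat.translate_inbound(Pkt("198.51.100.7", "192.0.2.100")))  # unrelated host: dropped
```

The reverse check is what keeps the new global address from becoming a generally reachable hole: only peers the routemap would have allowed B to contact in the first place can initiate toward B's global address, and everything else is dropped, as the text above states.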


2.8.3) Dynamic Host Configuration Protocol Intelligent Services Gateway Enhancements

To make it possible for ISPs (or address providers) to provide service to customers using one network infrastructure, Cisco IOS Software features are closely integrated. These enhancements extend the feature integration between Cisco IOS Software DHCP services and other features.

More specifically, this work enables a router, under control of the administrator, to specify which address provider, or address pool, should be used to provide various end stations and customers with an IP address.

This infrastructure will enable other services in future releases.

Benefits

• Extends integration of Cisco IOS Software features to meet customer requirements.

• Enables more flexible deployment and control over IP address assignments.

Hardware

Routers • Cisco 800, 1700, 1800, 2600XM, 2800, 3600, 3700, 3800, and 7200 Series Routers

Cisco IOS Packaging

DHCP Intelligent Services Gateway Enhancements is positioned in the IP Base packages across Cisco routers.

Cisco IOS Packaging Contact: Fariba Farniam ([email protected])

Product Management Contact: Patrick Grossette ([email protected])

2.8.4) Dynamic Host Configuration Protocol Relay Subscriber Identifier Suboption

The DHCP Relay function in Cisco IOS Software provides support for forwarding DHCP requests to designated DHCP servers.

This feature allows a character string to be configured on a per-interface or per-subinterface basis and used to uniquely identify a subscriber or user. When the DHCP Relay Information option is enabled, this configured string is added in the subscriber-identifier suboption of the Relay Information option in all the DHCP requests that are forwarded on to the specified DHCP servers.

Benefits

Allows more flexibility and granular control over the way IP address assignments are made.

Hardware

Routers • Cisco 800, 1700, 1800, 2600XM, 2800, 3600, 3700, 3800, and 7200 Series Routers

Cisco IOS Packaging

DHCP Relay Subscriber Identifier Suboption is positioned in the Advanced Enterprise Services packages across Cisco routers.

Cisco IOS Packaging Contact: Fariba Farniam ([email protected])

Product Management Contact: Patrick Grossette ([email protected])


2.8.5) Virtual Router Redundancy Protocol Message Digest Algorithm 5 Authentication

Hot Standby Router Protocol (HSRP) and Gateway Load Balancing Protocol (GLBP) allow for Message Digest Algorithm 5 (MD5) authentication for passwords exchanged between first-hop redundancy group members. This feature brings the same security feature to Virtual Router Redundancy Protocol (VRRP) as well.

Benefits

• Protects the password exchanged between VRRP group members with an MD5 hash, so it is not sent in clear text over the wire.

• Provides the same level of security as HSRP and GLBP for users that demand an IETF standard protocol for first-hop redundancy.
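An added Python illustration of the keyed-MD5 authentication the section describes, written for this page rather than taken from Cisco's VRRP implementation: a VRRP-style advertisement (virtual router ID, priority, virtual IPs) is followed by the MD5 digest of the message and the shared key, and a receiver that holds the key recomputes the digest and rejects anything that does not match. The message layout is a simplification modelled on the keyed-MD5 construction used by OSPF and RIP authentication; the exact VRRP on-wire fields, the key, and the sample values are assumptions for the example.

```python
import hashlib
import hmac
import struct

DIGEST_LEN = 16        # MD5 output length in bytes


def build_advertisement(vrid, priority, vips, key):
    """Constructed VRRP-like advertisement: a 3-byte header (VRID, priority,
    address count), the IPv4 virtual addresses, then MD5(message || key).
    The key itself never appears in the message; only the digest does."""
    body = struct.pack("!BBB", vrid, priority, len(vips))
    for ip in vips:
        body += bytes(int(octet) for octet in ip.split("."))
    digest = hashlib.md5(body + key).digest()
    return body + digest


def verify_advertisement(msg, key):
    """True if the trailing digest matches MD5(body || key)."""
    if len(msg) < 3 + DIGEST_LEN:
        return False
    body, digest = msg[:-DIGEST_LEN], msg[-DIGEST_LEN:]
    expected = hashlib.md5(body + key).digest()
    return hmac.compare_digest(digest, expected)   # constant-time comparison


def parse_advertisement(msg, key):
    """Return (vrid, priority, [vips]) for an authenticated message, else None."""
    if not verify_advertisement(msg, key):
        return None
    vrid, priority, count = struct.unpack("!BBB", msg[:3])
    vips = [".".join(str(b) for b in msg[3 + 4 * i: 7 + 4 * i]) for i in range(count)]
    return vrid, priority, vips


if __name__ == "__main__":
    key = b"vrrp-group-10-secret"            # constructed shared key
    msg = build_advertisement(10, 110, ["192.0.2.1"], key)
    print("genuine:", parse_advertisement(msg, key))
    # A forged copy that claims priority 255 (the digest no longer matches).
    forged = bytes([msg[0], 255]) + msg[2:]
    print("forged :", parse_advertisement(forged, key))
    # A router holding a different key cannot authenticate the message either.
    print("wrong key:", parse_advertisement(msg, b"other-key"))
```

Without authentication any host on the segment could send an advertisement claiming a higher priority and take over the virtual address; with the keyed digest, a forged or altered advertisement fails verification. The Considerations below also apply: the digest layout is Cisco-specific, so a router from another vendor would not be expected to validate it.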

Hardware

Routers • Cisco 800, 1700, 1800, 2600XM, 2800, 3600, 3700, 3800, and 7200 Series Routers

Considerations

Support for MD5 authentication is specific to Cisco and not part of the VRRP standard. It is probably not interoperable with equipment from other vendors.

Cisco IOS Packaging

VRRP MD5 Authentication is positioned in the IP Base packages across Cisco routers.

Cisco IOS Packaging Contact: Fariba Farniam ([email protected])

Product Management Contact: Patrick Grossette ([email protected])

2.8.6) Extended Prepaid Tariff Switch with Service Selection Gateway

Even without this new enhancement, service providers can already switch tariff rates in midsession in Service Selection Gateway (SSG) prepaid billing mode. One example of switching the tariff rate is that providers want to charge at a higher rate during business hours and switch to a lower rate after business hours. In another example, providers want to switch between a volume basis and a time basis, or the reverse, in which case the tariff model is changed midsession. Both of these tariff switch modes are supported today in SSG. But such changes require billing servers to provide SSG with two quotas and the time of the tariff switch. The first quota indicates the tariff rate before the switch, and the second quota indicates the postswitch rate. SSG will accordingly apply the quotas and tariff rates based on the switch time.

With this new extension to prepaid tariff switching functionality, prepaid billing servers can choose to provide only one quota instead of two. SSG will use the same quota and report back how much of the quota was used before and after the tariff switch. This approach simplifies service providers' billing and operations server implementations.

Benefits

Simplified billing server implementation for service providers.

Restrictions

• Cannot be used when a tariff type is changed in midsession (for example, a change from a time-based tariff to a volume-based tariff).

• SSG accounting must be enabled in order for the SSG Extended Prepaid Tariff Switching feature to be used.


Hardware

Routers • Cisco 800, 1700, 1800, 2600XM, 2800, 3600, 3700, 3800, and 7200 Series Routers

Cisco IOS Packaging

Cisco IOS Extended Prepaid Tariff Switch with SSG is positioned in the Advanced IP Services packages across Cisco routers.

Cisco IOS Packaging Contact: Fariba Farniam ([email protected])

Product Management Contact: Murali Kolli ([email protected])

2.8.7) MAC Address-Based Authorization with Service Selection Gateway

SSG currently authenticates users with Web-based login through Cisco Subscriber Edge Services Manager (SESM) or by acting as a RADIUS proxy in an Extensible Authentication Protocol (EAP) type of authentication. SSG can also authenticate users based on their IP address through the functionality called Transparent Auto Logon (TAL). MAC address-based authentication is developed to trace DHCP IP address allocation to the MAC address for the purpose of authenticating the user.

If a connection request comes from an unknown user, SSG mandates explicit Web login with a captive portal. After the initial login, the MAC address of the client device is learned and tracked for further authentication during the next login. Thereafter, SSG implicitly authenticates the user at every login until a predefined time interval has passed.

Benefits

After the user authenticates with Web login, further user logins can be avoided as long as the user uses the same client device, until the predefined time period has passed.

Restrictions

Assumes that the device belongs to the same user all the time. If users swap devices, the identity of the users behind the devices can be misunderstood.

Hardware

Routers • Cisco 800, 1700, 1800, 2600XM, 2800, 3600, 3700, 3800, and 7200 Series Routers

Cisco IOS Packaging

MAC Address-Based Authorization with SSG is positioned in the Advanced IP Services packages across Cisco routers.

Cisco IOS Packaging Contact: Fariba Farniam ([email protected])

Product Management Contact: Murali Kolli ([email protected])


2.8.8) Service Selection Gateway Aware On-Demand IP Address Renewal

Service Selection Gateway (SSG) functionality poses two problems:

1. Subscribers trying to connect to a broadband remote-access server (BRAS) using Ethernet access need to be given a temporary IP address until they are authenticated and are ready to connect to one of the services. Switchover of the IP address to an IP address belonging to the chosen service or SP should happen dynamically.

2. The second situation is for subscribers who are connected and are actively using one of the services. When they try to switch to a new service or SP, if that new service or SP mandates an IP address change to the session (with an IP address from a pool specific to that service or service provider's network), the service selection solution should be aware of that requirement and support such a change. This is an equal access network (EAN) requirement and an application service provider requirement to provide specific services (for example, gaming and Web-sharing applications) belonging to the network.

Benefits

• For Ethernet access subscribers, service providers can give a short-term lease of an IP address and renew it for a longer lease after authentication.

• Subscribers can access services and dynamically change IP address to application service provider distributed addresses. This enables application access without NAT.

Hardware

Routers • Cisco 800, 1700, 1800, 2600XM, 2800, 3600, 3700, 3800, and 7200 Series Routers

Cisco IOS Packaging

SSG Aware On-Demand IP Address Renewal is positioned in the Advanced IP Services packages across Cisco routers.

Cisco IOS Packaging Contact: Fariba Farniam ([email protected])

Product Management Contact: Murali Kolli ([email protected])

2.8.9) Service Selection Gateway Support for Subnet-Based Authentication

Subnet-based authentication functionality enables SSG to accept a login from one of the users in a subnet (for example, a business) and to treat the complete subnet as authenticated. This functionality eliminates the need for all the users in a subnet (or a business) to authenticate individually. This enhancement also enables services for all users in the subnet and generates aggregate billing records.

Subnet-based authentication is supported for both Web login users and transparent autologon (TAL) users.

Benefits

• Enables service providers to offer business Internet services, avoiding the need for every user to identify and log in.

• Enables service providers to offer pay-per-use Internet service to their SOHO customers.

• Provides easy-to-use dedicated video and voice appliances to deliver those services over the same IP network after initial authentication from a personal computer.


Restrictions

• Subnet-based authentication is not supported for users with PPP-based access.

• Once subnet-based authentication is enabled, individual subscribers on that subnet are not identified and tracked.

Hardware

Cisco IOS Packaging

SSG Support for Subnet-Based Authentication is positioned in the Advanced IP Services packages across Cisco routers.

Cisco IOS Packaging Contact: Fariba Farniam ([email protected])

Product Management Contact: Murali Kolli ([email protected])

2.8.10) First Hop Redundancy Protocols—Virtual Router Redundancy Protocol MIB RFC 2787

Cisco First Hop Redundancy Protocols (FHRP) is a collection of three separate features in Cisco IOS Software:

• Hot Standby Router Protocol (HSRP)

• Gateway Load Balancing Protocol (GLBP)

• Virtual Router Redundancy Protocol (VRRP)

Support for the VRRP MIB (RFC 2787) enables Cisco customers who have selected VRRP support within Cisco IOS Software for redundancy to use SNMP to configure and monitor their VRRP redundancy groups. Customers have complete Set, Get, and Trap support.

Benefits

• Ability to use SNMP to remotely configure and monitor all aspects of a VRRP redundancy group.

• Set: configure VRRP on the routers.

• Get: retrieve detailed information on the state of the VRRP groups and of each router in the VRRP groups.

• Trap: receive indicators for events such as the transition of a router in a VRRP group to ‘Master’ state.

Hardware

Additional Information:

For details of the MIB, refer to RFC 2787 and download the VRRP MIB from Cisco.

• Definitions of Managed Objects for the Virtual Router Redundancy Protocol: http://www.ietf.org/rfc/rfc2787.txt

• http://tools.cisco.com/ITDIT/MIBS/servlet/index

Routers • Cisco 800, 1700, 1800, 2600XM, 2800, 3600, 3700, 3800, and 7200 Series Routers

Routers • http://www.cisco.com/go/fn/


Product Management Contact: Mark Denny, [email protected]

2.8.11) Dynamic Host Configuration Protocol—Dynamic Default Gateway on a Statically Configured Route

This feature enables the dynamic configuration of the default gateway for a configured IP static route using Dynamic Host Configuration Protocol (DHCP). This enhancement allows a static route to be configured with the keyword ‘dhcp’.

The DHCP client within Cisco IOS Software uses DHCP Option 3 (DHCP gateway address) obtained from a DHCP server and plugs this DHCP gateway address in as the “next hop” of the static ip route command.

Example:

Route configuration:

ip route 3.3.3.3 255.255.255.255 dhcp

If a DHCP IP address is obtained and option 3 has also been obtained from the server (i.e., option 3 contains 3.3.3.2), then a sh ip route command will show the configured static route:

S 3.3.3.3 255.255.255.255 via 3.3.3.2

This can be an alternative to using DHCP Option 33—Static Route Option. Customers may not always have control or influence over the DHCP server configurations of the network providers.

Benefits

Simplifies static routing configurations in networks that make use of DHCP.

Hardware

Product Management Contact: Mark Denny, [email protected]

2.8.12) Dynamic Host Configuration Protocol—Configurable DHCP Client

Configurable Dynamic Host Configuration Protocol (DHCP) Client is the ability to manually configure several DHCP client options:

• Client Identifier Option (option 61)

– Allows a user to enter a unique hexadecimal value or a unique null-terminated ASCII string.

– This value is expected to be unique for all clients in an administrative domain.

• Vendor Class Identifier (option 60)

– Allows the user to configure the Vendor Class Identifier string to use in the DHCP interaction.

– This option is used by DHCP clients to optionally identify the vendor type and configuration of a DHCP client.

Routers • http://www.cisco.com/go/fn/


• IP Address Lease Time (option 51)

– Allows the user to configure the suggested lease time to be included as the Lease Time Option in the DHCP interaction.

– This option is used in a client request (DHCPDISCOVER or DHCPREQUEST) to allow the client to request a lease time for the IP address. In a server reply (DHCPOFFER), a DHCP server uses this option to specify the lease time it is willing to offer.
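The two DHCP client features above (the dhcp keyword on a static route in 2.8.11, and options 61, 60 and 51 in 2.8.12) both come down to RFC 2132 option encoding. The following Python program is an added example, not Cisco code and not taken from this bulletin: it builds the three client options into a request option field, parses a constructed DHCPOFFER option field with the usual length checks, and derives the next hop of the static route from option 3. The option codes are the RFC 2132 values; the sample option bytes, the client identifier, the vendor class string and the route rendering are constructed for the example.

```python
"""Build and parse DHCP option fields (RFC 2132 TLV encoding).

Added example, not Cisco code. Shows how the client-side options the
bulletin lists (61 client identifier, 60 vendor class, 51 lease time) are
encoded into a request, and how option 3 (router) is taken from an offer
so it can become the next hop of an 'ip route ... dhcp' static route.
"""
import struct
from ipaddress import IPv4Address

OPT_PAD = 0
OPT_ROUTER = 3
OPT_LEASE_TIME = 51
OPT_VENDOR_CLASS = 60
OPT_CLIENT_ID = 61
OPT_END = 255


def encode_option(code: int, value: bytes) -> bytes:
    """One TLV option; RFC 2132 limits each option body to 255 bytes."""
    if not 0 < len(value) <= 255:
        raise ValueError("option %d: length %d out of range" % (code, len(value)))
    return bytes([code, len(value)]) + value


def build_client_options(client_id: bytes, vendor_class: str, lease_seconds: int) -> bytes:
    """Option field of a DHCPDISCOVER/DHCPREQUEST carrying options 61, 60 and 51.

    client_id is passed as raw bytes, so both the hexadecimal form and a
    null-terminated ASCII string the bulletin mentions are handled alike.
    """
    opts = encode_option(OPT_CLIENT_ID, client_id)
    opts += encode_option(OPT_VENDOR_CLASS, vendor_class.encode("ascii"))
    opts += encode_option(OPT_LEASE_TIME, struct.pack("!I", lease_seconds))
    return opts + bytes([OPT_END])


def parse_options(options: bytes) -> dict:
    """Parse a TLV option field into {code: value}; stops at END, skips PAD.

    A truncated option (declared length running past the buffer) raises
    instead of being accepted, the safe failure mode for input that comes
    from a server the client does not control.
    """
    result = {}
    i = 0
    while i < len(options):
        code = options[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(options):
            raise ValueError("option %d: missing length byte" % code)
        length = options[i + 1]
        body = options[i + 2:i + 2 + length]
        if len(body) != length:
            raise ValueError("option %d: truncated" % code)
        result[code] = body
        i += 2 + length
    return result


def next_hop_from_offer(options: bytes):
    """First router from option 3 as dotted text, or None when absent or malformed.

    Option 3 may list several routers, 4 bytes each; as in the bulletin's
    example, the first one becomes the next hop of the dhcp static route.
    """
    routers = parse_options(options).get(OPT_ROUTER)
    if not routers or len(routers) % 4:
        return None
    return str(IPv4Address(routers[:4]))


def static_route_line(destination: str, mask: str, offer_options: bytes) -> str:
    """Render the route the way the bulletin's sh ip route excerpt lists it."""
    gateway = next_hop_from_offer(offer_options)
    if gateway is None:
        return "S %s %s (no next hop yet: option 3 not received)" % (destination, mask)
    return "S %s %s via %s" % (destination, mask, gateway)


# Constructed sample DHCPOFFER option field: option 3 = 3.3.3.2 (the value
# from the bulletin's example), option 51 = one hour, then END.
SAMPLE_OFFER = (
    encode_option(OPT_ROUTER, IPv4Address("3.3.3.2").packed)
    + encode_option(OPT_LEASE_TIME, struct.pack("!I", 3600))
    + bytes([OPT_END])
)

if __name__ == "__main__":
    # Constructed client identifier and vendor class, not values from the bulletin.
    request = build_client_options(bytes.fromhex("0100aabbccddeeff"), "example-vendor-class", 86400)
    print("request options:", request.hex())
    print(static_route_line("3.3.3.3", "255.255.255.255", SAMPLE_OFFER))
```

The parser rejects a truncated option rather than using whatever bytes happen to follow it; a client that silently accepts a short option 3 could install a next hop made of stray bytes.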

Benefits

Provides customers additional flexibility in the allocation and control of their IP Address space.

Hardware

Additional Information: http://www.ietf.org/rfc/rfc2132.txt

Product Management Contact: Mark Denny, [email protected]

2.8.13) First Hop Routing Protocols—Object Tracking List Support

First Hop Routing Protocols (FHRP) Object Tracking List Support refers to the ability to group multiple objects, track the state of these objects collectively, and influence the FHRP design dynamically.

FHRP Object Tracking List support influences Hot Standby Router Protocol (HSRP) and Virtual Router Redundancy Protocol (VRRP) to initiate a failover to another router in the group. It also influences Gateway Load Balancing Protocol (GLBP) to shift the IP traffic of a specific GLBP router to the rest of the GLBP group.

FHRP is comprised of GLBP, HSRP, and VRRP. These protocols can track a single “object” at one time, using the information obtained from this “object” to influence whether to fail over from one redundant gateway router to another in the case of HSRP or VRRP, or to shift the traffic of one GLBP router to the rest of the GLBP group.

The result of tracking an object is to perform some predefined action when the object state changes. For example, the user can track an interface and, when it fails, change the HSRP priority such that an election takes place and a new router takes over as the primary HSRP router. When the interface comes back up, the user can change the HSRP priority again, so the original primary router takes over its role again.

With the “Object Tracking list” enhancement, multiple objects can now be defined in a list, and actions are determined by the collective state or combined status of the defined objects. It provides logical operations, threshold and weighting, and percentage comparison among the tracking objects defined in the list. An object tracking list can be defined as follows:

• Each object in the list of tracked objects has an associated weight. This weight can be set by the user, or may be calculated automatically if all the objects are to have equal weight. The latter is the default case.

• A threshold value is defined by the user; by comparing the state of each object and its associated weight against it, the state of the “track list” object is determined depending on whether the threshold value has been met.

• Use of the logical OR function states that when any object defined within the list provides an “UP” state, then the “track list” object will also define an “UP” state.

Routers • http://www.cisco.com/go/fn/


• Configuration examples:

track 1 interface e0/1 line-protocol
track 2 interface e0/2 line-protocol
track 3 interface e0/3 line-protocol
track 4 list
 object 1 weight 10
 object 2 weight 20
 object 3 weight 10
 threshold percentage up 30 down 29
track 5 list
 object 1
 object 2
 object 3
 object 4
 boolean and
track 6 list
 object 1
 object 2
 object 3
 object 4
 boolean or
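The following Python program is an added example, not Cisco code: it evaluates the three track lists from the configuration above against constructed interface states. The percentage rule it applies (summed weight of UP objects as a percentage of the total weight, compared with the up and down thresholds, previous state kept when the value lies between them) is an assumption drawn from the description above, not a statement of how IOS computes it, and the hsrp_priority helper with its base priority and decrement values is hypothetical.

```python
"""Evaluate FHRP object tracking lists: weighted threshold and boolean modes.

Added example, not Cisco code. Track lists 4, 5 and 6 mirror the bulletin's
configuration; the threshold semantics are an assumption (see lead-in).
"""
from dataclasses import dataclass, field
from typing import Dict, List

UP, DOWN = "UP", "DOWN"


@dataclass
class TrackList:
    number: int
    objects: List[int]                                   # tracked object numbers
    weights: Dict[int, int] = field(default_factory=dict)  # missing -> equal weight of 1
    mode: str = "boolean-or"                             # boolean-and | boolean-or | threshold-percentage
    up_threshold: int = 100
    down_threshold: int = 0
    state: str = DOWN                                    # last result, kept for hysteresis

    def weight_of(self, obj: int) -> int:
        return self.weights.get(obj, 1)

    def percent_up(self, object_states: Dict[int, str]) -> float:
        total = sum(self.weight_of(o) for o in self.objects)
        up = sum(self.weight_of(o) for o in self.objects if object_states.get(o) == UP)
        return 100.0 * up / total if total else 0.0

    def evaluate(self, object_states: Dict[int, str]) -> str:
        """Recompute and store the list state from its members' states."""
        if self.mode == "boolean-and":
            self.state = UP if all(object_states.get(o) == UP for o in self.objects) else DOWN
        elif self.mode == "boolean-or":
            self.state = UP if any(object_states.get(o) == UP for o in self.objects) else DOWN
        elif self.mode == "threshold-percentage":
            pct = self.percent_up(object_states)
            if pct >= self.up_threshold:
                self.state = UP
            elif pct <= self.down_threshold:
                self.state = DOWN
            # between the two thresholds the previous state is kept (hysteresis)
        else:
            raise ValueError("unknown list mode %r" % self.mode)
        return self.state


def hsrp_priority(base: int, decrement: int, track_state: str) -> int:
    """Hypothetical helper: priority an HSRP group would use while tracking the list."""
    return base - decrement if track_state == DOWN else base


# Objects 1..3 stand for the e0/1..e0/3 line-protocol states; object 4 is
# track list 4 itself, so lists 5 and 6 nest it exactly as the bulletin's
# configuration does.
TRACK4 = TrackList(4, [1, 2, 3], {1: 10, 2: 20, 3: 10}, "threshold-percentage", 30, 29)
TRACK5 = TrackList(5, [1, 2, 3, 4], mode="boolean-and")
TRACK6 = TrackList(6, [1, 2, 3, 4], mode="boolean-or")


def evaluate_all(interfaces: Dict[int, str]) -> Dict[int, str]:
    """Evaluate the lists in dependency order; returns {list number: state}."""
    states = dict(interfaces)
    states[4] = TRACK4.evaluate(states)
    states[5] = TRACK5.evaluate(states)
    states[6] = TRACK6.evaluate(states)
    return {4: states[4], 5: states[5], 6: states[6]}


if __name__ == "__main__":
    # Constructed scenarios: all interfaces up, only e0/1 up, all down.
    for scenario in ({1: UP, 2: UP, 3: UP}, {1: UP, 2: DOWN, 3: DOWN}, {1: DOWN, 2: DOWN, 3: DOWN}):
        result = evaluate_all(scenario)
        print(scenario, "->", result, "| HSRP priority", hsrp_priority(110, 20, result[4]))
```

With the weights 10/20/10, list 4 is UP whenever at least 30 percent of the total weight is up, so losing e0/2 alone (20 of 40) still leaves the list UP while losing e0/2 and e0/3 together brings it DOWN; list 5 needs every member including list 4, and list 6 needs any one.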

Benefits

• Provides customers additional granularity and control when designing network availability.

• Customers can customize the combination of “objects” that will initiate failing over or redistribution of traffic within an FHRP group.

Hardware

Product Management Contact: Mark Denny, [email protected]

2.8.14) Network Address Translation—Support for H.323 Fragmented Control Messages

For various reasons, control messages for most multimedia applications (i.e., H.323, Skinny Client Control Protocol) may arrive at a router as fragments. Reasons include: low MTU at origin, TCP window size limitations, and fragmentation by some middle box. While IP level (Layer 3) fragmentation is common and well understood, some applications have control messages that could span several IP datagrams. For example, the control message of an application that uses TCP could arrive at a router running Network Address Translation (NAT) as multiple IP (TCP) packets that are not fragmented.

Routers • http://www.cisco.com/go/fn/

Currently Cisco IOS NAT expects the entire control message to be present in a single IP packet. If NAT receives a control message that is fragmented, the packet is simply dropped.

This enhancement supports:

• H.323 control messages that span several IP fragments.

• H.323 control messages that span several non-fragmented IP datagrams.

In order to translate the embedded address/port in the payload, NAT has to reassemble fragments so that the control message is available in its entirety in the payload. Once the set of packets that make up a complete control message has been received, the complete message is processed by NAT and then routed on to its destination.
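To make the reassembly requirement concrete, the following Python program is an added example, not Cisco's NAT code: it frames constructed H.225 control messages with the TPKT header that H.323 call signaling uses over TCP (RFC 1006: version 3, reserved byte, 16-bit total length including the 4-byte header), splits the stream across several TCP segments, and shows that a per-flow reassembler releases whole messages while a single-packet check (the pre-enhancement behaviour described above) yields nothing. The message bodies, the flow tuple and the per-flow buffer limit are constructed; the bodies are not real H.225 PDUs.

```python
"""Reassemble TPKT-framed H.323 control messages from TCP segments.

Added example, not Cisco's NAT code. A per-flow buffer releases a control
message only once all of its bytes have arrived, which is what an ALG needs
before it can rewrite addresses and ports embedded in the payload.
"""
import struct
from typing import Dict, List, Tuple

TPKT_HEADER = 4
MAX_MESSAGE = 64 * 1024   # constructed bound so one flow cannot buffer without limit

Flow = Tuple[str, int, str, int]   # (src ip, src port, dst ip, dst port)


def tpkt_frame(body: bytes) -> bytes:
    """Wrap a payload in a TPKT header (RFC 1006)."""
    return struct.pack("!BBH", 3, 0, TPKT_HEADER + len(body)) + body


class ControlMessageReassembler:
    """Per-flow byte buffer that yields complete TPKT-framed messages."""

    def __init__(self) -> None:
        self.buffers: Dict[Flow, bytes] = {}

    def feed(self, flow: Flow, segment: bytes) -> List[bytes]:
        """Append one TCP segment's payload; return the messages it completes."""
        buf = self.buffers.get(flow, b"") + segment
        if len(buf) > MAX_MESSAGE:
            self.buffers.pop(flow, None)     # discard the flow's state instead of growing it
            raise ValueError("flow %r exceeded %d buffered bytes" % (flow, MAX_MESSAGE))
        complete: List[bytes] = []
        while len(buf) >= TPKT_HEADER:
            version, _reserved, length = struct.unpack("!BBH", buf[:TPKT_HEADER])
            if version != 3 or length < TPKT_HEADER:
                self.buffers.pop(flow, None)
                raise ValueError("bad TPKT header on flow %r" % (flow,))
            if len(buf) < length:
                break                        # message still incomplete: wait for more segments
            complete.append(buf[TPKT_HEADER:length])
            buf = buf[length:]
        if buf:
            self.buffers[flow] = buf
        else:
            self.buffers.pop(flow, None)
        return complete


def drop_if_fragmented(segment: bytes) -> bytes:
    """Pre-enhancement behaviour: accept a message only if one segment holds all of it."""
    if len(segment) < TPKT_HEADER:
        return b""
    length = struct.unpack("!H", segment[2:4])[0]
    return segment[TPKT_HEADER:length] if len(segment) >= length else b""


# Constructed sample: one control message split over three TCP segments,
# followed by a second, small message that arrives whole in the last segment.
FLOW: Flow = ("192.0.2.10", 1720, "198.51.100.5", 1720)
MESSAGE_A = b"SETUP " + b"A" * 40 + b" calling=192.0.2.10:5000"
MESSAGE_B = b"ALERTING"
STREAM = tpkt_frame(MESSAGE_A) + tpkt_frame(MESSAGE_B)
SEGMENTS = [STREAM[:20], STREAM[20:50], STREAM[50:]]


def run_sample() -> Tuple[List[bytes], List[bytes]]:
    """Return (messages from the reassembler, messages from the single-packet path)."""
    reassembler = ControlMessageReassembler()
    reassembled: List[bytes] = []
    for seg in SEGMENTS:
        reassembled.extend(reassembler.feed(FLOW, seg))
    single_packet = [m for m in (drop_if_fragmented(seg) for seg in SEGMENTS) if m]
    return reassembled, single_packet


if __name__ == "__main__":
    good, old = run_sample()
    print("reassembled:", good)
    print("single-packet path:", old)
```

The buffer cap and the header sanity check matter as much as the reassembly itself: an ALG that buffers until a declared length is satisfied must bound that state per flow and discard it on a malformed header, otherwise the reassembly queue becomes a resource-exhaustion point on the NAT device.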

Benefits

Provides enhanced support for H.323-based Voice over IP sessions.

Hardware

Product Management Contact: Mark Denny, [email protected]

2.8.15) IP over IPv6 Tunnels

Description

IP over IPv6 tunnels encapsulates IPv4 or IPv6 packets in IPv6 packets for delivery across a native IPv6 infrastructure.

Routers • http://www.cisco.com/go/fn/


Figure 30: IP over IPv6 Tunnels

Benefits

• IPv6 VPN over a native IPv6 infrastructure, enabled through IPv6 over IPv6 tunnels.

• Allows IPv6 multicast traffic to go over a native IPv6 infrastructure that is not “IPv6 Multicast” enabled.

• Enables IPv6 multihoming as proposed in RFC 3178.

• IPv4 sites can be connected over a native IPv6-only infrastructure.

Refer to the following document for additional information:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123cgcr/ipv6_vcg.htm

Hardware

Product Management Contact: [email protected]

2.8.16) IPv6 Policy-Based Routing

Description

This software release introduces support for IPv6 policy-based routing in Cisco IOS Release 12.3T. Policy-based routing provides a tool for expressing and implementing forwarding and routing of data packets based on the policies defined by network administrators. In effect, policy-based routing is a way to have policy override routing protocol decisions. Policy-based routing includes a mechanism for selectively applying policies based on access list or packet size. The actions taken can include routing packets on user-defined routes or setting the precedence and type of service bits.

Routers • Cisco 1700–7500 Series Routers

[Figure 30 (IP over IPv6 Tunnels): the diagram did not survive extraction; labels that remain: Customer No 1 2001:0410:0001:/48 (Requires IPv6 over IPv6); Customer No 2 2001:0410:0002:/48; ISP 2001:0410::/32, which only announces the /32 prefix; IPv6 Internet 2001::/16; ISP 2001:0420::/32.]


Benefits

• Source-Based Transit Provider Selection—Internet service providers and other organizations can use policy-based routing to route traffic originating from different sets of users through different Internet connections across the policy routers.

• Quality of Service (QoS)—Organizations can provide QoS to differentiated traffic by setting the Traffic Class values in the IPv6 packet header at the periphery of the network and leveraging queuing mechanisms to prioritize traffic in the core or backbone of the network.

• Cost Savings—Organizations can achieve cost savings by distributing interactive and batch traffic among low-bandwidth, low-cost permanent paths and high-bandwidth, high-cost, switched paths.

• Load Sharing—In addition to the dynamic load-sharing capabilities offered by destination-based routing that the Cisco IOS Software has always supported, network managers can now implement policies to distribute traffic among multiple paths based on the traffic characteristics.

Refer to the following document for additional information:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123cgcr/ipv6_vcg.htm

Hardware

Product Management Contact: [email protected]

2.8.17) NAT—Stateful Failover Asymmetric Outside-to-Inside

Description

The Stateful NAT feature enables two NAT routers to participate in a primary/backup design. One of the routers is designated as the primary NAT router and a second router takes the backup NAT role. As traffic is actively transferred by the primary NAT router, it updates the backup NAT router with the NAT translation state (NAT translation table entries). If the primary NAT router fails or is out of service, the backup NAT router automatically takes over. When the primary comes back into service it takes over again and requests an update from the backup NAT router.

The expected behavior in Stateful NAT phase 1 is that all sessions pass through the primary NAT router, which is in control of the NAT translation entries, unless the primary NAT router is unavailable. This assures the integrity of the translation information by guarding against the possibility of a packet relevant to NAT session control traversing the backup without the primary being aware of it. When the translation information is not synchronized, the IP session in question will eventually stop working.

Routers • Cisco 1700–7500 Series Routers


Figure 31: Stateful NAT—Asymmetric Outside-to-Inside Support—Before

With the Stateful Failover Asymmetric Outside-to-Inside enhancement, return traffic is handled by either the primary or the backup NAT translator and NAT translation integrity is preserved.

When the backup NAT router receives asymmetric IP traffic and performs NAT on the packets, it updates the primary NAT router to ensure that both the primary and backup NAT translation tables remain synchronized.
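The following Python program is an added example, not Cisco's Stateful NAT implementation: it models a primary/backup pair that replicates dynamic translation entries, a reply that arrives asymmetrically at the backup and is translated there from the replicated entry (with the backup reporting the activity back to the primary), and the same reply at a router that never received the state, which is dropped. The entry values are those shown in the bulletin's figures (IL 192.168.123.4:1001, IG 11.1.1.1:1001, OG and OL 12.1.1.1:80); the NatRouter class, its activity counter and the packet tuples are constructed.

```python
"""Stateful NAT translation entries shared by a primary/backup pair.

Added example, not Cisco code. Models entry replication from primary to
backup, asymmetric outside-to-inside translation on the backup, and the
backup updating the primary about the traffic it handled.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]


@dataclass(frozen=True)
class NatEntry:
    inside_local: Endpoint     # IL: host address as seen inside
    inside_global: Endpoint    # IG: address the outside sees for it
    outside_global: Endpoint   # OG: the outside peer
    outside_local: Endpoint    # OL: peer as seen inside (same as OG here, no outside translation)


class NatRouter:
    def __init__(self, name: str) -> None:
        self.name = name
        self.peer: Optional["NatRouter"] = None
        # keyed both ways so either direction of a flow finds the entry
        self.by_inside: Dict[Tuple[Endpoint, Endpoint], NatEntry] = {}
        self.by_outside: Dict[Tuple[Endpoint, Endpoint], NatEntry] = {}
        self.activity: Dict[NatEntry, int] = {}   # constructed stand-in for per-entry liveness state
        self.replicated_from_peer = 0

    def install(self, entry: NatEntry, replicate: bool = True) -> None:
        self.by_inside[(entry.inside_local, entry.outside_local)] = entry
        self.by_outside[(entry.outside_global, entry.inside_global)] = entry
        if replicate and self.peer is not None:
            self.peer.install(entry, replicate=False)
            self.peer.replicated_from_peer += 1

    def _touch(self, entry: NatEntry, from_peer: bool = False) -> None:
        """Record use of the entry and tell the peer, so both sides age it alike."""
        self.activity[entry] = self.activity.get(entry, 0) + 1
        if not from_peer and self.peer is not None:
            self.peer._touch(entry, from_peer=True)

    def translate_inside_to_outside(self, src: Endpoint, dst: Endpoint, ig: Endpoint) -> Tuple[Endpoint, Endpoint]:
        """Inside->outside packet: create the entry on first use, then rewrite the source."""
        entry = self.by_inside.get((src, dst))
        if entry is None:
            entry = NatEntry(src, ig, dst, dst)
            self.install(entry)
        self._touch(entry)
        return entry.inside_global, entry.outside_global

    def translate_outside_to_inside(self, src: Endpoint, dst: Endpoint) -> Optional[Tuple[Endpoint, Endpoint]]:
        """Outside->inside packet: rewrite the destination if an entry exists, else None (dropped)."""
        entry = self.by_outside.get((src, dst))
        if entry is None:
            return None
        self._touch(entry)
        return entry.outside_local, entry.inside_local


def pair(primary: NatRouter, backup: NatRouter) -> None:
    primary.peer, backup.peer = backup, primary


def asymmetric_return_path() -> dict:
    """Flow leaves through the primary; the reply arrives on the backup."""
    primary, backup = NatRouter("primary"), NatRouter("backup")
    pair(primary, backup)
    inside, server, ig = ("192.168.123.4", 1001), ("12.1.1.1", 80), ("11.1.1.1", 1001)
    outbound = primary.translate_inside_to_outside(inside, server, ig)
    reply_at_backup = backup.translate_outside_to_inside(server, ig)
    entry = primary.by_inside[(inside, server)]
    unsynced = NatRouter("unsynced")   # a backup that never received the state
    return {
        "outbound": outbound,
        "reply_at_backup": reply_at_backup,
        "reply_without_sync": unsynced.translate_outside_to_inside(server, ig),
        "entries_replicated_to_backup": backup.replicated_from_peer,
        "activity_seen_by_primary": primary.activity[entry],
    }


if __name__ == "__main__":
    for key, value in asymmetric_return_path().items():
        print(key, "=", value)
```

The unsynced router returning None is the failure mode the text describes: without the replicated entry there is nothing to map 12.1.1.1:80 to 11.1.1.1:1001 back onto, so the reply is dropped and the session eventually stalls.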

[Figure 31 diagram did not survive extraction; labels that remain: Primary NAT 192.168.123.4, Backup NAT 192.168.123.5, HSRP Virtual IP 192.168.123.1, .2, .3, SP Network A, SP Network B, and the same Dynamic NAT Entry shown on both routers: IL 192.168.123.4:1001, IG 11.1.1.1:1001, OG 12.1.1.1:80, OL 12.1.1.1:80.]


Figure 32: Stateful NAT—Asymmetric Outside-to-Inside Support

This enhancement is the next step towards having two or more NAT devices actively performing NAT and backing each other up, or ‘Active-Active’ NAT.

Benefits

• Ability to support multiple routing paths from outside-to-inside.

• Ability to handle IP Flow or Per Packet load balancing of asymmetric routing from outside-to-inside.

• Improved ROI as the Backup NAT router is not sitting idle.

Refer to the following document for additional information:

For an overview of the initial Stateful NAT capability, please refer to:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122t/122t13/ftsnat.htm

Hardware

Product Management Contact: [email protected]

Routers • Use Feature Navigator to find the latest supported platform information: http://www.cisco.com/go/fn/

[Figure 32 diagram (the “after” picture) did not survive extraction; its labels repeat those of Figure 31: Primary NAT 192.168.123.4, Backup NAT 192.168.123.5, HSRP Virtual IP 192.168.123.1, .2, .3, SP Network A, SP Network B, and the same Dynamic NAT Entry on both routers (IL 192.168.123.4:1001, IG 11.1.1.1:1001, OG 12.1.1.1:80, OL 12.1.1.1:80).]


2.8.18) NAT—Stateful Failover for Embedded Addressing

Description

• The Stateful Failover Embedded Addressing enhancement allows the secondary (backup) NAT router to properly handle NAT and deliver IP traffic.

• This feature is an enhancement to the Stateful Network Address Translation (NAT) feature introduced in Release 12.2(13)T. The initial Stateful NAT feature targeted IP header translations only, with a plan to deliver embedded translation support in a phase 2 release.

• Cisco IOS NAT inspects all IP traffic entering interfaces which have been configured with the NAT feature. The inspection consists of matching the incoming traffic against a rule set (a set of translation rules) and performing an address translation if a match occurs. For example:

– Matching a source address range.

– Matching a specific destination address range.

– Matching a list of applications known to NAT which might:

• Require a specific source port for control plane negotiation.

• Embed source IP addresses within the application protocol.

• Some of the applications and protocols which embed Source Port or IP Address information include:

– H.323 RAS

– DNS A and PTR queries

– NetMeeting Internet Locator Server (ILS)

– ICMP

– SMTP

– PPTP

– Cisco Selsius Skinny Client Protocol (SCCP)

• A complete list of current Application Layer Gateways (ALGs) supported by Cisco IOS NAT can be found at:

http://www.cisco.com/en/US/tech/tk648/tk361/tech_brief09186a00801af2b9.html


Figure 33: Cisco IOS NAT ALG Support

• When the Stateful NAT capability performs a failover, all of the Application Layer Gateways (applications and protocols) supported by Cisco IOS NAT at the time of this release seamlessly fail over.

[Figure 33 (Cisco IOS NAT Application Layer Gateway (ALG) Support) was a table; its release column did not survive extraction in a form that can be matched to rows, so only the groupings are kept. Signaling and VoIP: H.323v2 (all H.225/H.245 message types), H.323v1 (for NetMeeting v2.x), H.323v2 (for NetMeeting v3.x), H.323v2 RAS, IP Phone to Cisco CM (Skinny), NetMeeting Directory (ILS), SIP. IP Protocols: Archie, DNS “A” and “PTR”, Finger, FTP, HTTP, ICMP, NFS, NTP, rlogin, rsh, rcp, Telnet, TFTP, SMTP. Vendor Specific: CuSeeMe (White Pines), RealAudio (Progressive Networks), StreamWorks (Xing Technologies), VDOLive, Vxtreme. Other: NetBIOS over TCP/IP (Datagram, Name, and Session Services), IP Multicast (source translation only), PPTP Support with PAT, SPI Matching – Multiple ESP Mode Tunnels (12.2(15)T), and any TCP/UDP traffic that does not carry source or destination addresses in the payload. Releases that appeared in the table: Wide Use, 11.3(4), 12.0(1), 12.0(1)T, 12.0(7)T, 12.1(2)T, 12.1(5)T, 12.2(2)T, 12.2(8)T, 12.2(15)T.]


Figure 34: Stateful NAT—Primary to Secondary State Synchronization

Figure 35: Stateful NAT—Failover to the Secondary NAT

[Figures 34 and 35 diagrams did not survive extraction; labels that remain (identical in both): DOMAIN A, DOMAIN B, 192.168.123.4, 192.168.123.5, HSRP Virtual IP 192.168.123.1, .2, .3, and the Dynamic NAT Entry IL 192.168.123.4:1001, IG 11.1.1.1:1001, OG 12.1.1.1:80, OL 12.1.1.1:80 shown on both routers.]

The NAT configuration shown in both figures, with the extraction's stray spaces removed:

ip nat pool SNATPOOL1 11.1.1.1 11.1.1.9 prefix-length 24
ip nat inside source route-map rm-101 pool SNATPOOL1 mapping-id 10 overload


Benefits

• Ability to seamlessly fail over translated IP sessions with traffic that includes embedded IP addressing (VoIP applications, FTP, DNS—refer to the ALG chart and URL provided).

Refer to the following document for additional information:

For an overview of the initial Stateful NAT capability, please refer to:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122t/122t13/ftsnat.htm

Hardware

Product Management Contact: [email protected]

2.8.19) NAT—Static IP Support

Description

The majority of users on public WLAN networks use DHCP for dynamic address assignment; however, some percentage of users will have a statically assigned IP address. This static assignment is specific to their “home” network.

With a static address assignment, these users are not able to access a public WLAN network and gain access to the IP network and services offered.

Figure 36: Public WLAN Access for Static IP Users Before NAT—Static IP Support

Routers • Use Feature Navigator to find the latest supported platform information: http://www.cisco.com/go/fn/

[Figure 36 diagram did not survive extraction; labels that remain: Access Zone Router, WLAN Clients, User A with Static IP, User B with DHCP, Internet, E-mail, VPN, etc.]


• The NAT—Static IP enhancement allows public WLAN providers to offer service to customers that use static IP address assignment for their users.

• No reconfiguration is required on the part of the user with the statically assigned IP address. The user can roam into a public WLAN “hotspot”, log in to the public WLAN network and immediately gain access to the services offered.

• The Cisco IOS NAT feature detects the user trying to access the network and dynamically assigns the user a unique routable IP address for the life of the session.

– Works with ARP to ensure proper reachability.

– Translates to and from the static source IP address and a routable unique IP address on the public WLAN network.

– Generates user accounting information processed by the Cisco Service Selection Gateway (SSG) feature.

– Handles all clean-up when the user has logged off.

Figure 37: Public WLAN Access for Static IP Users with NAT—Static IP Support

Benefits

• Ability for static IP address users to connect to a public WLAN network.

• Ability to prevent a malicious client from preventing access to a valid host on the outside domain.

• No client reconfiguration needed for clients configured with static IP addresses.

• Accounting information generated per user session.

[Figure 37 diagram did not survive extraction; labels that remain: Wi-Fi Zone with User A, Cisco Access Points and Cisco Access Zone Router; IP Aggregation & Core with Switch w/ CSG and SSG; Data Center with Cisco CNS Access Registrar, Cisco Access Control, Billing/Prepaid Partner and Services Servers; Internet; Corporate Network (VPN). The numbered sequence drawn between User A, ARP and NAT reads: 1. Gratuitous ARP; 2. ARP for Gateway; 3. ARP Reply (Proxy); 4. First IP Packet from the Host; 5. NAT Creates an Entry; 6. Create ARP Entry; 7. User Accounting; 8. IP Traffic Flows, NAT Handles Translation and Direct Delivery to the Static IP User; 9. ARP Timed Out; 10. NAT Deletes Entry; 11. User Accounting.]


• The Access Zone Router supports the following cases:

– Web login using a static IP address.

– 802.1x login using a static IP address.

Hardware

Product Management Contact: Mark Denny, [email protected]

2.8.20) ACL—Named ACL Support for Noncontiguous Ports on an Access Control Entry

Description

• Prior to this enhancement, multiple application ports could be listed on the same Access Control Entry (ACE), but they had to be contiguous. If they weren’t contiguous, a separate ACE was required for each non-contiguous port.

• This enhancement enables customers to specify an ACE with non-contiguous application ports, which reduces the number of ACEs within an Access Control List (ACL) group and simplifies management of their ACL groups.

• There is a maximum of 10 source ports and 10 destination ports per ACE.

• Example of ACL—Support for non-contiguous Port Ranges on an ACE.

Before the enhancement (one ACE per port):

access-list host 100.52.65.11 host 172.23.56.10 eq www
access-list host 100.52.65.11 host 172.23.56.10 eq smtp
access-list host 100.52.65.11 host 172.23.56.10 eq lpd
access-list host 100.52.65.11 host 172.23.56.10 eq telnet
access-list host 100.52.65.11 host 172.23.56.10 eq tftp

With the enhancement:

access-list host 100.52.65.11 host 172.23.56.194 eq www smtp lpd telnet tftp
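The following Python program is an added example, not Cisco code: it merges the five single-port entries above into one entry carrying a non-contiguous port list, enforces the stated limit of 10 ports per ACE, renders the result in named extended ACL form, and checks with a first-match lookup that the merged list makes the same permit/deny decisions as the originals. The permit action, the tcp protocol keyword, the ACL name and the sample packets are constructed, since the bulletin's lines omit them; tftp is kept in the port list only because the bulletin's example lists it.

```python
"""Collapse per-port ACEs into one ACE with a non-contiguous port list.

Added example, not Cisco code. Models the bulletin's before/after ACL and
checks that the compaction preserves first-match semantics.
"""
from dataclasses import dataclass
from typing import List, Tuple

MAX_PORTS_PER_ACE = 10
SERVICE_PORTS = {"www": 80, "smtp": 25, "lpd": 515, "telnet": 23, "tftp": 69}
PORT_NAMES = {port: name for name, port in SERVICE_PORTS.items()}


@dataclass
class Ace:
    action: str
    proto: str
    src: str
    dst: str
    dst_ports: Tuple[int, ...] = ()   # empty tuple: any destination port

    def matches(self, proto: str, src: str, dst: str, dst_port: int) -> bool:
        return (self.proto == proto and self.src == src and self.dst == dst
                and (not self.dst_ports or dst_port in self.dst_ports))


def lookup(acl: List[Ace], proto: str, src: str, dst: str, dst_port: int) -> str:
    """First-match evaluation with the implicit deny at the end of an IOS ACL."""
    for ace in acl:
        if ace.matches(proto, src, dst, dst_port):
            return ace.action
    return "deny"


def compact(acl: List[Ace]) -> List[Ace]:
    """Merge consecutive ACEs that differ only in destination port.

    Only adjacent entries are merged, never entries separated by a
    different rule, because reordering across such a rule could change
    which entry matches first.
    """
    out: List[Ace] = []
    for ace in acl:
        if out:
            last = out[-1]
            same_rule = (last.action, last.proto, last.src, last.dst) == (ace.action, ace.proto, ace.src, ace.dst)
            if same_rule and last.dst_ports and ace.dst_ports:
                merged = tuple(dict.fromkeys(last.dst_ports + ace.dst_ports))   # dedupe, keep order
                if len(merged) <= MAX_PORTS_PER_ACE:
                    out[-1] = Ace(last.action, last.proto, last.src, last.dst, merged)
                    continue
        out.append(ace)
    return out


def render(acl: List[Ace], name: str) -> List[str]:
    """Render as named extended ACL lines (constructed 'ip access-list extended' form)."""
    lines = ["ip access-list extended %s" % name]
    for ace in acl:
        ports = " ".join(PORT_NAMES.get(p, str(p)) for p in ace.dst_ports)
        suffix = " eq " + ports if ports else ""
        lines.append(" %s %s host %s host %s%s" % (ace.action, ace.proto, ace.src, ace.dst, suffix))
    return lines


def equivalent(a: List[Ace], b: List[Ace], samples) -> bool:
    """True when both ACLs decide every sample packet the same way."""
    return all(lookup(a, *s) == lookup(b, *s) for s in samples)


# Constructed 'before' ACL: the bulletin's five single-port entries.
BEFORE = [Ace("permit", "tcp", "100.52.65.11", "172.23.56.10", (SERVICE_PORTS[s],))
          for s in ("www", "smtp", "lpd", "telnet", "tftp")]

# Constructed sample packets: the five listed ports, two unlisted ports, one other source.
SAMPLES = [("tcp", "100.52.65.11", "172.23.56.10", p) for p in (80, 25, 515, 23, 69, 22, 443)]
SAMPLES.append(("tcp", "100.52.65.99", "172.23.56.10", 80))

if __name__ == "__main__":
    after = compact(BEFORE)
    print("\n".join(render(BEFORE, "BEFORE")))
    print("\n".join(render(after, "AFTER")))
    print("same decisions on all samples:", equivalent(BEFORE, after, SAMPLES))
```

The equivalence check is the part worth keeping in any ACL clean-up tooling: compaction that changes a single decision is a policy change, not a tidy-up, and checking a sample set against both versions catches that before the list is pushed to a device.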

Benefits

• Reduction in the number of entries within an ACL group.

• Improved management of large ACL groups.

Hardware

Product Management Contact: [email protected]

Routers • See Feature Navigator for supported platforms: http://www.cisco.com/go/fn/

Routers • Use Feature Navigator to find the latest supported platform information: http://www.cisco.com/go/fn/


2.8.21) Rate Based Satellite Control Protocol (RBSCP)

Description

Two well-known characteristics of satellite links cause very poor TCP performance:

• Higher bit-error rates over the satellite link as compared to hard links cause an increase in lost packets.

• Long round-trip time (RTT) over the satellite link, typically > 500ms.

These characteristics cause the following problems:

• The slow start time is much longer (due to the long RTT), increasing the time it takes for a TCP sender to fully ramp up its sending rate.

• The incorrect interpretation of pack loss by TCP as congestion results in a congestion window collapse such that only one MTU of data may be allowed to be outstanding. In addition, the long RTT prevents the use of localized link retransmissions as an effective method to mitigate the packet loss.

The combination of these two issues keeps a TCP sender in a perpetual slow start, sending well below the available bandwidth of the satellite link. The traditional solution to this problem is to utilize a disruptive Performance Enhancing Proxy (PEP) in order to improve TCP performance across satellite links.
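The following Python program is an added example, not Cisco code, and a deliberately simplified TCP model: cwnd doubles each RTT in slow start and collapses to one segment on a loss that TCP misreads as congestion, which is the behaviour the two bullets above describe. It computes how many round trips a sender needs before it can fill a link of a given bandwidth-delay product, compares a 550 ms satellite RTT with a 20 ms terrestrial one at the same bandwidth, and runs a fixed loss schedule to show the perpetual-slow-start effect. The link parameters and the loss schedule are constructed.

```python
"""Why long RTT and loss starve TCP on a satellite link.

Added example, not Cisco code. Simplified model: slow start doubles cwnd
every RTT from one segment, cwnd is capped at the bandwidth-delay product,
and any loss collapses cwnd back to one segment.
"""
import math


def bandwidth_delay_product(bandwidth_bps: float, rtt_s: float, mss_bytes: int = 1460) -> int:
    """Segments that must be in flight to keep the link full (rounded up)."""
    return math.ceil(bandwidth_bps * rtt_s / 8 / mss_bytes)


def slow_start_rtts(target_segments: int, initial_cwnd: int = 1) -> int:
    """Round trips for cwnd to reach target_segments when it doubles each RTT."""
    if target_segments <= initial_cwnd:
        return 0
    return math.ceil(math.log2(target_segments / initial_cwnd))


def time_to_fill_link(bandwidth_bps: float, rtt_s: float, mss_bytes: int = 1460) -> float:
    """Seconds of slow start before the sender can keep the pipe full."""
    return slow_start_rtts(bandwidth_delay_product(bandwidth_bps, rtt_s, mss_bytes)) * rtt_s


def simulate(bandwidth_bps: float, rtt_s: float, rtts: int, loss_per_rtt: float, mss_bytes: int = 1460):
    """Per-RTT model: send cwnd segments, collapse to one segment on a loss.

    loss_per_rtt is the fraction of rounds that suffer a loss; a
    deterministic schedule (one lost segment every 1/loss_per_rtt rounds)
    keeps the result reproducible. Returns (segments delivered, fraction
    of link capacity used over the run).
    """
    period = int(round(1 / loss_per_rtt)) if loss_per_rtt > 0 else 0
    bdp = bandwidth_delay_product(bandwidth_bps, rtt_s, mss_bytes)
    cwnd, delivered = 1, 0
    for rnd in range(1, rtts + 1):
        sent = min(cwnd, bdp)
        if period and rnd % period == 0:
            delivered += sent - 1    # one segment lost and still to be resent
            cwnd = 1                 # loss read as congestion: window collapse
        else:
            delivered += sent
            cwnd = min(cwnd * 2, bdp)
    return delivered, delivered / (bdp * rtts)


if __name__ == "__main__":
    # Constructed links: the same 2 Mbps, satellite vs terrestrial RTT.
    for label, rtt in (("satellite", 0.55), ("terrestrial", 0.02)):
        bdp = bandwidth_delay_product(2e6, rtt)
        print("%-11s BDP %3d segments, %d RTTs, %.2f s to fill the link"
              % (label, bdp, slow_start_rtts(bdp), time_to_fill_link(2e6, rtt)))
    for loss in (0.0, 0.1):
        delivered, used = simulate(2e6, 0.55, 20, loss)
        print("satellite, loss per RTT %.1f: %d segments in 20 RTTs, %.0f%% of capacity"
              % (loss, delivered, 100 * used))
```

At 2 Mbps the satellite link needs 95 segments in flight and seven round trips (3.85 s) just to get there, while the terrestrial link needs four segments and 40 ms; add one loss every ten rounds and the satellite sender spends most of its time climbing back from a single segment, which is the starvation the PEP and, later, RBSCP set out to avoid.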

Figure 38: IP Over Satellite Before—Disruptive TCP Performance Enhancing Proxy Model

Note that there are multiple boxes in a customer PEP configuration. Basically, hosts on the remote side connect to the Internet through their default router. The router has two links, one to the network of hosts and the other leading to a PEP box. The router considers its upstream gateway to the Internet to be the PEP, thus it routes all traffic to the PEP. The PEP terminates any TCP connection flowing to the Internet, spoofing all Internet addresses and ports. Traffic is buffered and then retransmitted through a single PEP connection over satellite. The PEP on the other side of the satellite connection receives the data and transmits incoming data over separate TCP connections to the destination host on the Internet [1], one for each connection between the remote side and the network side. Data coming from the network side is translated in a similar manner to the remote side. Any non-TCP traffic [2] is intercepted and forwarded as well.

[Figure 38 diagram did not survive extraction; labels that remain: Hub Station and Remote Station on either side of the Satellite Network, each with a Host, a Router and a TCP PEP; Internet Host; the path carries TCP Data, then the Proprietary PEP Protocol across the satellite, then TCP Data again.]


The advantages the customer gains using this disruptive PEP configuration are the following:

• Elimination of the TCP flows across the satellite misidentifying dropped packets as congestion.

• Full bandwidth utilization of the satellite link by the elimination of the classic TCP slow-start and initial cwnd variables.

• Increased bandwidth by minimizing the amount of TCP-ACK traffic transmitted over the satellite link (allowing for any overhead).

• Greatly reduced TCP slow start time from the end host perspective by generating TCP ACKs at each local router.

The disadvantages of this configuration are numerous (refer to Section 4 of RFC 3135 for more):

• Every new transport protocol introduced to the Internet needs special handling so that the PEPs recognize and can handle the new traffic type (examples of upcoming protocols include SCTP and DCCP).

• Encrypted traffic such as IPsec cannot be enhanced, because the end hosts control the encryption and the PEP cannot see the TCP headers it would need to act on. The only exception is if the end hosts are willing to terminate the IPsec connection at the PEP and trust the provider to carry the data in some secure fashion over the satellite link, which moves the trust boundary onto the provider's equipment. Alternatively, IPsec traffic may be tunneled inside TCP flows, which requires client and server software at the end hosts.

• Loss of shared fate in the end-to-end communication path. Fate is shared when the failure of one end host causes the transport to fail and give an appropriate indication to the peer end host. A disruptive PEP acknowledges data locally before it has been delivered to the end host, so the end hosts may remain unaware of a crash or other path failure for some time.

A simpler protocol, Rate Based Satellite Control Protocol (RBSCP), is used in place of PEP. RBSCP allows two routers to control and monitor the sending rate across the satellite link, achieving better bandwidth utilization. RBSCP also retransmits packets lost over the satellite link to increase link reliability and to help keep the end host TCP senders out of slow start.

1. This simplified description omits the interaction required to set up state in both PEPs when a new TCP connection starts. Each end host TCP connection requires state propagation in the PEPs and message exchanges.

2. Such as UDP and Multicast.


Figure 39 IP Over Satellite After, with Rate Based Satellite Control Protocol (RBSCP)

RBSCP as a Virtual Interface

RBSCP is implemented with a virtual tunnel interface in Cisco IOS Software, and it will look and behave like any

other tunnel interface within the router. IP traffic will be sent across the satellite link with appropriate modifications

and/or enhancements, as determined by the router configuration.

Time Warp Delay Insertion

One router of the pair delays frames in transit between the two sides. This delay increases the RTT that the end host's TCP (or other protocol) stack estimates; this "time-warps" the sender into allowing RBSCP to attempt localized, limited retransmission and recovery of lost TCP (or other protocol) frames. The delay allows for a single retransmission before the end host's TCP sender retransmits itself and collapses its congestion window.

TCP ACK Splitting

Additional performance improvements can be made for clear-text TCP senders. When the satellite link is under

utilized, each router may perform ACK splitting for clear-text TCP ACKs traversing the link. This causes the end

host TCP sender to open the congestion window more quickly and thus increases bandwidth utilization.

Benefits

• Single device handles both routing and optimized IP over the satellite network.

• Non-disruptive software solution preserves the end-to-end IP session.

• Maximizes link bandwidth utilization while reducing slow start.

• Supports IPsec encryption of end host clear text traffic across the satellite link (e.g. a VPN service configuration).

[Figure 39: Remote Station (Hosts, Router) and HUB Station (Router, Internet hosts) joined across the Satellite Network by a Rate-Based Satellite Control Protocol tunnel; TCP/UDP/SCTP user data passes end to end through the tunnel.]


• Does not require any stack/software changes or additional software at the end hosts (e.g. TCP stack changes,

additional client-server software, etc.).

• Supports the use of existing Cisco IOS Software features such as QoS, IPsec, and others.

Hardware

Product Management Contact: [email protected]

2.8.22) IPv6 Anycast Address

An IPv6 Anycast address is an address that is assigned to a set of interfaces that typically belong to different nodes.

A packet sent to an Anycast address is delivered to the closest interface—as defined by the routing protocols in use—

identified by the anycast address. Anycast addresses are syntactically indistinguishable from unicast addresses

because anycast addresses are allocated from the unicast address space. Assigning an IPv6 unicast address to more

than one interface makes a unicast address an anycast address.

Example (Figure 40): Cisco IOS Software routers set as 6to4 Relay [see RFC 3056] can be configured with the 6to4

Relay Anycast address as defined in RFC 3068.

Figure 40 Anycast Prefix for 6to4 Relay

Routers • Use Feature Navigator to find the latest supported platform information: http://www.cisco.com/go/fn/

[Figure 40 labels: IPv6 Network; 6to4 Router1; 192.168.99.1; IPv6 address 2002:c0a8:1e01::1; IPv4 network; 6to4 Relay; IPv6 Internet; network prefix 2002:c0a8:6301::/48. 6to4 relay: is a gateway to the rest of the IPv6 Internet. Default router: anycast address (RFC 3068) for multiple 6to4 relays.]

Configuration of 6to4 Router1:

router1#
interface Loopback0
 ip address 192.168.99.1 255.255.255.0
 ipv6 address 2002:c0a8:6301:1::/64 eui-64
interface Tunnel0
 no ip address
 ipv6 unnumbered Ethernet0
 tunnel source Loopback0
 tunnel mode ipv6ip 6to4
ipv6 route 2002::/16 Tunnel0
ipv6 route ::/0 2002:c0a8:1e01::1
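The 6to4 address arithmetic behind Figure 40, as an added worked example that is not part of the original bulletin or of Cisco's code. It derives the /48 prefix that RFC 3056 assigns to an IPv4 address (192.168.99.1 gives the 2002:c0a8:6301::/48 used on Loopback0 above; the RFC 3068 relay anycast address 192.88.99.1 gives 2002:c058:6301::/48), decodes the IPv4 address embedded in a 6to4 address (the configured default route points at 2002:c0a8:1e01::1, whose embedded address is 192.168.30.1, that is, one specific relay rather than the anycast prefix), and applies the anti-spoofing check from RFC 3964 that a 6to4 router or relay should make when it decapsulates protocol-41 traffic: the IPv4 address embedded in a 6to4 inner source must equal the outer IPv4 source. The check function and its require_global switch are assumptions for illustration; require_global is turned off in the usage below only because the figure uses RFC 1918 addresses. Standard library only.

```python
import ipaddress

SIXTO4_PREFIX = 0x2002                                     # RFC 3056: 2002::/16
RELAY_ANYCAST_V4 = ipaddress.IPv4Address("192.88.99.1")    # RFC 3068 relay anycast


def sixto4_prefix(ipv4):
    """Return the /48 6to4 prefix (RFC 3056) derived from an IPv4 address.

    The 32-bit IPv4 address sits directly behind the 16-bit 2002 prefix,
    so 192.168.99.1 (c0a8:6301) becomes 2002:c0a8:6301::/48.
    """
    v4 = int(ipaddress.IPv4Address(ipv4))
    return ipaddress.IPv6Network(((SIXTO4_PREFIX << 112) | (v4 << 80), 48))


def embedded_ipv4(ipv6):
    """Extract the IPv4 address embedded in a 6to4 address; None if not 6to4."""
    v6 = ipaddress.IPv6Address(ipv6)
    if (int(v6) >> 112) != SIXTO4_PREFIX:
        return None
    return ipaddress.IPv4Address((int(v6) >> 80) & 0xFFFFFFFF)


def relay_anycast_prefix():
    """The 6to4 prefix every RFC 3068 relay shares: 2002:c058:6301::/48."""
    return sixto4_prefix(RELAY_ANYCAST_V4)


def check_6to4_decap(outer_src_v4, inner_src_v6, require_global=True):
    """Hypothetical decapsulation check (RFC 3964 security considerations).

    When a 6to4 router or relay receives a protocol-41 packet whose inner IPv6
    source is a 6to4 address, the IPv4 address embedded in that source must be
    the outer IPv4 source, otherwise the IPv6 source is spoofed. With
    require_global the embedded address must also be a routable unicast
    address (no RFC 1918, loopback, multicast and so on). Returns
    (accepted, reason).
    """
    outer = ipaddress.IPv4Address(outer_src_v4)
    inner = ipaddress.IPv6Address(inner_src_v6)
    embedded = embedded_ipv4(inner)
    if embedded is None:
        # A native IPv6 source arriving over 6to4: only a relay legitimately
        # sees these, and a plain 6to4 site router should treat them as suspect.
        return False, "inner source is not a 6to4 address"
    if embedded != outer:
        return False, "embedded %s != outer source %s" % (embedded, outer)
    if require_global and not embedded.is_global:
        return False, "embedded %s is not a global unicast address" % embedded
    return True, "ok"


if __name__ == "__main__":
    print(sixto4_prefix("192.168.99.1"))            # 2002:c0a8:6301::/48
    print(relay_anycast_prefix())                   # 2002:c058:6301::/48
    print(embedded_ipv4("2002:c0a8:1e01::1"))       # 192.168.30.1
    # Packet from Router1's own prefix arriving with Router1's IPv4 source: accepted.
    print(check_6to4_decap("192.168.99.1", "2002:c0a8:6301:1::1", require_global=False))
    # Same inner source but a different outer source: a spoofed 6to4 address.
    print(check_6to4_decap("10.0.0.9", "2002:c0a8:6301:1::1", require_global=False))
```

The relay-side check matters because a 6to4 relay accepts protocol-41 traffic from any IPv4 source; without comparing the embedded and outer addresses, anyone on the IPv4 Internet can inject packets into the IPv6 Internet with an arbitrary 2002::/16 source.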


Benefits

• Compliance with the IPv6 addressing architecture document.

• Enhanced scalability, discovery and failure recovery of 6to4 Relay.

Hardware

Additional Information: http://www.cisco.com/warp/public/732/Tech/ipv6/

• RFC 3068—An Anycast Prefix for 6to4 Relay Routers

Product Management Contact: [email protected]

2.8.23) Border Gateway Protocol—Policy Accounting Output Interface Accounting

Border Gateway Protocol (BGP) policy accounting measures and classifies IP traffic that is sent to, or received from,

different peers. Policy accounting was previously available on an input interface only. BGP Policy Accounting Output

Interface Accounting introduces several extensions to enable BGP policy accounting on an output interface, and to

include accounting based on a source address for both input and output traffic on an interface. Counters based on

parameters such as community list, autonomous system number, or autonomous system path are assigned to identify

the IP traffic.

Benefits

• Account for IP Traffic Differentially

– BGP policy accounting classifies IP traffic by autonomous system number, autonomous system path or

community list string, and increments packet and byte counters. Policy accounting can also be based on the

source address. Service Providers can account for traffic and apply billing, according to the origin of the traffic

or the route that specific traffic traverses.

• Efficient Network Circuit Peering and Transit Agreement Design

– Implementing BGP policy accounting on an edge router can highlight potential design improvements for

peering and transit agreements.

Hardware

Product Management Contact: [email protected]

2.8.24) ACL—Filtering IP Options and IP Options Selective Drop

IP Options provide control functions that are required in some situations but unnecessary for the most common

communications. IP Options include provisions for timestamps, security, and special routing.

IP Options may or may not appear in datagrams. They must be implemented by all IP modules (host and gateways).

What is optional is their transmission in any particular datagram, not their implementation.

Routers • Cisco 830—7500 Series

Routers • Cisco 2600—7500 Series Routers


ACL Support for Filtering IP Options and ACL IP Options Selective Drop are separate enhancements that give the customer full flexibility in deciding how best to filter IP traffic that includes IP Options fields.

• ACL Support for Filtering IP Options allows you to filter packets based on a particular "option" value.

• ACL IP Options Selective Drop allows you either to drop all packets that contain IP Options or to ignore them, in which case the packets are forwarded as usual.

Benefits

• ACL Support for Filtering IP Options: filters packets that contain the selected IP Options out of the network and relieves downstream routers and hosts of the load from options packets. It also reduces the load on the Route Processor (RP) for packets with IP Options that require RP processing on distributed systems; previously such packets were always routed to or processed by the RP CPU, and filtering them prevents them from impacting the RP.

• ACL IP Options Selective Drop: drop mode filters options packets out of the network and relieves downstream routers and hosts of their load. Both the ignore and drop forms reduce the load on the RP for options that require RP processing on distributed systems, where such packets were previously always routed to or processed by the RP CPU.

Hardware

Restrictions

• Resource Reservation Protocol (RSVP), Multiprotocol Label Switching Traffic Engineering (MPLS TE), Internet Group Management Protocol Version 2 (IGMPv2), and other protocols that rely on IP Options packets (these use the Router Alert option) may not function in drop or ignore mode if this feature is configured.

• Turbo ACLs do not support ACL entries that filter using the option keyword, and such ACLs are not Turbo compiled. This restriction does not affect any other ACLs on the router. In general, not using Turbo ACLs in these cases is not considered a performance issue, because as of Release 12.3(2)T the performance of software-based ACLs is on the order of Turbo ACLs or faster.

• The ACL Support for Filtering IP Options feature can be used only with named, extended ACLs.
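An added example, not code from the bulletin or from Cisco IOS, showing what the two ACL features have to inspect: a parser that walks the IPv4 option area and reports the option type codes, and two policies on top of it, a selective-drop policy (drop or ignore every packet with options) and a per-option filter keyed by the IOS option keyword names. The packets at the bottom are constructed for the example; the names in OPTION_TYPES follow the IOS option keyword names and the type values come from RFC 791 and the IANA IP Option Numbers registry. Note that denying router-alert takes RSVP, MPLS TE and IGMPv2 with it, which is the restriction listed above; denying lsr and ssr, by contrast, removes source-routed packets that almost no legitimate application sends.

```python
import struct

# IPv4 option type codes (the full type byte: copied flag, class and number)
# keyed to the names Cisco IOS uses for the ACL "option" keyword.
OPTION_TYPES = {
    0: "eool", 1: "no-op", 7: "record-route", 68: "timestamp",
    130: "security", 131: "lsr", 137: "ssr", 148: "router-alert",
}


def parse_ipv4_options(packet):
    """Return the option type codes carried in an IPv4 header, in order.

    Walks the option area between byte 20 and the end of the header (IHL*4),
    honouring single-byte EOOL/NOP and the length byte of every other option.
    Raises ValueError for headers a router should drop as malformed.
    """
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("bad IHL")
    opts = packet[20:ihl]
    types, i = [], 0
    while i < len(opts):
        t = opts[i]
        if t == 0:                       # EOOL: the rest of the area is padding
            types.append(t)
            break
        if t == 1:                       # NOP is a single byte
            types.append(t)
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("option %d truncated" % t)
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("option %d has bad length %d" % (t, length))
        types.append(t)
        i += length
    return types


def option_names(packet):
    """IOS-style names of the options present (unknown types as 'type-N')."""
    return {OPTION_TYPES.get(t, "type-%d" % t) for t in parse_ipv4_options(packet)}


def selective_drop(packet, mode):
    """ACL IP Options Selective Drop: 'drop' discards every packet carrying
    options; 'ignore' forwards them as usual."""
    if mode not in ("drop", "ignore"):
        raise ValueError("unknown mode %r" % mode)
    has_options = bool(parse_ipv4_options(packet))
    return "drop" if mode == "drop" and has_options else "forward"


def filter_by_option(packet, denied_options):
    """ACL Support for Filtering IP Options: drop a packet that carries any
    option whose IOS option name is listed in denied_options."""
    return "drop" if option_names(packet) & set(denied_options) else "forward"


def build_ipv4(options=b"", src=(192, 0, 2, 10), dst=(192, 0, 2, 20), proto=6):
    """Constructed test packet: a bare IPv4 header (checksum left zero) with
    the given option bytes, padded with EOOL to a 32-bit boundary."""
    options = bytes(options) + b"\x00" * ((-len(options)) % 4)
    ihl = 5 + len(options) // 4
    header = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, 20 + len(options),
                         0, 0, 64, proto, 0, bytes(src), bytes(dst))
    return header + options


# Constructed samples: no options, a loose source route (type 131) through
# 192.0.2.1, and Router Alert (type 148) as carried by RSVP and IGMPv2.
PLAIN = build_ipv4()
LSRR = build_ipv4(b"\x83\x07\x04" + bytes((192, 0, 2, 1)))
ROUTER_ALERT = build_ipv4(b"\x94\x04\x00\x00")

if __name__ == "__main__":
    for name, pkt in (("plain", PLAIN), ("lsrr", LSRR), ("router-alert", ROUTER_ALERT)):
        print(name, sorted(option_names(pkt)),
              "selective-drop:", selective_drop(pkt, "drop"),
              "deny lsr/ssr:", filter_by_option(pkt, ["lsr", "ssr"]))
```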

Additional Information:

• http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123newft/123t/123t_4/gtipofil.htm

• http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/120newft/120limit/120s/120s23/

sel_drop.htm

• RFC 791: complete list and description of IP Options

http://www.faqs.org/rfcs/rfc791.html

Product Management Contact: Mark Denny, [email protected]

Routers http://www.cisco.com/go/fn/


2.8.25) NAT—Performance Related Enhancements

• A collection of enhancements aimed at improving the overall performance of the Network Address Translation (NAT) feature within Cisco IOS Software.

• The majority of the effort is transparent to the end customer; however, under certain circumstances customers should see:

– Optimized CPU utilization, taking longer to ramp to higher CPU percentages. This will vary with the type of IP traffic inspected by NAT, the specific platform in question, and other features active within the router.

– Improved throughput when using NAT.

• The specific enhancements are:

– Support for Cisco Express Forwarding (CEF): TCP flags SYN, FIN and RST are now handled in CEF, and translation entries are created in the CEF path.

– Translation table optimization: improved creation and searching of translations, pool and port list optimization, and support for fragmented packets.

Benefits

• Improved efficiency of CPU utilization when Network Address Translation is enabled in a router.

• Overall improved throughput; this may vary slightly depending on the type and complexity of the protocols NAT is inspecting.

Hardware

Product Management Contact: Mark Denny, [email protected]

2.8.26) NAT—Rate Limiting NAT Translation

This enhancement, "NAT—Rate Limiting NAT Translation", extends the existing capability of Cisco IOS Network Address Translation (NAT) to configure a maximum number of concurrent NAT translations within the router. The original capability was sufficient for the initial implementation of NAT, but with the increase in DoS attacks and new provider edge aggregation designs, a more flexible method is needed for controlling how, and to whom, NAT translations are allocated.

The enhancement allows customers to configure a NAT Rate Limiting hierarchy within each NAT router:

• Maximum number of concurrent translations for the router

• Maximum number of concurrent translations applied to each MPLS VPNs (assuming the router is part of an

MPLS network)

Routers http://www.cisco.com/go/fn/


• Maximum number of concurrent translations for an individual MPLS VPNs (assuming the router is part of an

MPLS network)

• Maximum number of concurrent translations applied to an ACL

– The ACL might be used to describe a specific subnet to apply this maximum to, or a specific prefix list, or

prefix lists

– Rate limiting can be applied to multiple ACLs with the router

• Maximum number of concurrent translations applied to all IP Hosts (All-hosts) transiting the router

• Maximum number of concurrent translations for an individual IP Host

– This value will override the ‘All-hosts’ maximum if configured for the specific IP host

Examples

Setting a General NAT Limit

The following example shows how to limit the maximum number of allowed NAT entries to 300:

Router(config)# ip nat translation max-entries 300

Setting NAT Limits for VRF Instances

The following example shows how to limit each VRF instance to 200 NAT entries:

Router(config)# ip nat translation max-entries all-vrf 200

The following example shows how to limit the VRF instance named “vrf1” to 150 NAT entries:

Router(config)# ip nat translation max-entries vrf vrf1 150

The following example shows how to limit the VRF instance named “vrf2” to 225 NAT entries, but limit all other

VRF instances to 100 NAT entries each:

Router(config)# ip nat translation max-entries all-vrf 100
Router(config)# ip nat translation max-entries vrf vrf2 225

Setting NAT Limits for Access Control Lists

The following example shows how to limit the access control list named “vrf3” to 100 NAT entries:

Router(config)# ip nat translation max-entries list vrf3 100

Setting NAT Limits for an IP Address

The following example shows how to limit the host at IP address 127.0.0.1 to 300 NAT entries:

Router(config)# ip nat translation max-entries host 127.0.0.1 300

Benefits

• Gives customers a great deal of control over how their NAT address pools and translation table are allocated and used.

• Option to implement a hierarchy of rate limits tailored to the requirements and concerns of the specific network or devices.

• Control how many concurrent translations all users can have.

• Additionally, control how many translations a specific individual IP host can have.


• Limit across all MPLS VPNs, and set limits for a specific MPLS VPN.

• Helps control and mitigate denial-of-service conditions caused by viruses and worms that indirectly consume the router's NAT resources and seriously affect the overall performance of that router.

Hardware

Additional Information:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123newft/123t/123t_4/gt_natrl.htm

Product Management Contact: Mark Denny, [email protected]

2.8.27) NAT—Translation of External IP Addresses only

• Before this feature, any IP addresses embedded in the packet payload were translated according to the configured NAT rules and the list of protocols or applications that NAT supports.

• With this enhancement, Cisco IOS Network Address Translation (NAT) can be configured to ignore all embedded IP addresses for any application and traffic type.

• Translation of the external (IP header) addresses still occurs according to the NAT rules configured within the router.

• The main driver for this enhancement is the case where the source and destination IP addresses of a session are public, routable addresses, but the network they traverse is privately addressed.

Any embedded addressing is already valid between the source and destination and requires no translation. The only translation required is of the external addresses, so that the IP sessions pass properly over the privately addressed network in between.

Figure 41

Routers • http://www.cisco.com/go/fn/

[Figure 41: a session between 192.168.15.21 and 10.0.0.3 crosses a privately addressed network between two NAT routers, each with a NAT Inside and a NAT Outside side. Figure labels: 192.168.15.21 – 10.0.0.3; NAT Outside; NAT Inside; 10.0.0.3 – 192.168.15.21; 192...; 172...]


Benefits

• Provides customer increased flexibility to adapt the NAT functionality to their specific network design.

• Typically only appropriate where

– Source and Destination pair have IP addresses from the same addressing scheme, but the network they are

traversing has a completely different addressing scheme.

– Any IP addresses and ports embedded within the payload are already relevant to the source and destination

networks.

• Simplifies NAT processing performed within each NAT router.

Hardware

Additional Information:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122t/122t4/ftnatxip.htm

Product Management Contact: Mark Denny, [email protected]

2.8.28) FHRP—Enhanced Object Tracking—Integration with SAA

Cisco First Hop Redundancy Protocols (FHRP) is a collection of three separate features in Cisco IOS Software:

• Hot Standby Router Protocol (HSRP)

• Gateway Load Balancing Protocol (GLBP)

• Virtual Router Redundancy Protocol (VRRP)

Cisco enables each protocol to "track" events within a router, which can be used to influence which router is the "Active" router or, with GLBP, to change the load sharing metric or change which router is the lead Active router along with the load sharing metric.

The 'Enhanced Object Tracking—integration with SAA' enhancement significantly expands the number of "objects" or "events" that can be tracked by HSRP, GLBP and VRRP.

SAA is a network performance measurement agent within Cisco IOS Software, and provides a scalable, cost-effective

solution for service level monitoring. It eliminates the deployment of dedicated monitoring devices by including the

“probe” capabilities in the routers.

SAA collects network performance information in real time: response time, one-way latency, jitter, packet loss, website download time, and other network statistics. It also provides a mechanism to monitor performance for different classes of traffic over the same connection.

SAA objects include:

1. UDP Echo; Round-trip delay

2. UDP Jitter; Round-trip delay, one-way delay, jitter, packet loss. One-way delay requires time synchronization

between the SAA source and target routers.

3. TCP Connect; Connection Time

4. DNS; DNS Lookup Time

Routers • http://www.cisco.com/go/fn/


5. DHCP; Round-trip time to get an IP address

6. FTP; Round-trip time to transfer a file

7. HTTP; Round-trip time to get a web page

8. ICMP Echo; Round-trip delay

9. ICMP Path Echo; Round-trip delay for the full path. The path can be discovered by “trace route” or Loose Source

Routing (LSR).

10. ICMP Path Jitter; Round-trip delay, jitter and packet loss for the full path

11. DLSw+; Peer tunnel performance; Frame Relay; Circuit availability, round-trip delay and frame delivery ratio

12. ATM; Availability, round-trip delay and delivery ratio. Supported through Visual Network UpTime.

FHRP protocols can track a single object or event at a time.

IP Host Tracking: Example

The following example shows SAA tracking on router 1. The SAA ICMP echo probe to 10.51.12.4 feeds two tracked objects (state and reachability), and each object lowers the HSRP priority of group 3 by 10 when it goes down:

rtr 1
 type echo protocol ipIcmpEcho 10.51.12.4
 timeout 1000
 frequency 3
 threshold 2
 request-data-size 1400
rtr schedule 1 start-time now life forever
!
track 2 rtr 1 state
track 3 rtr 1 reachability
!
interface e0/1
 ip address 10.21.0.4 255.255.0.0
 no shutdown
 standby 3 ip 10.21.0.10
 standby 3 priority 120
 standby 3 preempt
 standby 3 track 2 decrement 10
 standby 3 track 3 decrement 10

Benefits

• Increased flexibility when designing high availability into the network.

• Extends tracking beyond the FHRP router itself for the first time: customers can track a specific destination or the latency of a network path and alter the characteristics of their redundancy group to:

– Redirect traffic around network failures.

– Ensure VoIP or video applications take the path with the lowest latency.

Hardware

Routers • http://www.cisco.com/go/fn/


Additional Information:

• http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123newft/123t/123t_4/gtfhrp.htm

• http://www.cisco.com/warp/public/732/Tech/nmp/ipsla/

Product Management Contact: Mark Denny, [email protected]

2.8.29) ACL-TCP Flags Filtering

This feature provides a flexible mechanism for filtering on TCP flags. The ACL TCP Flags Filtering feature allows

you to select any desired combination of flags on which to filter. The ability to match on a flag set and on a flag not

set gives you a greater degree of control for filtering on TCP flags, thus enhancing security.

Before Cisco IOS Release 12.3(4)T, only ORing of TCP flags was supported in Cisco IOS Software.

Two new keywords are introduced “match-all” or “match-any” which indicates the type of matching. Also,

customers can specify whether to match on a flag set as well as on a flag not set.

To enable this, the TCP flags can be prefixed with a + or a - sign to indicate that the flag to be matched on should be

set or not set respectively. These two mechanisms give the user a great degree of control for filtering on TCP flags.

Configuring the ACE to Filter TCP Packets Based on TCP Flags: Example

The following access list contains two ACEs. The first permits TCP packets only if both the ACK and SYN flags are set (match-all); the second permits TCP packets if any one of its conditions holds: URG not set, SYN set, or PSH not set (match-any). Packets matching neither ACE are dropped by the implicit deny at the end of the list:

Router> enable
Router# configure terminal
Router(config)# ip access-list extended aaa
Router(config-ext-nacl)# permit tcp any any match-all +ack +syn
Router(config-ext-nacl)# permit tcp any any match-any -urg +syn -psh
Router(config-ext-nacl)# end

The show access-list command displays the resulting entries:

Router# show access-list aaa
Extended IP access list aaa
 10 permit tcp any any match-all +ack +syn
 20 permit tcp any any match-any -psh +syn -urg
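The match-all and match-any semantics of the ACEs above, as an added example in Python rather than code from the bulletin or from IOS: the +/- flag spec is compiled into set and clear masks, tested against the control bits in byte 13 of a TCP header, and the ACEs are evaluated in sequence with the implicit deny at the end. The list reproduces access list aaa and adds, as an assumption for illustration only, a leading deny for the SYN+FIN combination, which no legitimate handshake produces but which scanners and some spoofed "false synchronization" packets use. The TCP headers are constructed for the example.

```python
import struct

# TCP control bits in header byte 13 (RFC 793).
TCP_FLAGS = {"fin": 0x01, "syn": 0x02, "rst": 0x04,
             "psh": 0x08, "ack": 0x10, "urg": 0x20}


def tcp_flags(segment):
    """Return the control-bit byte of a TCP header (low 6 bits of byte 13)."""
    if len(segment) < 20:
        raise ValueError("short TCP header")
    return segment[13] & 0x3F


def parse_flag_spec(spec):
    """Turn '+ack +syn -fin' into (must_be_set, must_be_clear) bit masks."""
    must_set = must_clear = 0
    for token in spec.split():
        sign, name = token[0], token[1:].lower()
        if sign not in "+-" or name not in TCP_FLAGS:
            raise ValueError("bad flag token %r" % token)
        if sign == "+":
            must_set |= TCP_FLAGS[name]
        else:
            must_clear |= TCP_FLAGS[name]
    if must_set & must_clear:
        raise ValueError("a flag cannot be required both set and clear")
    return must_set, must_clear


def flags_match(flags, mode, spec):
    """match-all: every listed condition holds; match-any: at least one does."""
    must_set, must_clear = parse_flag_spec(spec)
    conditions = [bool(flags & bit) for bit in TCP_FLAGS.values() if must_set & bit]
    conditions += [not flags & bit for bit in TCP_FLAGS.values() if must_clear & bit]
    if mode == "match-all":
        return all(conditions)
    if mode == "match-any":
        return any(conditions)
    raise ValueError("unknown mode %r" % mode)


def evaluate_acl(acl, flags):
    """First-match evaluation of (sequence, action, mode, spec) entries, with
    the implicit deny at the end. Returns (action, matching sequence or None)."""
    for seq, action, mode, spec in acl:
        if flags_match(flags, mode, spec):
            return action, seq
    return "deny", None


def build_tcp(flags, sport=40000, dport=80):
    """Constructed minimal TCP header: no options, checksum left zero."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)


# Access list aaa from the example above, plus the assumed leading SYN+FIN deny.
ACL_AAA = [
    (5,  "deny",   "match-all", "+syn +fin"),
    (10, "permit", "match-all", "+ack +syn"),
    (20, "permit", "match-any", "-psh +syn -urg"),
]

if __name__ == "__main__":
    samples = {"SYN": 0x02, "SYN+ACK": 0x12, "SYN+FIN": 0x03, "ACK+PSH+URG": 0x38}
    for name, bits in samples.items():
        print(name, evaluate_acl(ACL_AAA, tcp_flags(build_tcp(bits))))
```

A plain SYN is permitted by entry 20 (its -psh condition alone satisfies match-any), SYN+ACK by entry 10, SYN+FIN is stopped by the added entry 5, and ACK+PSH+URG matches nothing and falls to the implicit deny.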

Benefits

• Provides customer more flexibility in dealing with various attacks involving TCP packets, which can be sent as

false synchronization packets that can be accepted by a listening port. It is recommended that administrators of

firewall devices set up some filtering rules to drop false TCP packets.

• The customer can configure an ACL to detect and drop unauthorized TCP packets by allowing only the packets

that have very specific group of TCP flags set or not set.

– Users can select any desired combination of TCP flags on which to filter TCP packets.

– Users can configure ACEs in order to allow matching on a flag set as well as on a flag not set

Hardware

Routers • http://www.cisco.com/go/fn/


Additional Information:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123newft/123t/123t_4/gtaclflg.htm

Product Management Contact: Mark Denny, [email protected]

2.8.30) Cisco Express Forwarding Switching for IPv6 Tunnels (Configured, Automatic, 6to4,ISATAP)

Overlay tunneling encapsulates IPv6 packets in IPv4 packets for delivery across an IPv4 infrastructure. By using

overlay tunnels, IPv6 hosts and routers can communicate with each other without a need to upgrade the IPv4

infrastructure between them.

Cisco IOS Software introduced support for IPv6 overlay tunnels in Release 12.2(2)T (Configured, automatic and

6to4) and Release 12.2(15)T (ISATAP).

Cisco Express Forwarding for IPv6 (CEFv6) is advanced, Layer 3 IP switching technology for the fast switching

forwarding of IPv6 packets as introduced in Cisco IOS Software Release 12.2(13)T.

In Cisco IOS Software Release 12.3(4)T, IPv6 tunnels—Configured, automatic, 6to4 and ISATAP—are now Cisco

Express Forwarding version 6 switched.

Benefits

Improved performance of IPv6 tunneled traffic, to scale the integration of IPv6 applications.

Hardware

Additional Information: http://www.cisco.com/warp/public/732/Tech/ipv6/

Product Management Contact: [email protected]

Routers • Cisco 830—7500 Series Routers


2.9) IPv6

Table 10 IPv6 Feature Highlights

Section

2.9.1) Dynamic Host Configuration Protocol version 6 Prefix Delegation Using Authentication, Authorization, and Accounting

2.9.2) Mobile IP: Mobile IPv6 Home Agent

2.9.3) Cisco Express Forwarding Support for Network Address Translation-Protocol Translation

2.9.4) Simple Network Management Protocol Using IPv6 Transport

2.9.5) IPv6 Bootstrap Router Bidirectional Support

2.9.6) IPv6 Bootstrap Router Scoped Zone Support

2.9.1) Dynamic Host Configuration Protocol version 6 Prefix Delegation Using Authentication,Authorization, and Accounting

An IPv6 prefix-delegating router (DHCPv6 server) selects prefixes to be assigned to a requesting router (DHCPv6

client) upon receiving a request from the client. Prior to this feature, these prefixes could be obtained only using one

of the following:

• A statically configured client-specific binding

• A locally configured IPv6 prefix pool

This feature enables a third option. It allows the prefix assignment to originate from a RADIUS/AAA Server using

the Framed-IPv6-Prefix attribute as described in RFC 3162.

Cisco IOS Software Release 12.3(4)T added support for the Framed-IPv6-Prefix attribute (see DDTS CSCdy19621).

The DHCPv6 Prefix Delegation Using AAA feature enables the DHCPv6 server to interface with AAA to obtain the

prefix assignment using an AAA/RADIUS authorization request.

Benefits

• More flexibility and control of IPv6 address assignments.

• Centralized control and management of IPv6 prefix assignments using AAA/RADIUS.

Hardware

Additional Information:

http://www.cisco.com/en/US/tech/tk872/technologies_white_paper09186a00801e199d.shtml

Product Management Contact: Patrick Grossette ([email protected])

2.9.2) Mobile IP: Mobile IPv6 Home Agent

This feature provides support for the Mobile IPv6 Home Agent (HA). It includes the following:

• Home Agent

Home agent functionality allows an IPv6 router to act as a home agent for one or more mobile nodes when they

are away from home.


Routers • Cisco 800, 1700, 1800, 2600XM, 2800, 3600, 3700, 3800, and 7200 Series Routers


• Advertisement Interval Option

Allows a configurable Advertisement Interval option to help mobile nodes perform movement detection.

• Duplicate Address Detection

Enables verification of the mobile node (MN) IP address by performing duplicate address detection (DAD) when

processing a request for registration from an MN.

• Dynamic Home Agent Address Discovery

Allows home agents in a subnet to learn of each other’s presence and capabilities by listening to router

advertisements.

• Access Control Lists

Supports use of ACLs to limit sources of binding updates, Dynamic Home Agent Address Discovery (DHAAD)

requests, and prefix solicitations. Allows control over roaming.

Benefits

RFC 3775-compliant support for Mobile IPv6 Home Agent.

Hardware

Considerations

• Does not include full support for the correspondent node.

• This phase does not support the use of IPsec (ESP) to protect binding updates and binding acknowledgements between a mobile node and its home agent; until it does, the ACLs described above are the only control over which sources may send binding updates to the home agent. This phase does not prevent end-to-end IPsec being used to secure communication between a mobile node and a correspondent node when Cisco IOS Software is acting as the home agent.

Additional Information: http://www.cisco.com/warp/public/732/Tech/ipv6/docs/mobileipv6.pdf

Cisco IOS Packaging

Mobile IP: Mobile IPv6 Home Agent is positioned in the Advanced IP Services packages across Cisco routers.

Cisco IOS Packaging Contact: Fariba Farniam ([email protected])

Product Management Contact: Patrick Grossette ([email protected])

2.9.3) Cisco Express Forwarding Support for Network Address Translation-Protocol Translation

Cisco IOS Network Address Translation-Protocol Translation (NAT-PT) translates packets that traverse between

IPv4-only and IPv6-only networks in either direction. NAT-PT translates the IP header and source and destination

ports if needed. It also translates the embedded IP addresses and ports for application protocols of which it is aware.

Prior to the introduction of this feature, packets undergoing NAT-PT were process-switched, which limited the

throughput that could be achieved while using this feature. Now packets that undergo NAT-PT are processed in

the interrupt path and use Cisco Express Forwarding.

Routers • Cisco 800, 1700, 1800, 2600XM, 2800, 3600, 3700, 3800, and 7200 Series Routers


Benefits

Better performance when translation between IPv4 and IPv6 networks is necessary.

Hardware

Routers • Cisco 800, 1800, 2600XM, 2800, 3600, 3700, 3800, and 7200 Series Routers

Additional Information: http://www.cisco.com/en/US/products/sw/iosswrel/ps1835/products_data_sheet09186a008011ff51.html

Cisco IOS Packaging

Cisco Express Forwarding Support for NAT-PT is positioned in the IP Base packages across Cisco routers.

Cisco IOS Packaging Contact: Fariba Farniam ([email protected])

Product Management Contact: Patrick Grossette ([email protected])

2.9.4) Simple Network Management Protocol Using IPv6 Transport

IPv6 networks are becoming more prominent, as are the requirements for management in an all-IPv6 environment. To date, most IPv6 networks have been deployed with support for IPv4 and with the assumption that network management was based on IPv4.

SNMP over IPv6 Transport allows network management to be performed from a station running only IPv6.

The feature includes:

• Support for SNMP get/set requests and responses on IPv6 transport

• SNMP notifications to IPv6 destinations

– Modification to the snmp-server host CLI to configure IPv6 hosts as trap receivers

• SNMPv3 configuration*

– Support of MIBs for configuration of SNMPv3 users, groups, and views and configuration of SNMPv3 engines or endstations for use in either an IPv4 or IPv6 environment

• SNMP proxy forwarder

– Support of SNMP proxy forwarder using IPv6 transport

MIB Changes

• MIB updates for IPv6

– CISCO-FLASH-MIB

– CISCO-CONFIG-COPY-MIB

– CISCO-CONFIG-MAN-MIB

– CISCO-CONFIG-COPY-CAPABILITY

– ENTITY-MIB

– NOTIFICATION-LOG-MIB

• New MIB

– CISCO-SNMP-TARGET-EXT-MIB (extension from SNMP-TARGET-MIB)


• Modification of MIB implementation for IPv6

– SNMP-USM-MIB

– SNMP-VACM-MIB

Benefits

• Provides base function needed to enable management of all IPv6 networks.

• Includes support for RFC 3419: Textual Conventions for Transport Addresses.
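As an added example (not part of the original bulletin), the following Cisco IOS configuration shows how the IPv6-capable snmp-server host command introduced by this feature fits into a hardened SNMP setup: SNMPv3 with authentication and privacy, a read-only view, and an IPv6 access list that restricts which management stations may reach the agent at all. The ACL, group, user and view names, the addresses (taken from the 2001:DB8::/32 documentation prefix) and the password placeholders are assumptions for illustration; keyword syntax follows the snmp-server command reference of this era and should be checked against the command reference for the release in use.

```cisco
! Added example: SNMPv3 over IPv6 transport with a source-address filter.
! Names, addresses and passwords are illustrative assumptions.
!
! Only the IPv6 management station may reach the SNMP agent; log everything else.
ipv6 access-list SNMP-MGMT-V6
 permit ipv6 host 2001:DB8:100::10 any
 deny ipv6 any any log
!
! Read-only view covering the whole MIB tree; no write view is defined.
snmp-server view NMS-VIEW iso included
!
! SNMPv3 group requiring authentication and privacy (authPriv), bound to the
! IPv6 access list above so polls from any other source are dropped.
snmp-server group NMS-GROUP v3 priv read NMS-VIEW access ipv6 SNMP-MGMT-V6
!
! SNMPv3 user with SHA authentication and AES-128 privacy (placeholder secrets).
snmp-server user nms-poller NMS-GROUP v3 auth sha <AUTH-PASSWORD> priv aes 128 <PRIV-PASSWORD>
!
! Trap receiver on an IPv6 address: this is the snmp-server host change the
! feature delivers. Notifications use the same SNMPv3 user at the authPriv level.
snmp-server host 2001:DB8:100::10 version 3 priv nms-poller
snmp-server enable traps snmp authentication linkdown linkup coldstart
!
! No SNMPv1/v2c community strings are configured, so plaintext polling is not possible.
```

With this in place an IPv6-only station can poll and receive traps from the router over IPv6 transport; show snmp user and show snmp group confirm the user, group and access-list binding. The authentication trap is worth keeping enabled: a burst of SNMP authentication-failure notifications from the agent is a simple, on-box indicator that something other than the intended poller is probing it.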

Hardware

Routers • Cisco 800, 1700, 1800, 2600XM, 2800, 3600, 3700, 3800, and 7200 Series Routers

Considerations

Provides for support of IPv6 using an internal proxy method.

Cisco IOS Packaging

SNMP Using IPv6 Transport is positioned in the Advanced IP Services packages across Cisco routers.

Cisco IOS Packaging Contact: Fariba Farniam ([email protected])

Product Management Contacts: IPv6—Patrick Grossette ([email protected]), SNMP—Michael Cheung ([email protected])

2.9.5) IPv6 Bootstrap Router Bidirectional Support

This feature improves upon the IPv6 Bootstrap Router (BSR) implementation by offering support for bidirectionality in BSR.

Benefits

Supports the advertising of bidirectional rendezvous points in C-RP messages and bidirectional ranges in the bootstrap message (BSM).

Hardware

Routers • Cisco 800, 1700, 1800, 2600XM, 2800, 3600, 3700, 3800, and 7200 Series Routers

Considerations

All the routers in the system must be upgraded to be able to understand the bidirectional range. Just upgrading candidate RP and candidate BSR routers is not sufficient.

Cisco IOS Packaging

IPv6 BSR Bidirectional Support is positioned in the Advanced IP Services and Enterprise Services packages across Cisco routers.

Cisco IOS Packaging Contact: Fariba Farniam ([email protected])

Product Management Contact: Gurvinder Singh ([email protected])


2.9.6) IPv6 Bootstrap Router Scoped Zone Support

IPv6 Bootstrap Router (BSR) Scoped Zone Support enhances IPv6 BSR, allowing for distribution of group-to-RP

mappings in networks using administratively scoped multicast.

Benefits

Allows the customer to configure candidate BSRs and a set of candidate RPs for each administratively scoped region

in the domain.

Hardware

Routers • Cisco 800, 1700, 1800, 2600XM, 2800, 3600, 3700, 3800, and 7200 Series Routers

Cisco IOS Packaging

IPv6 BSR Scoped Zone Support is positioned in the Advanced IP Services and Enterprise Services packages across Cisco routers.

Cisco IOS Packaging Contact: Fariba Farniam ([email protected])

Product Management Contact: Gurvinder Singh ([email protected])


2.10) Management Instrumentation

Table 11 Management Instrumentation

Sections

2.10.1) Multicast VPN MIB

2.10.2) Exclusive Configuration Change Access

2.10.3) Selective Enabling of Applications Using HTTP Server

2.10.4) Bandwidth Estimation Using Corvil Bandwidth Technology

2.10.5) IP Service Level Agreements Voice over IP Call Setup (Postdial Delay) Monitoring

2.10.6) IP Service Level Agreements—Voice over IP Gatekeeper Delay Monitoring

2.10.7) IP Service Level Agreements CLI Introduction

2.10.8) IP Service Level Agreement Sub-Millisecond Accuracy Improvements

2.10.9) Egress Netflow

2.10.10) Netflow MIB and Top N Talkers

2.10.11) Service Selection Gateway Support of Overlapping IP Addresses

2.10.12) Service Selection Gateway Support for Radius Attributes 27 and 29

2.10.13) Service Selection Gateway Default Quota for Prepaid Billing Server Failure

2.10.14) Service Selection Gateway Support for Dynamic Load Balancing

2.10.15) Cisco IOS Service Assurance Agent Multiple Operation Scheduling

2.10.16) MPLS Aware NetFlow

2.10.17) Service Selection Gateway Interface Redundancy

2.10.18) SSG Permanent TCP Redirection

2.10.19) SSG Transparent Auto-Logon

2.10.20) SSG TCP Re-direct Exclusion List

2.10.21) Service Assurance Agent VoIP Proactive Monitoring

2.10.22) NetFlow MIB

2.10.23) Configuration Rollback/Configuration Replace

2.10.24) Cisco IOS Service Assurance Agent for VoIP UDP Operation

2.10.25) Cisco IOS Embedded Event Manager 1.0

2.10.26) Contextual Configuration Diff Utility

2.10.27) Service Selection Gateway Unconfig

2.10.28) SSG to Accommodate New L2TP Error Codes

2.10.29) SSG Support of NAS Port ID

2.10.30) Extensible Authentication Protocol Transparency and Extensible Authentication Protocol-SIM Enhancements

2.10.31) SSG Complete ID

2.10.32) SSG L2TP Dialout

2.10.33) SSG Auto Logoff Enhancement

2.10.34) SSG Open Garden Configuration Enhancements

2.10.35) SSG Direction Command for Interfaces and Ranges

2.10.36) SSG Prepaid Idle Timeout

2.10.37) SSG Suppression of Unused Accounting Records

2.10.38) SSG Unique Session ID

2.10.39) Embedded Syslog Manager Version 1.0

2.10.40) Cisco IOS Scripting with Tool Command Language


2.10.1) Multicast VPN MIB

Multicast VPN MIB provides enhancements and support for SNMP Multicast VPN MIB.

Benefits

• Improves management for Multicast VPN deployments.

• Provides interfaces to Cisco AutoSecure.

Hardware

Routers • Cisco 800, 1700, 1800, 2600XM, 2800, 3600, 3700, 3800, and 7200 Series Routers

Product Management Contact: Gurvinder Singh ([email protected])

2.10.2) Exclusive Configuration Change Access

The Cisco IOS Software CLI has offered a familiar and effective interface for configuration and troubleshooting for many years. With the increased importance and proliferation of network connections and equipment, management and maintenance activities have grown. Some organizations have segmented their network engineering and operations teams, with multiple groups or systems now requiring access to the CLI.

The feature introduces a configuration session locking mechanism. It allows a user to have exclusive access to the Cisco IOS Software configuration mode, preventing any other user from changing the system configuration for the duration of the lock.

Benefits

• Ensures consistent and error-free configuration changes by preventing conflicts.

• Prevents conflicts between programmatic interfaces and back-end systems.

Hardware

Routers • Cisco 800, 1700, 1800, 2600XM, 2800, 3600, 3700, 3800, and 7200 Series Routers

Product Management Contact: Mark Basinski ([email protected])

2.10.3) Selective Enabling of Applications Using HTTP Server

Cisco IOS Software incorporates an internal HTTP server that permits easy configuration using a browser interface. A number of Cisco IOS Software subsystems and features use the included server. Until now, however, access to each feature through the HTTP server interface could not be controlled individually. With this feature a user can, for example, enable one particular subsystem for Web-based configuration and control but not another.

The feature enables selective enabling of Cisco IOS Software applications or subsystems that use the internal HTTP server in Cisco IOS Software.

Benefits

• Provides a more secure environment for configuration and control of network devices.

• Enables specific control over applications that use the internal HTTP server in Cisco IOS Software.
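Sections 2.10.2 and 2.10.3 are both controls over who may change a router through its management interfaces, so one configuration serves as an added example for both (it is not from the bulletin or from Cisco documentation). It turns on automatic configuration-mode locking and restricts the internal HTTP server to a named module list reachable only over HTTPS, alongside the pre-existing access-class and AAA options of the HTTP server. MODULE-NAME is a placeholder because the set of registered session modules differs by image (the show ip http server session-module command, assumed here, lists them); the list name, ACL number and address range are assumptions as well.

```cisco
! Added example: management-plane hardening with the two features above.
! List names, ACL numbers and addresses are illustrative assumptions.
!
! 2.10.2 Exclusive Configuration Change Access
! 'auto' takes the configuration lock whenever a session enters 'configure
! terminal'; a second operator or an NMS script cannot alter the running
! configuration until the first session leaves configuration mode.
configuration mode exclusive auto
!
! Alternative: 'manual' makes the lock opt-in, taken with 'configure terminal lock'.
! configuration mode exclusive manual
!
! 2.10.3 Selective Enabling of Applications Using HTTP Server
! Only the module(s) named in the list are served, and only over HTTPS.
ip http session-module-list ALLOWED-WEB <MODULE-NAME>
no ip http server
ip http secure-server
ip http active-session-modules none
ip http secure-active-session-modules ALLOWED-WEB
!
! Existing controls that complement the feature: limit client source
! addresses and authenticate against AAA rather than the enable password.
access-list 10 permit 192.0.2.0 0.0.0.255
ip http access-class 10
ip http authentication aaa
```

Operationally, show configuration lock reports which session holds the lock and clear configuration lock releases one left behind by a dropped session; both commands belong to the same feature. Reducing the HTTP server to the few modules actually needed shrinks the attack surface of the management plane, and forcing them onto HTTPS keeps credentials off the wire in the clear.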


Hardware

Routers • Cisco 800, 1700, 1800, 2600XM, 2800, 3600, 3700, 3800, and 7200 Series Routers

Product Management Contact: Mark Basinski ([email protected])

2.10.4) Bandwidth Estimation Using Corvil Bandwidth Technology

Allocating adequate bandwidth is crucial to ensuring the network performance required for applications. However, allocating too much bandwidth can be costly. Bandwidth Estimation in Cisco IOS Software, using Corvil Bandwidth technology, allows network managers to determine the correct bandwidth requirements to achieve user-specified Quality of Service (QoS) targets for networked applications.

Corvil Bandwidth can determine the minimum bandwidth required to meet a customer-specified QoS target with statistical reliability. From a network manager's perspective, an application's QoS requirements are characterized with respect to its sensitivity to packet loss and delay. Corvil Bandwidth gives the network manager a way to specify limits for delay and packet loss and to get a close estimate of the minimum bandwidth essential to achieve the desired application performance.

Figure 42 Corvil Bandwidth

[Figure 42 plots bandwidth against time. What you see today: the mean traffic rate (e.g., 300 kbps over a 5-minute period) and the real-time traffic bursts above it. What you need to know: the Corvil Bandwidth (CB), the minimum bandwidth required to meet a quality of service target (e.g., the CB is 460 kbps for this application to achieve no more than 250 ms delay and 0.1% loss). Too little bandwidth can make business services unusable, too much bandwidth can be very costly, and adequate bandwidth is essential for application performance. The ability to obtain bandwidth values for user-specified QoS targets distinguishes Corvil Bandwidth from other approaches; the Corvil Bandwidth values are then used to allocate bandwidth with existing Cisco IOS QoS policy mechanisms.]


Benefits

• Users can set service-level objectives for the desired performance of networked applications.

• Network managers can eliminate operational overhead and guesswork in bandwidth provisioning and QoS

configuration.

• Potentially significant bandwidth cost savings while meeting QoS requirements are possible.

• Increased capability and flexibility to offer bandwidth-on-demand types of services are possible.

Hardware

Routers • Cisco 800, 1700, 1800, 2600XM, 2800, 3700, 3800, 7200, and 7301 Series Routers

Cisco IOS Packaging

Bandwidth Estimation Using Corvil Bandwidth Technology is positioned in the SP Services packages across Cisco routers.

Cisco IOS Packaging Contact: Fariba Farniam ([email protected])

Product Management Contact: Tim McSweeney ([email protected])

2.10.5) IP Service Level Agreements Voice over IP Call Setup (Postdial Delay) Monitoring

Customers demand guaranteed, reliable network services for business-critical applications and services. Cisco IOS IP Service Level Agreements (SLAs) are a capability embedded in Cisco IOS Software that allows Cisco customers to increase productivity, lower operational costs, and reduce the frequency of network outages. IP and SLAs are converging, and extending IP performance monitoring to be application aware is critical for new IP network applications such as voice over IP (VoIP), audio and video, VPN, and other business-critical applications. Cisco IOS IP SLAs measure end to end and can perform network assessments, verify QoS, ease deployment of new services, and assist administrators with network troubleshooting. Cisco IOS IP SLAs use unique service-level assurance metrics and methodology to provide highly accurate, precise service-level assurance measurements.

This feature enhances Cisco IOS IP SLAs further by including a capability to monitor the call setup delay for VoIP calls. With this feature, Cisco IOS IP SLAs measure the call setup time using H.323 or the Session Initiation Protocol (SIP) over an IP network.

The Jitter operation in IP SLAs offers the ability to configure various codec types and provides the corresponding Calculated Planning Impairment Factor (ICPIF) and mean opinion scores (MOSs). This capability is widely used to monitor VoIP performance. This enhancement focuses on measuring call setup time. It provides the capability to send an H.323 or SIP call setup message and to measure the time to ringing, busy, or connect. The typical setup time measured is from the time the SETUP/INVITE message is sent to the time the alert/ringing message is received.


Figure 43 Cisco IOS IP SLAs VoIP Call Setup (Postdial Delay) Monitoring

[Figure 43 callouts: IP SLAs Postdial Delay Measurements, IP SLAs WAN Measurements, and IP SLAs End-To-End Measurements, drawn across network elements labelled IP WAN and PSTN.]

Benefits

• Measures call setup delay for VoIP calls.

• Extends the functionality provided by IP SLAs.

• Adds to the already strong VoIP-monitoring capabilities.

• Provides performance visibility for VoIP, video, business-critical applications, MPLS, and VPN networks.

• Monitors SLAs.

• Monitors network performance.

• Provides IP service network health readiness or assessment.

• Monitors edge-to-edge network availability.

• Monitors business-critical applications performance.

• Troubleshoots network operation.

Hardware

Routers • Cisco 800, 1700, 1800, 2600XM, 2800, 3600, 3700, 3800, and 7200 Series Routers

Cisco IOS Packaging

Cisco IOS IP SLAs VoIP Call Setup (Postdial Delay) Monitoring is positioned in the IP Voice packages across Cisco routers.

Cisco IOS Packaging Contact: Fariba Farniam ([email protected])

Product Management Contact: Tom Zingale ([email protected])


2.10.6) IP Service Level Agreements—Voice over IP Gatekeeper Delay Monitoring

Customers demand guaranteed, reliable network services for business-critical applications and services. Cisco IOS IP

Service Level Agreements (SLAs) are a capability embedded in Cisco IOS Software that allows Cisco customers to

increase productivity, lower operational costs, and reduce the frequency of network outages. IP and SLAs are

converging, and extending IP performance monitoring to be application aware is critical for new IP network

applications such as voice over IP (VoIP), audio and video, VPN, and other business-critical applications. Cisco IOS

IP SLAs measure end to end and can perform network assessments, verify QoS, ease deployment of new services, and

assist administrators with network troubleshooting. Cisco IOS IP SLAs use unique service-level assurance metrics

and methodology to provide highly accurate, precise service-level assurance measurements.

With Voice over IP (VoIP) deployments accelerating, even more requirements are being placed on the operations staff

to ensure that service meets or exceeds the required levels. A converged network with VoIP Gatekeeper functionality

adds another aspect to performance monitoring.

This feature adds a VoIP Gatekeeper (GK) registration delay monitoring operation to the IP SLAs feature set. This

operation measures the “lightweight registration time” from an H.323 Gateway (GW) to the GK. The lightweight

registration time is the time from the sending of a registration request (RRQ) to the time a registration confirmation

(RCF) is received by the GW.

Figure 44 IP SLAs VoIP Gatekeeper Delay Monitoring

[Figure 44 callouts: IP SLAs Gatekeeper Delay Measurements, IP SLAs Network-To-Server Measurements, and IP SLAs End-To-End Measurements, drawn across network elements labelled IP WAN and PSTN.]

Benefits

• Adds to the already strong VoIP-monitoring capabilities.

• Provides performance visibility for VoIP, video, business-critical applications, MPLS, and VPN networks.

• Monitors SLAs.

• Monitors network performance.

• Provides IP service network health readiness assessment.

• Monitors edge-to-edge network availability.


• Monitors business-critical applications performance.

• Troubleshoots network operations.

Hardware

Routers • Cisco 800, 1700, 1800, 2600XM, 2800, 3600, 3700, 3800, and 7200 Series Routers

Cisco IOS Packaging

Cisco IOS IP SLAs VoIP Gatekeeper Delay Monitoring is positioned in the IP Voice packages across Cisco routers.

Cisco IOS Packaging Contact: Fariba Farniam ([email protected])

Product Management Contact: Tom Zingale ([email protected])

2.10.7) IP Service Level Agreements CLI Introduction

Customers demand guaranteed, reliable network services for business-critical applications and services. Cisco IOS IP Service Level Agreements (SLAs) are a capability embedded in Cisco IOS Software that allows Cisco customers to increase productivity, lower operational costs, and reduce the frequency of network outages. IP and SLAs are converging, and extending IP performance monitoring to be application aware is critical for new IP network applications such as voice over IP (VoIP), audio and video, VPN, and other business-critical applications. Cisco IOS IP SLAs measure end to end and can perform network assessments, verify QoS, ease deployment of new services, and assist administrators with network troubleshooting. Cisco IOS IP SLAs use unique service-level assurance metrics and methodology to provide highly accurate, precise service-level assurance measurements.

IP SLAs builds on the earlier Cisco IOS Software service assurance functionality and adds recent enhancements. The new CLI is being introduced to ease the deployment of service monitoring; it simplifies the configuration of IP SLAs measurements and enhances the command-line views of service-level measurement data.

The transition to the new configuration command set is made easy because support for the previous configuration commands is included. In future releases the command structure will be simplified further based on customer input. Other new commands are also included with this Cisco IOS Software release.

Benefits

• Ease-of-use improvements.

• Improved show commands with more detailed and useful information.

• Performance visibility for VoIP, video, business-critical applications, MPLS, and VPN networks.

• SLA monitoring.

• Network performance monitoring.

• IP service network health readiness assessment.

• Edge-to-edge network availability monitoring.

• Business-critical applications performance monitoring.

• Network operation troubleshooting.
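As an added example (not from the bulletin), the configuration below uses the IP SLAs command set described in this section in the form the 12.4 mainline shipped it (ip sla monitor ...; later T-train releases shortened the prefix to ip sla). It sets up the UDP jitter operation referred to under 2.10.5, with a G.711 codec so that ICPIF and MOS are reported alongside latency, jitter and loss, and the responder at the far end that section 2.10.8 requires to run Release 12.3(14)T or later for the sub-millisecond timestamps. The addresses, port, tag and operation number are assumptions, and the exact keywords should be checked against the command reference for the release in use.

```cisco
! Added example: IP SLAs UDP jitter operation with codec-based voice scoring.
! Addresses, ports, tags and operation numbers are illustrative assumptions.
!
! --- On the far-end router (the measurement target) ---
! The responder timestamps each probe on receipt and on reply, which is what
! makes one-way latency and jitter figures meaningful. Both endpoints must
! run 12.3(14)T or later to get the sub-millisecond accuracy of section 2.10.8.
ip sla monitor responder
!
! --- On the near-end router (the measurement source) ---
ip sla monitor 10
 ! A synthetic G.711 a-law stream; with no explicit packet parameters the
 ! operation uses the codec defaults (1000 packets of 160 bytes, 20 ms apart).
 type jitter dest-ipaddr 192.0.2.20 dest-port 16384 codec g711alaw
 ! Repeat the probe once a minute and label it for the show output.
 frequency 60
 tag VOICE-BRANCH-A
!
! Run continuously, starting now.
ip sla monitor schedule 10 life forever start-time now
```

show ip sla monitor statistics 10 then reports round-trip time, one-way latency in each direction, jitter, packet loss, and the ICPIF and MOS derived from the chosen codec; because this is the new CLI the section introduces, any script that scraped the older rtr-style show output will need to be updated, as the Considerations below note.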


Hardware

Routers • Cisco 800, 1700, 1800, 2600XM, 2800, 3600, 3700, 3800, and 7200 Series Routers

Considerations

Because some display commands are changed, automated scripts that parse the output of those commands may need to be modified. Consult the documentation for details.

Cisco IOS Packaging

Cisco IOS IP SLAs CLI Introduction is positioned in the IP Voice, Advanced Security, and Enterprise Base packages across Cisco routers.

Cisco IOS Packaging Contact: Fariba Farniam ([email protected])

Product Management Contact: Tom Zingale ([email protected])

2.10.8) IP Service Level Agreement Sub-Millisecond Accuracy Improvements

Customers demand guaranteed, reliable network services for business-critical applications and services. Cisco IOS Software IP Service Level Agreements are a capability embedded in Cisco IOS Software that allows Cisco customers to increase productivity, lower operational costs, and reduce the frequency of network outages. IP and SLAs are converging, and extending IP performance monitoring to be application aware is critical for new IP network applications such as VoIP, audio and video, VPN, and other business-critical applications. Cisco IOS Software IP SLAs measure end to end and can perform network assessments, verify QoS, ease deployment of new services, and assist administrators with network troubleshooting. Cisco IOS Software IP SLAs use unique service-level assurance metrics and methodology to provide highly accurate, precise service-level assurance measurements.

This feature adds granular and highly accurate measurements to the robust set of functions included in Cisco IOS Software IP SLAs. The functions within IP SLAs measure various performance parameters such as round-trip time, one-way latency, jitter (interpacket delay variance), packet loss, and so on.

Improvements such as increased link speeds and the deployment of higher-performing routers and switches have reduced latency, increased capacity, and enormously expanded throughput in today's high-speed networks. Because of this, the accuracy of the measurements provided in IP SLAs is likewise being improved. Improvements have been made in two primary areas:

• The accuracy of measurements is improved from one millisecond to one-tenth of a millisecond.

• More efficient time stamping also results in greater accuracy of measurements.

Benefits

• Provides very accurate performance data.

• Offers more granular and accurate results to reflect the characteristics of networks being deployed now and into the future.

• Allows more efficient use of internal resources for enhanced performance.

• Provides performance visibility for VoIP, video, business-critical applications, MPLS, and VPN networks.

• Monitors SLAs.

• Monitors network performance.


• Provides IP service network health readiness assessment.

• Monitors edge-to-edge network availability.

• Monitors business-critical applications performance.

• Troubleshoots network operation.

Hardware

Routers • Cisco 800, 1700, 1800, 2600XM, 2800, 3600, 3700, 3800, and 7200 Series Routers

Considerations

In order to utilize the accuracy enhancements, the source and destination endpoints of the measurements must have Cisco IOS Software Release 12.3(14)T or later.

Cisco IOS Packaging

IP SLAs Sub-millisecond Accuracy Improvements is positioned in the IP Voice packages across Cisco routers.

Cisco IOS Packaging Contact: Fariba Farniam ([email protected])

Product Management Contact: Tom Zingale ([email protected])

2.10.9) Egress Netflow

Understanding who is using the network and for how long, what protocols and applications are being utilized, and where the network data is flowing is a necessity for today's IP network managers. NetFlow data can be used for a variety of purposes: network management and planning, user and security monitoring, protocol and application monitoring, enterprise accounting, departmental charge backs, Internet Service Provider (ISP) billing, data warehousing, and data mining for marketing purposes.

NetFlow traditionally monitors IP flows entering (ingress to) a Cisco IOS Software device; it does not track egress information. Egress NetFlow can track egress IP flows, that is, flows exiting a Cisco IOS Software device. This new capability will ease IP accounting and flow monitoring in some network topologies. For example, egress NetFlow will simplify the tracking of all IP traffic going to a server farm.

Egress NetFlow also enables the tracking of flows after features such as QoS or NAT have made changes to the IP packet. Egress NetFlow can be used with an MPLS or IP network.

Benefits

• Ingress and egress NetFlow accounting within Cisco IOS Software.

• Tracking of flow information after other Cisco IOS Software features such as QoS or NAT have changed packet characteristics.

• Tracking of all flows egressing (exiting) a specific interface.

• Tracking of all flows entering a specific interface destined to a specific egress interface.

Hardware

Routers • Cisco 800, 1700, 2600, 3600, 3700, 7200, and 7500 Series Routers


Additional Information: http://www.cisco.com/go/netflow

Product Management Contact: Tom Zingale, [email protected]

2.10.10) Netflow MIB and Top N Talkers

Understanding who is using the network and for how long, what protocols and applications are being utilized and

where the network data is flowing is a necessity for today’s IP network managers. NetFlow data can be used for a

variety of purposes: network management and planning, user and security monitoring, protocol and application

monitoring, enterprise accounting, departmental charge backs, Internet Service Provider (ISP) billing, data

warehousing, and data mining for marketing purposes.

NetFlow information is traditionally exported from the router and persistently stored and analyzed by network management applications. An additional method to retrieve NetFlow data is now available: NetFlow MIB (cisco-netflow-mib) allows access to NetFlow data. The MIB will provide the ability to configure and modify NetFlow using an SNMP interface. The user can retrieve a snapshot of IP flow, protocol and packet size distribution information easily with SNMP. The NetFlow MIB will be very useful for security monitoring and detection of attacks by monitoring flow information. One of the key features of the NetFlow MIB will be the availability of Top N Talkers and the top conversations (NetFlow cache) information. A new show command, which is part of the Top N Talkers feature, enables users to monitor top conversations in the network using the CLI.

Benefits

• A new additional method to retrieve NetFlow information beyond traditional UDP export.

• Top N Talker NetFlow information using the CLI and MIB.

• MIB access to IP flow, protocol and packet size distribution information.

• Retrieval of NetFlow information when the traditional export may not be practical.

• Useful security information directly from an SNMP MIB.

• Remote configuration of NetFlow features without using CLI.
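The following Cisco IOS configuration is an added example (not from the bulletin) that puts sections 2.10.9 and 2.10.10 together on one router: ingress and egress NetFlow on the interface facing a server farm, so traffic is accounted as it leaves toward the servers after NAT or QoS have rewritten it; Version 9 export to a collector; and an on-box Top N Talkers view that can be read from the CLI when no collector is reachable. The interface names, collector address and port are assumptions.

```cisco
! Added example: egress NetFlow plus Top N Talkers.
! Interface names, addresses and port are illustrative assumptions.
!
! Account flows in both directions on the server-farm interface. 'ip flow
! egress' (section 2.10.9) records a flow as it leaves this interface, so a
! flow rewritten by NAT or remarked by QoS is seen with its post-rewrite
! addresses and DSCP rather than the values it arrived with.
interface FastEthernet0/1
 description Inside - server farm
 ip flow ingress
 ip flow egress
!
! Traditional UDP export to a collector. Version 9 records carry a direction
! field, so the collector can tell ingress from egress entries.
ip flow-export version 9
ip flow-export source Loopback0
ip flow-export destination 192.0.2.50 2055
!
! Top N Talkers (section 2.10.10): the ten heaviest flows currently in the
! cache, sorted by bytes, recomputed at most once every 5 seconds.
ip flow-top-talkers
 top 10
 sort-by bytes
 cache-timeout 5000
```

show ip flow top-talkers prints the list, and show ip cache flow shows the whole cache together with the protocol and packet-size distribution that the MIB also exposes. For security monitoring the top-talkers view is a quick on-box check: a single internal host suddenly dominating the egress list toward the server farm, or an unexpected protocol appearing in the distribution, is visible without waiting on the collector.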

Hardware

Routers • Cisco 800, 1700, 2600, 3600, 3700, 7200, and 7500 Series Routers

Additional Information:

• http://www.cisco.com/go/netflow

• http://tools.cisco.com/ITDIT/MIBS/servlet/index

Product Management Contact: Tom Zingale, [email protected]

2.10.11) Service Selection Gateway Support of Overlapping IP Addresses

Service Selection Gateway (SSG) enables Service Providers to offer services in which the provider assigns IP addresses to subscribers. Because Service Providers assign IP addresses from private IP address pools, identical IP addresses could be assigned to different subscribers. The SSG Support for Overlapping Subscriber IP Addresses feature enables SSG to support overlapping subscriber IP addresses by adding VRF support to SSG downlink interfaces. VRF support


on SSG downlink interfaces allows the same IP address to be assigned to different subscribers that are bound to

different downlink interfaces and connected to different uplink services. VRF support on downlink interfaces also

eliminates the need for SSG to perform NAT on the subscriber traffic.

SSG allows subscribers with overlapping IP addresses to access multiple services, so that a subscriber who is assigned an IP address for one service will be able to access other services. To provide access to multiple services, NAT will be performed on the subscriber traffic by SSG or through the Cisco IOS NAT configuration on the router.

Multiple subscribers with overlapping IP addresses can simultaneously connect to a common service, but SSG must perform NAT on all the connections to provide non-overlapping IP addresses.

Benefits

• Sometimes Service Providers assign IP addresses from private IP address pools. When subscribers of multiple Service Providers are aggregated on a single platform, different subscribers could be assigned the same IP address. The SSG Support for Overlapping Subscriber IP Addresses feature enables SSG to support overlapping subscriber IP addresses and hence lets providers assign IP addresses from their private address pools.

• This feature also avoids NAT for subscribers connecting into their provider’s network where no IP address conflict arises (even though they are private IP addresses, they are within the same private IP address pool).

Hardware

Routers • Cisco 2651XM, 3745, 7200, 7301, and 7600 MWAM

Restrictions

• The SSG Support for Overlapping Subscriber IP Addresses feature does not support downlink interface redundancy.

• The SSG Support for Overlapping Subscriber IP Addresses feature does not add support for uplink VRFs. The next-hops for services must be globally routable; however, if a service is bound to an Ethernet interface, SSG uses the downlink interface VRF for upstream routing. In such cases, the uplink interface could be within a VRF, but the downlink interface must also be on the same VRF.

• Cisco IOS VRF-aware NAT for overlapping users cannot be configured for subscribed services. It can be used for open garden services and services bound to Ethernet interfaces (broadcast interfaces). For all other cases in which services are bound to next-hops, SSG NAT must be used. SSG does not support Cisco IOS NAT for open garden services bound by next-hops.

Product Management Contact: [email protected]

2.10.12) Service Selection Gateway Support for Radius Attributes 27 and 29

The Service Selection Gateway (SSG) Support for Radius Attributes 27 and 29 feature introduces SSG compliance with RFC-3580 with respect to RADIUS attributes #27 (Session-Timeout) and #29 (Termination-Action). RFC-3580 recommends using attributes #27 and #29 in Access-Accept packets during authentication to enforce periodic re-authentication of users. See RFC-3580 “IEEE 802.1X Remote Authentication Dial In User Service (RADIUS) Usage Guidelines” for details.

For instances that indicate re-authentication after the session timeout, SSG uses the cached username and password while performing re-authentication. If SSG does not have these credentials, the session is brought down as if re-authentication has failed. If a particular deployment makes use of one-time passwords for authenticating users, SSG re-authentication will fail and the session will be brought down.

For SSG transparent auto-logon (TAL) hosts (TAL users who have host objects created on SSG), SSG will perform TAL reauthorization upon session timeout whenever attribute #29 is present in the RADIUS profile of the user. (Note that for TAL users, SSG performs re-authorization and not re-authentication because the user profile is downloaded on the basis of the IP address and service password.)

In SSG RADIUS proxy deployments, SSG will not perform session timeout processing when attribute #29 is present in the Access-Accept packet and is set to re-authenticate.
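The decision rules above (Session-Timeout, Termination-Action, cached credentials, RADIUS proxy mode) can be followed through on real packet bytes. The following is an added example, not Cisco or SSG code: it builds an Access-Accept, verifies its Response Authenticator against the shared secret before trusting any attribute, decodes attributes 27 and 29, and returns the action to take when the timeout expires. The shared secret, Request Authenticator and attribute values are constructed for the example.

```python
"""Decode a RADIUS Access-Accept and derive the session-timeout policy an
access gateway would apply from attributes 27 and 29 (modelled on the SSG
behaviour described above). Added example, not Cisco code; the packet
bytes, shared secret and Request Authenticator are constructed."""
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
SESSION_TIMEOUT = 27       # RFC 2865: integer, seconds
TERMINATION_ACTION = 29    # RFC 2865: 0 = Default, 1 = RADIUS-Request (re-authenticate)

# Constructed test material (not real credentials)
SECRET = b"example-shared-secret"
REQUEST_AUTH = bytes(range(16))


def int_attr(atype: int, value: int) -> bytes:
    """Encode a 4-byte integer attribute as Type, Length, Value."""
    return struct.pack("!BBI", atype, 6, value)


def build_access_accept(ident: int, request_auth: bytes, secret: bytes, attrs: bytes) -> bytes:
    """Build an Access-Accept with a valid Response Authenticator (RFC 2865 section 3)."""
    head = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(head + request_auth + attrs + secret).digest()
    return head + resp_auth + attrs


def verify_response_authenticator(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def parse_attributes(data: bytes) -> dict:
    """Walk the attribute list; each entry is Type(1) Length(1) Value(Length-2)."""
    attrs = {}
    pos = 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            raise ValueError("bad attribute length")
        attrs[atype] = data[pos + 2:pos + alen]
        pos += alen
    return attrs


def session_policy(packet: bytes, request_auth: bytes, secret: bytes,
                   have_cached_credentials: bool, radius_proxy: bool = False) -> dict:
    """Return what happens when Session-Timeout expires.

    Mirrors the text above: Termination-Action = RADIUS-Request means
    re-authenticate with cached credentials (or tear the session down when
    none are cached, e.g. one-time passwords); in RADIUS proxy mode that
    timeout processing is skipped entirely."""
    if not verify_response_authenticator(packet, request_auth, secret):
        raise ValueError("Response Authenticator mismatch: packet discarded")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or length != len(packet):
        raise ValueError("not a well-formed Access-Accept")
    attrs = parse_attributes(packet[20:])
    if SESSION_TIMEOUT not in attrs:
        return {"session_timeout": None, "on_expiry": "none"}
    timeout = struct.unpack("!I", attrs[SESSION_TIMEOUT])[0]
    action = struct.unpack("!I", attrs[TERMINATION_ACTION])[0] if TERMINATION_ACTION in attrs else 0
    if action == 1:
        if radius_proxy:
            return {"session_timeout": timeout, "on_expiry": "none (proxy mode: timeout processing skipped)"}
        if have_cached_credentials:
            return {"session_timeout": timeout, "on_expiry": "reauthenticate"}
        return {"session_timeout": timeout, "on_expiry": "terminate (no cached credentials)"}
    return {"session_timeout": timeout, "on_expiry": "terminate"}


if __name__ == "__main__":
    pkt = build_access_accept(1, REQUEST_AUTH, SECRET,
                              int_attr(SESSION_TIMEOUT, 3600) + int_attr(TERMINATION_ACTION, 1))
    print(session_policy(pkt, REQUEST_AUTH, SECRET, have_cached_credentials=True))
```

The authenticator check comes first on purpose: a Session-Timeout or Termination-Action in a packet that does not verify against the shared secret is not evidence of anything, so the policy function refuses it rather than falling back to a default.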

Benefits

• Service Providers can implement a time-based prepaid billing model with standard RADIUS attributes (unlike SSG’s prepaid model, which is proprietary and extensive).

• If Service Providers already have a billing system that is implemented based on these RADIUS attributes, they can introduce SSG into that business system easily.

Hardware

Routers • Cisco 2651XM, 3745, 7200, 7301, and 7600 MWAM

Restrictions

• In SSG RADIUS proxy deployments, SSG will not perform session timeout processing when attribute #29 is present in the Access-Accept packet and is set to re-authenticate.

• SSG uses the cached username and password while performing re-authentication. If SSG does not have these credentials, the session is brought down as if re-authentication has failed. If a particular deployment makes use of one-time passwords for authenticating users, SSG re-authentication will fail and the session will be brought down.

Product Management Contact: [email protected]

2.10.13) Service Selection Gateway Default Quota for Prepaid Billing Server Failure

The Service Selection Gateway (SSG) Default Quota for Prepaid Billing Server Failure feature allows SSG to allocate a default quota when the prepaid server fails to respond to an authorization request. This functionality allows prepaid users to connect to a service even when the prepaid server is unavailable during authorization. SSG can be configured to allocate multiple default quotas up to a configured maximum. SSG will also allocate default quotas when the prepaid server is unresponsive to reauthorization requests, thus preventing existing connections from being terminated.

SSG can be configured to allocate a default quota when the prepaid server fails to respond to an authorization request. The default quota for a service is specified in the service profile. SSG stores the value when the service profile is downloaded from the AAA server. If the prepaid server is not accessible during initial authorization, SSG allocates the default quota and activates the connection, thus allowing the prepaid user to connect to the respective service.

When a default quota expires, SSG attempts to reauthorize the user. If the prepaid server still does not respond, SSG will allocate another default quota. SSG will allocate multiple default quotas up to a configured maximum. Once SSG has allocated the configured maximum number of default quotas, no further default quota allocations will be made, and the user’s connection to the service will be terminated.

SSG will also allocate default quotas when the prepaid server fails during the reauthorization of existing connections. Allocation of a default quota for the reauthorization of an existing connection prevents the connection from being terminated due to the unavailability of the prepaid server.
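The allocation rules just described form a small state machine: grant the server's quota when it answers, fall back to the profile's default quota while it does not, and tear the connection down once the configured maximum number of default quotas has been used. The following is an added example that models that behaviour; it is not Cisco or SSG code, and the scripted server replies, quota values and maximum are constructed.

```python
"""Model of the default-quota fallback described above: a prepaid connection
keeps running on default quotas while the billing server is unresponsive,
up to a configured maximum, and is torn down after that. Added example,
not Cisco code; the scripted server replies and quota values are constructed."""
from dataclasses import dataclass, field
from typing import Callable, List, Optional


@dataclass
class PrepaidConnection:
    service: str
    default_quota: int         # value taken from the service profile
    max_default_quotas: int    # configured maximum number of fallback allocations
    default_quotas_used: int = 0
    quota: int = 0
    active: bool = False
    log: List[str] = field(default_factory=list)


def authorize(conn: PrepaidConnection, ask_server: Callable[[str], Optional[int]]) -> bool:
    """One authorization or reauthorization round.

    ask_server returns the quota granted by the prepaid server, or None when
    the request timed out (RADIUS retransmits exhausted). Returns True while
    the connection stays up."""
    granted = ask_server(conn.service)
    if granted is not None:
        conn.quota, conn.active = granted, True
        conn.log.append(f"server granted quota {granted}")
        return True
    if conn.default_quotas_used < conn.max_default_quotas:
        conn.default_quotas_used += 1
        conn.quota, conn.active = conn.default_quota, True
        conn.log.append(f"server unavailable: default quota #{conn.default_quotas_used} allocated")
        return True
    conn.quota, conn.active = 0, False
    conn.log.append("server unavailable and default quotas exhausted: connection terminated")
    return False


def run_session(conn: PrepaidConnection, server_replies: List[Optional[int]]) -> PrepaidConnection:
    """Drive the connection through initial authorization and successive quota
    expiries; each entry in server_replies is the server's answer (or None for
    a timeout) to one request."""
    for reply in server_replies:
        if not authorize(conn, lambda _service, r=reply: r):
            break
    return conn


if __name__ == "__main__":
    c = run_session(PrepaidConnection("video", default_quota=300, max_default_quotas=2),
                    [None, None, None])
    print("\n".join(c.log))
```

Note what the model does not do: a later successful answer from the server does not reset the count of default quotas already used. The text does not say whether SSG resets it, so the model keeps the conservative reading; from a billing point of view the default quotas are unmetered service, so the cap is the control that bounds the revenue exposure of a long billing-server outage.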

Benefits

This enhancement ensures continued subscriber connectivity during temporary connection failures with prepaid billing servers.

Hardware

Routers • Cisco 2651XM, 3745, 7200, 7301, and 7600 MWAM

Considerations

• The default quota is applicable for prepaid services only.

• The default quota will be used only when the prepaid billing server is not available; that is, when the RADIUS packet retransmit times out.

Product Management Contact: [email protected]

2.10.14) Service Selection Gateway Support for Dynamic Load Balancing

The Service Selection Gateway (SSG) Support for Dynamic Load Balancing feature enables the Dynamic Feedback Protocol (DFP) to be used to facilitate dynamic load balancing among multiple Service Selection Gateways (SSGs). When DFP support is configured on SSG, SSG registers with the DFP agent and hands over weights at configured intervals. The DFP agent conveys the weights to a DFP manager, such as a Cisco IOS Server Load Balancing device, which uses the weights to determine load balancing among the SSGs.

When multiple SSGs are deployed with Cisco IOS Server Load Balancing, DFP enables the real servers (the SSGs) to communicate server health to the DFP manager. SSG registers with the DFP agent and hands over weights at configured intervals. The DFP agent calculates relative weights for SSG on the basis of three factors:

• The DFP weight configured for the SSG

• CPU load

• Memory utilization

The weights are conveyed by the DFP agent to the load balancer, which uses the weights in an algorithm to determine load balancing among the SSG devices. A higher weight for a server indicates higher availability; a weight of zero indicates that a server has no availability.

SLB always uses weights to balance loads. If DFP is not configured or if the DFP connection has been terminated and the DFP agent cannot relay the current weights, SLB uses static weights that have been configured for the server. If weights have not been configured, SLB uses default weights.
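The weight handling above (dynamic weights while DFP reports arrive, static or default weights when they stop, zero meaning no availability) can be made concrete with a small load-balancer model. This is an added example, not Cisco SLB or DFP code: the formula that turns configured weight, CPU load and memory use into a DFP weight, the freshness window after which a report counts as lost, and the default weight are assumptions made for the model, not the values DFP or SLB actually use.

```python
"""Weighted server selection as described above: each SSG reports a DFP
weight derived from its configured weight, CPU load and memory use, and the
load balancer uses those weights while they are fresh, falling back to
static weights (or a default) when DFP reports stop. Added example, not
Cisco code; the weight formula, freshness window and default weight are
assumptions made for this model, not DFP's or SLB's actual values."""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

DEFAULT_STATIC_WEIGHT = 8   # assumption for the model


def dfp_weight(configured: int, cpu_pct: float, mem_pct: float) -> int:
    """Assumed model: scale the configured weight by the free share of the
    scarcer resource; a fully loaded CPU or memory yields 0 (no availability)."""
    headroom = min(100.0 - cpu_pct, 100.0 - mem_pct)
    if headroom <= 0:
        return 0
    return max(0, round(configured * headroom / 100.0))


@dataclass
class RealServer:
    name: str
    static_weight: Optional[int] = None
    dfp_weight: Optional[int] = None
    dfp_updated: float = 0.0
    current: int = 0    # smooth weighted round-robin accumulator


class Balancer:
    def __init__(self, servers: List[RealServer], dfp_timeout: float = 30.0):
        self.servers = {s.name: s for s in servers}
        self.dfp_timeout = dfp_timeout  # assumption: reports older than this count as lost

    def report(self, name: str, weight: int, now: float) -> None:
        """The DFP agent hands over a weight for one real server."""
        s = self.servers[name]
        s.dfp_weight, s.dfp_updated = weight, now

    def effective_weight(self, s: RealServer, now: float) -> int:
        """Fresh DFP weight first, then the configured static weight, then the default."""
        if s.dfp_weight is not None and now - s.dfp_updated <= self.dfp_timeout:
            return s.dfp_weight
        return s.static_weight if s.static_weight is not None else DEFAULT_STATIC_WEIGHT

    def pick(self, now: float) -> Optional[str]:
        """Smooth weighted round-robin: over sum(weights) picks each server is
        chosen exactly weight times; weight-0 servers are never chosen."""
        weights = {n: self.effective_weight(s, now) for n, s in self.servers.items()}
        total = sum(weights.values())
        if total == 0:
            return None
        for s in self.servers.values():
            s.current += weights[s.name]
        best = max(self.servers.values(), key=lambda s: s.current)
        best.current -= total
        return best.name

    def distribution(self, picks: int, now: float) -> Dict[str, int]:
        """How many of the next `picks` new connections each server would get."""
        chosen = (self.pick(now) for _ in range(picks))
        return dict(Counter(p for p in chosen if p is not None))


if __name__ == "__main__":
    lb = Balancer([RealServer("ssg1", static_weight=3), RealServer("ssg2", static_weight=1)])
    lb.report("ssg1", dfp_weight(16, cpu_pct=50, mem_pct=25), now=1000.0)
    lb.report("ssg2", dfp_weight(16, cpu_pct=100, mem_pct=10), now=1000.0)
    print(lb.distribution(8, now=1000.0))    # ssg2 reported 0: it receives nothing
    print(lb.distribution(4, now=1100.0))    # reports stale: static 3:1 weights apply
```

The point of the freshness window is the failure mode named in the text: when the DFP connection drops, the balancer must not keep steering traffic on the last reported weights indefinitely, so stale reports are discarded in favour of the static configuration.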

Benefits

• Allows multiple SSGs with different CPU power and memory to be used together easily in a single SSG network with a load balancer.

• Increased session reliability by preventing a busy SSG from receiving too many new connection requests.

• Allows a new SSG that is being introduced into an existing SSG farm to come up dynamically to the same load as the other SSGs.

Hardware

Routers • Cisco 2651XM, 3745, 7200, 7301, and 7600 MWAM

Product Management Contact: [email protected]

2.10.15) Cisco IOS Service Assurance Agent Multiple Operation Scheduling

Cisco IOS Service Assurance Agent (SAA) uses various metrics to assess a network’s performance and availability. It can perform network assessments, verify service level agreements, and assist administrators with troubleshooting. It automates service level monitoring for both end customers and Service Providers. Cisco IOS SAA uses unique service level assurance metrics and methodology to provide highly accurate, precise service level assurance measurements.

Cisco IOS SAA will inform users if Quality of Service (QoS) is working and configured correctly. It reduces operational costs by identifying issues and tests the network infrastructure continuously. It also reduces the time required to track and isolate network performance problems, thus decreasing operating expenses. Cisco IOS SAA sends data across the network to measure performance between multiple network locations or across multiple network paths. It simulates network data and IP services, collecting network performance information in real time. Collected information includes response time, one-way latency, jitter, packet loss, voice quality scoring, and server response time.

Cisco IOS SAA Multiple Operation Scheduling allows the user to easily schedule active performance measurements to a group of destination devices from a source device. This capability allows sequential activation of a large number of SAA operations with one CLI command or SNMP MIB set. For example, the user can schedule a set of SAA jitter operations to measure edge-to-edge jitter, packet loss, and response time from a source router to a large number of destination routers with one CLI command.

Figure 45: Cisco IOS Service Assurance Agent Multiple Operation Scheduling (diagram: a source router automatically schedules measurements to multiple destination routers, sending measurement packets to Destination 1, Destination 2 and Destination 3 at times T1, T2 and T3)

Benefits

• Enhances Cisco IOS SAA scalability and ease of use.

• Provides more flexibility in the ability to schedule SAA operations.

• Embedded active monitoring in Cisco IOS Software.

• Automated real-time, accurate network performance and network health monitoring.

• Capable of verifying and measuring IP service levels and parameters needed for service level agreements.

• Per-class QoS traffic monitoring.

• Flexible scheduling.

• Proactive notifications with Simple Network Management Protocol (SNMP) Trap.

• Hop-by-hop and end-to-end performance measurement.

• Controlled through SNMP or Command Line Interface (CLI).

• VoIP codec simulation and VoIP quality measurement (MOS and ICPIF).

• MPLS network monitoring.

• Integrated into several third-party diagnostic tools.

Hardware

Routers • All routers that support the Cisco IOS Software Release 12.3T family

Switches • All switches that support the Cisco IOS Software Release 12.3T family, except the Cisco Catalyst 4500 Series Switch

Additional Information: http://www.cisco.com/go/saa

Product Management Contact: Tom Zingale, [email protected]

2.10.16) MPLS Aware NetFlow

Understanding who is using the network and for how long, what protocols and applications are being used, and where the network data is flowing is a necessity for today’s IP network managers. IP network managers rely on exported NetFlow data for a variety of purposes, including:

• Network management and planning

• Enterprise accounting

• Troubleshooting

• Security monitoring and departmental charge back billing

• Data warehousing

• Data mining for marketing purposes

NetFlow version 9 is a new flexible and extensible format for exporting IP flow information from Cisco routers and switches, providing rapid support for IP accounting of Cisco technologies. New features that leverage NetFlow version 9 include MPLS Aware NetFlow, NetFlow multicast and NetFlow BGP Next Hop. The NetFlow Version 9 extensible format is recognized as a new standard for exporting flow information from IP devices.

Capacity planning is a necessity for Cisco customers using MPLS VPN, MPLS traffic engineering, and MPLS label distribution protocol. MPLS network management and capacity planning has now been enhanced with the addition of MPLS Aware NetFlow, which allows customers to determine the IP destination of labeled switched traffic and to understand the utilization of labeled switched paths.
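What makes version 9 "flexible and extensible" is its template mechanism: the exporter first sends a template describing the fields and their lengths, and data records are then decoded against it, so new fields such as the MPLS label stack can be added without a new packet format. The following is an added example, not Cisco code, of a minimal collector-side decoder following the RFC 3954 layout; the export packet it decodes is constructed inside the block, and the field type numbers used are the standard NetFlow v9 ones (1 IN_BYTES, 2 IN_PKTS, 4 PROTOCOL, 7/11 L4 ports, 8/12 IPv4 addresses, 70 to 72 MPLS_LABEL_1 to 3).

```python
"""Minimal NetFlow version 9 decoder following the RFC 3954 packet layout:
export header, template FlowSets (ID 0) cached per source, and data FlowSets
decoded against those templates, including the 3-byte MPLS label stack
entries that MPLS Aware NetFlow exports. Added example, not Cisco code; the
sample packet is constructed in build_sample_packet()."""
import struct
from typing import Dict, List, Tuple

# Field type IDs (RFC 3954 section 8 field definitions)
IN_BYTES, IN_PKTS, PROTOCOL, L4_SRC_PORT = 1, 2, 4, 7
IPV4_SRC_ADDR, L4_DST_PORT, IPV4_DST_ADDR = 8, 11, 12
MPLS_LABEL_1, MPLS_LABEL_2, MPLS_LABEL_3 = 70, 71, 72
FIELD_NAMES = {1: "in_bytes", 2: "in_pkts", 4: "protocol", 7: "l4_src_port", 8: "ipv4_src_addr",
               11: "l4_dst_port", 12: "ipv4_dst_addr", 70: "mpls_label_1", 71: "mpls_label_2",
               72: "mpls_label_3"}


def decode_field(ftype: int, raw: bytes):
    if ftype in (IPV4_SRC_ADDR, IPV4_DST_ADDR):
        return ".".join(str(b) for b in raw)
    if ftype in (MPLS_LABEL_1, MPLS_LABEL_2, MPLS_LABEL_3):
        # 3 bytes: 20-bit label, 3-bit EXP (traffic class), 1-bit bottom-of-stack
        v = int.from_bytes(raw, "big")
        return {"label": v >> 4, "exp": (v >> 1) & 0x7, "bos": v & 1}
    return int.from_bytes(raw, "big")


class NetFlowV9Decoder:
    def __init__(self) -> None:
        # Templates are scoped by (source id, template id). A collector keeps
        # them across packets: data can arrive long after the template did.
        self.templates: Dict[Tuple[int, int], List[Tuple[int, int]]] = {}

    def decode(self, packet: bytes) -> List[dict]:
        version, _count, _uptime, _secs, _seq, source_id = struct.unpack("!HHIIII", packet[:20])
        if version != 9:
            raise ValueError(f"not NetFlow v9 (version {version})")
        records, pos = [], 20
        while pos + 4 <= len(packet):
            fs_id, fs_len = struct.unpack("!HH", packet[pos:pos + 4])
            if fs_len < 4 or pos + fs_len > len(packet):
                raise ValueError("bad FlowSet length")
            body = packet[pos + 4:pos + fs_len]
            if fs_id == 0:
                self._learn_templates(source_id, body)
            elif fs_id >= 256:
                records.extend(self._decode_data(source_id, fs_id, body))
            # fs_id 1 (options templates) is skipped in this example
            pos += fs_len
        return records

    def _learn_templates(self, source_id: int, body: bytes) -> None:
        pos = 0
        while pos + 4 <= len(body):
            tid, nfields = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            fields = []
            for _ in range(nfields):
                fields.append(struct.unpack("!HH", body[pos:pos + 4]))
                pos += 4
            self.templates[(source_id, tid)] = fields

    def _decode_data(self, source_id: int, tid: int, body: bytes) -> List[dict]:
        fields = self.templates.get((source_id, tid))
        if fields is None:
            return []   # template not seen yet; a real collector buffers or drops these
        rec_len = sum(flen for _, flen in fields)
        out, pos = [], 0
        while pos + rec_len <= len(body):   # trailing bytes shorter than a record are padding
            rec = {}
            for ftype, flen in fields:
                rec[FIELD_NAMES.get(ftype, f"field_{ftype}")] = decode_field(ftype, body[pos:pos + flen])
                pos += flen
            out.append(rec)
        return out


def build_sample_packet() -> bytes:
    """Constructed export: one template (ID 256) plus one data record."""
    fields = [(IPV4_SRC_ADDR, 4), (IPV4_DST_ADDR, 4), (L4_SRC_PORT, 2), (L4_DST_PORT, 2),
              (PROTOCOL, 1), (IN_BYTES, 4), (IN_PKTS, 4), (MPLS_LABEL_1, 3), (MPLS_LABEL_2, 3)]
    template = struct.pack("!HH", 256, len(fields)) + b"".join(struct.pack("!HH", t, l) for t, l in fields)
    template_fs = struct.pack("!HH", 0, 4 + len(template)) + template
    record = (bytes([10, 1, 1, 1]) + bytes([192, 0, 2, 10]) + struct.pack("!HHB", 40000, 443, 6)
              + struct.pack("!II", 1500, 10)
              + ((16 << 4) | (0 << 1) | 0).to_bytes(3, "big")     # label 16, EXP 0, not bottom
              + ((24 << 4) | (5 << 1) | 1).to_bytes(3, "big"))    # label 24, EXP 5, bottom of stack
    pad = (-len(record)) % 4
    data_fs = struct.pack("!HH", 256, 4 + len(record) + pad) + record + b"\x00" * pad
    header = struct.pack("!HHIIII", 9, 2, 123456, 1700000000, 1, 0)
    return header + template_fs + data_fs


def decode_sample() -> List[dict]:
    return NetFlowV9Decoder().decode(build_sample_packet())
```

Two collector-side details matter operationally: templates are keyed by the source ID as well as the template ID, because two exporters may both use template 256 with different layouts, and a data FlowSet whose template has not been seen yet is silently unreadable until the next template refresh, which is why exporters resend templates periodically and why a collector restart shows a gap in flow data.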

Figure 46: MPLS Aware NetFlow (diagram of a traffic flow across PE, P and PE routers: traditional NetFlow accounts for IP-to-MPLS traffic at the ingress PE, MPLS Aware NetFlow (version 9) runs in the MPLS core, and Egress MPLS NetFlow Accounting accounts for MPLS-to-IP traffic at the egress PE)

Egress MPLS NetFlow Accounting • IP information only • Ideal for billing • Current availability: Cisco IOS Software Releases 12.0(10)ST and 12.1(5)T

MPLS Aware NetFlow (version 9) • Exports up to three MPLS levels, and IP packet information • Ideal for traffic engineering • MPLS packet header can be accounted (MPLS-length configuration)

Benefits

• NetFlow version 9 is a flexible and extensible export format and an emerging IETF standard for exporting information from IP devices.

• MPLS Aware NetFlow enhances MPLS network planning.

• Peering arrangements.

• Network planning.

• Traffic engineering.

• Accounting and billing.

• Security monitoring.

• Internet access monitoring (protocol distribution, where traffic is going/coming).

• User monitoring.

• Application monitoring.

• Charge back billing for departments.

Hardware

Routers • Cisco 3700, 7200, 7300, 7400, and 7500 Series Routers

Considerations

MPLS Aware NetFlow is also available in Cisco IOS Software Release 12.0(24)S on the Cisco 12000 Series Internet Router, and in Release 12.0(26)S for additional hardware products.

Additional Information: http://www.cisco.com/go/netflow

Product Management Contact: Tom Zingale, [email protected]

2.10.17) Service Selection Gateway Interface Redundancy

In Service Selection Gateway (SSG), each service is associated with an outbound interface. When a subscriber chooses to use a service, SSG connects the subscriber to the service via the associated outbound interface. SSG interface redundancy allows services to be associated with more than one interface to protect against link failures.

When redundant interfaces are configured for a service, a distance metric is assigned to each service binding. This metric determines the order in which SSG selects the interface used to reach a service. The interface for the service binding with the lowest metric is the primary interface; the interface for the service binding with the second lowest metric is the secondary interface, and so on. If a failure occurs on an active interface, SSG recognizes the failure and switches the service connection to the interface associated with the next lowest metric. When the primary uplink interface or next hop becomes available again, SSG switches back to using the primary interface.

SSG Uplink Interface Redundancy Topologies

The SSG Interface Redundancy feature supports uplink interface redundancy in the following network topologies:

Figure 47: Multiple Next-Hops per Service Sample Topology (diagram: SSG reaches the Service through Uplink 1 and Uplink 2, each with its own next hop)

Figure 48: Multiple Uplink Interfaces with a Single Next Hop Sample Topology (diagram: SSG reaches the Service through Uplink 1 and Uplink 2 via one shared next hop)

Figure 49: Multiple Uplink Interfaces with No Next Hop Sample Topology (diagram: SSG reaches the directly connected Service through Uplink 1 and Uplink 2)

Figure 50: Combinations of Directly Connected Uplink Interfaces and Interfaces with Next Hops Sample Topology (diagram: SSG reaches the Service through one directly connected uplink and one uplink with a next hop)

Benefits

• Reduces Connectivity Downtime

Service Providers can use SSG Interface Redundancy to configure a redundant interface for services they offer to subscribers. Any failure on the primary interface activates the backup interface, reducing service connection downtime. It also helps subscribers get uninterrupted access to the services that Service Providers are providing.

Hardware

Routers • Cisco 2651XM, 3745, and 7301 Routers

• Cisco 7200 and 7600 MWAM Series Routers

Product Management Contact: Murali Kolli, [email protected]

2.10.18) SSG Permanent TCP Redirection

Description

The SSG Permanent TCP Redirection feature enables Service Selection Gateway (SSG), in conjunction with Cisco Subscriber Edge Services Manager (SESM), to provide service selection support to users whose web browsers are configured with HTTP proxy servers. This feature supports plug-and-play functionality in public access networks such as Public Wireless LANs.

Release Modification

12.3(3)B: This feature was introduced.

12.3(7)T: This feature was implemented in Cisco IOS Release 12.3(7)T.

Benefits

• The SSG Permanent TCP Redirection feature enables SSG to provide service selection support to users whose web browsers are configured with HTTP proxy servers. This solution enables SSG, in conjunction with SESM, to provide an emulation of the HTTP proxy, so the experience of the user is as if the user’s web browser were exchanging traffic with the user’s real HTTP proxy server. This feature supports plug-and-play functionality in public access networks such as Public Wireless LANs.

Restrictions:

The following restrictions apply to the SSG Auto-logoff Enhancement feature:

• SSG will not provide concurrent service selection to the HTTP proxy user who uses web traffic to reach more than one service. SSG can redirect web traffic to only one service or server.

• SSG will not provide TCP redirection for unauthorized services for HTTP proxy users who are unauthenticated, because SSG will not know the destination of the traffic.

• SSG simulates the proxy for HTTP traffic, so if a user tries to send any traffic other than HTTP traffic, the connection will fail. For example, a user will be unable to use FTP to access the HTTP proxy server configured in the browser.

• If a user changes his HTTP proxy settings after authentication, SSG will not be able to detect the changes.

Hardware

Routers • Cisco 2651XM and 2691 Routers

• Cisco 3725 and 3745 Routers

• Cisco 7200 Series Routers

• Cisco 7301 Router

Product Management Contact: [email protected]

2.10.19) SSG Transparent Auto-Logon

Description

The Transparent Auto-Logon (TAL) feature enables SSG to authenticate/authorize users based on IP packets received from the user. SSG authorizes users by using information from the Authentication, Authorization, and Accounting (AAA) server when a first IP packet is received from the user.

Users can be activated on SSG through Web-based login procedures using Service Edge Subscriber Management (SESM), RADIUS Proxy, and PPP session termination. The Transparent Auto-Logon feature provides an additional activation method. Transparent Auto-Logon provides SSG services to a user who is authorized based on the source IP address of packets received on a downlink interface of SSG, without any previous authentication phase. Depending on the customer deployment, there can still be user access via Web-based login, RADIUS Proxy, and PPP session termination. The SSG provides the flexibility to allow the coexistence of these different authentication methods.

Figure 51: User-to-Service Packet Flow (diagram: an IP packet from the user reaches SSG (1), SSG exchanges RADIUS messages with the AAA server (2, 3), and the IP packet is forwarded on to the service (4))

Benefits

The SSG application (which includes the TAL function described in this document) provides the following benefits:

• Prevents interactive subscriber authentication where subscriber identity is verified by other means.

• Enables always-on access to network services for specific classes of users (transparent, flat-rate users).

• Provides an authentication model that still requires interactive authentication from pay-per-use users for network services that are subject to explicit sign-on.

Restrictions:

If SSG Transparent Auto Logon is used, a subscriber’s identity is solely tied to his/her source IP address. To provide proper security, service providers have to ensure that the subscriber connections are secure and that the IP addresses are not spoofed for illegal use.

Hardware

Routers • Cisco 2651XM and 2691 Routers

• Cisco 3725 and 3745 Routers

• Cisco 7200 Series Routers

• Cisco 7301 Router

Product Management Contact: [email protected]

2.10.20) SSG TCP Re-direct Exclusion List

Description

The existing TCP Redirect feature is enhanced to allow access lists to be associated with server groups. This enhancement can be used to limit the kind of traffic that is redirected based on the source or destination IP address and TCP ports. It can also be used to redirect different sets of users to different dashboards for unauthenticated users and unauthorized service redirection. The access list can be a simple or extended access list. It can also be a named or numbered access list.

Release Modification

12.3(3)B: This feature was introduced.

12.3(7)T: This feature was implemented in Cisco IOS Release 12.3(7)T.

Benefits

• Allows an access list to be associated with a TCP redirect server group to redirect subscribers to different server groups.

• Can be applied to any type of redirection, such as those for authentication, authorization, initial and periodic captivation, prepaid redirection, etc.

Hardware

Routers • Cisco 2651XM and 2691 Routers

• Cisco 3725 and 3745 Routers

• Cisco 7200 Series Routers

• Cisco 7301 Router

Product Management Contact: Murali Kolli, 408-526-5228, [email protected]

2.10.21) Service Assurance Agent VoIP Proactive Monitoring

Description

Understanding network performance is essential to deploying and running a Voice over IP (VoIP) network. Service Assurance Agent (SAA) proactively measures network performance. If you are deploying a new VoIP network, then SAA can be used for network assessment. SAA will tell you if Quality of Service is working and configured correctly and if the network can support VoIP. After deployment of VoIP you will need to understand the network performance and troubleshoot network issues. SAA provides this essential information. SAA reduces operational costs by identifying issues and provides a continuous and reliable test of your network infrastructure. SAA also reduces the time to track and isolate network performance problems, thus saving expenses.

The Cisco IOS Software SAA feature actively sends data across the network to measure performance between multiple network locations or across multiple network paths. It simulates VoIP codecs and collects network performance information in real time: response time, one-way latency, one-way jitter, one-way packet loss, voice quality scoring (MOS scores), and additional network statistics.

The Cisco IOS Software SAA feature enables the user to monitor network performance thresholds and send SNMP alerts for proactive notification. In the past SAA has supported threshold monitoring for performance parameters such as average jitter, unidirectional latency, bidirectional round trip time and connectivity. The latest release of Cisco IOS Software includes new capabilities to monitor thresholds for important VoIP-related parameters including unidirectional jitter, unidirectional packet loss, and unidirectional VoIP voice quality scoring (MOS scores).

Release Modification

12.3(3)B: This feature was introduced.

12.3(7)T: This feature was implemented in Cisco IOS Release 12.3(7)T.
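The metrics and threshold notifications described above can be followed through on a sequence of probe packets. The following is an added example, not Cisco or SAA code: it takes timestamped one-way probes (sequence number, send time, receive time or lost), computes one-way latency, one-way packet loss and one-way jitter, and raises one notification per metric that crosses its configured threshold, which is the role the SNMP trap plays in the text. The probe timestamps and thresholds are constructed, and the jitter definition used (mean absolute change in one-way delay between successively received probes) is an assumption for this model, not SAA's exact algorithm; MOS scoring is not modelled.

```python
"""One-way latency, one-way jitter and one-way packet loss from a sequence of
timestamped probe packets, with threshold checks that raise notifications of
the kind the text describes (SNMP traps on unidirectional jitter, loss and
latency). Added example, not Cisco code; the probe timestamps are
constructed and the jitter definition (mean absolute change in one-way delay
between successively received probes) is an assumption for this model, not
SAA's exact algorithm."""
from typing import Dict, List, Optional, Tuple

Probe = Tuple[int, float, Optional[float]]  # sequence, sent_ms, received_ms (None = lost)

# Constructed: 10 probes sent every 20 ms; probe 4 never arrives
_DELAYS = [30, 32, 31, 35, None, 33, 30, 31, 45, 31]
PROBES: List[Probe] = [(i, 20.0 * i, None if d is None else 20.0 * i + d)
                       for i, d in enumerate(_DELAYS)]


def voip_metrics(probes: List[Probe]) -> Dict[str, float]:
    """Compute one-way metrics. Sender and receiver clocks are assumed to be
    synchronized; one-way figures are meaningless without that (SAA relies
    on NTP for them)."""
    ordered = sorted(probes, key=lambda p: p[0])
    delays = [r - s for _seq, s, r in ordered if r is not None]
    if not delays:
        raise ValueError("no probes received")
    # delay variation between successively received probes (lost ones are skipped)
    variations = [abs(b - a) for a, b in zip(delays, delays[1:])]
    return {
        "sent": len(probes),
        "received": len(delays),
        "loss_pct": 100.0 * (len(probes) - len(delays)) / len(probes),
        "avg_latency_ms": sum(delays) / len(delays),
        "max_latency_ms": max(delays),
        "avg_jitter_ms": sum(variations) / len(variations) if variations else 0.0,
    }


def threshold_alerts(metrics: Dict[str, float], thresholds: Dict[str, float]) -> List[str]:
    """One notification per metric above its limit; the metric-to-threshold
    mapping is constructed for the example."""
    alerts = []
    for name, limit in thresholds.items():
        value = metrics[name]
        if value > limit:
            alerts.append(f"{name}={value:.3f} exceeds threshold {limit}")
    return alerts


def monitor(probes: List[Probe], thresholds: Dict[str, float]) -> Tuple[Dict[str, float], List[str]]:
    m = voip_metrics(probes)
    return m, threshold_alerts(m, thresholds)


if __name__ == "__main__":
    metrics, alerts = monitor(PROBES, {"avg_jitter_ms": 5.0, "loss_pct": 5.0, "avg_latency_ms": 50.0})
    print(metrics)
    for a in alerts:
        print("ALERT:", a)
```

On the constructed sample the single lost probe and the one 45 ms outlier are enough to push both unidirectional jitter and unidirectional loss over their thresholds while average latency stays within bounds, which is the kind of condition a VoIP operator wants to hear about before users do.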

Figure 52Cisco IOS Service Assurance Agent

Benefits

• Embedded in Cisco IOS Software—no additional cost.

• Proactive notifications with Simple Network Management Protocol (SNMP) Trap.

• New SNMP traps unidirectional jitter, unidirectional packet loss, and unidirectional VoIP voice quality scoring

(MOS scores).

• Real-time, accurate VoIP network performance monitoring.

• VoIP codec simulation and VoIP quality measurement (MOS and ICPIF).

• VoIP Network Assessment.

• Per-class QoS traffic monitoring.

• Flexible scheduling of operations.

• Hop-by-hop and end-to-end performance measurement.

• Controlled through SNMP or Command Line Interface (CLI).

• Extensive partnerships with industry leaders.

NetworkPerformance

Monitor

QoSMonitoring

NetworkAssessment

SLAMonitoring

TroubleShooting

VoIPNetwork

Quality Score

SAA Networks to Server Measurements

SAA End-to-End Measurements

Figure: SAA WAN Measurements between Headquarters and Branch Cisco 7200 routers over the PSTN and the IP WAN.

Hardware

Routers • All (platform independent)

Additional Information: http://www.cisco.com/go/saa

Product Management Contact: [email protected]

2.10.22) NetFlow MIB

Description

Understanding network user identities, usage time, the protocols and applications being utilized, and the flow of network data is a necessity for today’s IP network managers. Exported NetFlow data can be used for a variety of purposes, including network management and planning, user and security monitoring, protocol and application monitoring, enterprise accounting and departmental charge backs, Internet service provider (ISP) billing, data warehousing, and data mining for marketing purposes.

Traditionally, NetFlow information is exported from the router and persistently stored and analyzed by network management applications. An additional method to retrieve NetFlow data is now available: the NetFlow MIB allows access to NetFlow data when export is not practical. The NetFlow MIB is very useful for security monitoring and attack detection by monitoring flow information. The MIB provides the ability to configure and modify NetFlow through an SNMP interface. The user can easily retrieve a snapshot of IP flow, protocol, and packet size distribution information with SNMP.

Figure 53. NetFlow MIB (figure: a router with NetFlow enabled exposes the new SNMP MIB interface to an SNMP application, alongside the traditional NetFlow export packets sent to a collector and GUI)

Key Features

• Network Planning

• Traffic Engineering

• Accounting and Billing

• Security Monitoring

• Internet Access Monitoring

• User Monitoring

• Application Monitoring

• Peering Arrangements


Benefits

• A new additional method to retrieve NetFlow information.

• Retrieval of NetFlow information when the traditional export may not be practical.

• Useful security information directly from an SNMP MIB.

• Remote configuration of NetFlow features without using CLI.

• MIB access to IP flow, protocol and packet size distribution information.

Hardware

Routers • All (platform independent)

Additional Information: http://www.cisco.com/go/netflow/

Product Management Contact: [email protected]

2.10.23) Configuration Rollback/Configuration Replace

Description

Configuration Rollback is now available in Cisco IOS Software via the new “configuration replace” command. The “configuration replace” command is a mechanism to revert to a previous configuration state, effectively allowing configuration changes to be rolled back. Instead of basing the rollback operation on a specific set of changes that have been applied, the Cisco IOS Configuration Rollback capability allows reverting to a specific configuration state, based on a saved Cisco IOS configuration file.

The “configuration replace” command compares the current running configuration with the specified target configuration, internally generates a set of diffs (using the same mechanism used by the Cisco IOS “show archive diff” command), and then applies the resulting diffs in order to achieve the desired configuration state. Only the diffs are applied, avoiding potential service disruption from re-applying configuration commands which have not changed. The config rollback mechanism effectively handles changes to order-dependent commands, such as access lists, via a multipass algorithm.

Benefits

• Allows the user to revert to a previous configuration state, effectively “rolling back” configuration changes.

• Allows the user to replace the running configuration file with the startup configuration file without having to reload the router or manually undo CLI changes to the running configuration file, reducing system downtime [1].

• Simplifies configuration change by allowing the user to push a complete configuration file to the router, where only the commands which need to be added or removed will be applied [2].

• Allows the user to revert to any desired configuration, via replacement of the running configuration with any previously saved configuration file.

[1] This is a benefit of “config replace”—this is not a “rollback” issue.

[2] This is a benefit of “archive config”.

Hardware

Routers • All (platform independent)

Additional Information:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123newft/123t/123t_7/index.htm

Product Management Contact: [email protected]

2.10.24) Cisco IOS Service Assurance Agent for VoIP UDP Operation

Understanding network performance is essential to deploying and running a Voice over IP (VoIP) network. Cisco IOS Service Assurance Agent (SAA) VoIP UDP Operation proactively measures network performance. It can assess the network when deploying a new VoIP network: evaluate how QoS is functioning and whether it is configured correctly, and determine whether the network can support VoIP.

Following VoIP deployment, users need to understand the network performance in order to troubleshoot network issues. Cisco IOS SAA provides this essential information. It will reduce operational costs by identifying issues and will enable a continuous and reliable test of the network infrastructure. Cisco IOS SAA will reduce the time needed to track and isolate network performance problems, saving expenses.

Cisco IOS SAA actively sends data across the network to measure performance between multiple network locations or across multiple network paths. It simulates VoIP codecs and collects network performance information in real time: response time, one-way latency, one-way jitter, one-way packet loss, voice quality scoring (MOS scores), and additional network statistics. It also provides the mechanism to monitor performance for different classes of traffic and can send threshold violations to NMS workstations.
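The measurements listed above can be illustrated with a small simulation. This is an added example, not the SAA implementation and not code from the bulletin: the probe stream is constructed, the one-way figures assume synchronized sender and receiver clocks as the operation itself does, jitter uses the RFC 3550 interarrival estimator (SAA's own calculation and its MOS/ICPIF scoring are not reproduced here), and the threshold values are the example's assumptions.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Probe:
    """One synthetic UDP probe of a VoIP-style operation (constructed shape)."""
    seq: int
    sent_ms: float            # sender timestamp; clocks assumed synchronized for one-way figures
    recv_ms: Optional[float]  # None when the probe never arrived


def rfc3550_jitter(probes):
    """Interarrival jitter estimate from RFC 3550 section 6.4.1, over the probes that arrived:
    D(i-1,i) = (R_i - R_(i-1)) - (S_i - S_(i-1));  J = J + (|D| - J) / 16."""
    j = 0.0
    prev = None
    for p in probes:
        if p.recv_ms is None:
            continue
        if prev is not None:
            d = (p.recv_ms - prev.recv_ms) - (p.sent_ms - prev.sent_ms)
            j += (abs(d) - j) / 16
        prev = p
    return j


def summarize(probes, latency_threshold_ms=150.0, loss_threshold_pct=1.0):
    """Per-operation statistics plus a threshold flag of the kind that would raise an SNMP trap.
    The two thresholds are assumptions for the example."""
    received = [p for p in probes if p.recv_ms is not None]
    if not received:
        raise ValueError("no probe arrived; nothing to measure")
    one_way = [p.recv_ms - p.sent_ms for p in received]
    loss_pct = 100.0 * (len(probes) - len(received)) / len(probes)
    avg_ms = sum(one_way) / len(one_way)
    return {
        "sent": len(probes),
        "received": len(received),
        "loss_pct": loss_pct,
        "avg_one_way_ms": avg_ms,
        "max_one_way_ms": max(one_way),
        "jitter_ms": rfc3550_jitter(received),
        "threshold_violation": avg_ms > latency_threshold_ms or loss_pct > loss_threshold_pct,
    }


def sample_probes():
    """Constructed probe stream: 10 packets at a 20 ms interval (a G.711-like cadence), 30 ms
    base delay, one late packet (seq 3), one early packet (seq 7) and one lost packet (seq 5)."""
    delay = {3: 34.0, 7: 26.0}
    probes = []
    for seq in range(10):
        sent = 20.0 * seq
        recv = None if seq == 5 else sent + delay.get(seq, 30.0)
        probes.append(Probe(seq, sent, recv))
    return probes


if __name__ == "__main__":
    for key, value in summarize(sample_probes()).items():
        print(f"{key}: {value}")
```

With one probe in ten lost, the loss figure alone trips the violation flag even though latency and jitter are well within what voice tolerates; that is the point of evaluating each metric against its own threshold.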


Figure 54. Cisco IOS SAA VoIP UDP Operation (figure: network performance monitor, QoS monitoring, network assessment, SLA monitoring, troubleshooting, and VoIP network quality score; SAA network-to-server, end-to-end, and WAN measurements between Headquarters and Branch Cisco 7200 routers over the PSTN and the IP WAN)

Benefits

• Embedded in Cisco IOS Software—no additional cost!

• Real-time, accurate VoIP network performance monitoring.

• VoIP codec simulation and VoIP quality measurement (MOS and ICPIF).

• VoIP Network Assessment.

• Per-class QoS traffic monitoring.

• Flexible scheduling of operations.

• Proactive notifications with Simple Network Management Protocol (SNMP) Trap.

• Hop-by-hop and end-to-end performance measurement.

• Controlled through SNMP or CLI.

• Extensive partnerships with industry leaders.

Hardware

Routers • All routers that support Cisco IOS Software new technology (T) releases

Additional Information: http://www.cisco.com/go/saa

Product Management Contact: Tom Zingale, [email protected]

2.10.25) Cisco IOS Embedded Event Manager 1.0

Cisco IOS Embedded Event Manager (EEM) 1.0 enables a distributed, scalable, and customizable approach to event/fault management directly in devices that support Cisco IOS Software. The on-device, proactive event management capabilities are especially useful because not all event management can occur off-router, as certain problems may compromise communication between the router and the external network management device.

Capturing the state of the router during such situations can be invaluable in taking immediate recovery actions and gathering information to perform root-cause analysis. EEM 1.0 is a flexible, policy-driven framework that supports in-box monitoring of different components of the system with the help of software agents known as event detectors. Event detectors notify the EEM when an event of interest occurs. The EEM policies that are configured using the Cisco IOS Software CLI implement recovery based on the current state of the system and on the actions specified in the policy for the given event. An extensible EEM framework will allow new event detectors to be added in future Cisco IOS Software releases.

Figure 55. Cisco IOS Embedded Event Manager 1.0 (figure: fault and event detectors such as the syslog, SNMP, health monitoring threshold-crossed, and application-specific detectors, with future detectors to come, feed the Embedded Event Manager 1.0 system, which acts as a central clearing house for fault events detected in a Cisco IOS system and distributes them to interested applications; EEM policies act on system information and take actions such as notify and reload)
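A minimal model of the detector-to-policy flow in Figure 55 follows. It is an added example written for this page, not EEM code and not Cisco's: the detector classes, the policy functions and the inputs are constructed, and the actions are returned as strings rather than executed, which is enough to show how an event raised on-box is matched to a policy and turned into recovery actions without any external management station.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    detector: str   # name of the event detector that raised it
    data: dict


class SyslogDetector:
    """Event detector: raises an event when a system log line matches a pattern."""

    def __init__(self, pattern):
        self.pattern = re.compile(pattern)

    def feed(self, line):
        m = self.pattern.search(line)
        return Event("syslog", {"line": line, "match": m.group(0)}) if m else None


class ThresholdDetector:
    """Event detector: raises an event on the rising edge of a sampled value crossing a threshold,
    so a value that stays high does not re-trigger the policy on every sample."""

    def __init__(self, name, threshold):
        self.name, self.threshold, self.above = name, threshold, False

    def feed(self, value):
        crossed = value >= self.threshold and not self.above
        self.above = value >= self.threshold
        return Event("threshold", {"name": self.name, "value": value}) if crossed else None


class EventManager:
    """Central clearing house: dispatches each event to the policies registered for its detector."""

    def __init__(self):
        self.policies = {}

    def register(self, detector_name, policy):
        self.policies.setdefault(detector_name, []).append(policy)

    def handle(self, event):
        actions = []
        if event is not None:
            for policy in self.policies.get(event.detector, []):
                actions.extend(policy(event))
        return actions


# Policies (constructed). Actions are returned as strings so they can be inspected; on a router
# the equivalents would be a syslog notification, collecting show output, or a reload.
def link_down_policy(event):
    m = re.search(r"Interface (\S+), changed state to down", event.data["line"])
    if not m:
        return []
    return [f"notify: {m.group(1)} down", f"collect: show interface {m.group(1)}"]


def cpu_policy(event):
    return [f"notify: CPU {event.data['value']}% above threshold",
            "collect: show processes cpu sorted"]


def run_scenario():
    """Constructed inputs: two syslog lines and a series of CPU utilization samples."""
    mgr = EventManager()
    mgr.register("syslog", link_down_policy)
    mgr.register("threshold", cpu_policy)
    syslog_det = SyslogDetector(r"%LINK-3-UPDOWN")
    cpu_det = ThresholdDetector("cpu", threshold=80)
    actions = []
    for line in ["%SYS-5-CONFIG_I: Configured from console by admin on vty0",
                 "%LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down"]:
        actions.extend(mgr.handle(syslog_det.feed(line)))
    for sample in [40, 85, 90, 60]:
        actions.extend(mgr.handle(cpu_det.feed(sample)))
    return actions


if __name__ == "__main__":
    for action in run_scenario():
        print(action)
```

The rising-edge check in the threshold detector is the detail worth copying: a policy that fires on every sample while CPU stays high would itself become a source of load during exactly the incident it is meant to help diagnose.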


Benefits

• Enables a distributed, flexible, and proactive approach to fault/event management directly in a Cisco IOS Software device.

• Supports on-device, predictive self-health monitoring capabilities for key system parameters (CPU utilization, processor and I/O memory utilization, etc.) in Cisco IOS Software, with the ability to take immediate recovery actions.

• Provides a flexible and customizable High Availability and Serviceability tool.

Hardware

Routers • Cisco 1700, 2600, 3600, and 7200 Series

Product Management Contact: Rohit Shrivastava, [email protected]

2.10.26) Contextual Configuration Diff Utility

Contextual Configuration Diff Utility provides the ability to perform a line-by-line comparison of any two configuration files (accessible through the Cisco IOS File System) and generate a list of the differences between them. The generated output includes information regarding the following items:

• Configuration lines that have been added, modified, or deleted.

• Configuration modes within which a changed configuration line exists.

• Location changes of configuration lines that are order-sensitive. For example, the “ip access-list” and “community-lists” commands are order-sensitive commands dependent on where they are listed within a configuration file in relation to other Cisco IOS Software commands of similar type.

Benefits

• Simplifies Troubleshooting: easily identify changes between startup and running configuration or any other saved configurations.

• Improves MTTR: quickly identify changes to the configuration in order to address configuration errors.

• Simple Output Format: output format follows conventions of standard UNIX “diff” utilities, clearly indicating lines that have been added, deleted, or modified when comparing two configuration files.

Hardware

Routers • Cisco 806, 827, and 828 Routers

• Cisco 7200 and 7500 Series

• Cisco 1710 and 2691 Routers

• Cisco 2610XM, 2611XM, 2620XM, 2621XM, 2650XM, 2651XM Routers

• Cisco 3631, 3640, 3660, 3725, and 3745 Routers

SOHO Routers • Cisco SOHO78 Router

Switches • Cisco IGX8400-URM Series Switch

Access Servers • Cisco AS5350, AS5400, AS5800, and AS5850 Series Universal Gateways

Devices • Cisco VG200


Product Management Contact: Mark Basinski, [email protected]
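One way to see how the diff generation of this section and the diff application of the “configuration replace” command in section 2.10.23 fit together is a small model of both. This is an added example, not Cisco's algorithm and not code from the bulletin: it assumes a simplified IOS-style configuration with one level of nesting and unique top-level commands, treats named access lists, community lists and prefix lists as order-sensitive, and the two sample configurations are constructed. It shows that only changed lines are emitted, that an order-sensitive list whose entries merely moved is still reported and rebuilt, and that a stale line such as a read-only SNMP community left behind in the running configuration is removed by the replace.

```python
# Command prefixes whose lines are order-sensitive (assumption for the example).
ORDER_SENSITIVE = ("ip access-list", "access-list", "ip community-list", "ip prefix-list")

# Constructed sample configurations; addresses are documentation ranges.
RUNNING = """\
hostname edge1
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 ip access-group EDGE-IN in
interface GigabitEthernet0/1
 ip address 198.51.100.1 255.255.255.0
ip access-list extended EDGE-IN
 permit tcp any host 192.0.2.10 eq 443
 deny ip any any
snmp-server community public RO
"""

TARGET = """\
hostname edge1
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 ip access-group EDGE-IN in
interface GigabitEthernet0/1
 ip address 198.51.100.1 255.255.255.0
 description uplink
ip access-list extended EDGE-IN
 permit tcp any host 192.0.2.10 eq 443
 permit tcp any host 192.0.2.10 eq 22
 deny ip any any
"""


def parse_config(text):
    """Parse an IOS-style config into an ordered dict {top-level command: [child lines]}.
    One level of nesting (interface, named ACL) and unique top-level commands are assumed."""
    blocks, current = {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.strip() == "!":
            continue
        if line.startswith(" ") and current is not None:
            blocks[current].append(line.strip())
        else:
            current = line.strip()
            blocks[current] = []
    return blocks


def is_order_sensitive(cmd):
    return cmd.startswith(ORDER_SENSITIVE)


def contextual_diff(running, target):
    """(sign, mode, line) tuples: '-' only in running, '+' only in target; mode is the parent
    command of a nested line and None at the top level."""
    r, t = parse_config(running), parse_config(target)
    out = []
    for cmd in list(r) + [c for c in t if c not in r]:
        if cmd not in t:
            out.append(("-", None, cmd))
            out.extend(("-", cmd, l) for l in r[cmd])
        elif cmd not in r:
            out.append(("+", None, cmd))
            out.extend(("+", cmd, l) for l in t[cmd])
        elif r[cmd] != t[cmd]:
            if is_order_sensitive(cmd):
                # position matters, so the whole block is reported even when only the order moved
                out.extend(("-", cmd, l) for l in r[cmd])
                out.extend(("+", cmd, l) for l in t[cmd])
            else:
                out.extend(("-", cmd, l) for l in r[cmd] if l not in t[cmd])
                out.extend(("+", cmd, l) for l in t[cmd] if l not in r[cmd])
    return out


def replace_commands(running, target):
    """CLI lines that move the running config to the target, touching only what differs."""
    r, t = parse_config(running), parse_config(target)
    cmds = []
    for cmd in list(r) + [c for c in t if c not in r]:
        if cmd not in t:
            cmds.append("no " + cmd)                       # logical objects only; not modelled: physical interfaces
        elif cmd not in r:
            cmds.append(cmd)
            cmds.extend(" " + l for l in t[cmd])
        elif is_order_sensitive(cmd) and r[cmd] != t[cmd]:
            cmds += ["no " + cmd, cmd] + [" " + l for l in t[cmd]]   # second pass: rebuild in target order
        else:
            removed = [l for l in r[cmd] if l not in t[cmd]]
            added = [l for l in t[cmd] if l not in r[cmd]]
            if removed or added:
                cmds.append(cmd)
                cmds.extend(" no " + l for l in removed)
                cmds.extend(" " + l for l in added)
    return cmds


if __name__ == "__main__":
    for sign, mode, line in contextual_diff(RUNNING, TARGET):
        print(sign, f"[{mode}]" if mode else "", line)
    print("\n".join(replace_commands(RUNNING, TARGET)))
```

The unchanged interface GigabitEthernet0/0 produces no output at all, which is the service-disruption point of the text: nothing is re-applied that does not need to be.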

2.10.27) Service Selection Gateway Unconfig

Service Selection Gateway (SSG) Unconfig enhances the user’s ability to disable SSG at any time. It releases the data structures and system resources created by SSG when SSG is unconfigured.

SSG Unconfig enhances several Cisco IOS Software commands to delete all host objects or delete a range of host objects. You can also delete all service objects or connection objects. The show ssg host command has been enhanced to display information about an interface and its IP address when Host-Key mode is enabled on that interface.

Benefits

The SSG Unconfig feature enables users to release and clean up system resources when SSG is not in use.

Hardware

Routers • Cisco 2651XM, 2691, 3725, 3745, and 7301 Routers

• Cisco 7200 Series Router

Considerations

SSG Unconfig clears all SSG resources on the system, so it should only be used when all users are logged out and there is no need to run SSG features on the router.

Product Management Contact: Murali Kolli, [email protected]

2.10.28) SSG to Accommodate New L2TP Error Codes

SSG will accommodate and map the error code from L2TP to pass it on to SESM and the RADIUS Authentication Server. More specifically, when the SSG tunnel (L2TP) service fails or the session setup is unsuccessful, the SSG shall answer the service logon request with a RADIUS Access-Reject towards SESM or the RADIUS Authentication Server with a reason describing the error code. The interface to report error codes already exists, but this enhancement extends it to report the more granular error codes that customers need. L2TP error codes are generated in compliance with RFC 3145.

Benefits

Service Providers will have specific reasons for failed L2TP tunnel setup for analysis and error correction.

Hardware

Routers • Cisco 2651XM, 2691, 3725, 3745, and 7301 Routers

• Cisco 7200 Series Router

Considerations

This feature only addresses the error codes that are compliant with RFC 3145.

Product Management Contact: Murali Kolli, [email protected]


2.10.29) SSG Support of NAS Port ID

SSG Support of NAS Port ID will carry the NAS-Port attribute in the authentication packet. This will allow the authentication server to use consistent policies while authenticating PPPoX and RFC 1483 users. Currently, the NAS-Port attribute is sent only for PPPoX users.

Benefits

This feature enables the customizing of subscriber services based on the NAS Port ID.

Hardware

Routers • Cisco 2651XM, 2691, 3725, 3745, and 7301 Routers

• Cisco 7200 Series Router

Product Management Contact: Murali Kolli, [email protected]

2.10.30) Extensible Authentication Protocol Transparency and Extensible Authentication Protocol-SIM Enhancements

Cisco Extensible Authentication Protocol (EAP) transparency enables the SSG on a Cisco router to receive and forward EAP packets and create the host objects. Supported EAP flavors include EAP-SIM, EAP-TLS, and PEAP. Additionally, Cisco EAP enhancements add the following to the EAP transparency implementation:

• Prevent the Use of Previously Valid IP Addresses After an Access Zone Router (AZR) Reboot

SSG now cleans up the list of active hosts after receiving an Accounting On/Off command from the AZR after a reboot. It cleans up those users connected through Subscriber Edge Services Manager (SESM) and EAP-SIM. This feature closes a security hole that could have allowed an illegal user to hijack the session of a valid user through the IP address.

• Allow EAP Users to Reconnect Through SESM

SSG auto-logon services are automatically enabled for users successfully authenticated through EAP. This enables users to access those services without having to log in through the SESM GUI after EAP authentication is complete. When EAP users access SESM services and perform an Account Logoff, they can later access the SESM and perform another Account Logon. Without this feature, users would receive the SESM Account Logon page without knowing their user name and password, so they could not access SESM services again.

Benefits

Service Providers can now use EAP for subscriber authentication and avoid interactive user login through the user interface.

Hardware

Routers • Cisco 2651XM, 2691, 3725, 3745, and 7301 Routers

• Cisco 7200 Series Router


Considerations

To use the EAP-SIM enhancements, the Dynamic Host Configuration Protocol (DHCP) server needs to allocate IP addresses with a small lease time.

Product Management Contact: Murali Kolli, [email protected]

2.10.31) SSG Complete ID

SSG Complete ID provides enhancements to the current interaction mechanism between SSG and SESM, allowing SSG to pass along the following additional information:

• Client IP Address

• Client MAC Address

• Sub-interface

• VPI/VCI

• Mobile subscriber ISDN number (MSISDN)

Benefits

This allows SESM to offer greater customization of Web portals, specifically by location. Each hotspot can now have its own branded portal.

Hardware

Routers • Cisco 2651XM, 2691, 3725, 3745, and 7301 Routers

• Cisco 7200 Series Router

Product Management Contact: Murali Kolli, [email protected]

2.10.32) SSG L2TP Dialout

SSG L2TP Dialout enhances SSG tunnel services and provides a dialout facility to users. Many Small Office Home Offices (SOHOs) use the Public Switched Telephone Network (PSTN) to access their intranet. SSG L2TP provides mobile users a secure connection to their SOHO through the PSTN. SSG L2TP Dialout also provides a convenient way for GPRS users to connect to their SOHO.


Figure 56. SSG L2TP Dialout Network (figure: IP Access subscribers reach the SSG, which talks to SESM and AAA, and an L2TP LAC dials out over the PSTN; addresses shown in the figure: 144.10.50.10, 144.10.50.11, 10.10.10.1)

Benefits

SSG L2TP Dialout provides mobile users and General Packet Radio Service (GPRS) users the benefit of connecting to their SOHO using the Public Switched Telephone Network (PSTN). The L2TP Dialout service, in conjunction with SSG auto-logon, will facilitate an automatic service logon to the L2TP dialout service, thus avoiding additional prompts for service logon.

Hardware

Routers • Cisco 2651XM, 2691, 3725, 3745, and 7301 Routers

• Cisco 7200 Series Router

Considerations

SSG L2TP Dialout does not support the following:

• L2TP dialout as a primary service for PPP users.

• Challenge Handshake Authentication Protocol (CHAP) authentication for dialout tunnel services.

• A single user connecting to two overlapping services.

• Dialout tunnel support for protocols other than L2TP.

Product Management Contact: Murali Kolli, [email protected]

2.10.33) SSG Auto Logoff Enhancement

SSG Auto-logoff Enhancement configures SSG to check the MAC address of a host each time that SSG performs an Address Resolution Protocol (ARP) ping. If SSG finds that the MAC address of the host has changed, then SSG automatically initiates the logoff of that host.


Benefits

SSG Auto-logoff Enhancement enables Service Providers that use SSG to prevent a malicious host from spoofing the IP address of a logged-on host and accessing the logged-on host’s services. Using SSG MAC address checking, Service Providers can prevent SSG host session reuse when a DHCP server assigns the same IP address to a second host because the first host released its IP address (through either a lease time expiration or an explicit DHCP release) but did not log off from SSG.
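The MAC check described above, as an added example that is not SSG code or code from the bulletin: a constructed host table records the MAC address seen at logon and re-checks it on every ARP ping result, logging the host off when the address changes or when no reply arrives. The restriction that a spoofed MAC address is not caught falls out of the same check, and the example shows that case too.

```python
from dataclasses import dataclass


@dataclass
class HostSession:
    """A logged-on host object (constructed shape): the MAC is the one seen at logon."""
    ip: str
    mac: str
    user: str
    active: bool = True


class SsgHostTable:
    """Host objects keyed by IP address, with optional MAC checking on each ARP ping."""

    def __init__(self, mac_check=True):
        self.hosts = {}
        self.mac_check = mac_check
        self.log = []   # (ip, user, reason) for every automatic logoff

    def logon(self, ip, mac, user):
        self.hosts[ip] = HostSession(ip, mac.lower(), user)

    def arp_ping(self, ip, observed_mac):
        """Feed one ARP ping result; observed_mac is None when the host did not answer.
        Returns the logoff reason, or None when the session stays up."""
        host = self.hosts.get(ip)
        if host is None or not host.active:
            return None
        if observed_mac is None:
            reason = "no-arp-reply"
        elif self.mac_check and observed_mac.lower() != host.mac:
            reason = "mac-changed"          # a different machine now owns this IP address
        else:
            return None
        host.active = False
        self.log.append((ip, host.user, reason))
        return reason

    def is_logged_on(self, ip):
        host = self.hosts.get(ip)
        return bool(host and host.active)


def dhcp_reuse_scenario(mac_check):
    """Constructed DHCP reuse: alice's host drops 10.1.1.20 without logging off and a second host,
    with another MAC, receives the same address and answers the next ARP ping."""
    table = SsgHostTable(mac_check=mac_check)
    table.logon("10.1.1.20", "00:11:22:33:44:55", "alice")
    table.arp_ping("10.1.1.20", "00:11:22:33:44:55")          # still alice's machine
    reason = table.arp_ping("10.1.1.20", "66:77:88:99:aa:bb")  # the second host answers now
    return reason, table.is_logged_on("10.1.1.20")


if __name__ == "__main__":
    print("with MAC check:   ", dhcp_reuse_scenario(True))
    print("without MAC check:", dhcp_reuse_scenario(False))
```

Without the check the second host inherits alice's session, which is the reuse the feature closes; a host that answers with alice's MAC address is indistinguishable from her machine at this layer, which is the spoofing limitation listed under Considerations.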

Hardware

Routers • Cisco 2651XM, 2691, 3725, 3745, and 7301 Routers

• Cisco 7200 Series Router

Considerations

The following restrictions apply to the SSG Auto-logoff Enhancement feature:

• ARP ping should be used only in deployments in which all hosts are directly connected to SSG through a broadcast interface (i.e., an Ethernet interface) or a bridged interface (i.e., a routed bridge encapsulation (RBE) or integrated routing and bridging (IRB) interface). Internet Control Message Protocol (ICMP) ping can be used in all types of deployment scenarios.

• ARP ping will work only on hosts that have a MAC address. It will not work for Point-to-Point Protocol (PPP) users because they do not have a MAC table entry.

• ARP ping does not support overlapping IP addresses.

• SSG auto-logoff that uses the ARP ping mechanism will not work for hosts that have static ARP entries.

• Session reuse is not prevented if a malicious host performs a MAC address spoof.

Product Management Contact: Murali Kolli, [email protected]

2.10.34) SSG Open Garden Configuration Enhancements

Currently, SSG open garden services can be configured and managed on the router itself, even though they are similar to normal SSG (subscribed) services. These proposed modifications will allow open garden services to be defined and managed on the RADIUS server.

Benefits

This feature makes it easier to configure and maintain open garden services on multiple SSG routers.

Hardware

Routers • Cisco 2651XM, 2691, 3725, 3745, and 7301 Routers

• Cisco 7200 Series Router

Product Management Contact: Murali Kolli, [email protected]


2.10.35) SSG Direction Command for Interfaces and Ranges

SSG Direction Command for Interfaces and Ranges introduces the ssg direction command, which replaces the ssg bind direction command. This new command streamlines and simplifies SSG configuration by allowing users to configure interface direction, either uplink or downlink, for a range of sub-interfaces at once.

Benefits

The new ssg direction command makes SSG configuration simpler and faster. For example, users can provision a large number of Asynchronous Transfer Mode (ATM) Routed Bridge Encapsulation (RBE) subscribers at once, instead of entering one command for each subscriber, which could mean entering thousands of commands. This feature enables streamlined provisioning and configuration, with decreased CPU load.

Hardware

Routers • Cisco 2651XM, 2691, 3725, 3745, and 7301 Routers

• Cisco 7200 Series Router

Considerations

• This command cannot be used on an individual subinterface that is part of a permanent virtual circuit (PVC) range, because all members of a range must have the same direction. It can only be used on the entire range.

• An interface that does not exist will not be created as a result of the ssg direction command.

• Before the direction is changed from uplink to downlink, or vice versa, the no ssg direction command must be used to clear the direction; otherwise, users will see an error message, such as:

– Changing direction from Downlink to Uplink is denied for interface.

– Please use ‘no ssg direction downlink’ to clear the previous bind direction.

Product Management Contact: Murali Kolli, [email protected]

2.10.36) SSG Prepaid Idle Timeout

SSG Prepaid Idle Timeout enhances the SSG Prepaid feature by enabling SSG to return residual quota to the billing server from services that a user is logged into but not actively using. The quota that is returned to the billing center can be applied to the quota for the services the user is actively using.

Benefits

• Concurrent Service Access

SSG Prepaid Idle Timeout is capable of supporting concurrent service access. SSG services can be configured for concurrent or sequential access. Concurrent access allows users to log on to a service while simultaneously connected to other services. Sequential access requires that the user log off from all other services before accessing a service.

• Real-Time Billing

This feature allows for real-time billing with maximum flexibility, regardless of the type of service and billing scheme. Users can be billed on a flat-rate, air-time, or volume basis.


• Redirection Upon Exhaustion of Quota

When a user runs out of quota, SSG can redirect the user to a portal, where the user can replenish the quota without being disconnected from the service.

• Returning Residual Quota

SSG Prepaid Idle Timeout enhances the SSG Prepaid feature by enabling SSG to return residual quota to the billing server from services that a user is logged into but not actively using. The quota that is returned to the billing server can be applied to the quota for the services that the user is actively using.

• Threshold Values

This prevents revenue leaks by enabling users to configure a threshold value. Configuring a threshold value reauthorizes user connections before the user completely consumes the allotted quota for a service.

• Traffic Status During Reauthorization

Revenue leaks can be prevented by configuring SSG to drop connected traffic during reauthorization of a service. The user remains connected to the service and does not need to log back onto the service, but no traffic is forwarded during the reauthorization process. This prevents a user from continuing to use a service for which they have run out of quota while the SSG sends a reauthorization request to the billing server. If SSG is configured to drop traffic during reauthorization and a threshold value is configured, then user traffic continues until the user exhausts the allotted quota. When the allotted quota is used up, the traffic is dropped until SSG receives a reauthorization response.
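The threshold and drop-during-reauthorization behaviour described in the last two items, as an added example that is not SSG code or code from the bulletin: a constructed volume-quota connection with the three settings (threshold, drop during reauthorization, idle return of residual quota) and the byte counts in the scenario functions as sample input. It shows early reauthorization keeping traffic flowing until the quota is exhausted, the drop that then holds traffic until the billing server answers, and the bytes that leak when dropping is not configured.

```python
class PrepaidConnection:
    """Volume-based prepaid service connection (quota in bytes). Time-based quota, which cannot
    return residual quota, is not modelled; the packet accounting is deliberately simple."""

    def __init__(self, quota, threshold=0, drop_during_reauth=False):
        self.quota = quota                        # bytes granted by the billing server so far
        self.threshold = threshold                # reauthorize when this many bytes remain
        self.drop_during_reauth = drop_during_reauth
        self.used = 0
        self.reauth_pending = False
        self.reauth_requests = 0
        self.redirected = False                   # user sent to the replenishment portal

    def remaining(self):
        return self.quota - self.used

    def _request_reauth(self):
        self.reauth_pending = True
        self.reauth_requests += 1

    def forward(self, nbytes):
        """Account one packet; return True if it is forwarded, False if it is dropped."""
        if self.remaining() <= 0:
            if not self.reauth_pending:
                self._request_reauth()
            if self.drop_during_reauth:
                return False                      # hold traffic until the billing server answers
            self.used += nbytes                   # revenue leak: service continues past the quota
            return True
        self.used += nbytes
        if self.remaining() <= self.threshold and not self.reauth_pending:
            self._request_reauth()                # early reauthorization; traffic keeps flowing
        return True

    def reauth_response(self, granted):
        """Billing server reply: more quota, or 0 meaning the user must replenish at the portal
        (the connection stays up, as the redirection item above describes)."""
        self.reauth_pending = False
        if granted <= 0:
            self.redirected = True
        self.quota += granted

    def return_residual(self):
        """Idle-timeout handling for a volume quota: hand unused quota back to the billing server."""
        residual = max(self.remaining(), 0)
        self.quota -= residual
        return residual


def with_threshold_and_drop():
    """1000 bytes of quota, reauthorize at 300 remaining, drop while a reauthorization is pending."""
    c = PrepaidConnection(quota=1000, threshold=300, drop_during_reauth=True)
    results = [c.forward(400), c.forward(400), c.forward(400), c.forward(100)]
    c.reauth_response(500)                        # billing server grants 500 more bytes
    results.append(c.forward(100))
    return results, c.reauth_requests


def without_drop():
    """No threshold and no drop: bytes served beyond the paid quota while reauthorization is pending."""
    c = PrepaidConnection(quota=1000)
    for nbytes in (600, 600, 100):
        c.forward(nbytes)
    return c.used - c.quota


if __name__ == "__main__":
    print(with_threshold_and_drop())
    print("leaked bytes without drop:", without_drop())
```

In the first scenario the second packet crosses the threshold and triggers reauthorization early, the third is still forwarded because quota remains, and only the fourth is dropped; the second scenario shows the 300 bytes that leak when neither safeguard is configured.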

Hardware

Routers • Cisco 2651XM, 2691, 3725, 3745, and 7301 Routers

• Cisco 7200 Series Router

Considerations

• Quotas are measured in seconds for time or bytes for volume. There is no way to change the unit of measure.

• The volume quota is for combined upstream and downstream traffic.

• Simultaneous time and volume quotas for the same service connection are not supported.

• Returning quota when the connection is idle is supported only for volume-based connections and is not supported for time-based connections.

• After a user runs out of quota and replenishes the quota at the billing server, SSG receives the updated quota and resumes the connection only after the next reauthorization.

Product Management Contact: Murali Kolli, [email protected]

2.10.37) SSG Suppression of Unused Accounting Records

SSG Suppression of Unused Accounting Records allows users to disable unneeded Service Selection Gateway (SSG) accounting records. SSG can be configured to send per-host accounting records only, per-service accounting records only, or per-host and per-service accounting records.


Benefits

With this functionality, accounting can be turned off selectively. This will improve the performance of the accounting interface and reduce the processing load of the accounting server.

Hardware

Routers • Cisco 2651XM, 2691, 3725, 3745, and 7301 Routers

• Cisco 7200 Series Router

Considerations

If no ssg accounting is configured on the router, then accounting records will not be sent, even if accounting is enabled in a service profile.

Product Management Contact: Murali Kolli, [email protected]

2.10.38) SSG Unique Session ID

SSG Unique Session ID supports a unique accounting session ID in RADIUS accounting records. It is compatible with existing back-end billing systems and meets the requirements for the support of wide-area networks based on IEEE 802.11b technology.

Benefits

SSG Unique Session ID is compatible with existing back-end billing systems and meets the requirements for the support of wide-area networks based on IEEE 802.11b technology.

Hardware

Routers • Cisco 2651XM, 2691, 3725, 3745, and 7301 Routers

• Cisco 7200 Series Router

Product Management Contact: Murali Kolli, [email protected]

2.10.39) Embedded Syslog Manager Version 1.0

Embedded Syslog Manager (ESM) 1.0 is a customizable framework integrated in Cisco IOS Software for correlating, augmenting, filtering, and routing syslog messages generated by the Cisco IOS logger. ESM allows complete control over system message logging at the source. ESM provides a programmatic interface to allow you to write custom filters that meet your specific needs in dealing with system logging.

ESM allows the user to configure post-processing of syslog messages with selected ESM filters, via a new message queue in parallel with the standard Cisco IOS syslog message stream. Either filtered or non-filtered syslog streams may be configured for individual syslog destinations. ESM leverages Cisco IOS Scripting (Tcl 8.3.4).
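A filter of the kind ESM lets an operator write, as an added example: it is written in Python rather than the Tcl that ESM filters run in, and it is not Cisco code or code from the bulletin. The message lines are constructed, the escalation table, routes and storm limit are the example's assumptions, and it demonstrates three of the ESM capabilities described in this section: severity escalation for a key message, routing by facility and severity to different collectors, and limiting a message storm.

```python
import re
from collections import defaultdict

# IOS-style message tag: %FACILITY-SEVERITY-MNEMONIC: text (a timestamp may precede it).
SYSLOG_RE = re.compile(
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+): (?P<text>.*)")


def parse_syslog(line):
    """Split a message into facility, severity, mnemonic and text; None if it carries no tag."""
    m = SYSLOG_RE.search(line)
    if not m:
        return None
    msg = m.groupdict()
    msg["severity"] = int(msg["severity"])
    return msg


class EsmFilter:
    """Filter stage: escalate chosen messages, suppress repeats beyond a limit (message storms),
    and route each surviving message to collectors selected by facility and severity."""

    def __init__(self, escalate, routes, storm_limit=3):
        self.escalate = escalate          # {(facility, mnemonic): new severity}
        self.routes = routes              # [(facility or None for any, max severity, destination)]
        self.storm_limit = storm_limit    # identical messages forwarded before suppression starts
        self.seen = defaultdict(int)
        self.suppressed = 0

    def process(self, line):
        """Return (destination, severity, rendered message) for each collector the line goes to."""
        msg = parse_syslog(line)
        if msg is None:
            return []                     # not a system message; left to the unfiltered stream
        key = (msg["facility"], msg["mnemonic"])
        msg["severity"] = self.escalate.get(key, msg["severity"])
        self.seen[key] += 1
        if self.seen[key] > self.storm_limit:
            self.suppressed += 1
            return []
        rendered = "%{}-{}-{}: {}".format(msg["facility"], msg["severity"],
                                         msg["mnemonic"], msg["text"])
        return [(dest, msg["severity"], rendered)
                for fac, max_sev, dest in self.routes
                if (fac is None or fac == msg["facility"]) and msg["severity"] <= max_sev]


def run_sample():
    """Constructed message stream: a configuration change, a failed login, a line with no tag,
    and an interface that flaps five times. Returns (routed records, suppressed count)."""
    esm = EsmFilter(
        escalate={("SYS", "CONFIG_I"): 2},                # configuration changes become critical
        routes=[(None, 2, "security-collector"),          # anything critical or worse
                ("SEC_LOGIN", 7, "security-collector"),   # every login message, any severity
                (None, 5, "ops-collector")],              # notifications and worse for operations
    )
    lines = [
        "%SYS-5-CONFIG_I: Configured from console by admin on vty0 (203.0.113.5)",
        "%SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 203.0.113.7] [localport: 22]",
        "some free-text line with no severity tag",
    ]
    lines += ["%LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to down"] * 5
    records = []
    for line in lines:
        records.extend(esm.process(line))
    return records, esm.suppressed


if __name__ == "__main__":
    records, suppressed = run_sample()
    for dest, sev, text in records:
        print(f"{dest:<20} sev={sev} {text}")
    print("suppressed:", suppressed)
```

The escalation is the security-relevant piece: a configuration change is logged by IOS at severity 5, which a collector tuned for errors would ignore, so raising it to critical gets it in front of whoever watches the security feed.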


Figure 57. Embedded Syslog Manager Version 1.0 (figure: ESM filters sit between the Cisco IOS logger and the logging destinations: buffer, console, tty, and syslog server)

Benefits

• Customization: fully customizable processing of system logging messages, with support for multiple, interfacing syslog collectors.

• Severity Escalation for Key Messages: ability to configure unique severity levels for syslog messages instead of using the system-defined severity levels.

• Specific Message Targeting: ability to route specific messages or message types, based on type of facility or type of severity, to different syslog collectors.

• SMTP-Based Email Alerts: capability for notifications using TCP to external servers, such as TCP-based syslog collectors or Simple Mail Transfer Protocol (SMTP) servers.

• Message Limiting: ability to limit and manage syslog “message storms” by correlating device-level events.

Hardware

Routers • Cisco 806, 827, and 828 Routers

• Cisco 7200 and 7500 Series Routers

• Cisco 1710 Router

• Cisco 2610XM, 2611XM, 2620-2621, 2620XM-2621XM, 2650, 2651, 2650XM, 2651XM, and 2691 Routers

• Cisco 3631, 3640, 3660, 3725, and 3745 Routers

SOHO Routers • Cisco SOHO78 Router

Switches • Cisco Catalyst 4500 Series Switch

• Cisco IGX8400-URM Series

Access Servers • Cisco AS5350, AS5400, AS5800, and AS5850 Series Access Servers

Devices • Cisco VG200

Additional Information:

• http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123newft/123t/123t_2/gt_esm.htm

• http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123newft/123t/123t_2/gt_tcl.htm

Product Management Contact: Mark Basinski, [email protected]


2.10.40) Cisco IOS Scripting with Tool Command Language

Cisco IOS Scripting with Tool Command Language (Tcl) provides the ability to run Tcl version 8.3.4 commands

from the Cisco IOS Software CLI.

Tcl is a standard scripting language, and a partial implementation of Tcl has been in Cisco IOS Software in support

of internal applications, such as Cisco IOS Software Interactive Voice Response (IVR).

Starting in Cisco IOS Software Release 12.3(2)T, Tcl has been updated to version 8.3.4, providing support for

the Embedded Syslog Manager (ESM) feature, as well as exposing a Tcl Shell (tclsh) for use in the Cisco IOS

Software CLI.

Benefits

• Powerful Scripting Capability: powerful method of custom-processing the events or states within a router, and

taking a variety of actions based on them.

• Easy to Learn: industry standard language.

• Complete Coverage of Cisco IOS Software Commands: all Cisco IOS Software CLI commands may be references

by Tcl scripts, in both EXEC and CONFIG mode.

• Customization of Cisco IOS Software Commands: Tcl scripts can be used to create customized commands,

grouping multiple IOS commands, processing and customizing output, even creating auto-refreshing commands

for real-time refresh at the CLI level.

Hardware

Additional Information:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123newft/123t/123t_2/gt_tcl.htm

Product Management Contact: Mark Basinski, [email protected]

Routers • Cisco 806, 827, and 828 Routers

• Cisco 7200 and 7500 Series Routers

• Cisco 1710 Router

• Cisco 2610XM, 2611XM, 2620-2621, 2620XM-2621XM, 2650XM, 2651XM, and 2691Routers

• Cisco 3620, 3631, 3640, 3660, 3725, and 3745 Routers

SOHO Routers • Cisco SOHO78 Router

Switches • Cisco Catalyst 4500 Series Switch

• Cisco IGX8400-URM Series

Access Servers • Cisco AS5350, AS5400, AS5800, and AS5850 Series Access Servers

Devices • Cisco VG200

Cisco Systems, Inc.s are Copyright © 1992–2005 Cisco Systems, Inc. All rights reserved. Important Notices and Privacy Statement.

Page 141 of 218

2.11) Multiprotocol Label Switching

Table 12 Multiprotocol Label Switching Feature Highlights

Sections
2.11.1) Multiprotocol Label Switching: Label Distribution Protocol Graceful Restart
2.11.2) Multiprotocol Label Switching: Label Distribution Protocol Inbound Label Binding Filtering
2.11.3) Multiprotocol Label Switching: Virtual Routing and Forwarding-Aware Static Labels
2.11.4) Multiprotocol Label Switching: Label Distribution Protocol Session Protection
2.11.5) Multiprotocol Label Switching: Label Distribution Protocol Autoconfiguration
2.11.6) Multiprotocol Label Switching: Label Distribution Protocol-Interior Gateway Protocol Synchronization
2.11.7) MPLS—MLPPP Support

Routers • Cisco 2600XM, 2800, 3600, 3700, 3800, and 7200 Series Routers

2.11.1) Multiprotocol Label Switching: Label Distribution Protocol Graceful Restart

Cisco Nonstop Forwarding (NSF) with Stateful Switchover (SSO) has been proven to increase the availability of networks for service providers and enterprises. Cisco IOS Software Release 12.2(25)S added support for MPLS HA, including Label Distribution Protocol (LDP) Graceful Restart capability as specified by RFC 3478.

This feature brings this support for LDP Graceful Restart to other Cisco IOS Software products that are based on Cisco IOS Software Release 12.3(14)T and future Cisco IOS Software releases.

Benefits

• Enables more product deployment options.

• Features consistency across products.

Hardware

Cisco IOS Packaging

MPLS: LDP Graceful Restart is positioned in the SP Services packages across Cisco routers.

Cisco IOS Packaging Contact: Fariba Farniam ([email protected])

Product Management Contact: Pepe Garcia ([email protected])

2.11.2) Multiprotocol Label Switching: Label Distribution Protocol Inbound Label Binding Filtering

MPLS LDP supports inbound label binding filtering, which allows customers to configure ACLs to control the label bindings a label switch router (LSR) accepts from its peer LSRs.

Benefits

• Helps control the amount of memory used to store LDP label bindings advertised by other routers.

• In a simple MPLS VPN environment, the VPN PE routers may require LSPs only to their peer PE routers (that is, they do not need LSPs to core routers).

• Inbound label binding filtering enables a PE router to accept labels only from other PE routers.
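The inbound label binding filtering of section 2.11.2, as an added Python example that is not the bulletin's or Cisco's code: it evaluates IOS-style standard ACL entries (address plus wildcard mask, first match wins, implicit deny at the end) against the prefix of each received label binding and keeps only the bindings the peer's inbound ACL permits, which is how a PE ends up holding labels for other PEs' loopbacks but not for core links. The peer addresses, prefixes, labels and the ACL itself are constructed sample data.

```python
import ipaddress


def wildcard_match(address, base, wildcard):
    """IOS standard-ACL test: bits that are 0 in the wildcard mask must equal the base address."""
    a = int(ipaddress.IPv4Address(address))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


def acl_permits(acl, prefix):
    """Evaluate a standard ACL, a list of (action, base, wildcard), against a prefix's network address.
    The first matching entry decides; an ACL with no matching entry denies (implicit deny)."""
    network = ipaddress.ip_network(prefix, strict=False).network_address
    for action, base, wildcard in acl:
        if wildcard_match(str(network), base, wildcard):
            return action == "permit"
    return False


def filter_bindings(bindings, inbound_acl_by_peer):
    """Split received label bindings into those retained in the LIB and those discarded.
    bindings: iterable of (peer_lsr_id, prefix, label); peers without an ACL keep everything."""
    kept, dropped = [], []
    for peer, prefix, label in bindings:
        acl = inbound_acl_by_peer.get(peer)
        if acl is None or acl_permits(acl, prefix):
            kept.append((peer, prefix, label))
        else:
            dropped.append((peer, prefix, label))
    return kept, dropped


# Constructed label bindings as a PE might receive them: (advertising peer, FEC prefix, label).
BINDINGS = [
    ("10.0.0.2", "10.0.0.1/32", 16),   # PE loopback: needed for VPN LSPs
    ("10.0.0.2", "10.0.0.3/32", 17),   # PE loopback
    ("10.0.0.2", "10.1.0.0/30", 18),   # core link: no LSP needed at the PE
    ("10.0.0.2", "10.1.0.4/30", 19),   # core link
    ("10.0.0.2", "10.2.0.0/24", 20),   # unrelated subnet
    ("10.0.0.5", "10.1.0.8/30", 21),   # peer with no inbound filter configured
]

# Constructed policy: from peer 10.0.0.2 accept bindings only for loopbacks in 10.0.0.0/24,
# written as an IOS standard ACL entry with a wildcard mask (0.0.0.255 = the first 24 bits must match).
PE_LOOPBACK_ACL = [("permit", "10.0.0.0", "0.0.0.255")]
INBOUND_ACL_BY_PEER = {"10.0.0.2": PE_LOOPBACK_ACL}


if __name__ == "__main__":
    kept, dropped = filter_bindings(BINDINGS, INBOUND_ACL_BY_PEER)
    print(f"retained {len(kept)} bindings, discarded {len(dropped)}")
    for entry in dropped:
        print("  dropped", entry)
```

Note the two memory effects the benefits list points at: the three core-link and unrelated bindings from 10.0.0.2 never enter the LIB, while the unfiltered peer 10.0.0.5 still contributes every binding it advertises.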

Hardware

Routers • Cisco 2600XM, 2800, 3600, 3700, 3800, and 7200 Series Routers

Additional Information:

http://www.cisco.com/en/US/products/sw/iosswrel/ps1829/products_feature_guide09186a00801b23a2.html

Cisco IOS Packaging

MPLS: LDP Inbound Label Binding Filtering is positioned in the SP Services packages across Cisco routers.

Cisco IOS Packaging Contact: Fariba Farniam ([email protected])

Product Management Contact: Ripin Checker ([email protected])

2.11.3) Multiprotocol Label Switching: Virtual Routing and Forwarding-Aware Static Labels

The VRF-Aware Cisco MPLS Static Labels feature allows MPLS static labels to be used for VRF traffic.

When the static labels software is not VRF aware, it can be used only for the following purposes:

• Configuring MPLS forwarding table entries for the global routing table.

• Assigning label values to forwarding equivalence classes (FECs) learned by the LDP for the global routing table.

Those limitations mean that in MPLS VPN environments, the software can be used only in the provider core.

The VRF-Aware MPLS Static Labels feature provides the following benefits:

• Static labels can be used at the VPN edge.

• Static bindings between labels and IPv4 prefixes can be configured statically.

Note: This feature is supported only in carrier supporting carrier (CSC) mode.

Benefits

• Static labels can be used at the VPN edge.

• Static bindings between labels and IPv4 prefixes can be configured statically.

Hardware

Routers • Cisco 2600XM, 2800, 3600, 3700, 3800, and 7200 Series Routers

Additional Information:

http://www.cisco.com/en/US/products/sw/iosswrel/ps1829/products_feature_guide09186a00801b23af.html

Cisco IOS Packaging

MPLS: VRF Aware Static Labels is positioned in the SP Services packages across Cisco routers.

Cisco IOS Packaging Contact: Fariba Farniam ([email protected])

Product Management Contact: Ripin Checker ([email protected])

2.11.4) Multiprotocol Label Switching: Label Distribution Protocol Session Protection

MPLS LDP Session Protection maintains LDP bindings when a link fails. MPLS LDP sessions are protected through the use of LDP Hello messages. When you enable MPLS LDP session protection, the LSRs send messages to find other LSRs with which they can create LDP sessions.

If the LSR is one hop from its neighbor, it is directly connected to its neighbor. The LSR sends out LDP Hello messages as UDP packets to all the routers on the subnet. The hello message is called an LDP Link Hello. A neighboring LSR responds to the hello message, and the two routers begin to establish an LDP session.

If the LSR is more than one hop from its neighbor, it is not directly connected to its neighbor. The LSR sends out a directed hello message as a UDP packet, but as a unicast message specifically addressed to that LSR. The hello message is called an LDP Targeted Hello. The nondirectly connected LSR responds to the Hello message, and the two routers establish an LDP session. (If the path between two LSRs has been traffic engineered and has LDP enabled, the LDP session between them is called a targeted session.)

MPLS LDP Session Protection uses LDP Targeted Hellos to protect LDP sessions.

Benefits

• Improves network reconvergence time.

• Enables more product deployment options.

• Features consistency across products.

Hardware

Routers • Cisco 2600XM, 2800, 3600, 3700, 3800, and 7200 Series Routers

Additional Information:

http://www.cisco.com/en/US/products/sw/iosswrel/ps1829/products_feature_guide09186a00802d95d9.html

Cisco IOS Packaging

MPLS LDP Session Protection is positioned in the SP Services packages across Cisco routers.

Cisco IOS Packaging Contact: Fariba Farniam ([email protected])

Product Management Contact: Ripin Checker ([email protected])

2.11.5) Multiprotocol Label Switching: Label Distribution Protocol Autoconfiguration

This enhancement provides a global configuration command that enables LDP on interfaces for which a specified IGP has been enabled. This simplifies LDP configuration by making it unnecessary to explicitly configure each interface and reduces the likelihood of accidentally omitting explicit LDP configuration on one or more interfaces for which it is required.

LDP is disabled on all interfaces by default. Prior to this feature, the interface-level [no] mpls ip command enabled or disabled LDP on the interface.

This feature defines a new global configuration command:

mpls ldp autoconfig

When this command is used, it is not necessary to configure mpls ip on each interface covered by the mpls ldp autoconfig command. Optional parameters specify the applicability of the command with regard to the IGP enabled on each interface.

Benefits

• Reduces potential for configuration error.

• Simplifies configuration.

• Enables more product deployment options.

• Features consistency across products.

Hardware

Routers • Cisco 2600XM, 2800, 3600, 3700, 3800, and 7200 Series Routers

Additional Information:

http://www.cisco.com/en/US/products/sw/iosswrel/ps1829/products_feature_guide09186a00802d95de.html

Cisco IOS Packaging

MPLS LDP Autoconfiguration is positioned in the SP Services packages across Cisco routers.

Cisco IOS Packaging Contact: Fariba Farniam ([email protected])

Product Management Contact: Ripin Checker ([email protected])

2.11.6) Multiprotocol Label Switching: Label Distribution Protocol-Interior Gateway Protocol Synchronization

Multiprotocol Label Switching (MPLS) Label Distribution Protocol (LDP) Interior Gateway Protocol (IGP) Synchronization ensures that LDP is fully established before the IGP path is used for switching.

This feature provides synchronization of IGP forwarding with MPLS forwarding to reduce the chance of MPLS traffic being lost following link failure or link flap.

Packet loss can occur because the actions of the IGP and LDP are not synchronized. Packet loss can occur in two situations:

• When an IGP adjacency is established, the router begins forwarding packets using the new adjacency before the LDP label exchange completes between the peers on that link.

• If an LDP session closes, the router continues to forward traffic using the link associated with the LDP peer rather than an alternate pathway with a fully synchronized LDP session.

This feature provides a means to synchronize LDP and IGP to minimize MPLS packet loss.

MPLS LDP-IGP Synchronization enables users to globally enable LDP-IGP Synchronization on every interface associated with an IGP process. (Currently, the only IGP that supports this feature is OSPF.) Also, it provides a means to disable LDP-IGP Synchronization on interfaces that you do not want enabled. The goal of MPLS LDP-IGP Synchronization is to prevent MPLS packet loss because of synchronization conflicts.

Benefits

• Improves reconvergence and availability.

• Minimizes potential for traffic and packet loss in certain situations.

Hardware

Routers • Cisco 2600XM, 2800, 3600, 3700, 3800, and 7200 Series Routers

Considerations

There must be an alternate path available for traffic to benefit from this feature.

Additional Information:

http://www.cisco.com/en/US/products/sw/iosswrel/ps1829/products_feature_guide09186a00802d95dd.html

Cisco IOS Packaging

MPLS: LDP Autoconfiguration feature is positioned in the SP Services packages across Cisco routers.

Cisco IOS Packaging Contact: Fariba Farniam ([email protected])

Product Management Contact: Ripin Checker ([email protected])

2.11.7) MPLS—MLPPP Support

Description

The Multiprotocol Label Switching (MPLS)—Multilink Point-to-Point Protocol (MLPPP) Support feature ensures that MPLS Layer 3 Virtual Private Networks (VPNs) with Quality of Service (QoS) can be enabled for bundled links.

Service providers that use relatively low-speed access links can use MLPPP to spread traffic across multiple low-speed links in their MPLS networks. Link Fragmentation and Interleaving (LFI) should be deployed in the CE-to-PE link for efficiency, where you use smaller link bandwidths (less than 768 kbps).

This feature supports MPLS over MLPPP links in the edge (provider edge [PE]-to-customer edge [CE]) or in the MPLS core (PE-to-PE and PE-to-provider router [P]).

Figure 58 MLP on PE-P/P-P and PE-CE Links

Figure 58 (diagram): CE routers attach to PE routers over MLP interfaces; the PE-P and P-P links also run MLP interfaces and carry LDP or TE, while the two PE routers exchange VPNv4 labels over iBGP.

Hardware

Routers • Cisco 7200 and Cisco 7500 Series

Product Management Contact: [email protected]

2.12) Quality of Service

Table 13 Quality of Service Feature Highlights

Sections
2.12.1) Cisco AutoQoS for the Enterprise—Suggested Policy
2.12.2) Cisco AutoQoS AutoDiscovery “Trust” Option
2.12.3) AutoQoS for the Enterprise
2.12.4) NBAR-NAT Integration and RTSP
2.12.5) Network Based Application Recognition Extended Inspection for HTTP Traffic
2.12.6) NBAR User-Defined Custom Application Classification
2.12.7) Updates to Class-Based QoS MIB
2.12.8) Turbo-Classification for QoS
2.12.9) Real-Time Transport Protocol Header Compression over Asymmetric/Satellite Links

2.12.1) Cisco AutoQoS for the Enterprise—Suggested Policy

The show auto discovery qos command has been extended to display the Quality of Service (QoS) policy that Cisco AutoQoS suggests, based on the statistics collected during AutoDiscovery. This suggested policy configuration is the one that would be applied in response to the command auto qos.

The new Suggested Policy output follows the existing display of Cisco AutoQoS Class information, showing traffic rates and recommended minimum bandwidth by traffic class, with the recommended class-map and policy-map configuration commands to support the observed traffic.

Figure 59 Cisco AutoQoS for the Enterprise—Suggested Policy

Suggested AutoQoS Policy for the current uptime:
!
class-map match-any AutoQoS-Voice-Et3/1
 match protocol rtp audio
!
class-map match-any AutoQoS-Inter-Video-Et3/1
 match protocol rtp video
!
class-map match-any AutoQoS-Signaling-Et3/1
 match protocol sip
 match protocol rtcp
!
class-map match-any AutoQoS-Transactional-Et3/1
 match protocol citrix
!
class-map match-any AutoQoS-Bulk-Et3/1
 match protocol exchange
policy-map AutoQoS-Policy-Et3/1
 class AutoQoS-Voice-Et3/1
  priority percent 1
  set dscp ef
 class AutoQoS-Inter-Video-Et3/1
  bandwidth remaining percent 1
  set dscp af41
 class AutoQoS-Signaling-Et3/1
  bandwidth remaining percent 1
  set dscp cs3
 . . .
 class AutoQoS-Transactional-Et3/1
  bandwidth remaining percent 1
  random-detect dscp-based
  set dscp af21
 class AutoQoS-Bulk-Et3/1
  bandwidth remaining percent 1
  random-detect dscp-based
  set dscp af11
 class class-default
  fair-queue

Suggested Policy is based on AutoDiscovery statistics.

Options:
• Continue AutoDiscovery (policy may change)
• Copy and change the policy (offline)

Benefits

The user has several possible options:

1. This enhancement provides the ability to view the policy prior to applying it to the interface with the auto qos command.

2. The user can continue the AutoDiscovery process, collect more traffic statistics, and later view the updated statistics and new Suggested Policy, which might change.

3. The user can copy the Suggested Policy, edit it offline, and then apply it to the interface.

4. The Suggested Policy can be compared as a benchmark to existing policy statements.

Hardware

Routers • Cisco 2610XM-2611XM, 2620XM-2621XM, 2650XM-2651XM, 3631, 3640, 3640A, 3660, 3725, and 3745 Routers
• Cisco 7200 and 7500 Series Routers

Additional Information: http://www.cisco.com/go/qos

Product Management Contact: Tim McSweeney, [email protected]

2.12.2) Cisco AutoQoS AutoDiscovery “Trust” Option

The new “trust” option extends the use of Cisco AutoQoS for the Enterprise to routers where Differentiated Services Code Point (DSCP) values have already been assigned to traffic at the network edge. This option enables customers to automatically set the Quality of Service (QoS) policy on routers by allowing the network to trust internally established priority levels for various types of traffic.

For example, it is typically recommended that traffic be marked, with DSCP values assigned, at the network edge. Once DSCP marking is complete, these values can then be “trusted” by other routers. Therefore, this “trust” option enables potential use of Cisco AutoQoS for the Enterprise to set the QoS policy on other routers without running the NBAR protocol discovery infrastructure (i.e., DSCP markings assigned at the edge are “trusted”).

Figure 60 Cisco AutoQoS for the Enterprise: “Trust” Option for DSCP-Marked Traffic

Figure 60 (diagram): at the Edge, traffic classification and DSCP marking (NBAR, ACLs, MQC policy) produce DSCP-marked packets; routers “Behind the Edge” run auto discovery trust.

• auto discovery trust: use when DSCP values are already assigned
– AutoDiscovery does not inspect and reclassify traffic
– The QoS policy is based on statistics for DSCP-marked traffic received by the router

ACL = Access Control List; DSCP = Differentiated Services Code Point; MQC = Modular Quality-of-Service (QoS) Command Line Interface (CLI); NBAR = Network-Based Application Recognition

Benefits

• Extends use of Cisco AutoQoS for the Enterprise to routers that do not need to or should not perform traffic classification and DSCP marking.

• AutoDiscovery “Trust” Option uses the DSCP values assigned by other devices.

• QoS policies can be generated for routers where traffic arrives with DSCP markings and does not need local classification and marking.

Hardware

Routers • Cisco 2610XM-2611XM, 2620XM-2621XM, 2650XM-2651XM, 3631, 3640, 3660, 3725, and 3745 Routers
• Cisco 7200 and 7500 Series Routers

Additional Information: http://www.cisco.com/en/US/partner/products/sw/iosswrel/ps5207/products_feature_guide09186a00802000a7.html

Product Management Contact: Tim McSweeney, [email protected]

2.12.3) AutoQoS for the Enterprise

Description

AutoQoS for the Enterprise provides automation for deployment of QoS policies in a general business environment, particularly for mid-size companies and branch offices of larger companies. A customer will use AutoQoS for the Enterprise in two steps. First, AutoDiscovery is invoked to run for a period of time—several days or a week—as desired by the user. AutoDiscovery will use NBAR-based protocol discovery to detect the applications as they arrive, collect data from the offered traffic, and perform statistical analysis. Users can view the applications that have been detected before the AutoDiscovery interval is finished. Then this information will be used to automatically build an MQC-based QoS policy, mapping the applications to their corresponding DiffServ classes and assigning appropriate values for bandwidth and scheduling parameters. Existing QoS policies may or may not be present during the data collection phase (AutoDiscovery). However, existing QoS policies are replaced by AutoQoS-generated policies when the user issues the auto qos command.

Figure 61 AutoQoS for the Enterprise Comprehensive QoS Deployment in Two Steps

Figure 61 (diagram): AutoQoS automatically provisions up to 10 traffic classes with the following DSCP values.

Traffic Class: DSCP
IP Routing: CS6
Interactive Voice: EF
Interactive Video: AF41
Streaming Video: CS4
Telephony Signaling: CS3
Transactional/Interactive: AF21
Network Management: CS2
Bulk Data: AF11
Scavenger: CS1
Best Effort: 0

Procedure:

1. Invoke “auto discovery qos” on the applicable link. Use “show auto discovery qos” to view data collection in progress.

2. Automatically configure the link with the “auto qos” command. Use “show auto qos” to display the QoS policy settings deployed.

Benefits

AutoQoS for the Enterprise provides comprehensive QoS deployment in two steps, reducing QoS deployment time and cost.

Hardware

Product Management Contact: [email protected]

2.12.4) NBAR-NAT Integration and RTSP

Description

Network Address Translation (NAT) is one of the most widely deployed IP services, and Port Address Translation (PAT) is one of its most popular configurations. With this NBAR-NAT integration, RTSP-based applications can work in PAT configuration mode.

Port Address Translation (PAT) configuration mode in Cisco IOS NAT allows customers to multiplex multiple users concurrently on a single IP Address. A maximum of 65535 individual users can concurrently be using a single source IP Address. A unique source port is used to differentiate each user.

In PAT configuration, NAT needs to be able to detect ports being used by RTSP (the default port is TCP 554) and set them aside to ensure that those source ports are not used to identify general users in a PAT configuration.

Real Time Streaming Protocol (RTSP) is a client-server multimedia presentation control protocol that underlies multimedia applications—video delivery, for example—that are becoming increasingly popular via products such as the following:

• RealSystem G2 by RealNetworks

• Windows Media Services (WMS) by Microsoft

• QuickTime by Apple

• IPTV by Cisco

Routers • Cisco 2610XM, 2611XM, 2620XM, 2621XM, 2650XM, and 2651XM Routers
• Cisco 3631, 3640, 3640A, and 3660 Routers
• Cisco 3725 and 3745 Routers
• Cisco 7200 and Cisco 7500 Series

Figure 62 NBAR Provides NAT with RTSP Parsing Results

Figure 62 (diagram): a new NBAR PDLM identifies RTSP traffic; NBAR parses the RTSP packet alongside its other PDLMs and passes the parsing results to NAT.

• RTSP-based applications can run in NAT’s PAT configuration mode

• RTSP-based applications include
– RealSystem G2 by RealNetworks
– Windows Media Services (WMS) by Microsoft
– QuickTime by Apple
– Cisco IPTV

Benefits

With this NBAR-NAT integration the many customers who use NAT can now run RTSP-based applications in Port Address Translation (PAT) mode.

Hardware

Product Management Contacts: NAT, [email protected]; NBAR, [email protected]

2.12.5) Network Based Application Recognition Extended Inspection for HTTP Traffic

NBAR Extended Inspection for HTTP Traffic identifies HTTP traffic on ports beyond well-known TCP port 80 by using an HTTP-specific criterion. As with existing HTTP classification on port 80, users can further classify HTTP application traffic based on URL strings, by particular host names, and by MIME types for specific HTTP payload types, such as image, text or video, using the existing command.

Prior to this Extended Inspection enhancement, HTTP traffic on ports other than port 80 was not inspected for an HTTP-specific signature. With this enhancement, traffic on ports other than port 80 is inspected for a specific signature and, when it matches, is classified as HTTP.

Routers • Cisco 1710, 1720, 1721, 1751 and 1760 Routers
• Cisco 2610XM, 2611XM, 2620XM, 2621XM, 2650XM, and 2651XM Routers
• Cisco 3631, 3640 and 3660 Routers
• Cisco 3725 and 3745 Routers
• Cisco 7200, 7300, and 7500 Series

Figure 63 NBAR Extended Inspection for HTTP Traffic

Figure 63 (diagram): HTTP clients behind Router X send an HTTP GET request, which contains the Host/URL string, to an HTTP server. Extended Inspection: NBAR looks for an HTTP-specific signature on ports beyond well-known TCP port 80. Optionally, HTTP responses may be further classified by MIME type.

router(config-cmap)# match protocol http ?
• host host-name-string: match host name
• url url-string: match URL string
• mime MIME-type: match MIME type

match protocol http: http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123cgcr/qos_r/qos_m1g.htm#111278910/

Benefits

HTTP traffic is classified more precisely and inclusively for the growing number of HTTP-based applications assigned to ports other than well-known port 80.

Hardware

Product Management Contact: Tim McSweeney, [email protected]

2.12.6) NBAR User-Defined Custom Application Classification

With the ip nbar custom command, users can specify their own match criteria to identify TCP- or UDP-based applications across a range of ports, as well as on specific ports, in addition to the protocols and applications identified natively by NBAR or via downloaded PDLMs imported to NBAR. The user can specify a string or value to match at a specified byte offset within the packet payload. More than 30 custom PDLMs can be created and given user-defined names with the ip nbar custom command.

Routers • Cisco 1701, 1710, 1711, 1712, 1721, 1751, and 1760 Routers
• Cisco 2610XM, 2611XM, 2620XM, 2621XM, 2650XM, and 2651XM Routers
• Cisco 3631, 3640, 3660, 3725, and 3745 Routers
• Cisco 7200 and 7500 Series Routers

Figure 64 NBAR User-Defined Custom Application Classification

Benefits

NBAR User-Defined Application Classification enables NBAR users to specify their own criteria to match a string or numeric value inside the data packet to identify application traffic.

Hardware

Product Management Contact: Tim McSweeney, [email protected]

Routers • Cisco 1701, 1710, 1711, 1712, 1721, 1751, and 1760 Routers
• Cisco 2610XM, 2611XM, 2620XM, 2621XM, 2650XM, and 2651XM Routers
• Cisco 3631, 3640, 3660, 3725, and 3745 Routers
• Cisco 7200 and 7500 Series Routers

Figure 64 (diagram): a TCP/UDP packet, with the IP header fields ToS, Protocol, Source IP Addr and Dest IP Addr, the TCP/UDP header fields SrcPort and DstPort, and the data bytes FFFF0000MoonbeamFFFF, matched by an ip nbar custom definition.

ip nbar custom parameters, with the values used in the example:

• Name: name the match criteria, up to 24 characters. Example: lunar_light

• Offset: the beginning byte of the string or value to be matched in the data packet, counting from zero for the first byte. Example: 8 (skip the first 8 bytes)

• Format: the format of the match criteria, ASCII, hex or decimal. Example: ascii

• Value: the value to match in the packet; if ASCII, up to 16 characters. Example: Moonbeam

• [source | destination]: optionally restrict the direction of packet inspection; defaults to both directions if not specified.

• TCP or UDP: the protocol encapsulated in the IP packet. Example: tcp

• Range or selected port number(s): “range” with start and end port numbers, up to 1000 ports, or 1 to 16 individual port numbers. Example: range 2000 2999

ip nbar custom lunar_light 8 ascii Moonbeam tcp range 2000 2999
class-map solar_system
 match protocol lunar_light
policy-map astronomy
 class solar_system
  set ip dscp AF21
interface <>
 service-policy output astronomy
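The HTTP extended inspection of section 2.12.5 and the custom byte-offset classification of this section, as one added Python example that is not the bulletin's or Cisco's NBAR code: a constructed packet model, an HTTP signature check that ignores the TCP port and then exposes host, URL and MIME type, and a class modelling the ip nbar custom parameters listed above (name, offset, format, value, direction, protocol, port range or port list), instantiated with the bulletin's lunar_light definition. The byte widths chosen for the hex and decimal formats, the sample packets and the second definition demo_hex are assumptions of this example.

```python
import re

# Constructed packet model for the examples below; only the fields NBAR classification consults.
class Packet:
    def __init__(self, proto, src_port, dst_port, payload):
        self.proto = proto          # "tcp" or "udp"
        self.src_port = src_port
        self.dst_port = dst_port
        self.payload = payload      # bytes after the TCP/UDP header

# HTTP-specific signatures (request line or status line) used instead of trusting port 80.
HTTP_REQUEST_RE = re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS) (\S+) HTTP/1\.[01]\r\n")
HTTP_RESPONSE_RE = re.compile(rb"^HTTP/1\.[01] \d{3} ")

def _headers(head):
    """Parse the 'Name: value' lines after the first line into a lower-cased dict."""
    out = {}
    for line in head.split(b"\r\n")[1:]:
        if not line:
            break
        name, _, value = line.partition(b":")
        out[name.strip().lower().decode("ascii", "replace")] = value.strip().decode("ascii", "replace")
    return out

def http_classify(pkt):
    """Extended inspection: recognise HTTP by signature on any TCP port; expose host/url/mime."""
    if pkt.proto != "tcp":
        return None
    head = pkt.payload[:2048]
    m = HTTP_REQUEST_RE.match(head)
    if m:
        return {"protocol": "http", "host": _headers(head).get("host"),
                "url": m.group(2).decode("ascii", "replace"), "mime": None}
    if HTTP_RESPONSE_RE.match(head):
        return {"protocol": "http", "host": None, "url": None,
                "mime": _headers(head).get("content-type")}
    return None

class CustomProtocol:
    """Model of: ip nbar custom NAME OFFSET {ascii|hex|decimal} VALUE [source|destination] {tcp|udp} {range LO HI | PORT...}
    Byte widths for hex (as written) and decimal (4 bytes, network order) are assumptions, not from the bulletin."""
    def __init__(self, name, offset, fmt, value, proto, ports, direction=None):
        if len(name) > 24 or proto not in ("tcp", "udp") or direction not in (None, "source", "destination"):
            raise ValueError("invalid custom protocol definition")
        self.name, self.offset, self.proto, self.direction = name, offset, proto, direction
        if fmt == "ascii":
            if len(value) > 16:
                raise ValueError("ascii value is limited to 16 characters")
            self.pattern = value.encode("ascii")
        elif fmt == "hex":
            self.pattern = bytes.fromhex(value[2:] if value.lower().startswith("0x") else value)
        elif fmt == "decimal":
            self.pattern = int(value).to_bytes(4, "big")
        else:
            raise ValueError(f"unknown format {fmt}")
        if ports[0] == "range":
            lo, hi = ports[1], ports[2]
            if hi < lo or hi - lo + 1 > 1000:
                raise ValueError("range must cover at most 1000 ports")
            self.port_ok = lambda p: lo <= p <= hi
        else:
            if not 1 <= len(ports) <= 16:
                raise ValueError("1 to 16 individual ports")
            allowed = frozenset(ports)
            self.port_ok = lambda p: p in allowed

    def matches(self, pkt):
        if pkt.proto != self.proto:
            return False
        if self.direction == "source":
            hit = self.port_ok(pkt.src_port)
        elif self.direction == "destination":
            hit = self.port_ok(pkt.dst_port)
        else:
            hit = self.port_ok(pkt.src_port) or self.port_ok(pkt.dst_port)
        if not hit:
            return False
        return pkt.payload[self.offset:self.offset + len(self.pattern)] == self.pattern

def classify(pkt, custom_protocols=()):
    """Return the NBAR-style classification for one packet."""
    result = http_classify(pkt)
    if result:
        return result
    for proto in custom_protocols:
        if proto.matches(pkt):
            return {"protocol": proto.name}
    return {"protocol": "unclassified"}

# The bulletin's definition: ip nbar custom lunar_light 8 ascii Moonbeam tcp range 2000 2999
LUNAR_LIGHT = CustomProtocol("lunar_light", 8, "ascii", "Moonbeam", "tcp", ("range", 2000, 2999))
# A second, constructed definition using the hex format on one UDP destination port.
DEMO_HEX = CustomProtocol("demo_hex", 0, "hex", "0x1234", "udp", [5000], direction="destination")

# Constructed sample packets.
SAMPLES = {
    "http_get_8080": Packet("tcp", 51000, 8080,
        b"GET /index.html HTTP/1.1\r\nHost: intranet.example\r\nUser-Agent: x\r\n\r\n"),
    "http_resp_8080": Packet("tcp", 8080, 51000,
        b"HTTP/1.1 200 OK\r\nContent-Type: image/png\r\nContent-Length: 0\r\n\r\n"),
    "moonbeam_2500": Packet("tcp", 40000, 2500, b"FFFF0000MoonbeamFFFF"),
    "moonbeam_3500": Packet("tcp", 40000, 3500, b"FFFF0000MoonbeamFFFF"),
    "hex_udp_5000": Packet("udp", 6000, 5000, b"\x12\x34\x00\x01"),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(name, classify(pkt, [LUNAR_LIGHT, DEMO_HEX]))
```

The two sample Moonbeam packets differ only in destination port: 2500 falls inside range 2000 2999 and classifies as lunar_light, while 3500 stays unclassified even though the payload matches, which is the port-scoping the command's range parameter provides.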


Page 156: CISCO IOS SOFTWARE RELEASE 12.4 FEATURES AND HARDWAREcna.mamk.fi/Public/Cisco/Ohjeet/2852_pp.pdf · 2009-06-25 · 1) INTRODUCTION: CISCO IOS SOFTWARE RELEASE 12.4 Cisco IOS® Software

All content

2.12.7) Updates to Class-Based QoS MIB

The Cisco Class-Based Quality of Service Management Information Base (CBQoSMIB) supports the CLI for Cisco QoS, the Modular QoS CLI (MQC). New MQC commands are reflected in changes to the CBQoSMIB.

MIB updates provide support for the following Cisco IOS Software features:

• Two-Rate Policer, Cisco IOS Software Release 12.2(4)T.

• Policer Enhancement: Multiple Actions, Cisco IOS Software Release 12.2(8)T.

• Weighted Random Early Detection (WRED): Explicit Congestion Notification (ECN), Cisco IOS Software Release 12.2(8)T.

• Modular QoS CLI (MQC) Unconditional Packet Discard, Cisco IOS Software Release 12.2(13)T.

In addition to supporting the features listed above, the CBQoSMIB has been enhanced to provide support for the following functionality:

• Specifying the queue unit type in both the number of cells and bytes.

• Using the Multiprotocol Label Switching (MPLS) experimental (EXP) value in classifying, marking, and transmitting packets.

Also, the objects associated with the marking types currently supported by the MIB have been changed. Specifically, the marking type configured when using the set command has been changed to the bitmap (that is, BITS) type. This enhancement enables the MIB to record more than eight marking types.

Support for the following features provides enhanced traffic policing, marking, and queuing functionality.

• MPLS-DiffServ Tunneling, Cisco IOS Software Release 12.2(13)T

– This feature allows users to base WRED on the discard class value of a packet. It also includes the ability to mark and set the MPLS EXP value for the topmost label when policing and classifying traffic.

• Percentage-Based Policing and Shaping, Cisco IOS Software Release 12.2(13)T

– This feature provides the ability to configure traffic policing and traffic shaping on the basis of a percentage of the bandwidth available on the interface.

• Class-Based RTP and TCP Header Compression, Cisco IOS Software Release 12.2(13)T

– This feature allows you to configure Real-Time Transport Protocol (RTP) or TCP IP header compression on a per-class basis, when a class is configured within a policy map.

Finally, these additions reflect additional support for policing, shaping, and packet marking.

• Two time-based MIB objects, burst ms and excess burst ms, used when you are configuring traffic policing. These parameters allow users to specify the appropriate burst values to be used for policing traffic. However, they can be used only when traffic policing is configured on the basis of a percentage of bandwidth.

• Two time-based MIB objects, sustained burst size in msec and excess burst size in msec, used when you are configuring traffic shaping. These parameters allow users to specify the appropriate burst values to be used for shaping traffic. However, they can be used only when traffic shaping (either average rate or peak rate traffic shaping) is configured on the basis of a percentage of bandwidth.

• A table used to count statistics for marking and three tables used to support the "Enhanced Packet Marking" feature available with Cisco IOS Software Release 12.2(13)T.


Benefits

The CBQoSMIB provides read access to configuration and statistical information for MQC, following the same structure as MQC.

Hardware

Routers • Cisco 1701, 1710, 1711, 1712, 1721, and 1751 Routers

• Cisco 2610XM, 2611XM, 2620XM, 2621XM, 2650XM, and 2651XM Routers

• Cisco 3725 and 3745 Routers

• Cisco 7200 and 7500 Series Routers

Additional Information:

To locate and download Cisco MIBs for selected hardware products, Cisco IOS Software releases, and feature sets, please visit the Cisco IOS MIB Locator: http://www.cisco.com/go/mibs/

Product Management Contact: Tim McSweeney, [email protected]

2.12.8) Turbo-Classification for QoS

Turbo-Classification for QoS improves performance on the Cisco 7200 Series Router for configurations that use TurboACLs and QoS features. The technique is limited to the Cisco 7200 Series Router as a reference product at this time. There are no changes to the configuration of access lists.

One new configuration command has been added:

[ no ] service turboacl

This command enables or disables TurboACL (initially, TurboACL defaults to disabled).

Benefits

TurboACLs improve performance by matching a packet against an access list faster than a sequential search.

Hardware

Routers • Cisco 7200 Series Router

Product Management Contact: Tim McSweeney, [email protected]

2.12.9) Real-Time Transport Protocol Header Compression over Asymmetric/Satellite Links

RTP header compression (cRTP) relies on the existence of a feedback mechanism to recover from packet loss on the channel. If the round trip time of the link is large, or if there is no feedback path, the chance of loss propagation is greatly increased when a packet is dropped on the link. If there is no feedback path, a compressed stream may never recover. RTP Header Compression over Asymmetric/Satellite Links provides a configurable option to allow periodic refreshes of the compressed stream using FULL_HEADER packets. This option is detrimental to the compression efficiency of cRTP but increases robustness in certain conditions, such as over satellite or other asymmetric links.

Figure 65 RTP Header Compression over Asymmetric/Satellite Links

• Compressed RTP (cRTP) packet loss recovery time may be large if link latency is high.

• Configurable option to periodically transmit a full cRTP header.

Benefits

RTP Header Compression over Asymmetric/Satellite Links provides improved system performance by reducing network overhead and speeding up transmission of RTP packets when the links are slow or are subject to loss.

Hardware

Routers • Cisco 1751, 1760, 2691, 3631, 3640, 3640A, 3660, 3725, 3745 Routers

• Cisco 2610XM, 2611XM, 2620XM, 2621XM, 2650XM, and 2651XM Routers

• Cisco 7200 and 7500 Series Routers

Switches • Cisco Catalyst 4000-AGM Series Switch

Access Servers • Cisco AS5400, AS5850-ERSC, and AS5850-RSC Series Access Servers

Product Management Contact: Ken Kauffmann, [email protected]
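The loss-propagation problem and the periodic FULL_HEADER refresh described in 2.12.9, as an added example that is not part of the original bulletin or of Cisco's implementation: a toy model of RTP header compression over a link with no feedback path. The compressor sends deltas the decompressor applies to its saved context; one dropped packet leaves that context permanently behind unless a FULL_HEADER packet resynchronises it. The packet format, the refresh interval and the field names are this example's own.

```python
"""Why cRTP needs feedback or periodic FULL_HEADER refreshes (added example, not Cisco code).

A compressor and a decompressor share a context (the last RTP header seen).
Compressed packets carry only the sequence-number and timestamp deltas; a
FULL_HEADER packet carries the whole header and resets the receiver's context.
The link drops one packet and offers no feedback channel.
"""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class RtpHeader:
    ssrc: int   # stream identifier, constant for the stream
    seq: int    # RTP sequence number
    ts: int     # RTP timestamp

# ("FULL", RtpHeader) or ("DELTA", (delta_seq, delta_ts))
Compressed = Tuple[str, object]


class Compressor:
    def __init__(self, refresh_every: Optional[int]):
        # refresh_every=None models cRTP without the refresh option:
        # the full header is sent once, at the start of the stream only.
        self.refresh_every = refresh_every
        self.ctx: Optional[RtpHeader] = None
        self.sent = 0

    def compress(self, hdr: RtpHeader) -> Compressed:
        refresh_due = (self.refresh_every is not None
                       and self.sent % self.refresh_every == 0)
        self.sent += 1
        if self.ctx is None or refresh_due:
            self.ctx = hdr
            return ("FULL", hdr)
        pkt = ("DELTA", (hdr.seq - self.ctx.seq, hdr.ts - self.ctx.ts))
        self.ctx = hdr          # the sender assumes the packet arrives
        return pkt


class Decompressor:
    def __init__(self):
        self.ctx: Optional[RtpHeader] = None

    def decompress(self, pkt: Compressed) -> Optional[RtpHeader]:
        kind, body = pkt
        if kind == "FULL":
            self.ctx = body
            return body
        if self.ctx is None:
            return None         # a delta with no context cannot be applied
        dseq, dts = body
        self.ctx = RtpHeader(self.ctx.ssrc, self.ctx.seq + dseq, self.ctx.ts + dts)
        return self.ctx


def simulate(n_packets: int, drop_index: int, refresh_every: Optional[int]) -> int:
    """Send n_packets of a constructed 20 ms voice stream; drop one on the link.

    Returns how many headers the receiver reconstructs incorrectly. With no
    feedback the compressor never learns about the loss, so the count shows
    how far the damage propagates.
    """
    comp, decomp = Compressor(refresh_every), Decompressor()
    wrong = 0
    for i in range(n_packets):
        original = RtpHeader(ssrc=0x1234, seq=1000 + i, ts=160 * i)
        pkt = comp.compress(original)
        if i == drop_index:
            continue            # lost on the link; nothing tells the sender
        if decomp.decompress(pkt) != original:
            wrong += 1
    return wrong


if __name__ == "__main__":
    print("no refresh:", simulate(100, 10, None), "bad headers after one loss")
    print("refresh every 20:", simulate(100, 10, 20), "bad headers after one loss")
```

The refresh interval is the knob the bulletin describes as a trade-off: every FULL_HEADER packet costs the bandwidth the compression was meant to save, but it bounds the number of corrupted headers after a loss to at most one refresh interval, whereas without it (or without a feedback path) every packet after the loss is wrong for the rest of the stream.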


2.13) Security and VPN

Table 14 Security & VPN Feature Highlights

2.13.1) Cisco IOS Software Login Password Retry Lockout (per EAL4 Compliance)

2.13.2) Cisco IOS Firewall: HTTP Inspection Engine

2.13.3) Cisco IOS Firewall: Granular Protocol Inspection

2.13.4) Cisco IOS Firewall: Email Inspection Engine

2.13.5) Cisco IOS Firewall: Inspection of Router-Generated Traffic

2.13.6) Virtual Routing and Forwarding Aware Cisco IOS Firewall

2.13.7) Intrusion Prevention Systems Signature Enhancements

2.13.8) Secure Device Provisioning Phase 4: Administrative Introducer

2.13.9) Secure Device Provisioning Phase 4: Hierarchical Certificate Servers

2.13.10) OS Universal Serial Bus Token Support: Public Key Infrastructure Enhancements

2.13.11) Persistent Self-Signed Certificates

2.13.12) Easy VPN Remote Phase 4.1: Enhancements

2.13.13) IPsec Preferred Peer

2.13.14) IPsec Antireplay Window Expansion and Disable Options

2.13.15) IPsec Virtual Tunnel Interface

2.13.16) Reverse Route Injection

2.13.17) Easy VPN Remote Web-Based Activation

2.13.18) WebVPN

2.13.19) Cisco Router and Security Device Manager 2.1

2.13.20) Role-Based CLI Access—Granular Interface Control

2.13.21) 802.1x Supplicant

2.13.22) Cisco IOS Intrusion Prevention System

2.13.23) Cisco IOS Security Device Event Exchange

2.13.24) Cisco IOS Firewall IPv6 FTP Support

2.13.25) Cisco Easy VPN 4.0

2.13.26) Cisco Security and Router Device Manager 2.0

2.13.27) Dynamic Multipoint VPN Spoke to Spoke Functionality

2.13.28) Cisco IOS Network Admission Control

2.13.29) Quality of Service per VPN Group

2.13.30) Cisco AutoSecure Rollback & Logging

2.13.31) Easy Secure Device Deployment Authentication, Authorization, and Accounting Integration

2.13.32) Cisco IOS Resilient Configuration

2.13.33) Call Admission Control for Internet Key Exchange

2.13.34) Certificate to Internet Security Association and Key Management Protocol Profile Mapping

2.13.35) Crypto Access Check On Clear Text Packet

2.13.36) RADIUS Attribute Screening support for Access-Request

2.13.37) Role-Based CLI Access

2.13.38) Control Plane Policing Enhancements

2.13.39) IP Source Tracker

2.13.40) Per VRF TACACS+ Support

2.13.41) Cisco IOS Firewall for IPv6

2.13.42) Transparent Cisco IOS Firewall

2.13.43) Extended Simple Mail Transport Protocol

2.13.44) Key Rollover for Certificate Renewal

2.13.45) PKI: Query Multiple Servers during Certificate Revocation Check

2.13.46) Virtual Private Network Routing and Forwarding Instance Integrated Dynamic Multipoint VPN

2.13.47) Network Address Translation (NAT)—Transparency Aware DMVPN

2.13.48) SEAL Encryption

2.13.49) Control Plane Policing

2.13.50) Secure Shell Version 2

2.13.51) Secure Access Mode—Silent Mode

2.13.52) Image Verification

2.13.53) Login Enhancements—Password Retry Delay

2.13.54) Router IP Traffic Export

2.13.55) Cisco IOS Easy VPN Remote Phase 3.2

2.13.56) Cisco IOS Certificate Server

2.13.57) VPN Access Control using 802.1x Authentication

2.13.58) Cisco IOS IPv6 IPsec Phase I—IPsec Authentication for Open Shortest Path First Version 3

2.13.59) Cisco IOS Firewall Access Control Lists Bypass

2.13.60) User Management Enhancements for Easy VPN Server

2.13.61) IPsec VPN Monitoring

2.13.62) Online Certificate Status Protocol

2.13.1) Cisco IOS Software Login Password Retry Lockout (per EAL4 Compliance)

Login password retry lockout conforms to the EAL4 requirement of providing these enhancements to Cisco IOS Software-enabled devices:

• The administrator may specify the number of attempted logins allowed before lockout. The default value is 3 and is configurable.

• When a user makes the configured number of unsuccessful attempts to log in, that user is locked out of the system until the administrator unlocks that user.

• Only the administrator or users with administrator-equivalent privileges are able to unlock users.

• Local AAA maintains a list of locked-out users.

• This configuration is not user specific but is device (per-box) specific.

• Exception: the system does not allow the administrator to be placed on the locked-out list.

• The locked-out list is not maintained by an external server such as a RADIUS server.

• The command-line interface (CLI) can display the list of locked-out users by means of a show command.

Benefits

• Improves the security of the networking device.

• Helps the network administrator prevent potential unwanted access to the networking device.

• Offers flexibility for the network administrator to allow networking device access that meets the security policies and industry standards of individual corporations.

• Provides an audit trail of locked-out users for security risk assessment.

Hardware

Routers • Cisco 800, 1700, 1800, 2600XM, 2800, 3600, 3700, 3800, and 7200 Series Routers


Product Management Contact: [email protected]
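The lockout behaviour listed in 2.13.1, as an added example that is not part of the original bulletin and is not Cisco IOS code: a Python model of the local AAA policy (a configurable attempt limit defaulting to 3, lockout until an administrator clears it, administrators never locked out, a locally kept locked-out list that a show-style query returns, and an audit trail). The class, the max_fail parameter, the user names and passwords are this example's own; the plain SHA-256 stand-in for password storage is a simplification, not a recommendation.

```python
"""Model of per-device login password retry lockout (added example, not Cisco code)."""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, List, Set


class LockedOut(Exception):
    """Raised when a locked-out user attempts to log in."""


@dataclass
class LocalAaa:
    max_fail: int = 3                                        # bulletin default; configurable
    users: Dict[str, bytes] = field(default_factory=dict)    # name -> digest of password
    admins: Set[str] = field(default_factory=set)            # administrator-equivalent users
    failures: Dict[str, int] = field(default_factory=dict)   # consecutive failures per user
    locked: Set[str] = field(default_factory=set)            # the locally kept locked-out list
    audit: List[str] = field(default_factory=list)           # audit trail for risk assessment

    def add_user(self, name: str, password: str, admin: bool = False) -> None:
        # Stand-in for a salted password hash; the example is about lockout, not storage.
        self.users[name] = hashlib.sha256(password.encode()).digest()
        if admin:
            self.admins.add(name)

    def login(self, name: str, password: str) -> bool:
        """Return True on success, False on a failed attempt; raise if locked out."""
        if name in self.locked:
            self.audit.append(f"rejected login for locked-out user {name}")
            raise LockedOut(name)
        candidate = hashlib.sha256(password.encode()).digest()
        ok = name in self.users and hmac.compare_digest(candidate, self.users[name])
        if ok:
            self.failures.pop(name, None)   # success resets the counter
            return True
        count = self.failures.get(name, 0) + 1
        self.failures[name] = count
        # The bulletin's exception: an administrator is never placed on the list.
        # Unknown names are counted but cannot be "locked" as there is no account.
        if count >= self.max_fail and name in self.users and name not in self.admins:
            self.locked.add(name)
            self.failures.pop(name, None)
            self.audit.append(f"locked out {name} after {count} failed attempts")
        return False

    def show_locked_users(self) -> List[str]:
        """Equivalent of the bulletin's show command: the locally held list."""
        return sorted(self.locked)

    def unlock(self, actor: str, name: str) -> None:
        """Only an administrator (or equivalent) may clear a lockout."""
        if actor not in self.admins:
            raise PermissionError(f"{actor} is not permitted to unlock users")
        self.locked.discard(name)
        self.audit.append(f"{actor} unlocked {name}")


if __name__ == "__main__":
    aaa = LocalAaa()
    aaa.add_user("operator", "correct horse")
    aaa.add_user("admin", "battery staple", admin=True)
    for _ in range(3):
        aaa.login("operator", "wrong")
    print(aaa.show_locked_users())
    aaa.unlock("admin", "operator")
    print(aaa.login("operator", "correct horse"), aaa.audit)
```

Two properties of this design are worth stating plainly before enabling it on a device. Because the lockout is keyed by user name and held only on this box, anyone who knows a valid operator name can lock that operator out by failing three logins, so the feature trades brute-force resistance for a denial-of-service exposure that the audit trail lets you see but not prevent. And the administrator exemption exists so that the only path to clearing a lockout can never itself be locked; it is not a reason to share administrator credentials.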

2.13.2) Cisco IOS Firewall: HTTP Inspection Engine

Cisco IOS Firewall has been enhanced with the introduction of Advanced Application Inspection and Control. Companies often decide to permit common applications, such as Web browsing, through their firewalls. Unfortunately, such access can result in non-HTTP applications, such as instant messaging (IM), attempting to take advantage of hosts behind this opening in the firewall. Although traditional firewall enforcement blocks traffic based on source and destination addresses and protocol and port numbers, the Cisco IOS Firewall HTTP Inspection Engine enforces protocol conformance and prevents malicious or unauthorized behavior such as port 80 tunneling, malformed packets, and Trojans from passing through. The HTTP Inspection Engine gives Cisco IOS Firewall the intelligence not only to block non-HTTP traffic, but also to help ensure that traffic that is assumed to be HTTP is legitimate Web browsing and not IM or similar traffic trying to gain access through the firewall. The net result is that network administrators have more granular control of applications passing through the firewall.

Benefits

• Defines and enforces security policies for port 80.

• Controls misuse of port 80 by rogue applications that tunnel traffic inside HTTP and use port 80 to avoid scrutiny.

• Performs protocol anomaly detection services.

• Detects misuse of HTTP and Web connectivity.

• Prevents protocol masquerading.

• Provides strict RFC compliance enforcement.

• Allows RFC command control (for example, GET or PUT).

• Enforces URL-length and header-length policy.

• Supports real-time alarms and audit trail messages.

• Provides MIME-type filtering and content validation.

Hardware

Routers • Cisco 800, 1700, 1800, 2600XM, 2800, 3600, 3700, 3800, and 7200 Series Routers

Additional Information: http://www.cisco.com/en/US/products/sw/secursw/ps1018/index.html

Cisco IOS Packaging

The Cisco IOS Firewall HTTP Inspection Engine feature is positioned in the Advanced Security packages across Cisco routers.

Cisco IOS Packaging Contact: Fariba Farniam ([email protected])

Product Management Contact: Hitesh Saijpal ([email protected])


2.13.3) Cisco IOS Firewall: Granular Protocol Inspection

With this feature, Cisco IOS Firewall can perform more granular protocol inspection of Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) traffic for most application types as defined in RFC 1700. IP packets that contain most well-known ports defined in RFC 1700, plus user-defined ports and ranges that map to specific applications, can be inspected. Additionally, the existing Cisco IOS Firewall feature called Port-to-Application Mapping (PAM) has been enhanced to distinguish between TCP and UDP.

Benefits

• Greater flexibility by allowing more granularity in the selection of protocols to be inspected.

• Ease of use by grouping inspection of multiple ports into a single, user-defined application keyword.

• Enhanced functionality with the addition of more well-known ports, user-defined applications, and user-defined port ranges.

• Improved performance and reduced CPU load resulting from focused inspection selections.

Hardware

Routers • Cisco 800, 1700, 1800, 2600XM, 2800, 3600, 3700, 3800, and 7200 Series Routers

Considerations

• A single port can only be mapped to one application.

• Port ranges cannot be specified directly in the ip inspect name command; the PAM table should be used instead.

Additional Information: http://www.cisco.com/en/US/products/sw/secursw/ps1018/index.html

Cisco IOS Packaging

The Cisco IOS Firewall Granular Protocol Inspection feature is positioned in the Advanced Security packages across Cisco routers.

Cisco IOS Packaging Contact: Fariba Farniam ([email protected])

Product Management Contact: Hitesh Saijpal ([email protected])

2.13.4) Cisco IOS Firewall: Email Inspection Engine

Cisco IOS Firewall Advanced Application Inspection and Control features Inspection Engines that provide protocol anomaly detection services. This latest enhancement adds support for Post Office Protocol 3 (POP3) and Internet Message Access Protocol (IMAP) to the Email Inspection Engine, in addition to the existing support for Simple Mail Transfer Protocol (SMTP) and Extended Simple Mail Transfer Protocol (ESMTP).

Benefits

• Inspects SMTP, ESMTP, POP3, and IMAP.

• Detects misuse of email connectivity.

• Prevents protocol masquerading.

• Enforces strict RFC compliance.

• Performs protocol anomaly detection services.


Hardware

Routers • Cisco 800, 1700, 1800, 2600XM, 2800, 3600, 3700, 3800, and 7200 Series Routers

Considerations

Users need to have sufficient free memory.

Additional Information: http://www.cisco.com/en/US/products/sw/secursw/ps1018/index.html

Cisco IOS Packaging

The Cisco IOS Firewall Email Inspection Engine feature is positioned in the Advanced Security packages across Cisco routers.

Cisco IOS Packaging Contact: Fariba Farniam ([email protected])

Product Management Contact: Hitesh Saijpal ([email protected])

2.13.5) Cisco IOS Firewall: Inspection of Router-Generated Traffic

The Inspection of Router-Generated Traffic feature enables the inspection of local router traffic for single-channel TCP and UDP connections originated by or terminated at the router. Local H.323 connections are also supported.

Benefits

• Cisco IOS Firewall policy can now be applied to router local traffic.

• The inspection of local H.323 connections enables the deployment of Cisco CallManager Express and Cisco IOS Firewall on the same router with a simplified access control list (ACL) configuration on the Cisco CallManager Express interface through which H.323 connections are made.

Hardware

Routers • Cisco 800, 1700, 1800, 2600XM, 2800, 3600, 3700, 3800, and 7200 Series Routers

Considerations

• Inspection of Router-Generated Traffic is supported only for the following protocols: H.323, TCP, and UDP.

• Cisco IOS Firewall supports only Version 2 of the H.323 protocol.

Additional Information: http://www.cisco.com/en/US/products/sw/secursw/ps1018/index.html

Cisco IOS Packaging

The Cisco IOS Firewall Inspection of Router-Generated Traffic feature is positioned in the Advanced Security packages across Cisco routers.

Cisco IOS Packaging Contact: Fariba Farniam ([email protected])

Product Management Contact: Hitesh Saijpal ([email protected])


2.13.6) Virtual Routing and Forwarding Aware Cisco IOS Firewall

Virtual Routing and Forwarding (VRF) Aware Cisco IOS Firewall applies Cisco IOS Firewall functionality to VRF interfaces when the firewall is configured on a service provider or large enterprise edge router. Service providers can use it to provide managed services to small and medium business markets. VRF-Aware Cisco IOS Firewall supports VRF-aware URL filtering and VRF-lite (also known as multi-VRF customer edge [CE]).

Benefits

• Allows users to configure a per-VRF firewall. The firewall inspects IP packets that are sent and received within a VRF.

• Allows service providers to deploy the firewall on the provider edge (PE) router.

• Supports overlapping IP address space, thereby allowing traffic from nonintersecting VRFs to have the same IP address.

• Supports per-VRF (not global) firewall command parameters and denial-of-service (DoS) parameters so that the VRF-aware firewall can run as multiple instances (with VRF instances) allocated to various VPN customers.

• Performs per-VRF URL filtering.

• Generates VRF-specific syslog messages that can be seen only by a particular VPN. These alert and audit trail messages allow network administrators to manage the firewall; that is, they can adjust firewall parameters, detect malicious sources and attacks, add security policies, and so on.

• Supports the ability to limit the number of firewall sessions per VRF.

Hardware

Routers • Cisco 800, 1700, 1800, 2600XM, 2800, 3600, 3700, 3800, and 7200 Series Routers

Considerations

• VRF-Aware Cisco IOS Firewall is not supported on MPLS interfaces.

• If two VPN networks have overlapping addresses, VRF-aware NAT is required for them to support VRF-aware firewalls.

• When crypto tunnels belonging to multiple VPNs terminate on a single interface, per-VRF firewall policies cannot be applied.

Additional Information: http://www.cisco.com/en/US/products/sw/secursw/ps1018/index.html

Cisco IOS Packaging

VRF-Aware Firewall is positioned in the Advanced Security packages across Cisco routers.

Cisco IOS Packaging Contact: Fariba Farniam ([email protected])

Product Management Contact: Hitesh Saijpal ([email protected])


2.13.7) Intrusion Prevention Systems Signature Enhancements

This release adds the TCP, UDP, and Internet Control Message Protocol (ICMP) signature microengines (SMEs) to the list of supported SMEs. This allows Cisco IOS Software routers to defend networks against common worms and viruses such as the following:

String TCP Worm and Virus Support: Agobot, ANTS, Apache/mod_ssl Worm, Bagle, Blaster, GaoBot, Klez, Minmai, MyDoom, Netsky, Norvag, Phatbot, Sober Worm, Slapper (Buffer Overflow), ZAFI.D

String UDP Worm and Virus Support: Agobot, Blaster, GaoBot, Phatbot, Slammer

String ICMP Worm and Virus Support: Nachi

Also included in this release is the local shun action, which can be configured on any signature. A shun places an ACL-type block on the interface from which the attacking traffic is entering the router, so that the network is defended from the attack traffic more quickly.

Benefits

• Support for more than 400 additional signatures, for a total of more than 1275 from which to choose.

• Increased efficiency for traffic blocking with the shun action.

Hardware

Routers • Cisco 800, 1700, 1800, 2600XM, 2800, 3600, 3700, 3800, and 7200 Series Routers

Cisco IOS Packaging

IPS Signature Enhancements are positioned in the Advanced Security packages across Cisco routers.

Cisco IOS Packaging Contact: Fariba Farniam ([email protected])

Product Management Contact: Tom Guerrette ([email protected])

2.13.8) Secure Device Provisioning Phase 4: Administrative Introducer

Secure Device Provisioning (SDP) Phase 4 allows an IT administrator to introduce and preprovision several end routers without the need for an end user. Administrative login and device specification have been introduced into the SDP framework.

SDP, formerly known as EZ Secure Device Deployment, simplifies the introduction of a VPN device into the public key infrastructure (PKI) network. SDP mechanisms assume a permanent relationship between the introducer and the device. As a result, the introducer username is used to define the device hostname. Often the introducer username is used as the database locator to determine the Cisco IOS Software configuration template, template variables (pulled from the AAA database and expanded into the template), and the appropriate subject name for the PKI certificates issued to the device.


In some deployment scenarios, the introducer is an administrator (or an administrative service such as the CiscoWorks VPN/Security Management Solution [VMS] or the Cisco IP Solution Center [ISC]) doing the introduction for many devices. In this situation, the administrator's username cannot be used as a database locator, so the SDP GUI has been enhanced to provide the username as a separate parameter.

Figure 66 SDP Administrative Introducer. The figure shows the introducer, in the role of the "user", performing the introduction through the HTML interface in four steps: 1) Welcome, 2) Administrative Login, 3) Introduction (where the HTML interface provides the device name), and 4) Completion. After the introduction, the user's routers and the registrar communicate securely.

Benefits

Allows an IT administrator or security management solution to provision multiple devices.

Hardware

Routers • Cisco 800, 1700, 1800, 2600XM, 2800, 3600, 3700, 3800, and 7200 Series Routers

Cisco IOS Packaging

SDP Phase 4: Administrative Introducer is positioned in the Advanced Security packages across Cisco routers.

Cisco IOS Packaging Contact: Fariba Farniam ([email protected])

Product Management Contact: Jai Balasubramaniyan ([email protected])

2.13.9) Secure Device Provisioning Phase 4: Hierarchical Certificate Servers

PKI deployments have a certificate server that issues certificates to the nodes in the VPN installation. A root certificate server is a CA server that holds a self-signed certificate, and its key pair is the root of the trust associations (digital signatures in the certificates) of the whole VPN installation. Because the root RSA key pairs are extremely important in a PKI hierarchy, it is often advantageous to keep them offline or archived. To support such an arrangement, PKI hierarchies allow for subordinate certificate authorities that have been signed by the root authority. In this way the root authority can be kept offline (except to issue occasional Certificate Revocation List [CRL] updates) and the subordinate Certificate Authority (sub-CA) can be used during normal operation.

Figure 67 SDP Hierarchical Certificate Server. The figure shows a Cisco IOS Software root certificate service with Cisco IOS Software subordinate certificate servers at sites in New York, Tokyo, London, and San Jose; the subordinate servers enroll with the root and the end hosts enroll with their local subordinate server over SCEP.

Benefits

• Allows for hierarchical certificate servers, ensuring better scalability and availability.

• Simplifies PKI deployment in geographically distributed VPN installations, where each location can have its own certificate server handling the network beneath it.

Hardware

Routers • Cisco 800, 1700, 1800, 2600XM, 2800, 3600, 3700, 3800, and 7200 Series Routers

Cisco IOS Packaging

SDP Phase 4: Hierarchical Certificate Servers is positioned in the Advanced Security packages across Cisco routers.

Cisco IOS Packaging Contact: Fariba Farniam ([email protected])

Product Management Contact: Jai Balasubramaniyan ([email protected])

2.13.10) OS Universal Serial Bus Token Support: Public Key Infrastructure Enhancements

The Cisco IOS Software Universal Serial Bus (USB) Token Support project provides support for USB cryptographic tokens and flash drives on Cisco IOS Software. The USB token plugs into the router's USB port.


Tokens provide a secure place to store keys and configurations, where they can be protected with a PIN. Tokens do not have enough storage to hold images or other bulk data. The tokens supported in this release have a capacity of 32 KB, of which about half is taken up by token and Cisco IOS Software system overhead. This size is suitable for a small configuration and a few certificates and keys.

Flash drives can be used to store images, configurations, and other data, but are not suitable for private keys because they offer no protection for their contents.

Figure 68 USB Token: PKI

Benefits

• Simplifies secure initial deployment. The router can be drop-shipped by the distributor, while the token containing the configuration and private keys is distributed by other means.

• Simplifies replacement of failed routers. The user only needs to take the spare from the closet or have it drop-shipped, plug in the token from the failed router, and it should work. This method assumes that the token contains the configuration and keys.

• Helps in securing a VPN connection. The router may have access to the Internet at all times, but it can only use the VPN while the token is present, because the keys on the token are used to set up the tunnel, and the tunnel is torn down when the token is removed.

Hardware

Routers • Cisco 1841 Routers and Cisco 2800 and 3800 Series

Cisco IOS Packaging

OS USB Token Support: PKI Enhancements is positioned in the Advanced Security packages across Cisco routers.

Cisco IOS Packaging Contact: Fariba Farniam ([email protected])

Product Management Contact: Jai Balasubramaniyan ([email protected])

2.13.11) Persistent Self-Signed Certificates

Cisco IOS Software has an HTTPS server that allows access to Web-based management pages over an SSL connection. SSL requires the server to present its certificate to the client during the SSL handshake, before a secure connection between the server and the client is established.

If the Cisco IOS Software does not have a certificate that the HTTPS server can use, it generates a self-signed certificate by calling the PKI API. This certificate is then presented to the client, which prompts the user to accept it. If the user accepts, the certificate is stored in the browser for future use.


Later SSL handshakes require the same certificate. Before this feature, the certificate was lost on every reload, so a new one had to be generated and the user had to go through the acceptance sequence again. The Persistent Self-Signed Certificate feature saves the certificate in the router's startup configuration, so the same certificate survives reloads and HTTPS connections with clients stay consistent.

Figure 69 Persistent Self-Signed Certificates (figure: an SSL connection between a client Web browser and the router's HTTPS server)

Benefits

• Ease of use: a persistent self-signed certificate stored in the router's startup configuration eliminates the need for manual user intervention to accept a certificate every time the router reloads.

• Improved performance: because user intervention is no longer necessary to accept the certificate, the secure connection is established faster.

• Better security: a self-signed certificate that stays the same across reloads (stored in NVRAM with the startup configuration) lets a client that has already accepted it notice when a different certificate is presented. A fresh self-signed certificate on every reload, by contrast, trains users to click through certificate warnings, which is exactly what an attacker substituting an unauthorized certificate relies on.
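As an added example (not configuration from the bulletin), the following creates a self-signed certificate under an explicit trustpoint, binds the HTTPS server to it, and saves it so that it persists across reloads. The hostname, domain, key label and trustpoint name are assumptions.

```cisco
! Added example: persistent self-signed certificate for the IOS HTTPS server.
! hostname, domain, HTTPS-KEY and TP-SELF-SIGNED are assumed names.
hostname R1
ip domain-name example.net
!
! Privileged EXEC: generate a dedicated RSA key pair for the HTTPS server.
crypto key generate rsa general-keys label HTTPS-KEY modulus 2048
!
! Self-signed trustpoint: "enrollment selfsigned" makes PKI issue the
! certificate locally instead of sending a request to a CA.
crypto pki trustpoint TP-SELF-SIGNED
 enrollment selfsigned
 subject-name cn=R1.example.net
 rsakeypair HTTPS-KEY
 revocation-check none
!
! Privileged EXEC: issue the certificate now. It lands in the running
! configuration as "crypto pki certificate chain TP-SELF-SIGNED" /
! "certificate self-signed 01".
crypto pki enroll TP-SELF-SIGNED
!
! Serve HTTPS with this trustpoint and turn off plaintext HTTP.
no ip http server
ip http secure-server
ip http secure-trustpoint TP-SELF-SIGNED
!
! The certificate is "persistent" only once it is in startup-config.
copy running-config startup-config
!
! Check:  show crypto pki certificates TP-SELF-SIGNED
!         show running-config | section crypto pki certificate chain
```

If `ip http secure-server` is enabled without naming a trustpoint, the router creates one named after its serial number; the explicit trustpoint is how you control the subject name and key. The certificate is still self-signed: the browser will warn once, and the operator should compare the fingerprint from the show command with what the browser displays before accepting. For a fleet of routers, enrolling with an internal CA removes that manual step entirely.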

Hardware

Routers • Cisco 800, 1700, 1800, 2600XM, 2800, 3600, 3700, 3800, and 7200 Series Routers

Cisco IOS Packaging

Persistent Self Signed Certificates is positioned in the Advanced Security packages across Cisco routers.

Cisco IOS Packaging Contact: Fariba Farniam ([email protected])

Product Management Contact: Jai Balasubramaniyan ([email protected])

2.13.12) Easy VPN Remote Phase 4.1: Enhancements

Easy VPN Phase 4.1 adds two enhancements for Easy VPN Remote: support for Reliable Static Routing using Object Tracking, and Tunnel Activation on Interesting Traffic.

Reliable Static Routing using Object Tracking is an existing feature that enables Cisco IOS Software to detect when a Point-to-Point Protocol over Ethernet (PPPoE) or IPsec VPN tunnel goes down and to initiate a dial-on-demand routing (DDR) connection to a preconfigured destination over an alternative WAN/LAN port (for example, T1, ISDN, analog, or AUX). It addresses deployments in which a remote router has only a static route to the corporate network. IP static route tracking tracks an object (by IP address or host name) using ICMP, TCP, or other protocols and installs or removes the static route based on the state of the tracked object. If it determines that Internet connectivity is lost, the default route via the primary interface is removed and the floating static route via the backup interface takes over.


This enhancement makes it possible to establish a secondary Easy VPN connection if the primary Easy VPN connection fails, using Reliable Static Routing using Object Tracking. It applies to the dial backup interface only.

Two new Easy VPN Remote CLI configuration options support Reliable Static Routing using Object Tracking: a reference to the backup Easy VPN Remote configuration and a reference to the tracking system.

backup <ezvpn-cfg-name> specifies the Easy VPN configuration that is activated when backup is triggered.

track <tracked-object-number> links the Easy VPN state machine to the tracking system so that it receives the notification that triggers backup.

crypto ipsec client ezvpn <ezvpn-cfg-name> backup <ezvpn-cfg-name> track <tracked-object-number>

Easy VPN Remote registers with the tracking system for notifications of changes in the state of the object. The command above tells the tracking process that Easy VPN Remote is interested in the object identified by the object number, and the tracking process in turn informs Easy VPN Remote when the state of that object changes. When the tracked object goes DOWN, Easy VPN Remote brings up the backup connection. The primary connection is not torn down when the tracked object goes DOWN, although it may time out or reset on its own. The tracking pings continue to be sent through the primary tunnel; if that tunnel is not up, they are dropped. The primary tunnel keeps trying to reestablish itself, and once it does, the pings succeed and the tracked object goes UP again. The backup connection is then torn down and Easy VPN Remote switches back to the primary connection.

Benefits

• Allows flexibility to track an object and initiate dial backup.

Tunnel Activation on Interesting Traffic on Easy VPN Remote introduces a new way of activating Easy VPN tunnels based on user traffic. Before this feature there were two ways to bring up the tunnel: manual entry of the XAuth username and password, and automatic activation with the username and password stored in the configuration file. The new option brings up the tunnel only when user traffic needs it. Combined with an idle timer on the tunnel, the tunnel comes up and goes down only when user traffic requires it. This reduces the load on the Easy VPN concentrator, because tunnels are brought up only when needed.

Figure 70 Activation Triggered by Easy VPN Remote Traffic (figure: a corporate user's laptop at a branch office sits behind an Easy VPN Remote; an IPsec Easy VPN tunnel across the Internet reaches the Easy VPN Server at corporate headquarters, which fronts the corporate network)


Benefits

Reduces the load on the Easy VPN concentrator, because tunnels are only brought up when needed.
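The following is an added example, not configuration from the bulletin, that puts both Phase 4.1 enhancements together: an object-tracked backup profile over a dial interface, and a primary profile that is activated only by interesting traffic. Profile names, addresses, the IP SLA and track numbers, the group key and the interface names are assumptions. The backup/track keywords are the ones the bulletin names; placing them on the outside interface and binding both profiles to the inside interface is my reading of the feature and should be verified against the Easy VPN Remote guide for the release in use.

```cisco
! Added example (not from the bulletin): Easy VPN Remote with object-tracked
! dial backup and traffic-triggered activation. Names/addresses are assumed.
!
! 1) Probe a host that is reachable only through the primary tunnel. While
!    the tunnel is down the echoes are dropped and track 1 goes DOWN.
ip sla monitor 1
 type echo protocol ipIcmpEcho 10.10.10.1 source-ipaddr 192.168.10.1
 timeout 1000
 frequency 10
ip sla monitor schedule 1 life forever start-time now
!
track 1 rtr 1 reachability
!
! 2) Primary profile: negotiated only when traffic matches ACL 101
!    (activation on interesting traffic) instead of "connect auto".
crypto ipsec client ezvpn EZ-PRIMARY
 group BRANCHES key <group-key>
 peer 203.0.113.1
 mode network-extension
 connect acl 101
!
! 3) Backup profile, used over the dial interface while track 1 is DOWN.
crypto ipsec client ezvpn EZ-BACKUP
 group BRANCHES key <group-key>
 peer 203.0.113.2
 mode network-extension
 connect auto
!
! Interesting traffic: branch LAN to the corporate prefix only.
access-list 101 permit ip 192.168.10.0 0.0.0.255 10.0.0.0 0.255.255.255
!
! 4) Inside (LAN) interface for both profiles (assumed binding).
interface Vlan1
 ip address 192.168.10.1 255.255.255.0
 crypto ipsec client ezvpn EZ-PRIMARY inside
 crypto ipsec client ezvpn EZ-BACKUP inside
!
! 5) Primary outside interface carrying the bulletin's backup/track binding.
interface FastEthernet4
 ip address 198.51.100.2 255.255.255.0
 crypto ipsec client ezvpn EZ-PRIMARY backup EZ-BACKUP track 1
!
! 6) Dial backup interface carries the backup profile (dialer pool, PPP and
!    DDR configuration omitted).
interface Dialer1
 crypto ipsec client ezvpn EZ-BACKUP
!
! Check:  show track 1
!         show crypto ipsec client ezvpn
```

Two practical notes. The probe target must be something that only answers through the tunnel; probing the peer's public address would keep the track UP while the tunnel itself is down. And any profile that connects without a person present needs its XAuth credentials in the configuration, so the saved configuration has to be treated as a secret.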

Hardware

Routers • Cisco 800, 1700, 1800, 2600XM, 2800, 3600, 3700, 3800, and 7200 Series Routers

Cisco IOS Packaging

Easy VPN Remote Phase 4.1: Enhancements is positioned in the Advanced Security packages across Cisco routers.

Cisco IOS Packaging Contact: Fariba Farniam ([email protected])

Product Management Contact: Siva Natarajan ([email protected])

2.13.13) IPsec Preferred Peer

IPsec Preferred Peer allows a user to tag one peer as the default peer in a crypto map that lists multiple peers. It provides two options: a default keyword on set peer, and a default keyword on the IPsec idle timer.

Setting a peer with the default option: the new default keyword marks the first peer in a multiple-peer configuration as the default peer. This peer is retried in certain failure cases before a connection to the next peer on the list is attempted. If dead peer detection (DPD) detects a failure, the default peer is tried once more before the next peer is tried. If the default peer is unresponsive, failure of the retransmitted Internet Key Exchange (IKE) initiation messages makes the next peer on the list the new current peer, and further connections through that crypto map try that new current peer first.

This feature is useful in a dial backup scenario in which traffic over a physical link stops because the remote peer appears to have failed. DPD indicates that the remote peer is unavailable, although it remains the current peer, and the dial backup link comes up. Once connectivity through the physical link is restored, the default peer is tried again. This lets the user always give preference to certain peers in the event of failover, and it helps when the original failure was a connectivity problem in the network rather than a failure of the remote peer itself. If the remote peer really has failed, the retransmits to that peer (which take approximately 45 seconds) cause the default peer to be skipped and the next peer on the list to be tried.

Benefits

Allows flexibility to use a primary peer when it is better (for example, closer, less expensive, or provides more

bandwidth).

Hardware

Routers • Cisco 800, 1700, 1800, 2600XM, 2800, 3600, 3700, 3800, and 7200 Series Routers

Additional Information

• The set peer default option must be used in conjunction with DPD. It is most effective on a remote site running DPD in periodic mode: DPD detects the failure of the other device quickly and resets the peer list so that the default peer is tried again on the next attempt.

• Only one peer may be designated the default on a crypto map.

• The default peer must be the first peer in the list.

• The idle timer default option is intended to be used together with the crypto map set peer default feature.

• Idle timers with the default keyword are available only on a per-crypto-map basis; the keyword does not work with the global idle timer command.

• If a global idle timer is set, the crypto map idle timer value must differ from the global value; otherwise it is not added to the crypto map.
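An added example (not from the bulletin) showing the crypto map these notes describe: the default peer listed first, periodic DPD, and a per-crypto-map idle timer with the default keyword. Peer addresses, the crypto map name, the transform set and the crypto ACL are assumptions.

```cisco
! Added example: crypto map with a preferred (default) peer.
! Addresses, names and ACL 110 are assumptions, not bulletin content.
!
! Periodic DPD (every 10 s, retry every 3 s) so a dead default peer is
! detected quickly; the bulletin says this is where the feature works best.
crypto isakmp keepalive 10 3 periodic
!
crypto ipsec transform-set TS esp-aes esp-sha-hmac
!
crypto map HQ 10 ipsec-isakmp
 ! The default peer must be listed first; only one peer per map may be default.
 set peer 203.0.113.1 default
 set peer 203.0.113.2
 set transform-set TS
 ! Per-crypto-map idle timer with the default keyword. It must differ from any
 ! global "crypto ipsec security-association idle-time" value, or it is not added.
 set security-association idle-time 120 default
 match address 110
!
access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
!
interface Serial0/0
 crypto map HQ
!
! Check which peer is current after a failover:  show crypto map
!                                                show crypto isakmp sa
```

After DPD has declared 203.0.113.1 dead and the map has moved on to 203.0.113.2, the idle timer's default keyword is what makes the router go back to the default peer once the SA to the secondary has been idle for 120 seconds, rather than staying on the secondary indefinitely.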

Cisco IOS Packaging

The Cisco IOS IPsec Preferred Peer feature is positioned in the Advanced Security packages across Cisco routers.

Cisco IOS Packaging Contact: Fariba Farniam ([email protected])

Product Management Contact: Siva Natarajan ([email protected])

2.13.14) IPsec Antireplay Window Expansion and Disable Options

The IPsec antireplay window consists of a 32-bit sequence counter and a bitmap (or equivalent) that records which inbound Authentication Header (AH) or ESP packets have already been received, so that a replayed packet can be recognized and dropped. The Expansion and Disable options give IPsec users two additional ways to control the antireplay mechanism: the antireplay window size can be expanded, or antireplay checking can be disabled completely. The default antireplay window size and the default enabling of antireplay checking for IPsec in Cisco IOS Software remain the same as in prior Cisco IOS Software releases.
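An added example, not from the bulletin, of the two options. The crypto map name and entries are assumptions; the window sizes are illustrative.

```cisco
! Added example: controlling the IPsec antireplay window. Crypto map name
! and entry numbers are assumptions; sizes are illustrative.
!
! Global: enlarge the window for every SA. The usual reason is QoS on the
! sending side reordering packets so that legitimate low-priority packets
! arrive outside the default window and are dropped as replays.
crypto ipsec security-association replay window-size 1024
!
! Per crypto map entry: override the global setting for one tunnel.
crypto map HQ 10 ipsec-isakmp
 set security-association replay window-size 512
!
! Disable replay checking for one entry only. A captured ESP/AH packet can
! then be resent by anyone on the path and will be accepted, so reserve this
! for a far end that cannot be made to deliver in order and a risk that has
! been explicitly accepted. (The global form is
! "crypto ipsec security-association replay disable".)
crypto map HQ 20 ipsec-isakmp
 set security-association replay disable
!
! Symptom of a window that is too small:
!   %CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed
! Check the setting per SA ("replay detection support"):  show crypto ipsec sa
```

Try the larger window first; a few hundred replay-check failures per day on a QoS-shaped link are almost always reordering, not an attack, and expansion fixes them without giving up the protection.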

Figure 71 IPsec Antireplay (figure: the sender's crypto engine encrypts clear-text packets 1, 2, 3, 4 ... 64, 65, 66, 67 ... n; the receiver's crypto engine keeps an antireplay sliding window that moves to the right as new packets are decrypted; a replayed packet 66 is dropped because it was already received; the size of this window can be expanded, or antireplay checking can be disabled)


Benefits

Allows an IT administrator flexibility to control antireplay window size or disable it.

Hardware

Routers • Cisco 800, 1700, 1800, 2600XM, 2800, 3600, 3700, 3800, and 7200 Series Routers

Additional Information

If antireplay checking is disabled, a replay attack is possible: an attacker who captures valid ESP or AH packets can resend them and the receiver will accept them.

Cisco IOS Packaging

IPsec Antireplay Window Expansion and Disable Options is positioned in the Advanced Security packages across Cisco routers.

Cisco IOS Packaging Contact: Fariba Farniam ([email protected])

Product Management Contact: Siva Natarajan ([email protected])

2.13.15) IPsec Virtual Tunnel Interface

VPNs are increasingly recognized as a mainstream solution for secure WAN connectivity. They replace or augment private networks built on leased lines, Frame Relay, or ATM, connecting remote and branch offices and central sites more cost effectively and with greater flexibility. This status requires VPN devices to deliver higher performance, support for both LAN and WAN interfaces, and high network availability. IPsec virtual tunnel interfaces (VTIs) are a new tool for configuring IPsec-based VPNs between site-to-site devices. An IPsec VTI tunnel provides a designated pathway across the shared WAN and encapsulates traffic with new packet headers, ensuring delivery to specific destinations. The network is private because traffic can enter a tunnel only at an endpoint, and because IPsec encrypts the traffic the tunnel carries, it also provides true confidentiality.

With Cisco IPsec VTIs, enterprises can use cost-effective VPNs and continue to add voice and video to their data networks without compromising quality and reliability.

Cisco IPsec VTIs provide secure connectivity for site-to-site VPNs combined with the Cisco Architecture for Voice, Video and Integrated Data (AVVID) for delivering converged voice, video, and data over IP networks. VPNs deliver cost-effective, flexible wide-area connectivity while providing a network infrastructure that supports the latest converged network applications such as IP telephony and video.


Figure 72 IPsec Static Virtual Tunnel Interfaces Between Two Sites (figure: Tunnel 0, numbered 192.168.100.1 and 192.168.100.2 out of 192.168.100.0/30, connects a site with LAN 192.168.1.0/24 to a site with LAN 192.168.2.0/24)

Benefits

• Simplified management—Customers can use Cisco IOS Software virtual tunnel constructs to configure an IPsec VTI, which simplifies VPN configuration and reduces costs because less local IT support is needed. In addition, existing management applications that monitor interfaces can be used to monitor the tunnel.

• Support for multicast encryption—Customers can use Cisco IOS Software IPsec VTIs to carry multicast traffic, control traffic, or data traffic (for example, many voice and video applications) securely from one site to another.

• Routable interface—Cisco IOS Software IPsec VTIs support all types of IP routing protocols. Customers can use this capability to connect larger office environments, such as branch offices, complete with a PBX extension.

• Improved scaling—IPsec virtual interfaces need fewer security associations to cover the different types of traffic, both unicast and multicast, which improves scaling.

• Flexibility of defining features—An IPsec VTI is its own interface that performs the encapsulation, so features can be applied on either the physical interface or the IPsec interface.
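An added example, not from the bulletin, of the static VTI in Figure 72. The tunnel subnet and both LAN prefixes are taken from the figure; the public addresses, the pre-shared key and the policy, transform-set and profile names are assumptions.

```cisco
! Added example: static IPsec VTI for the two sites in Figure 72.
! 192.168.100.0/30, 192.168.1.0/24 and 192.168.2.0/24 are from the figure;
! 203.0.113.x, the key and the names are assumptions.
!
! ---- Site A: Tunnel0 = 192.168.100.1, LAN 192.168.1.0/24 ----
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication pre-share
 group 2
crypto isakmp key <pre-shared-key> address 203.0.113.2
!
crypto ipsec transform-set VTI-TS esp-aes esp-sha-hmac
 mode tunnel
!
crypto ipsec profile VTI-PROF
 set transform-set VTI-TS
!
interface Tunnel0
 ip address 192.168.100.1 255.255.255.252
 tunnel source FastEthernet0/0
 tunnel destination 203.0.113.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VTI-PROF
!
! No crypto ACL: whatever is routed into Tunnel0 is encrypted. A routing
! protocol can run over the tunnel instead of this static route.
ip route 192.168.2.0 255.255.255.0 Tunnel0
!
! Features attach to the tunnel like any interface, e.g. a cleartext filter
! applied before encryption (ACL 150 assumed):
!  interface Tunnel0
!   ip access-group 150 out
!
! ---- Site B mirrors this: 192.168.100.2/30, peer 203.0.113.1, and
!      ip route 192.168.1.0 255.255.255.0 Tunnel0 ----
!
! Check:  show interface Tunnel0      (line protocol is up only with a live SA)
!         show crypto ipsec sa
```

Tunnel0's line protocol tracks the IPsec SA, which is what makes the interface monitorable by ordinary interface-aware tools and usable by routing protocols. Pre-shared keys and Diffie-Hellman group 2 are shown because that is what this generation of routers supports; use certificates and a larger group where the platform allows it.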

Hardware

Routers • Cisco 800, 1700, 1800, 2600XM, 2800, 3600, 3700, 3800, and 7200 Series Routers

Cisco IOS Packaging

The Cisco IOS IPsec Virtual Tunnel Interface feature is positioned in the Advanced Security packages across Cisco routers.

Cisco IOS Packaging Contact: Fariba Farniam ([email protected])

Product Management Contact: Siva Natarajan ([email protected])

2.13.16) Reverse Route Injection

Reverse Route Injection (RRI) creates static routes based on the remote proxy IDs (subnet/mask) of remote IPsec devices. It is platform independent (except for the Cisco Catalyst 6000 Series and Cisco 7600 Series Router) and dynamic, in that it saves the user from statically defining routes. It is remote agnostic as well and works with both dynamic and static crypto maps. Typically the injected static routes are then redistributed into the routing process.

RRI enhancements included in this release: Cisco IOS Software can now alter RRI behavior for static LAN-to-LAN (L2L) IPsec tunnels and can retain RRI routes when a crypto ACL is modified. In addition, it retains RRI routes for dynamic customer premises equipment (CPE) and removes RRI routes when the same crypto map is applied to two different interfaces.
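An added example, not from the bulletin, of RRI on a head end for both kinds of crypto map. Names, addresses, the crypto ACL and the OSPF process are assumptions.

```cisco
! Added example: Reverse Route Injection on a head-end router.
! Names, addresses, ACL 120 and OSPF process 1 are assumptions.
!
crypto ipsec transform-set TS esp-aes esp-sha-hmac
!
! Dynamic peers (remote-access / unknown-address CPE): a static route to each
! peer's proxy ID is installed when its SA comes up and removed when it goes.
crypto dynamic-map DYN 10
 set transform-set TS
 reverse-route
!
! Static site-to-site entry: "reverse-route static" installs the route for
! the crypto ACL destination as soon as the map is applied, before any SA
! exists, so traffic is attracted to the tunnel and triggers negotiation.
crypto map HEADEND 10 ipsec-isakmp
 set peer 203.0.113.50
 set transform-set TS
 match address 120
 reverse-route static
!
crypto map HEADEND 100 ipsec-isakmp dynamic DYN
!
access-list 120 permit ip 10.1.0.0 0.0.255.255 192.168.50.0 0.0.0.255
!
! Apply the map to one interface only: RRI in the same crypto map on
! multiple interfaces is not allowed (see Considerations).
interface FastEthernet0/0
 crypto map HEADEND
!
! Make the injected routes known to the rest of the network.
router ospf 1
 redistribute static subnets
!
! Check:  show ip route static   (RRI routes appear as static routes toward
!         the peer / outside interface, e.g. 192.168.50.0/24 and each dynamic
!         client's /32)
```

Redistribute with a route map or prefix list in production; an unfiltered `redistribute static` will also export every other static route on the head end.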

Figure 73 Reverse Route Injection (figure: a remote software client at 10.1.1.1/32 connects across the Internet to a head-end router, which injects the static route "RRI: I can reach 10.1.1.1")

Benefits

Saves the user from statically defining routes.

Considerations

Cisco IOS Software does not allow RRI in the same crypto map on multiple interfaces.

Hardware

Routers • Cisco 800, 1700, 1800, 2600XM, 2800, 3600, 3700, 3800, and 7200 Series Routers

Cisco IOS Packaging

Reverse Route Injection is positioned in the Advanced Security packages across Cisco routers.

Cisco IOS Packaging Contact: Fariba Farniam ([email protected])

Product Management Contact: Siva Natarajan ([email protected])

2.13.17) Easy VPN Remote Web-Based Activation

Easy VPN has two primary hardware client applications: Teleworker and Branch Office. Teleworker allows user-driven authentication of the client router (for example, interactive XAuth credential entry), with optional authentication of devices behind the client router. Teleworker can also be useful for offices in which one person is authorized to activate the office connection. The second application is Branch Office, in which the client router connects automatically without user intervention (the XAuth credentials are saved in the configuration file). Optionally, devices behind the client router can be authenticated.

Easy VPN Remote Web-Based Activation makes authentication of the remote router easier by providing a Web-based interface in which the user enters the XAuth username and password.

Figure 74 Easy VPN Remote Web-Based Activation

Benefits

Small office or home office (SOHO) users benefit greatly by using a Web-based interface to activate Easy VPN

Remote.


Hardware

Routers • Cisco 800, 1700, 1800, 2600XM, 2800, 3600, 3700, 3800, and 7200 Series Routers

Cisco IOS Packaging

Easy VPN Remote Web-Based Activation is positioned in the Advanced Security packages across Cisco routers.

Cisco IOS Packaging Contact: Fariba Farniam ([email protected])

Product Management Contact: Siva Natarajan ([email protected])

2.13.18) WebVPN

WebVPN is an SSL-based VPN solution that provides clientless remote access by using a Web browser as the remote user's VPN client. Because most personal computers already have a Web browser installed, no further application installation is required to access network resources securely. WebVPN can augment the existing IPsec remote access (Easy VPN) functionality, or, in environments with relatively simple remote access requirements, it may be sufficient to address all remote access demands. Cisco IOS Software WebVPN makes it easy to deploy remote access to internal applications on a single integrated network device.

The first release of WebVPN in Cisco IOS Software supports two functional modes:

• Clientless mode provides secure access to private Web resources and Web content. It is useful for most content that you would expect to use within a Web browser, such as Web sites, databases, or online tools that employ a Web interface.

• Thin client mode extends the browser with a Java applet that forwards TCP ports, enabling remote access for e-mail applications that use POP3, SMTP, and IMAP.

Benefits

• Uses a standard Web browser to access the corporate network and does not require a VPN client to be installed on the client machine.

• The SSL encryption native to the browser provides transport security.

• Granular access control.

• Additional client and server applications are accessed using a Java applet.

• Allows access from noncorporate machines such as airport kiosks. Such endpoints are outside corporate control, so anything typed or cached there, credentials included, should be treated as exposed.

• Allows easy firewall and network traversal from any location.

• Allows transparent wireless roaming.

• The integrated Cisco IOS Firewall provides enhanced security.

Hardware

Routers • Cisco 1800, 2800, 3700, 3800, and 7200 Series; Cisco 7301 Router
</gr_repl�ace>
<gr_replace lines="11802-11808" cat="remove_boilerplate" orig="Cisco Systems">

Cisco Systems, Inc.s are Copyright © 1992–2005 Cisco Systems, Inc. All rights reserved. Important Notices and Privacy Statement.

Page 177 of 218

Page 178: CISCO IOS SOFTWARE RELEASE 12.4 FEATURES AND HARDWAREcna.mamk.fi/Public/Cisco/Ohjeet/2852_pp.pdf · 2009-06-25 · 1) INTRODUCTION: CISCO IOS SOFTWARE RELEASE 12.4 Cisco IOS® Software

All content

Considerations

• If WebVPN is to be enabled on a router that is already running the HTTP secure server, the administrator must configure a separate IP address for WebVPN using the gateway-addr keyword of the webvpn enable command.

• URLs referenced from Macromedia Flash content are not rewritten for secure retrieval through the WebVPN gateway.

• In Cisco IOS Software Release 12.3(14)T this feature supports SSL Version 3 only; Transport Layer Security (TLS) is not supported. SSL 3.0 has since been deprecated (RFC 7568), so this limitation matters for any deployment still on that release.

• The thin client used for TCP port-forwarding applications requires administrative privileges on the end user's computer.

Cisco IOS Packaging

WebVPN is positioned in the Advanced Security packages across Cisco routers.

Cisco IOS Packaging Contact: Fariba Farniam ([email protected])

Product Management Contact: Gary Sockrider ([email protected])

2.13.19) Cisco Router and Security Device Manager 2.1

Cisco Router and Security Device Manager (SDM) 2.1 combines routing and security services management with ease

of use, intelligent wizards, and in-depth troubleshooting capabilities to provide a tool that supports the benefits of

integrating services onto the router. Customers can now synchronize routing and security policies throughout the

network, enjoy a more comprehensive view of their router services status, and reduce their operational costs.

Benefits

• New hardware support

– Cisco Small Business 100 Series

– Cisco VPN Acceleration Module 2+ (VAM2+)

– High-speed WAN interface card 4T (HWIC-4T), HWIC-4A/S, HWIC-8A/S, HWIC-8A, and HWIC-16A

– Provides ability to recognize, configure, and monitor the new hardware

• Localized in six languages

– Cisco SDM user interface and online help translated into Japanese, simplified Chinese, French, German,

Spanish, and Italian (available in May 2005)

– Microsoft Windows OS support for these languages (available now)

– Simplifies router management for native language users

• Cisco SDM Express

– Wizard-based deployment of router

– Offers quick and easy router deployment for basic WAN access configurations

– Ideal router deployment tool for nonexpert users

• PC-based SDM

– Cisco SDM installed on Windows-based PC instead of router flash memory

– No extra flash memory space required on router for SDM

– Great tool to manage the installed base of Cisco routers


• PPP over ATM (PPPoA)

– Offers quick and easy deployment of xDSL router interfaces for PPPoA configurations

• Three new Intrusion Prevention System (IPS) engines

– STRING.TCP, STRING.UDP, STRING.ICMP

– Allows deployment of 500+ additional IPS signatures through SDM

• Dial backup improvements

– Support for dial backup of a dynamically addressed primary WAN interface

– Several fixes that make the configuration process more user friendly

Hardware

Routers • Cisco 830, 1700, 1800, 2600XM, 2800, 3600, 3700, 3800, 7200VXR, and 7301 Series Routers

Cisco IOS Packaging

Router and Security Device Manager 2.1 is positioned in the Advanced Security packages across Cisco routers.

Product Management Contacts: [email protected], [email protected]

2.13.20) Role-Based CLI Access—Granular Interface Control

Cisco introduced Role-Based CLI Access in Release 12.3(7)T. It enables the network device administrator to set up views that define the set of CLI commands each user can access. With the Granular Interface Control enhancement, administrators can restrict a view to specific ports, logical interfaces, and slots on a router.

Figure 75 Role-Based CLI Access—Granular Interface Control (figure: two example views; a Security Operator who can configure AAA, NetFlow, Cisco IOS Firewall, and IDS and run show commands, and a WAN Engineer who can configure routing and interfaces and run show commands)

Benefits

With Role-Based CLI Access—Granular Interface Control, administrators can match user access to CLI commands to the users' operational roles in the organization.

• Security: enhances the security of the device by defining the set of CLI commands accessible to a particular user. This prevents a user from accidentally or deliberately changing a configuration, or collecting information, to which they should not have access.

• Availability: prevents unintentional execution of CLI commands by unauthorized personnel, which could have undesirable results. This minimizes downtime.


• Operational efficiency: users see only the CLI commands applicable to the ports and commands to which they have access; the router therefore appears less complex and commands are easier to find in the on-device help.
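An added example, not from the bulletin, of the two roles in Figure 75 expressed as parser views, with granular interface control limiting the WAN engineer to one interface. The passwords, user names and interface name are placeholders, and the exact keyword acceptance (such as `secret 0`) should be checked against the command reference for the release in use.

```cisco
! Added example: two parser views modeled on Figure 75.
! Passwords, usernames and Serial0/0/0 are placeholders/assumptions.
!
aaa new-model
enable secret <root-view-password>
!
! Views are created from the root view. In privileged EXEC, enter it with:
!   enable view        (prompts for the enable secret)
!
parser view SECURITY-OPERATOR
 secret 0 <sec-op-view-password>
 ! "include all" grants the whole subtree under the keyword.
 commands exec include all show
 commands exec include configure terminal
 commands configure include all aaa
 commands configure include all ip inspect
 commands configure include all ip ips
 commands configure include all ip flow-export
!
parser view WAN-ENGINEER
 secret 0 <wan-view-password>
 commands exec include all show
 commands exec include configure terminal
 commands configure include all router
 ! Granular interface control: only this interface is visible and
 ! configurable from the view.
 commands configure include interface Serial0/0/0
 commands interface include all ip
 commands interface include description
 commands interface include shutdown
!
! Tie local users to their views (an AAA server can return the view instead).
username secop view SECURITY-OPERATOR secret <secop-login-password>
username waneng view WAN-ENGINEER secret <waneng-login-password>
!
! Check from the root view:  show parser view all
! Check as a user:           show parser view      (shows the view you are in)
```

Views are an allow-list: a command that is not included is simply absent from help and rejected, which is why the `configure terminal` line is needed in any view that is allowed to change anything. Keep the root view's enable secret separate from user passwords, since the root view can edit every other view.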

Hardware

Routers • Cisco 7200 Series

• Cisco 1760, 2610XM, 2611XM, 3640A, and 3725 Routers

Product Management Contact: [email protected]

2.13.21) 802.1x Supplicant

There are deployment scenarios in which a network device (a router that would normally act as an 802.1X authenticator) is placed in an unsecured location and therefore cannot be trusted as an authenticator. In this scenario the network device must instead be able to authenticate itself to another network device.

The 802.1X supplicant functionality provides the following:

• Extensible Authentication Protocol (EAP) framework: the supplicant can understand and respond to EAP requests. EAP-Message Digest 5 (EAP-MD5) is currently the supported method.

• Two network devices connected through an Ethernet link can act simultaneously as supplicant and authenticator, providing mutual authentication.

• A network device acting as a supplicant can authenticate itself to more than one authenticator (that is, a single port on a supplicant can connect to multiple authenticators).

Figure 76 802.1x Supplicant (figure: a supplicant router connected to two authenticators)

Benefits

• Consistent, standards-based technology for insertion into any mixed multimedia, multi-vendor network.

• Enforcing corporate policy for network access at Layer 2.

• Single supplicant can connect to multiple authenticators, so different connectivity and security policies can

be implemented for different users.
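An added example, not from the bulletin, of a router in an unsecured location authenticating itself as a supplicant on its uplink. The credential name, username and password are assumptions; `dot1x credentials` and `dot1x pae supplicant` are the router supplicant commands as I know them for this generation of IOS and should be confirmed against the command reference for the release in use.

```cisco
! Added example: router acting as 802.1X supplicant on FastEthernet0/0.
! EDGE-SUPPLICANT, the username and password are assumptions.
!
dot1x credentials EDGE-SUPPLICANT
 username branch-r1
 password 0 <supplicant-password>
!
interface FastEthernet0/0
 ! Supplicant role toward the upstream authenticator. ("dot1x pae both" is
 ! the form for a link where each side authenticates the other.)
 dot1x pae supplicant
 dot1x credentials EDGE-SUPPLICANT
!
! Check:  show dot1x interface FastEthernet0/0   (PAE role and EAP state)
```

The only method listed is EAP-MD5, and its properties matter here: it does not authenticate the authenticator to the supplicant, and it derives no keying material, so a listener on the link sees the challenge and the MD5 response in the clear and can run an offline dictionary attack on the password. Use a long random password for the router identity, rotate it when the device changes hands, and treat the port as authenticated-but-unencrypted.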


Hardware

Routers • Cisco 800, 1700, 2600, 3600, 7200, 7300, 7400, and 7500 Series Routers

Additional Information:

http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_feature_guides_list.html

Product Management Contact: [email protected]

2.13.22) Cisco IOS Intrusion Prevention System

Cisco IOS Intrusion Prevention System (IPS) uses inline deep packet inspection to enhance the network attack mitigation capabilities of Cisco IOS Software. By enabling IPS, customers can quickly protect their network from known network attacks without disrupting router functions or other embedded security capabilities, such as protocol anomaly detection.

Cisco IOS IPS lets the user load and enable any of the 700+ IDS signatures supported by the Cisco IDS Sensor to deter network attacks. In addition, the user can modify any existing signature or create a new signature to deter newly discovered intrusions. Cisco IOS IPS supports the following actions:

• Send an alarm

• Drop the packet

• Reset the connection

Figure 77 Cisco IOS Intrusion Prevention System (figure: an attack (1) arrives at the IPS-enabled router, which drops the packet (2), resets the connection (3), and sends an alarm (4) to the network management console)

Benefits

• Ubiquitous protection of network assets

Cisco IOS IPS is supported on a broad range of Cisco routers, enabling the user to protect network users and assets deep into the network architecture. The router becomes a security enforcement point.

• Inline deep packet inspection

Cisco IOS IPS enables users to stop known network attacks. When a signature matches, Cisco IOS IPS intercepts the intrusion attempt as it traverses the router. It uses deep packet inspection to look into the payload of a packet and uncover known malicious activity.


• IDS signature support

Cisco IOS IPS can now be enabled with any of the 700+ IDS signatures supported by the Cisco IDS Sensors to mitigate today's known network attacks. As new attacks are identified on the Internet, these signatures are updated and posted to Cisco.com so that they can be downloaded to the Cisco router by way of VMS IDS MC 2.3 or SDM 2.0. IDS MC also provisions the Cisco IDS Sensor appliance products.

• Customized signature support

Cisco IOS IPS can now customize existing signatures and create new ones. This day-one capability mitigates attacks that try to capitalize on slight deviations from known or newly discovered attacks.

Hardware

Routers • Cisco 830, 1700, 1800, 2600, 2800, 3700, 3800, and 7200 Series Routers

Additional Information:

http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_feature_guides_list.html

Product Management Contact: [email protected]

2.13.23) Cisco IOS Security Device Event Exchange

Cisco IOS Software now supports the Security Device Event Exchange (SDEE) protocol. SDEE is a new standard that specifies the format of the messages and the protocol used to communicate events generated by security devices. SDEE is designed so that any vendor can support it, which lets mixed-vendor IDS environments share one network management alert interface. TrueSecure (ICSA) is currently proposing it as the unified industry protocol format for all vendors to communicate with network management applications. SDEE uses a pull model: requests come from the network management application and the IDS/IPS router responds. SDEE uses HTTP and XML to provide a standardized interface. The Cisco IOS IPS router still sends IDS alerts via syslog as well.

Figure 78: Cisco IOS Security Device Event Exchange

Benefits

• Vendor Interoperability

SDEE is intended to become the standard format in which all vendors communicate events to a network management application. This lowers the cost of supporting proprietary vendor formats and, potentially, multiple network management platforms.

• Secured transport

Carrying SDEE over HTTPS (HTTP over SSL) protects the event data as it traverses the network. The protection applies only when the router's HTTPS server is used; an SDEE subscription taken over plain HTTP delivers alert data in the clear.
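The following is an added configuration example, not text or code from the bulletin, showing how the Cisco IOS IPS and SDEE pieces described above fit together on a Release 12.4 router: the IPS rule is applied inbound on the Internet-facing interface, alerts go to both syslog and SDEE, and the SDEE subscription is reachable only over the router's HTTPS server from one management host. The interface name, addresses, ACL number, username and the tuned signature ID are assumptions for illustration.

```ios
! Added example: Cisco IOS IPS with SDEE notification on a Release 12.4 router
! (illustrative; names, addresses, ACL number and signature ID are assumed)
!
! Load the attack-drop signature file from flash on top of the built-in signatures
ip ips sdf location flash:attack-drop.sdf
! Send alerts to syslog and to the SDEE event buffer (the management
! station pulls from the buffer; the router never connects outward)
ip ips notify log
ip ips notify sdee
! Create an IPS rule and apply it inbound on the Internet-facing interface
ip ips name IOSIPS
interface FastEthernet0/0
 description Outside
 ip address 203.0.113.2 255.255.255.252
 ip ips IOSIPS in
!
! Tune a signature that is too noisy for this site (signature ID assumed)
ip ips signature 2004 disable
!
! SDEE is served by the router's HTTP server: use HTTPS only, authenticate
! against the local user database, and limit access to the management host
no ip http server
ip http secure-server
ip http authentication local
ip http access-class 10
access-list 10 permit host 192.0.2.10
! Account the SDEE collector logs in with (privilege level assumed)
username sdee-collector privilege 15 secret <strong-password>
! Size of the SDEE event buffer and number of concurrent subscriptions
ip sdee events 500
ip sdee subscriptions 2
```

Check the result with `show ip ips configuration` (rule, SDF location and notification settings) and `show ip sdee subscriptions` once the management station has opened its subscription. Alerts that arrive before any subscription is open are held only up to the configured event buffer size, so size `ip sdee events` for the polling interval of the collector.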

Routers • Cisco 830, 1700, 1800, 2600, 2800, 3700, 3800, and 7200 Series Routers

[Figure 78 content: the Network Management station pulls events from the IPS router over the SDEE protocol; Alarm]


Hardware

Additional Information:

http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_feature_guides_list.html

Product Management Contact: [email protected]

2.13.24) Cisco IOS Firewall IPv6 FTP Support

Cisco IOS Software now performs stateful packet inspection of the File Transfer Protocol (FTP) over IPv6. Cisco IOS Firewall tracks the FTP control channel and opens dynamic pinholes for the data channels negotiated on it, so that return traffic can traverse the firewall back to the FTP client; it also monitors the session for RFC compliance and alerts the network about protocol anomalies that indicate an end user attempting something malicious. Cisco IOS Firewall tracks the initial FTP handshake and the session termination, ensuring that a user has been authenticated before any data traverses the firewall. This lets Cisco IOS Firewall prevent network intrusion by unauthorized users who attempt to initiate a connection across the network or to take over the session of an authorized user. When the user logs off or terminates the session in some other way (for example, with an abort), the firewall immediately closes all open data and control channels associated with that user.

Additionally, Cisco IOS Firewall now supports Port-to-Application Mapping (PAM) for IPv6. PAM correlates TCP or UDP port numbers with specific network services or applications. By mapping port numbers to network services or applications, an administrator can force firewall inspection on custom configurations that are not defined by well-known ports.

Benefits

• Investment Protection

A wide range of Cisco routers, from the Cisco 1700 Series through the Cisco 7200 Series, support Cisco IOS

Firewall. This further enhances the total return of investment in Cisco routers by providing a broad range of

network enforcement points, while coexisting in IPv4 and IPv6 environments.

• Protocol Anomaly Detection for FTP

Cisco IOS Firewall maintains the integrity of the network by monitoring it for network attacks that leverage

protocol RFC non-compliance.

• Authorized FTP users allowed

Only users who have been authenticated by the FTP server are allowed to initiate session creation. Cisco IOS Software ensures that unauthorized users cannot take advantage of data and control channels left open by a previous user. This decreases the network's exposure to unauthorized users.

Hardware

Additional Information:

http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_feature_guides_list.html


Routers • Cisco 1700, 1800, 2600, 2800, 3700, 3800, and 7200 Series Routers


Product Management Contact: [email protected]

2.13.25) Cisco Easy VPN 4.0

Release 12.3(11)T introduces several enhancements to the Easy VPN Remote:

• Easy VPN Remote with IEEE 802.1x Authentication

Cisco Easy VPN 4.0 adds support for configuring 802.1x port-based authentication on the private interfaces of the Easy VPN Remote router. This was not available in previous versions of Easy VPN Remote.

Cisco Easy VPN 4.0 also supports Public Key Infrastructure (PKI) certificates. Previously, only pre-shared keys could be used as key material for the Internet Key Exchange (IKE) (IPsec Phase 1) connection. Configuration is the same as for standard site-to-site IPsec. When configuring PKI on the remote router, it is critical that the subject-name command matches the subject name in the certificate, or PKI authentication will fail.

• Easy VPN Remote Backup Server List Auto-Configuration

Easy VPN Remote allows the configuration of multiple servers (concentrators) to which the remote router will

attempt to connect. With this enhancement, the Easy VPN Server can “push” this server list to Easy VPN Remote

clients, eliminating the requirement to manually configure the list of servers on the Easy VPN Remote. Instead,

only one server needs to be preconfigured on the remote, and the rest of the server list will be pushed from the

server at connect time.

• Easy VPN Remote Management Enhancements

This feature simplifies the remote management of a Cisco IOS Router acting as an Easy VPN Remote. It does

this by making the IP address pushed from the server at connect time fully manageable. The pushed address is

automatically assigned to a loopback interface that is dynamically created. This enables ping, Telnet, SNMP, and

even dynamic routing to use the pushed address as the address to reach the router. The user can design central

site management solutions that use the pushed address as the address to reach the remote routers. This feature

can be enabled in both client and network extension modes; it is possible to push an address in NEM, although

users can manage the static IP address assigned to the private interface.

• Easy VPN Remote Load Balancing

When configured for load balancing, the Cisco VPN 3000 Series Concentrator with Easy VPN, accepts an

incoming request from the Easy VPN Remote router on its virtual IP address, and if required (for instance, if the

server is heavily loaded), it sends a “notify” message to the remote that contains an IP address that represents the

new peer to which the client should connect. The Easy VPN Remote router can receive this “redirect” message

and it attempts to connect a different server at the address contained in the notify message. Syslog messages

indicate when a transition from one peer to another occurs.

• Easy VPN Remote VLAN Support

It is now possible to define a VLAN as an Easy VPN Remote inside (private) interface. This may be an internal VLAN on the remote router (for instance, the switch ports in a Cisco 1711 Router). Once the VLAN is defined as the inside interface, IPsec security associations (SAs) are established for it just as they are for a physical inside interface.


• Easy VPN Remote Multiple Subnet Support

This enhancement allows multiple subnets on a single inside interface on the Easy VPN Remote router to be

defined to Easy VPN. Previously, only a single subnet could be defined for Easy VPN on each inside interface. The

subnets can be multiple hops away (cascaded) off the inside interface LAN (for example, the Easy VPN router

private interface is connected to a router that has a subnet behind it). The subnets must be configured manually;

they cannot be learned by dynamic routing.

• Easy VPN Remote and Server on Same Interface

Easy VPN Remote and server functions now can be configured on the same interface. A typical application would

be a remote router that acts as a client to the headquarters Easy VPN server, while it acts as a server for local

software clients. Such a router typically would have a single public interface to the Internet, and both the server

and client functions would be configured on this interface.

• Easy VPN Remote and Site-to-Site on Same Interface

Easy VPN Remote and site-to-site (standard IPsec) functions now can be configured on the same interface. A

typical application would be a remote router that acts as a client to the headquarters Easy VPN server while it

also has a site-to-site tunnel that is used strictly for management.

• Easy VPN Perfect Forward Secrecy (PFS) Using Policy Push

The PFS setting for the Easy VPN connection now can be dynamically set at connect time using MODCFG policy

push from the server. Previously, PFS had to be configured manually on the Easy VPN Remote.

Hardware

Additional Information: http://www.cisco.com/en/US/partner/products/sw/iosswrel/ps5207/

products_feature_guide09186a00801541d5.html

Product Management Contact: [email protected]

2.13.26) Cisco Security and Router Device Manager 2.0

Cisco Security and Router Device Manager (SDM) 2.0 combines routing and security services management with ease

of use, intelligent wizards, and in-depth troubleshooting capabilities to provide a tool that supports the benefits of

integrating services onto the router. Customers can now synchronize the routing and security policies throughout the

network, enjoy a more comprehensive view of their router services status, and reduce their operational costs.

Key new features in Cisco SDM 2.0 include support for:

• Inline IPS with dynamic signature update and signature customization (see Cisco IOS IPS)

• Role-Based Router Access

• Easy VPN Server and AAA

• Digital Certificates for IPsec VPNs

Routers • Cisco 800, 1700, 2600, 3700, 7200, and 7500 Series Routers

• Cisco 3640 and 3660 Routers


• VPN and WAN connection troubleshooting

• QoS policy configuration and NBAR-based application traffic monitoring

Hardware

Additional Information: http://www.cisco.com/go/sdm

Product Management Contact: [email protected]

2.13.27) Dynamic Multipoint VPN Spoke to Spoke Functionality

Dynamic Multipoint VPN (DMVPN) Spoke to Spoke Functionality allows dynamic on-demand direct spoke to

spoke tunnels to be created between two DMVPN spoke CPEs without traversing the hub. This feature enables

production-ready spoke-to-spoke functionality in a single hub and multi-hub environment in a DMVPN network.

It also incorporates increased spoke to spoke resiliency and redundancy in multi-hub configurations.

Figure 79: Dynamic Multipoint VPN Spoke to Spoke Functionality

Benefits

• Direct Spoke-to-Spoke Tunnels

This functionality allows direct spoke to spoke tunnel creation between two branch offices without the traffic

having to go through the hub. Spokes can take advantage of an internet connection directly available between

them. This leads to reduced latency and jitter for spoke to spoke traffic and improved bandwidth utilization.

Routers • Cisco 800, 1700, 1800, 2600, 2800, 3700, 3800, 7200, and 7500 Series Routers

• Cisco 3640 and 3660 Routers

[Figure 79 content: Branch Office sites (Linux, Mac and MS-Windows PCs, WLAN) with Data VPN Gateway 1 and Gateway 2 connected over the Internet; VPN Gateway giving Access to Corporate Resources on the Internal Network; Management Network with ISC, IE2100, PKI and AAA]


DMVPN networks deliver a lower cost per MByte of Bandwidth than native IPsec networks because the spoke

to spoke traffic is not restricted by hub bandwidth utilization and at the same time it does not add any additional

overhead to the hub bandwidth utilization.

• Avoids Dual Encrypts and Decrypts

Native IPsec and IPsec + GRE networks are organized as hub-and-spoke networks. As a result, all spoke-to-spoke traffic passes through the hub and is encrypted and decrypted twice, putting an additional burden on the hub CPU. DMVPN alleviates the problem by creating direct on-demand spoke-to-spoke tunnels.

• Smaller Spoke CPEs can Participate in a Virtual On-Demand Full Mesh

DMVPN allows smaller spoke CPE to participate in a virtual on demand full mesh. Creating and managing a full

mesh is often not possible for smaller spoke CPE which cannot handle more than a dozen IPsec tunnels. DMVPN

allows the spokes to create tunnels to other spokes on demand and tear down the tunnels after use.
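An added configuration example (not from the bulletin, and not Cisco's reference configuration) of one DMVPN spoke set up so that it can build the direct spoke-to-spoke tunnels described above: the tunnel is multipoint GRE, NHRP registers the spoke with the hub and resolves other spokes' public addresses on demand, and the tunnel is protected by an IPsec profile. Addresses, keys, the tunnel key, NHRP network ID and interface names are assumptions; the hub-side routing commands mentioned in the comments are the ones needed for the spoke to learn another spoke as next hop.

```ios
! Added example: DMVPN spoke configured for direct spoke-to-spoke tunnels
! (illustrative; addresses, keys, IDs and interface names are assumed)
!
crypto isakmp policy 10
 encryption aes
 authentication pre-share
 group 2
! Wildcard pre-shared key so this spoke can negotiate IKE with any other spoke,
! not only with the hub. Anyone holding the key can become a peer, so at
! scale prefer certificates (see the PKI support described for Easy VPN).
crypto isakmp key Dmvpn-PSK-Change-Me address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set DMVPN-TS esp-aes esp-sha-hmac
 mode transport
crypto ipsec profile DMVPN-PROF
 set transform-set DMVPN-TS
!
interface Tunnel0
 ip address 10.0.0.12 255.255.255.0
 ! multipoint GRE is what allows a spoke to terminate tunnels from other spokes
 tunnel mode gre multipoint
 tunnel source FastEthernet0/0
 tunnel key 100
 ! NHRP: register with the hub (next-hop server) and learn other spokes'
 ! public addresses on demand; the authentication string is at most 8 characters
 ip nhrp authentication NHRPKEY1
 ip nhrp network-id 100
 ip nhrp map 10.0.0.1 203.0.113.1
 ip nhrp map multicast 203.0.113.1
 ip nhrp nhs 10.0.0.1
 ip nhrp holdtime 300
 tunnel protection ipsec profile DMVPN-PROF
!
interface FastEthernet0/0
 description Internet
 ip address 198.51.100.12 255.255.255.0
!
! Routing over the tunnel. For spoke-to-spoke traffic to bypass the hub, the
! hub must advertise another spoke's LAN with that spoke's tunnel address as
! next hop; on the hub's tunnel interface that means
!   no ip next-hop-self eigrp 100
!   no ip split-horizon eigrp 100
router eigrp 100
 network 10.0.0.0 0.0.0.255
 network 192.168.12.0 0.0.0.255
 no auto-summary
```

After traffic flows to another spoke, `show ip nhrp` on this spoke should show a dynamic entry for the remote spoke's tunnel address mapped to its public address, and `show crypto session` should list an IPsec session with that public address as peer rather than with the hub. If every session still points at the hub, check the next-hop handling on the hub first.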

Hardware

Additional Information:

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_white_paper09186a008018983e.shtml

Product Management Contact: [email protected]

2.13.28) Cisco IOS Network Admission Control

Cisco IOS Network Admission Control (NAC) adds vital access router support for the Cisco NAC solution, which

empowers organizations to contain security threats before they cause damage. Cisco IOS NAC, the software-based

portion of this solution, enables Cisco access routers to detect a user’s compliance with anti-virus policies, and thus

enforce network access privileges appropriately. Non-compliant devices can be denied access, placed in a quarantined

area, or given restricted access to computing resources. The access decision can be based on information such as the

endpoint’s anti-virus state and operating system patch level.

Cisco NAC now enables Cisco IOS Software devices to identify and isolate unprotected or infected hosts as they

connect to the network, thereby preventing them from potentially spreading viruses in the network. Network

administrators can define and enforce posture validation of endpoint devices connecting to the network.

The initial release of Cisco NAC consists of four components:

• Cisco Trust Agent: software that resides on the endpoint system. Cisco Trust Agent collects security state information from multiple security software clients, such as anti-virus clients, and then communicates this information back to the Cisco IOS network access device, which enforces admission control.

• Network Access Devices: network devices (Cisco IOS Software routers) enforce admission control policy. These

devices demand host security “credentials” and relay the information to policy servers where network admission

control decisions are made. Decisions could include permit, deny, quarantine, or restrict.

• Policy Server (Cisco Secure Access Control Server [ACS]): evaluates the endpoint security information relayed

from the Cisco IOS Software device and determines the appropriate policy to implement. Cisco ACS is the

foundation of the policy server system.

Routers • Cisco 800, 1700, 2600, 3700, 7200, and 7400 Series Routers

Switches • Cisco Catalyst 6000 Series Switch with MWAM Card and VPNSM Module


• Management System: CiscoWorks VPN/Security Management Solution (VMS) provisions Cisco NAC elements,

while CiscoWorks Security Information Manager Solution (SIMS) provides monitoring and reporting tools.

This release of Cisco NAC addresses the two most pressing compliance tests required: anti-virus software state and

operating system information. These tests include anti-virus vendor software version, engine level, and signature file

levels as well as the operating system type and patch levels. Anti-virus vendors, such as Network Associates,

Symantec and Trend Micro, are integrating their applications with Cisco NAC.

Figure 80: Cisco IOS Software Router Support for Cisco IOS NAC

• Improved Security

Cisco NAC helps ensure that all hosts comply with the latest corporate anti-virus and operating system patch

policies prior to obtaining normal network access. Vulnerable and noncompliant hosts may be isolated and

assigned reduced access until they are patched and secured, preventing them from being the targets of or the

sources for worm and virus infections.

• Investment Protection

Cisco NAC is supported on a broad range of Cisco IOS Software routers, ranging from the Cisco 800 Series to the

Cisco 7200 Series Routers. This solution integrates and increases the value of investments in the Cisco network

infrastructure, Cisco endpoint security, and anti-virus technology.

• Deployment Scalability

Cisco NAC provides comprehensive access control across all access methods that hosts use to connect to the

network. It also supports heterogeneous vendor scenarios. This solution also allows the setting of differentiated

access policy for responsive hosts (those running the Cisco trust agent) and non-responsive hosts.

• Increased Resilience and Availability

By taking information about endpoint security status and combining it with network admission enforcement,

Cisco NAC enables customers to dramatically improve the security of their computing infrastructures.

• Multiple Vendor Compatibility

In addition to the initial list of partners, Cisco will continue to work with more anti-virus and host-based

application vendors to allow customers greater flexibility in the choice of anti-virus vendors.

[Figure 80 content: Hosts Attempting Network Access (Cisco Trust Agent) communicate over EAP/UDP with the Network Access Devices, which relay credentials over RADIUS to the Policy Server Decision Points; the policy server consults an Anti-Virus Vendor Server over HTTPS. Steps: 1 Credentials, 2/2a Credentials, 3 Enforcement, 4 Comply?, 5 Access Right, 6 Notification]


Hardware

Additional Information:

http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_feature_guides_list.html

Product Management Contact: [email protected]

2.13.29) Quality of Service per VPN Group

Quality of Service (QoS) per VPN Group allows Cisco IOS QoS mechanisms to be applied to a group of IPsec flows. With QoS per VPN session group, all flows that belong to one ISAKMP profile can be classified together and policed on the interface that has both the crypto map and the service policy applied.

The QoS per VPN session group feature is well suited to situations where a head-end device has large groups of IPsec peers. In Figure 81, for example, the IPsec peers of the head-end router are executives, engineers and sales. Each group is identified by its IPsec Security Associations (SAs). The QoS policies applied to the IPsec flows are based on a QoS group ID: each ISAKMP profile is mapped to a QoS group, the QoS group is referenced in the class maps used for QoS, and the QoS policies are then applied at the group level.
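An added configuration example (not from the bulletin) of the mapping chain just described on a head-end router: each ISAKMP profile tags its IPsec flows with a QoS group ID, class maps match on that ID, and a policy map polices each class on the interface carrying the crypto map. Group names, rates, addresses and interface names are assumptions.

```ios
! Added example: QoS per VPN group on a head-end router
! (illustrative; group names, rates, addresses and interface names are assumed)
!
! Each remote group terminates on its own ISAKMP profile; the profile tags the
! IPsec flows belonging to its SAs with a QoS group ID
crypto isakmp profile ENGINEERS
 match identity group engineers
 qos-group 1
crypto isakmp profile EXECUTIVES
 match identity group executives
 qos-group 2
!
! Class maps key on the QoS group ID, not on addresses or ports, so the
! policy follows the group however its members address their traffic
class-map match-any VPN-ENGINEERS
 match qos-group 1
class-map match-any VPN-EXECUTIVES
 match qos-group 2
!
! Police each group to its agreed rate (bits per second, values assumed)
policy-map VPN-GROUPS
 class VPN-EXECUTIVES
  police cir 4000000 conform-action transmit exceed-action drop
 class VPN-ENGINEERS
  police cir 2000000 conform-action transmit exceed-action drop
 class class-default
  police cir 1000000 conform-action transmit exceed-action drop
!
crypto ipsec transform-set VPN-TS esp-aes esp-sha-hmac
crypto dynamic-map DYN 10
 set transform-set VPN-TS
crypto map HEADEND 10 ipsec-isakmp dynamic DYN
!
! The crypto map and the service policy must sit on the same interface
interface GigabitEthernet0/0
 description Internet-facing head-end interface
 ip address 203.0.113.1 255.255.255.0
 crypto map HEADEND
 service-policy input VPN-GROUPS
```

`show crypto isakmp profile` confirms which QoS group each profile carries, and `show policy-map interface GigabitEthernet0/0` shows per-class conformed and exceeded counters, which is the quickest way to see whether a group is actually being matched or is falling into class-default. A flow that matches no ISAKMP profile gets no QoS group tag, so class-default is where untagged traffic ends up.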

Figure 81: QoS with Cisco IOS VPN

Routers • Cisco 831, 836 and 837 Routers

• Cisco 1701, 1711, 1712, 1721, 1751, 1751-V, and 1760 Routers

• Cisco 2600XM and 2691 Routers

• Cisco 3640, 3640 A, and 3660-ENT Series Routers

• Cisco 3825 and 3745 Routers

• Cisco 7200, 7301, and 7401 Routers

Access Servers • Cisco AS5350, AS5400, AS5850 Access Servers

[Figure 81 content: Executives, Engineers and Sales groups terminate on the Head-End Crypto Profile; Per Group QoS applied as QoS for Traffic Policing]


Benefits

The QoS per VPN session group feature can provide several benefits to the user. It can be used to:

• Enable allocation of QoS policies on per group basis.

• Ensure equal access to available bandwidth across multiple links in a service provider environment.

• Guarantee certain customers a minimal amount of bandwidth.

Hardware

Additional Information:

http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_feature_guides_list.html

Product Management Contact: [email protected]

2.13.30) Cisco AutoSecure Rollback & Logging

Cisco AutoSecure, originally introduced in Cisco IOS Software Major Release 12.3 (May 2003), enables rapid

implementation of security policies and procedures to ensure secure networking services by offering a single

CLI command to lock down the device.

Cisco AutoSecure Rollback enhances the feature by providing a method to restore the system configuration to its state prior to execution of the autosecure command. The feature takes a snapshot of the current running configuration and stores it on the ATA disk before the autosecure command executes. When rollback is initiated, the system is restored to the snapshot configuration.

Rollback can occur in either automated or manual mode. Automated rollback is initiated if Cisco AutoSecure experiences a failure during its operation. In manual mode, the user simply issues the standard CLI rollback command and the rollback process is initiated.

Cisco AutoSecure Logging initiates a syslog message when the autosecure set of commands are executed.

Benefits

• Simplifies Device Lockdown

With Cisco AutoSecure Rollback & Logging, users can apply Cisco AutoSecure with more confidence. If the command was issued by accident, the configuration can easily be restored to its original state.

• Tracking of Cisco AutoSecure Execution

With the Cisco AutoSecure logging feature, a system administrator can track when autosecure has been executed.

Hardware

Additional Information:

http://www.cisco.com/en/US/products/sw/iosswrel/ps5187/products_feature_guide09186a008017d101.html

Routers • Cisco 800, 1700, 2600, 3600, 7200, 7300, 7400, and 7500 Series Routers

Routers • Cisco 2691 Router

• Cisco 1700 and 3700 Series Routers

• Cisco 7200 Series with ATA Disk


Product Management Contact: [email protected]

2.13.31) Easy Secure Device Deployment Authentication, Authorization, and Accounting Integration

Easy Secure Device Deployment (SDD) Authentication, Authorization, and Accounting (AAA) Integration allows

an end device to connect to another end device using Trusted Transitive Introduction (TTI) to deploy Public Key

Infrastructure (PKI) without having to be “introduced” by a third device, such as a system administrator. If the first

end device has an account on an AAA server, it can obtain authentication and authorization directly from the server

database, which eliminates the need to obtain an access password from the third device.

Figure 82: Easy SDD AAA Integration

Benefits

• User does not need to enable passwords for devices, because AAA verifies the credentials.

• Simplified PKI enrollment and deployment, because the two end devices can now connect directly without

the intervention from a system administrator.

• User authentication and configuration update occurs through AAA.

Hardware

Additional Information:

http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_feature_guides_list.html

Product Management Contact: [email protected]

Routers • Cisco 800, 1700, 2600, 3600, 7200, 7300, 7400, and 7500 Series Routers

[Figure 82 content: Small Office/Home Office device; Introducer (user performs the introduction); Cisco IOS Certified Server and TTI Registrar; AAA Server; Certified Enrollment and Configuration Update]


2.13.32) Cisco IOS Resilient Configuration

Cisco IOS Resilient Configuration provides a safeguard to restore the configuration after unwanted erasure of the

Cisco IOS Software configuration.

After an accidental or deliberate, hostile erasure of the configuration, the device cannot operate normally, resulting in network downtime. By using the Cisco IOS Resilient Configuration feature as a precautionary measure, administrators can quickly restore the system to a running state.

The Cisco IOS Resilient Configuration CLI command takes a snapshot of the running router configuration and securely archives it in persistent storage. The archived file is hidden and cannot be viewed or removed; it can only be overwritten. The restore option reproduces a copy of the secure configuration archive, from which the system is restored.

This feature requires devices that support a PCMCIA ATA disk.
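An added example session (not from the bulletin) showing the feature in use: the archive is created, checked, and later used to recover after the startup configuration has been erased. The feature also secures the running IOS image (`secure boot-image`), which the bulletin does not mention but which uses the same mechanism; the rescue file name is an assumption.

```ios
! Added example: Cisco IOS Resilient Configuration (secure bootset)
! (illustrative; the rescue file name is assumed)
Router# configure terminal
! Secure the running image and take the hidden snapshot of the running config
Router(config)# secure boot-image
Router(config)# secure boot-config
Router(config)# end
! The archive does not appear in "dir"; this is the only way to see it
Router# show secure bootset
!
! --- Recovery after the startup configuration has been erased ---
! (if the image was removed too, boot the secured image from ROMMON first)
Router# configure terminal
! Copy the hidden archive out to a visible file...
Router(config)# secure boot-config restore flash:rescue-config.cfg
Router(config)# end
! ...load it as the running configuration, then save it
Router# copy flash:rescue-config.cfg running-config
Router# copy running-config startup-config
!
! Re-run "secure boot-config" after every intended change so the archive
! tracks the current configuration. The feature can be turned off
! ("no secure boot-config") only from the console, not over a remote session,
! which is what keeps a remote attacker with enable access from removing it.
```

The archive is a point-in-time copy: if it is not refreshed after changes, a restore will silently roll the device back to the older configuration, so pair the `secure boot-config` step with the change process.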

Benefits

• Enhances Protection of the Cisco IOS Software Configuration

Because the archived configuration file is not removable and it is hidden, even if the running configuration

is erased, whether accidental or intentional, a backup copy is stored on the device.

• Rapid Recovery of the System Configuration

Since a copy of the configuration is stored right on the device and Resilient configuration feature provides

a quick restore command, system administrators can quickly restore a system to a running state.

Hardware

Additional Information:

http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_feature_guide09186a008022a7ce.html

Product Management Contact: [email protected]

2.13.33) Call Admission Control for Internet Key Exchange

This feature improves VPN tunnel stability and router resource usage by rate limiting the number of concurrent incoming and outgoing Internet Key Exchange (IKE) requests that are processed, according to the resources available on the router. It also allows a hard limit to be placed on the number of IKE requests a device will handle.

Benefits

• Prevention of poor performance or resource overload.

• Protection of the router from Denial of Service (DoS) attacks, with respect to large number of IKE requests.
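An added configuration example (not from the bulletin) of both limits described above. The numeric values are assumptions and must be tuned to the platform and the expected number of peers.

```ios
! Added example: Call Admission Control for IKE
! (illustrative; the limit values are assumed)
!
! Hard limit: stop accepting new IKE negotiations once this many IKE SAs
! (negotiating plus established) exist on the router
crypto call admission limit ike sa 40
!
! Resource-based limit (global call admission, shared with voice CAC):
! reject new IKE requests while system resource utilization exceeds 90 percent
call admission limit 90
```

`show crypto call admission statistics` reports how many IKE requests were accepted and rejected under each limit. Size the hard limit above the number of peers plus re-key headroom: after a WAN flap every spoke tries to rebuild IKE at once, and a limit set at exactly the peer count turns that burst into a self-inflicted outage for the last spokes in line. A steadily rising rejected counter with no change in the peer population is the signal to look for an IKE flood rather than to raise the limit.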

Routers • Cisco 2691 Router

• Cisco 1700 and 3700 Series Routers

• Cisco 7200 Series with ATA Disk


Hardware

Product Management Contact: [email protected]

2.13.34) Certificate to Internet Security Association and Key Management Protocol Profile Mapping

Certificate to Internet Security Association and Key Management Protocol (ISAKMP) Profile Mapping is used in the context of PKI deployments. It helps to uniquely identify a group of users by mapping the Distinguished Name (DN) field, or part of the DN fields, in a certificate to a group of users. When certificates are used for authentication, the IKE identity payload carries the subject name from the certificate. Some PKI deployments, however, do not give users control over the SubjectName field in the certificate; this feature lets the router rely on other fields in the certificate to distinguish a user.

Mapping on DN fields can be used as an alternative to the identity field. With this feature, Cisco IOS ISAKMP profiles can match on certificate contents in addition to the fields already supported (for example FQDN, IP address and group name).

Benefits

An alternative means of identifying users who authenticate with certificates.
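An added configuration example (not from the bulletin) of the mapping described above: certificate maps select peers by DN content, and each ISAKMP profile matches one of the maps instead of an IKE identity. The CA name, DN strings and profile names are assumptions.

```ios
! Added example: certificate-to-ISAKMP-profile mapping
! (illustrative; CA name, DN strings and profile names are assumed)
!
crypto pki trustpoint CORP-CA
 enrollment url http://ca.example.com:80
 revocation-check crl
!
! Certificate maps: "co" = contains, "eq" = equals. The fields are compared
! against the peer's certificate, not against the IKE identity payload,
! so they work even when the subject name is outside the user's control.
! Pin the issuer as well: without it, any certificate from any trusted CA
! that happens to carry ou=engineering would match.
crypto pki certificate map ENGINEERING-CERTS 10
 subject-name co ou = engineering
 issuer-name co cn = corp issuing ca
crypto pki certificate map EXECUTIVE-CERTS 10
 subject-name co ou = executives
 issuer-name co cn = corp issuing ca
!
! Each profile selects its peers by certificate map instead of by
! "match identity address/fqdn/group"
crypto isakmp profile ENGINEERS
 ca trust-point CORP-CA
 match certificate ENGINEERING-CERTS
crypto isakmp profile EXECUTIVES
 ca trust-point CORP-CA
 match certificate EXECUTIVE-CERTS
```

Prefer `eq` to `co` when the group attribute must match exactly; with `co`, "ou = engineering" also matches an OU of "engineering-contractors". `show crypto isakmp profile` lists the maps bound to each profile, and `show crypto pki certificates` shows the exact subject and issuer strings a peer's certificate will be compared against.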

Hardware

Product Management Contact: [email protected]

2.13.35) Crypto Access Check On Clear Text Packet

Before this feature, an inbound IPsec packet was checked against the outside interface's inbound Access Control List (ACL) twice: once as the encrypted packet and again as the decrypted clear-text packet. Crypto Access Check on Clear-Text Packets removes that second, automatic check, so the interface ACL only needs to permit the IPsec traffic itself.

Customers who still require the decrypted clear-text packets to be checked can enable the second ACL check explicitly: the command "crypto access checks ACL in" must be configured under the crypto map. If the interface ACL was the only control on what a peer could send through the tunnel, removing the second check widens what reaches the inside network; in that case either re-enable the check or filter the decrypted traffic elsewhere, for example with an ACL on the inside interface.

Benefits

• Easier configuration of ACLs.

• Eliminates the configuration problems associated with a double ACL check.

• Gives customers the option of enabling or disabling the second ACL check on the decrypted packets for more security in their networks.

Hardware

Routers • Cisco 800, 1700, 2600, 3600, 7200, 7300, 7400, and 7500 Series Routers



Additional Information:

http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_feature_guides_list.html

Product Management Contact: [email protected]

2.13.36) RADIUS Attribute Screening support for Access-Request

Description

The RADIUS Attribute Screening feature allows users to configure a list of "accept" or "reject" RADIUS attributes on the network access server (NAS) for purposes such as authorization or accounting.

This enhancement extends attribute screening to Access-Request packets, in addition to the Access-Accept and Accounting-Request packets already supported in Cisco IOS Software.

Benefits

Improved control and manageability: better control over which attributes, in particular the Called-Station-Id, are sent to an ISP in Access-Request packets, according to the pre-arranged agreement with that ISP.

Hardware

Product Management Contact: [email protected]

2.13.37) Role-Based CLI Access

Description

This feature enables the network device administrator to set up views that define the set of CLI commands users may access. It is a new user access control feature that complements the existing privilege-level feature and offers a higher degree of customization.

• On a single device, up to 16 views can be defined by the network device administrator.

• The network administrator can define whether users are in privilege mode or view mode when they log into the device.

• Each user can be assigned one or more views. Each view is associated with a password that is required when a user switches between views (if a person is assigned multiple views).

• Views are defined by the network administrator via the CLI, with keywords such as include (CLI commands accessible by the view) or include-exclusive (CLI commands accessible exclusively by the view).

• Either a local (on the device) or an external (such as TACACS+/RADIUS) AAA server is used for authentication and authorization; a new vendor-specific attribute (VSA) is therefore needed to support this feature.

Benefits

With role-based CLI access control, users' access to CLI commands can be matched to their operational job roles.

• Security—Greatly enhances the security of the device by defining the set of CLI commands that is accessible by a particular user.

Routers • Cisco 7200, Cisco 7400 Series

• Cisco 7301 Router


• Availability—Prevents unintentional execution of CLI commands by unauthorized personnel, which can have undesirable results. This feature can greatly improve the availability of the device.

• Operational Efficiency—Because users see only the CLI commands that are accessible to them, this greatly improves the operational usability of the device.

Hardware

Product Management Contact: [email protected]

2.13.38) Control Plane Policing Enhancements

Description

Control plane policing is widely used by customers to protect the control plane of the device from being overwhelmed with traffic (often from DoS attacks).

New enhancements in this release of Cisco IOS Software include SNMP access to the policy applied to the control plane (by extending the cbQoS MIB), and an enhancement to the policy descriptor that allows the rate in the policy map to be specified in packets per second (rather than only in bits per second, as before).

Benefits

• Ease of Management—Users can now view control plane policies via SNMP.

• Operational Simplicity—With the addition of the packets-per-second specification in the control plane policy map, it may be easier for network administrators to describe the desired policy.

Hardware

Product Management Contact: [email protected]

2.13.39) IP Source Tracker

Description

The IP Source Tracker feature allows you to gather information about the traffic flowing to a host that is suspected of being under attack. It also allows you to easily trace an attack back to its entry point into the network. To trace attacks, NetFlow and access control lists (ACLs) are used together to determine the source. To block attacks, committed access rate (CAR) and ACLs are used.

Normally, when you identify the host that is subject to a DoS attack, you must determine the network ingress point

to effectively block the attack. This process starts at the router closest to the host.

The IP Source Tracker feature provides an easy, more scalable alternative to output ACLs for tracking DoS attacks.

Routers • Cisco 7200 Series

• Cisco 1760, 2610XM, 2611XM, 3640A, and 3725 Routers

Routers • Cisco 7200 Series


The IP Source Tracker works as follows:

Step 1. After you identify the destination being attacked, enable tracking for the destination address on the

whole router by entering the ip source-track command.

Step 2. A special Cisco Express Forwarding (CEF) entry is created for the destination address being tracked. For

line cards or port adapters that use specialized ASICs to do packet switching, the CEF entry is used to

punt packets to the line card’s or port adapter’s CPU.

Step 3. Each line card CPU collects information about the traffic flow to the tracked destination (using NetFlow).

Step 4. The data generated is periodically exported to the router. To display a summary of the flow information,

enter the show ip source-track summary command. To display more detailed information for each input

interface, enter the show ip source-track command.

Step 5. Statistics provide a breakdown of the traffic to each tracked IP address. This allows you to determine

which upstream router to analyze next. You can shut down the IP source tracker on the current router by entering the no ip source-track command, and enable it on the upstream router.

Step 6. Repeat Step 1 through Step 5 until you identify the source of the attack.

Step 7. Apply CAR or ACLs to limit or stop the attack.


Figure 83. IP Source Tracker

Benefits

• Complete Network Coverage: Because the IP Source Tracker feature is now supported on all platforms, it allows you to track DoS attacks across your entire network.

• Complete Tracking Information Provided: The IP source tracker generates all the necessary information in an

easy-to-use format to track the network entry point of a DoS attack.

• Tracking an Unlimited Number of IPs Simultaneously: Using the IP source tracker, you can track multiple IPs

at the same time. By default there is no limit. To limit the number of IPs that are simultaneously tracked, use the

ip source-track address-limit command.

Hardware

Routers • Cisco 800, 1700, 2600, 7200, and 7500 Series

• Cisco 3640 and 3660 Routers

Product Management Contact: [email protected]

[Figure 83 diagram labels: Attack Source; Router A, Router B, Router C; tracking the DoS attack source through Routers A, B and C]


2.13.40) Per VRF TACACS+ Support

Description

The Per VRF AAA functionality enables AAA services to be based on VPN routing and forwarding (VRF) instances. The Provider Edge (PE) or Virtual Home Gateway (VHG) can now communicate directly with the customer's TACACS+ server. In this version of Cisco IOS Software, TACACS+ protocol support is VRF aware, in addition to the RADIUS protocol, which has been VRF aware since Cisco IOS Release 12.2(15)T.

Benefits

The new Per VRF support for TACACS+ provides:

• Scalable Solution—Customers who use TACACS+ can now support user assignment on a per-VRF level, making it much more scalable and manageable.

Hardware

Product Management Contact: [email protected]

2.13.41) Cisco IOS Firewall for IPv6

Cisco IOS Firewall provides advanced traffic filtering and stateful packet inspection functionality as an integral part of a network. In addition to providing filtering of Layer 4 through Layer 7 traffic for IPv4 networks, Cisco IOS Firewall now extends the same support to IPv6 topologies. Key features supported in this release include:

• Layer 4 inspection (ICMP, UDP, TCP), including IP fragment inspection of IPv6 packets. Simple TCP/IP applications, such as Web browsers and telnet clients, are also covered by the Layer 4 inspection.

• Tracking of TCP sequence numbers, with packets not within the expected range dropped. ICMP echo request/reply packets are inspected using ICMPv6.

• Support for IPv6 fragmented packets. The fragment header is used to trigger fragment processing. The Cisco IOS Firewall virtual fragment reassembly (VFR) performs the following functions on fragments:

– Examines out-of-sequence fragments and switches the packets in order.

– Examines the number of fragments from a single IP address for a given unique identifier (to detect a DoS attack).

– Performs virtual reassembly to hand off to upper-layer protocols.

• IPv6 DoS attack mitigation mechanisms, supported in the same fashion as in the current IPv4 implementation.

• IPv6 packets tunneled toward an IPv4 destination are terminated on the Cisco IOS Firewall router and inspected.

For additional information, refer to Cisco IOS Firewall documentation at: http://www.cisco.com/en/US/products/sw/iosswrel/ps5187/products_configuration_guide_chapter09186a00801d65f4.html

Routers • Cisco 7200 and 7500 Series


Figure 84. Cisco IOS Firewall for IPv6

Benefits

Cisco IOS Firewall now enables users to deploy firewalls in both IPv4 and IPv6 networks on the same platform.

Benefits include:

• Stateful packet inspection of TCP, UDP, ICMP sessions.

• Coexistence in IPv4 and IPv6 environments.

• Inspect traffic and mitigate network attacks trying to exploit IPv4 and IPv6 fragments.

• Stateful inspection of packets originating from the IPv4 network terminating in an IPv6 environment by providing

v4 to v6 translation services.

• Ability to interpret or recognize most IPv6 Extension Header information such as routing header, hop-by-hop

Options header, fragment header and Destination Option header.

Hardware

Product Management Contact: [email protected]

2.13.42) Transparent Cisco IOS Firewall

Description

This feature is sometimes referred to as a Layer 2 firewall. Conventional Layer 3 firewalls require the existing network architecture to be split into three subnets comprising the inside, outside and DMZ segments. A network not designed to accommodate this subnetted architecture would have to be rearchitected and/or renumbered to securely deploy a Layer 3 firewall. This is time consuming and resource intensive, and not technically feasible in some deployment scenarios.

Routers • Cisco 1700—7200 Series

[Figure 84 diagram labels: IPv6 Site 1, IPv4 Site 2 and IPv4 Site 3 connected across the Internet (IPv4) through IPv6 routers with Cisco IOS Firewall and a dual-stack router]


Most commercial firewalls operate in either a transparent mode or the conventional Layer 3 mode. The Cisco IOS Firewall is designed to operate in both modes simultaneously and allows for better total ROI by reducing the firewall requirements of an organization.

The following diagram depicts a retail store network with the Transparent Cisco IOS Firewall deployed. Cisco now has a firewall that can protect the network by applying the appropriate Layer 2 MAC access control lists and Layer 3 IP access control lists.

Figure 85. Transparent Cisco IOS Firewall Deployment

The transparent firewall is configured just like the current L3 firewall using the “ip inspect” command. The ‘inspect

in/out’ command can be configured on any of the bridged interfaces for L2 protection while also being configured

on any LAN or serial interfaces to provide traditional Layer 3 protection. The transparent firewall operates on the

bridged packets and the Layer 3 firewall continues to operate on the routed packets.

[Figure 85 diagram labels: Corporate Office; Store Location; Wireless Database; Wireless Range; Untrusted Access; Transparent L2 Separation]


Benefits

The Transparent Cisco IOS Firewall offers several distinctive advantages over conventional Layer 3 Firewalls.

• Ability to insert a Stateful Layer 2 firewall within an existing network.

• No need to readdress statically addressed devices due to the introduction of a firewall into the network.

• It can be deployed into existing networks without creating any L3 subnet separations and offers complete Cisco IOS Firewall functionality (TCP, UDP, ICMP and application support).

• Untrusted wireless access points that are part of existing network can be seamlessly deployed behind the

Transparent Cisco IOS Firewall to provide added security to wireless users.

• It can be deployed on VLAN trunks running between switches and routers for added security.

• Users can allow selected devices from a subnet to traverse the firewall while denying access to other devices

on the same subnet.

• Ability to provide both Layer 2 and Layer 3 firewalling capabilities on the same router.

Hardware

Product Management Contact: [email protected]

2.13.43) Extended Simple Mail Transport Protocol

Description

Cisco IOS Firewall has always detected and blocked SMTP attacks (illegal SMTP commands) and issued an alert when it detects one. The firewall detects a limited number of SMTP attack signatures. A signature in a syslog message indicates a possible attack against the protected network, such as the detection of illegal SMTP commands in a packet. Whenever a signature is detected, the connection is reset.

The Cisco IOS Firewall now supports the inspection of ESMTP (Extended Simple Mail Transport Protocol) by

inspecting SMTP commands for legality. Commands that will be inspected include AUTH, DATA, EHLO, ETRN,

HELO, HELP, MAIL, NOOP, QUIT, RCPT, RSET, SAML, SEND, SOML and VRFY. All others are considered

illegal. RFC 1869 describes the SMTP Service Extensions.

Included in the current SMTP implementation is an IDS signature capability built into the Cisco IOS Firewall. The SMTP firewall currently scans for a set of hard-coded attack signatures. The detection of a signature causes the Cisco IOS Firewall to raise an alert message and close the SMTP session. There are 11 “IDS Sensor” attack signatures, and five have always been integrated into the Cisco IOS Firewall SMTP implementation.

Routers • Cisco 800—2600 Series

Signature and Description

Mail: bad rcpt
    Triggers on any mail message with a “pipe” ( | ) symbol in the recipient field.

Mail: bad from
    Triggers on any mail message with a “pipe” ( | ) symbol in the “From:” field.

Mail: old attack
    Triggers when “wiz” or “debug” commands are sent to the SMTP port.

Mail: decode
    Triggers on any mail message with a “:decode@” in the header.

Majordomo
    A bug in the Majordomo program will allow remote users to execute arbitrary commands at the privilege level of the server.
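An added Python example, not Cisco's code, of the inspection this section describes: commands outside the listed set are blocked with an alert, and the first signature from the table resets the session. The session lines are constructed, and the mapping of each signature to a concrete check is my reading of the table (the Majordomo signature is not modelled, because the page gives no matching rule for it).

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Commands the page lists as legal for ESMTP inspection; anything else is treated as illegal.
LEGAL_COMMANDS = frozenset({
    "AUTH", "DATA", "EHLO", "ETRN", "HELO", "HELP", "MAIL", "NOOP",
    "QUIT", "RCPT", "RSET", "SAML", "SEND", "SOML", "VRFY",
})


@dataclass
class InspectionResult:
    blocked_commands: List[str] = field(default_factory=list)  # illegal verbs: blocked, alerted
    signatures: List[str] = field(default_factory=list)        # signature names that fired
    reset_at_line: Optional[int] = None                        # index of the line that reset the session


def command_signature(verb: str, argument: str) -> Optional[str]:
    """Signatures that fire on a command line (my reading of the page's table)."""
    if verb in ("WIZ", "DEBUG"):
        return "Mail: old attack"
    if verb == "RCPT" and "|" in argument:
        return "Mail: bad rcpt"
    if verb == "MAIL" and "|" in argument:
        return "Mail: bad from"
    return None


def header_signature(header_line: str) -> Optional[str]:
    """Signatures that fire on message headers sent after DATA."""
    lowered = header_line.lower()
    if lowered.startswith("from:") and "|" in header_line:
        return "Mail: bad from"
    if ":decode@" in lowered:
        return "Mail: decode"
    return None


def inspect_session(client_lines: List[str]) -> InspectionResult:
    """Walk the client side of an SMTP session; stop at the first signature (connection reset)."""
    result = InspectionResult()
    in_data = in_headers = False
    for index, raw in enumerate(client_lines):
        line = raw.rstrip("\r\n")
        if in_data:
            if line == ".":                       # end of message body
                in_data = in_headers = False
            elif in_headers:
                if line == "":                    # blank line ends the header block
                    in_headers = False
                else:
                    signature = header_signature(line)
                    if signature:
                        result.signatures.append(signature)
                        result.reset_at_line = index
                        return result
            continue
        if not line.strip():
            continue                              # ignore empty command lines
        verb, _, argument = line.partition(" ")
        verb = verb.upper()
        signature = command_signature(verb, argument)
        if signature:
            result.signatures.append(signature)
            result.reset_at_line = index
            return result
        if verb not in LEGAL_COMMANDS:
            result.blocked_commands.append(verb)  # blocked and alerted; session continues
            continue
        if verb == "DATA":
            in_data = in_headers = True
    return result


# Constructed sessions (client lines only), not captured traffic.
CLEAN_SESSION = [
    "EHLO mail.example.test",
    "MAIL FROM:<alice@example.test>",
    "RCPT TO:<bob@example.test>",
    "XEXCH50 100 2",                              # not in the legal set
    "DATA",
    "From: Alice <alice@example.test>",
    "Subject: status",
    "",
    "all quiet",
    ".",
    "QUIT",
]
BAD_RCPT_SESSION = CLEAN_SESSION[:2] + ["RCPT TO:<bob|ops@example.test>"]
DECODE_SESSION = CLEAN_SESSION[:3] + ["DATA", "X-Note: see :decode@ for details"]

if __name__ == "__main__":
    for name, session in (("clean", CLEAN_SESSION), ("bad rcpt", BAD_RCPT_SESSION)):
        print(name, inspect_session(session))
```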


Benefits

• The Cisco IOS Firewall now dynamically supports the traversal of ESMTP messages.

• Able to identify ESMTP/SMTP attacks with the built-in IDS signature capability.

Hardware

Product Management Contact: [email protected]

2.13.44) Key Rollover for Certificate Renewal

Description

Automatic certificate enrollment was introduced to allow the router to automatically request a certificate from the

certification authority (CA) server. By default, the automatic enrollment feature requests a new certificate when the

old certificate expires. Connectivity can be lost while the request is being serviced because the existing certificate and

key pairs are deleted immediately after the new key is generated. The new key does not have a certificate to match it

until the process is complete and incoming Internet Key Exchange (IKE) connections cannot be established until the

new certificate is issued. The Key Rollover for Certificate Renewal feature allows the certificate renewal request to

be made before the certificate expires and retains the old key and certificate until the new certificate is available.

Figure 86. Key Rollover for Certificate Renewal

Benefits

Certificate autoenrollment with key rollover allows you to configure your router to automatically request a certificate from the certification authority (CA) using the parameters in the configuration. Operator intervention is therefore no longer required at the time the enrollment request is sent to the CA server. When the certificate expires, a new certificate is requested. This provides unattended recovery from expiration of certificates.

Routers • Cisco 800–2600 Series

[Figure 86 diagram labels: Cisco IOS Router; CA_A; CA_B; certificates (C)]


Hardware

Product Management Contact: [email protected]

2.13.45) PKI: Query Multiple Servers during Certificate Revocation Check

Description

When validating an X.509 certificate presented by a peer, the Certificate Revocation List (CRL) is checked to make sure the certificate has not been revoked by the issuing Certificate Authority (CA). The certificate usually contains a CRL Distribution Point (CDP) in the form of a URL. Cisco IOS Software uses the CDP to locate and retrieve the CRL.

Previous versions of Cisco IOS Software make only one attempt to retrieve the CRL, even when the certificate contains more than one CDP. If the CDP server does not respond, Cisco IOS Software reports an error, which may result in the peer's certificate being rejected.

Cisco IOS Software Release 12.3(103)T introduces the ability for Cisco IOS Software to use all of the available CDPs in a certificate. Cisco IOS Software will attempt to retrieve a CRL until all of the CDPs in the certificate have been tried. In addition, this feature introduces the ability to override the CDPs in a certificate with a manually configured CDP.

Figure 87. Checking the Certificate Revocation List

Routers • Cisco 800, 1700, 2600, 3600, 7200, 7300, and 7400

[Figure 87 diagram labels: Router 1 and Router 2 across the Internet; CA and CRL Server; Router 1 checks the CRL for validity of Router 2's certificate and Router 2 checks the CRL for validity of Router 1's certificate]


Benefits

This feature introduces the ability for Cisco IOS Software to make multiple attempts to retrieve the CRL, allowing operations to continue when a particular server is not available. In addition, the ability to override the CDPs in a certificate with a manually configured CDP has been introduced. Manually overriding the CDPs in a certificate can be advantageous when a particular server may be unavailable for an extended period of time. The certificate's CDPs can be replaced with a URL or directory specification without re-issuing all of the certificates containing the original CDP.
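An added Python model, not Cisco's implementation, of the CDP walk and manual override described in this section: try_all=False reproduces the earlier single-attempt behaviour, try_all=True walks every CDP in the certificate, and override_cdp replaces them. The URLs, the one-serial-per-line CRL encoding and the simulated servers are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


class CdpUnavailable(Exception):
    """Raised by a fetcher when a CRL distribution point does not respond."""


@dataclass
class PeerCertificate:
    serial: str          # hex serial as printed in the certificate
    cdps: List[str]      # CRL distribution points, in certificate order


@dataclass
class CrlLookup:
    crl: Optional[bytes]
    tried: List[str] = field(default_factory=list)
    source: Optional[str] = None


def fetch_crl(cert: PeerCertificate, fetch: Callable[[str], bytes],
              override_cdp: Optional[str] = None, try_all: bool = True) -> CrlLookup:
    """Retrieve the peer's CRL from the certificate's CDPs or from a manually configured one."""
    candidates = [override_cdp] if override_cdp else list(cert.cdps)
    if not try_all:
        candidates = candidates[:1]          # earlier releases: one attempt only
    result = CrlLookup(crl=None)
    for url in candidates:
        result.tried.append(url)
        try:
            result.crl = fetch(url)
        except CdpUnavailable:
            continue                         # move on to the next CDP
        result.source = url
        break
    return result


def is_revoked(cert: PeerCertificate, crl: bytes) -> bool:
    # Constructed CRL encoding for this example: one revoked serial per line.
    # A real CRL is DER-encoded ASN.1 and must be signature-checked before use.
    revoked = {line.strip().lower() for line in crl.decode().splitlines() if line.strip()}
    return cert.serial.lower() in revoked


def validate_peer(cert: PeerCertificate, fetch: Callable[[str], bytes],
                  override_cdp: Optional[str] = None, try_all: bool = True) -> str:
    lookup = fetch_crl(cert, fetch, override_cdp, try_all)
    if lookup.crl is None:
        return "REJECTED: no CRL retrievable"  # the error path the page describes
    if is_revoked(cert, lookup.crl):
        return "REJECTED: certificate revoked"
    return "ACCEPTED"


def make_fetcher(servers: Dict[str, Optional[bytes]]) -> Callable[[str], bytes]:
    """Simulated network: a None body (or an unknown URL) means the server is down."""
    def fetch(url: str) -> bytes:
        body = servers.get(url)
        if body is None:
            raise CdpUnavailable(url)
        return body
    return fetch


# Constructed scenario: the first CDP is unreachable, the second (and a mirror) serve the CRL.
CRL_BODY = b"0x1a2b\n0x3c4d\n"
SERVERS = {
    "http://crl1.example.test/ca.crl": None,
    "ldap://crl2.example.test/cn=ca": CRL_BODY,
    "http://mirror.example.test/ca.crl": CRL_BODY,
}
PEER_OK = PeerCertificate("0x7777", ["http://crl1.example.test/ca.crl",
                                     "ldap://crl2.example.test/cn=ca"])
PEER_REVOKED = PeerCertificate("0x3c4d", PEER_OK.cdps)
FETCH = make_fetcher(SERVERS)

if __name__ == "__main__":
    print("single attempt:", validate_peer(PEER_OK, FETCH, try_all=False))
    print("all CDPs:     ", validate_peer(PEER_OK, FETCH))
    print("override:     ", fetch_crl(PEER_OK, FETCH, "http://mirror.example.test/ca.crl").tried)
```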

Hardware

Product Management Contact: [email protected]

2.13.46) Virtual Private Network Routing and Forwarding Instance Integrated Dynamic Multipoint VPN

Virtual Private Network (VPN) Routing and Forwarding (VRF) Instance Integrated Dynamic Multipoint VPN (DMVPN) enables users to map site-to-site DMVPN IPsec sessions into Multiprotocol Label Switching (MPLS) VPNs. This allows service providers to extend their existing MPLS VPN service by mapping off-net sites (typically a branch office) to their respective VPNs. IPsec sessions are terminated on the DMVPN PE device and traffic is placed in VRFs for MPLS VPN connectivity. Specifically, the Next Hop Resolution Protocol (NHRP) was extended to look into the VRF tables while building the database of spoke addresses on the hub.

Figure 88. Dynamic Multipoint VPN

Benefits

• DMVPNs can be used to extend the MPLS networks deployed by service providers to take advantage of the ease

of configuration of hub and spokes, support for dynamically addressed CPEs and zero touch provisioning for

adding new spokes into a DMVPN.

• DMVPN architecture can coalesce many spokes into a single multipoint GRE interface, removing the need for

a distinct physical/logical interface for each spoke in a native IPsec installation.

Routers • Cisco 800, 1700, 2600, 3600, 7200, 7300, and 7400

[Figure 88 diagram labels: Customer A Head Office and Customer B Head Office attached to the MPLS network via MPLS VPN PEs (VPN A, VPN B); Customer A Branch Office and Customer B Branch Office reach an IPsec PE over DMVPN]


Hardware

Product Management Contact: [email protected]

2.13.47) Network Address Translation (NAT)—Transparency Aware DMVPN

When a DMVPN spoke needs to send a packet to a (private) destination subnet behind another spoke, it queries the NHRP server for the real (outside) address of the destination spoke. The DMVPN hub maintains an NHRP database of the tunnel endpoints and the physical addresses of the spokes. As the diagram shows, it is very likely that spokes in a DMVPN cloud are given the same physical address by the NAT boxes sitting in front of them. Because the spokes often have no control over the addresses provided to them by the ISP, DMVPN was enhanced to work for spokes behind a NAT box.

Figure 89

Hardware

Product Management Contact: [email protected]

2.13.48) SEAL Encryption

The Software Encryption Algorithm (SEAL) Encryption feature adds support for SEAL in IP Security implementations. SEAL encryption is an alternative to the software-based Data Encryption Standard (DES), Triple DES (3DES), and Advanced Encryption Standard (AES) algorithms. SEAL has a lower impact on the CPU than the other software-based algorithms. It uses a 160-bit key for encryption and provides adequate encryption for many applications. SEAL encryption is recommended for use on IPsec peers without hardware crypto accelerators. Configuring SEAL also requires the use of an authentication transform, and the SEAL transform cannot be used with a manually keyed crypto map.

Routers • Cisco 1700, 2600, 3600, 7200, and 7400 Series Routers

Routers • Cisco 1700, 2600, 3600, 7200, and 7400 Series Routers

[Figure 89 diagram labels: Company A spokes and a Company B spoke behind NAT boxes with dynamic or static public IP addresses, physical addresses dynamic, Tunnel 0 addresses 10.0.0.12 and 10.0.0.11; hub with a static public IP address, physical 172.17.0.1, Tunnel0 10.0.0.1; NHRP table listing 10.0.0.11 dynamic, 10.0.0.12 dynamic, ...]

For additional information, please visit:

http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_feature_guide09186a00801e9e7e.html

Product Management Contact: [email protected]

2.13.49) Control Plane Policing

Packets sent to an address of the networking device are processed by the control plane (Route Processor [RP]). There is a potential for a denial of service (DoS) on the router if the control plane is overwhelmed with packets.

Cisco Control Plane Policing protects the control plane by using QoS policies to limit the incoming traffic destined to the control plane. Users define the policy most suitable for their environment using QoS policy maps to control the volume of different types of traffic that will be processed by the control plane, thereby reducing the traffic the control plane must process and lowering the likelihood of a successful DoS attack.

Benefits

• Control plane policing reduces the success of a DoS attack by policing incoming rate of traffic destined to the

control plane.

• Easily defined through QoS policy maps.
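An added Python model, not Cisco's code, of the control-plane policer described here and in 2.13.38: a token-bucket policer whose rate is expressed either in bits per second or in packets per second, run over a constructed flood of 1500 small packets per second aimed at the route processor. The packet size, rates and bursts are my assumptions; the point shown is that a bandwidth policy sized for normal control-plane load admits the whole small-packet flood, while a packets-per-second policy bounds what the RP must process.

```python
from dataclasses import dataclass
from fractions import Fraction
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Packet:
    arrival: Fraction   # seconds since start of the trace
    size: int           # bytes on the wire


class ControlPlanePolicer:
    """Single-rate token-bucket policer for traffic punted to the route processor.

    unit="bps": a packet costs size*8 tokens; unit="pps": every packet costs 1 token.
    Fraction arithmetic keeps the result independent of float rounding.
    """

    def __init__(self, rate: int, burst: int, unit: str) -> None:
        if unit not in ("bps", "pps"):
            raise ValueError("unit must be 'bps' or 'pps'")
        self.rate = Fraction(rate)      # tokens added per second
        self.burst = Fraction(burst)    # bucket depth
        self.unit = unit
        self._tokens = self.burst
        self._last = Fraction(0)

    def _cost(self, pkt: Packet) -> Fraction:
        return Fraction(pkt.size * 8) if self.unit == "bps" else Fraction(1)

    def conform(self, pkt: Packet) -> bool:
        """Refill for the elapsed time, then admit the packet if enough tokens remain."""
        self._tokens = min(self.burst, self._tokens + (pkt.arrival - self._last) * self.rate)
        self._last = pkt.arrival
        cost = self._cost(pkt)
        if cost <= self._tokens:
            self._tokens -= cost
            return True
        return False


def police(trace: List[Packet], policer: ControlPlanePolicer) -> Tuple[int, int]:
    """Return (conformed, dropped) counts for a trace run through a fresh policer."""
    conformed = sum(1 for pkt in trace if policer.conform(pkt))
    return conformed, len(trace) - conformed


def constant_rate_trace(pps: int, size: int, seconds: int) -> List[Packet]:
    return [Packet(Fraction(i, pps), size) for i in range(pps * seconds)]


# Constructed scenario: 1500 64-byte packets per second toward the RP (768 kbit/s).
SMALL_PACKET_FLOOD = constant_rate_trace(pps=1500, size=64, seconds=1)


def compare_policies() -> Dict[str, Tuple[int, int]]:
    """Same flood against a 1 Mbit/s bandwidth policy and a 200 pps packet policy."""
    bps_policy = ControlPlanePolicer(rate=1_000_000, burst=100_000, unit="bps")
    pps_policy = ControlPlanePolicer(rate=200, burst=20, unit="pps")
    return {
        "bps": police(SMALL_PACKET_FLOOD, bps_policy),   # (1500, 0): every packet admitted
        "pps": police(SMALL_PACKET_FLOOD, pps_policy),   # (219, 1281): burst + rate admitted
    }


if __name__ == "__main__":
    for unit, (ok, dropped) in compare_policies().items():
        print(f"{unit}: conformed={ok} dropped={dropped}")
```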

Hardware

Product Management Contact: [email protected]

2.13.50) Secure Shell Version 2

Secure Shell Version 2 (SSHv2) provides strong authentication and encryption capabilities. It supports logging into

the router remotely for secure management and administration, executing commands remotely, and moving files

from one host to another.

Figure 90. SSHv2

Routers • Cisco 800, 1700, 2600, 3700, 7200 Series

• Cisco 3640 and 3660 Routers


Benefits

• Protects from host spoofing, password sniffing, and eavesdropping by providing a secure session.

• Provides capabilities to a network administrator for secure remote configuration and management.

• Improved security compared to SSHv1.

Hardware

Product Management Contact: [email protected]

2.13.51) Secure Access Mode—Silent Mode

When packets are destined to the processor, the control plane makes a decision that may include discarding the packet. When a packet is discarded, the control plane may provide additional information as to why the packet was dropped (for example, an ICMP unreachable message). Hackers use this drop information for reconnaissance when preparing for an attack.

Silent Access Mode is a new feature that provides the means to define a policy (via a QoS policy map) for the type of information that will be communicated about discarded packets; essentially, outbound filtering on the control plane.

Benefits

Improves the security posture of the Cisco IOS Software devices by returning no error messages for discarded

packets:

• Makes hacker reconnaissance more challenging.

• Policy definition offers flexibility to define relevant information to be communicated about discarded packets.

• Reduces the risk of an attack against the router.

Hardware

Additional Information: http://www.cisco.com/warp/public/732/Tech/security/

Product Management Contact: [email protected]

2.13.52) Image Verification

To verify the integrity of Cisco IOS Software images, Cisco uses MD5 hashes of the Cisco IOS Software images. While the MD5 hash is published on Cisco.com, users must perform the Cisco IOS Software image verification themselves:

• Compute the MD5 hash, either with the Cisco IOS Software “verify” CLI command or with MD5 software running on a separate server.

• Manually compare the MD5 hash with the value published on Cisco.com, or include the Cisco.com value as part of the verify command.

Routers • Cisco 800, 1700, 2600, 3600, 3700, 7200, 7400, and 7500 Series Routers

Routers • Cisco 800, 1700, 2600, 3700, 7200, and 7500 Series

• Cisco 3640, and 3660 Routers


As of Cisco IOS Software Release 12.3(4)T, Cisco IOS Software images embed the MD5 hash within the image to simplify this process:

• Instead of only generating the MD5 hash, the “verify” command now returns three MD5 values and performs the verification:

1. Computed MD5—the MD5 hash computed over the image

2. Embedded MD5—the MD5 value embedded in the IOS image

3. CCO MD5—the MD5 value published on Cisco.com

4. If the computed and embedded values are the same, image verification is considered successful

• Additionally, several common Cisco IOS Software image operational CLI commands have been extended:

1. The copy command now has a “verify|noverify” extension that automatically performs MD5 hash validation.

2. The reload command also has a “verify|noverify” extension that automatically performs MD5 hash validation.

3. Users can also use the new configuration command “file verify auto”, after which the copy and reload commands automatically include the “verify” option.
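The three-value check that the verify command performs, as an added Python example that is not Cisco's code: the image layout (body followed by a raw MD5 trailer) is a constructed stand-in for the real image format, which the page does not describe, and SAMPLE_CCO_MD5 stands in for the value published on Cisco.com. The example also shows why the embedded digest alone is only a corruption check, since whoever rewrites an image can rewrite its trailer.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

DIGEST_LEN = 16  # bytes in a raw MD5 digest


@dataclass
class VerifyReport:
    computed_md5: str          # 1. hash computed over the image contents
    embedded_md5: str          # 2. hash carried inside the image
    cco_md5: Optional[str]     # 3. hash published on Cisco.com, if supplied
    embedded_match: bool
    cco_match: Optional[bool]


def build_image(body: bytes) -> bytes:
    """Constructed image layout for this example: body followed by MD5(body).
    This is not the real Cisco IOS image format."""
    return body + hashlib.md5(body).digest()


def verify_image(image: bytes, cco_md5: Optional[str] = None) -> VerifyReport:
    """Compute the digest, compare it with the embedded one and, if given, the published one."""
    if len(image) <= DIGEST_LEN:
        raise ValueError("image too short to carry an embedded digest")
    body, trailer = image[:-DIGEST_LEN], image[-DIGEST_LEN:]
    computed = hashlib.md5(body).hexdigest()
    embedded = trailer.hex()
    embedded_match = hmac.compare_digest(computed, embedded)
    cco_match = None
    if cco_md5 is not None:
        cco_match = hmac.compare_digest(computed, cco_md5.strip().lower())
    return VerifyReport(computed, embedded, cco_md5, embedded_match, cco_match)


def allow_load(report: VerifyReport, require_cco: bool) -> bool:
    """Decision a 'copy ... verify' / 'reload ... verify' style check would make.

    The embedded digest catches corruption in transit or on flash. It does not catch
    deliberate substitution, because an image that was rewritten can carry a matching
    trailer; only the independently published value gives that assurance."""
    if not report.embedded_match:
        return False
    if require_cco:
        return bool(report.cco_match)
    return True


def tamper(data: bytes, offset: int) -> bytes:
    """Flip one byte to simulate a corrupted or altered image."""
    buf = bytearray(data)
    buf[offset] ^= 0xFF
    return bytes(buf)


# Constructed sample; the digest below stands in for the value published on Cisco.com.
SAMPLE_BODY = b"constructed sample image, not a real Cisco IOS image\n" * 64
SAMPLE_IMAGE = build_image(SAMPLE_BODY)
SAMPLE_CCO_MD5 = hashlib.md5(SAMPLE_BODY).hexdigest()

if __name__ == "__main__":
    print("intact:   ", verify_image(SAMPLE_IMAGE, SAMPLE_CCO_MD5))
    print("corrupted:", verify_image(tamper(SAMPLE_IMAGE, 10), SAMPLE_CCO_MD5))
```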

Benefits

Image Verification automates the validation of the Cisco IOS Software image running on the router by providing automated checks during the download process:

• Simplifies the Cisco IOS Software image verification process.

• Improves the security of the router by preventing potentially corrupted Cisco IOS Software images from being loaded onto the router.

• Removes the need to trust that network administrators upgrading a router perform this check manually.

Hardware

Product Management Contact: [email protected]

2.13.53) Login Enhancements—Password Retry Delay

Cisco IOS Login Enhancements increase the security of the networking device by adding a time-based dimension to user login. Network administrators can specify a time period between retries in order to mitigate dictionary attacks. User account lockout can now include a time period within which a user must succeed in logging on to the device.

Routers • Cisco 800, 1700, 2600, 3700, 7200, and 7500 Series Routers

• Cisco 3640, and 3660 Routers


Benefits

Cisco IOS Login Enhancements adds a new dimension to the current Cisco IOS Software login/password method by providing new tools to prevent unwanted access to the networking device:

• Delays potential dictionary attacks.

• Adds new flexibility to lock out unwanted attempts to access the device.
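As an added example that is not Cisco code, the following models the two controls described above, a minimum delay between retries and a time-bounded lockout after repeated failures, so the behaviour can be checked offline. Clock values are passed in explicitly, and the user table and passwords are constructed sample data.

```python
"""Added example, not Cisco code: a model of the two login controls the
bulletin describes, a minimum delay between retries and a time-bounded
lockout after repeated failures. Clock values are passed in so it runs
offline; the user table and passwords are constructed sample data."""
import hashlib
import hmac


class LoginGuard:
    """Track failed logins per user and apply retry delay and lockout."""

    def __init__(self, users, retry_delay=1.0, max_failures=3, lockout=60.0):
        self._users = users                 # username -> sha256 hex of password
        self.retry_delay = retry_delay      # seconds that must pass between tries
        self.max_failures = max_failures    # consecutive failures before lockout
        self.lockout = lockout              # seconds the account stays locked
        self._last_try = {}                 # user -> time of last checked attempt
        self._failures = {}                 # user -> consecutive failures
        self._locked_until = {}             # user -> time the lockout expires
        self.log = []                       # syslog-style records for detection

    def attempt(self, user, password, now):
        """Return 'ok', 'bad-password', 'too-fast' or 'locked'."""
        if now < self._locked_until.get(user, 0.0):
            return self._note(now, user, "locked")
        if now - self._last_try.get(user, float("-inf")) < self.retry_delay:
            # Inside the retry delay: refuse without even checking the password,
            # so a dictionary attack cannot be run at line rate.
            return self._note(now, user, "too-fast")
        self._last_try[user] = now
        digest = hashlib.sha256(password.encode()).hexdigest()
        expected = self._users.get(user, "")
        if expected and hmac.compare_digest(digest, expected):
            self._failures[user] = 0
            return self._note(now, user, "ok")
        self._failures[user] = self._failures.get(user, 0) + 1
        if self._failures[user] >= self.max_failures:
            self._locked_until[user] = now + self.lockout
            self._failures[user] = 0
            return self._note(now, user, "locked")
        return self._note(now, user, "bad-password")

    def _note(self, now, user, event):
        """Record the decision the way a syslog line would, then return it."""
        self.log.append(f"t={now:.1f} user={user} event={event}")
        return event


def demo():
    """Constructed scenario: guesses inside and outside the retry delay,
    a third failure that locks the account, and a success after expiry."""
    users = {"admin": hashlib.sha256(b"correct horse").hexdigest()}
    guard = LoginGuard(users, retry_delay=1.0, max_failures=3, lockout=60.0)
    return [
        guard.attempt("admin", "guess1", now=0.0),          # bad-password
        guard.attempt("admin", "guess2", now=0.5),          # too-fast
        guard.attempt("admin", "guess2", now=1.0),          # bad-password
        guard.attempt("admin", "guess3", now=2.0),          # locked (3rd failure)
        guard.attempt("admin", "correct horse", now=3.0),   # locked
        guard.attempt("admin", "correct horse", now=63.0),  # ok
    ]
```

The log list is what a monitoring system would consume: a burst of "too-fast" and "locked" events for one account is the signal worth alerting on.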

Hardware

Routers • Cisco 800, 1700, 2600, 3700, 7200, and 7500 Series Routers

• Cisco 3640 and 3660 Routers

Product Management Contact: [email protected]

2.13.54) Router IP Traffic Export

The Router IP Traffic Export feature is a lightweight mechanism to export IP packets as they arrive at or leave the router. A designated Ethernet interface is used for exporting captured IP packets out of the router. The objective is to export raw IP packets in their unaltered form to a designated server, analyzer, or security device connected directly to the router’s designated export interface for further analysis.

• Filter capability (using an ACL) to help focus on exporting only traffic of interest.

• A sampling option is available to minimize the volume of traffic exported.

• An Ethernet port using either a MAC/802.1q/ISL address associated with the destination host or an IP address can be used.

• Syslog information is provided when the feature is activated or deactivated.

Benefits

• A lightweight mechanism embedded in Cisco IOS Software to export IP traffic.

• Alleviates the need to attach an in-line device to capture traffic destined to or from the network device.

• Ability to monitor multiple interfaces simultaneously by connecting to a single interface.

• Filtering capability to focus on only traffic of interest.

• Add or remove traffic analyzers for in-line analysis without disrupting the network connection.

Hardware

Routers • Cisco 800, 1700, 2600, 3700, 7200, and 7500 Series Routers

• Cisco 3640 and 3660 Routers

Product Management Contact: [email protected]

2.13.55) Cisco IOS Easy VPN Remote Phase 3.2

Cisco IOS Easy VPN Remote allows Cisco IOS Software routers to act like a PC IPsec software client (Unity Client). Cisco IOS Easy VPN simplifies router configuration and deployment dramatically by allowing IPsec VPN parameters to be pushed down from the concentrator (Easy VPN Server), which can also be a Cisco IOS Software router.


Phase 3.2 introduces two new features:

• Xauth password and username saving option.

• Backup Peers (multiple peer support, stateless failover with Dead Peer Detection).

Figure 91 Cisco IOS Easy VPN Remote Phase 3.2

Benefits

• Xauth Password and Username Saving Option

– Currently, when Xauth authentication is enabled, a user must telnet to the CLI in order to type in the Xauth username and password. The saving option allows the Cisco IOS Easy VPN Remote router to save the Xauth username and password, so that the user does not have to retype this information when the tunnel is established again.

• Backup Peers (multiple peer support, stateless failover with Dead Peer Detection)

– The other new addition is the locally configured backup peer list. This is a list of multiple Easy VPN Servers that will be attempted in turn when building an IPsec tunnel, if the previous server on the list is unavailable. Also, a failover to a new server on the list will occur if the Hello timers from the dead peer detection routines expire. This feature increases VPN availability by allowing backup servers to be used when the primary server is unavailable.

[Figure 91: Cisco IOS routers with Unity Client (Cisco 800, 1700, uBR900 cable, VPN 3002, PIX 501) at small office, home office, and single-user sites, connected over the Internet by IPsec tunnels to the gateway. Home office advantages: Unity is the common language within the Cisco VPN environment; policy push applies to CPE routers as well. Gateway options: Cisco VPN 30xx, Release 12.2(8)T, PIX 6.0.]


Hardware

Routers • Cisco 800, 2600, 3700, 7100, 7200, and 7500 Series Routers

• Cisco 3640 and 3660 Routers

Additional Information:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122t/122t15/ftezvpnr.htm

Product Management Contact: [email protected]

2.13.56) Cisco IOS Certificate Server

Cisco IOS Certificate Server embeds a certificate server into the Cisco IOS Software. The router can now act as a Certificate Authority on the network.

Figure 92 Cisco IOS Certificate Server

Benefits

• Offers a simpler solution to deploy IPsec VPN with certificates.

• Provides relief from the expense and workload of configuring a full-function third-party Certificate Authority.

• Simpler, easier, and less expensive Public Key Infrastructure (PKI) deployment.

Hardware

Routers • Cisco 800, 1700, 2600, 3600, 3700, and 7200

• Cisco 3640 and 3660 Routers

Product Management Contact: [email protected]

[Figure 92: A Cisco IOS Certificate Server/VPN router and a CRL server at the central site; VPN routers at remote sites perform certificate enrollment and build VPN tunnels to the central site.]


2.13.57) VPN Access Control using 802.1x Authentication

VPN Access Control using 802.1x Authentication allows Enterprise employees to access their enterprise networks from home while allowing other household members to access only the Internet. The feature uses the Institute of Electrical and Electronics Engineers (IEEE) 802.1x protocol framework to achieve the VPN access control. The authenticated employee has access to the VPN tunnel and others (unauthenticated users on the same LAN) have access only to the Internet. This feature is targeted to the SOHO/Telecommuter market segment.

Figure 93 VPN Access Control using 802.1x Authentication

Benefits

• Enforcing corporate policy for network access to home/telecommuter/day time extender users.

• Authentication at Layer 2 to allow only authenticated traffic to access VPN tunnels to access corporate resources.

Hardware

Routers • Cisco 806, 831, 836, 837, 1701, 1710, 1721, 1751-V, and 1760 Routers

Additional Information:

http://www.cisco.com/univercd/cc/td/doc/product/software/ios123/123newft/123limit/123x/123xa/gt_802_1.htm

Product Management Contact: [email protected]

2.13.58) Cisco IOS IPv6 IPsec Phase I—IPsec Authentication for Open Shortest Path First Version 3

IPv6 specifications mandate the implementation of IPsec to enable end-to-end security. The first IPv6 IPsec implementation in Cisco IOS Software ensures security between routers that run Open Shortest Path First version 3 (OSPFv3). In OSPFv3 (RFC 2740), the authentication field has been removed from the OSPF headers; instead, OSPFv3 relies on the IPv6 Authentication Header (AH) and IPv6 Encapsulating Security Payload (ESP) to ensure integrity, authentication, and confidentiality of routing exchanges. Data traffic encryption is not supported in this first phase.

Reference: draft-ietf-ospf-ospfv3-auth
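The AH integrity check that OSPFv3 relies on, as an added example that is not part of the bulletin or of Cisco IOS: it computes and verifies an HMAC-SHA1-96 integrity check value (ICV) over an IPv6 header, an AH and an OSPFv3 Hello, following the mutable-field rules of RFC 4302. The key, addresses, SPI and Hello payload are constructed sample values.

```python
"""Added example, not Cisco code: IPv6 Authentication Header (AH) ICV
computation and verification for an OSPFv3 packet with HMAC-SHA1-96
(RFC 2404), zeroing the mutable IPv6 fields as RFC 4302 requires.
All keys, addresses and payload bytes are constructed sample values."""
import hashlib
import hmac
import struct

AH_NEXT_HEADER = 51   # IPv6 Next Header value that announces an AH
OSPF_PROTOCOL = 89    # protocol carried inside the AH (OSPFv3)
ICV_LEN = 12          # HMAC-SHA1-96: 160-bit HMAC truncated to 96 bits

# Constructed sample values: a link-local source, the AllSPFRouters group
# address, a manual key, and a minimal OSPFv3 Hello (version 3, type 1).
KEY = b"constructed-sample-ah-key"
SRC = bytes.fromhex("fe800000000000000000000000000001")
DST = bytes.fromhex("ff020000000000000000000000000005")
SAMPLE_HELLO = bytes([3, 1]) + b"\x00\x24" + b"\x00" * 32


def ipv6_header(payload_len, next_header, hop_limit, src, dst, tclass=0, flow=0):
    """Build the 40-byte IPv6 base header (src/dst are 16-byte addresses)."""
    first_word = (6 << 28) | (tclass << 20) | flow
    return struct.pack("!IHBB", first_word, payload_len, next_header, hop_limit) + src + dst


def zero_mutable(ip_hdr):
    """RFC 4302: Traffic Class, Flow Label and Hop Limit may change in transit,
    so they are zeroed before the ICV is computed; everything else is covered."""
    first_word, plen, nh, _hop = struct.unpack("!IHBB", ip_hdr[:8])
    return struct.pack("!IHBB", first_word & 0xF0000000, plen, nh, 0) + ip_hdr[8:]


def ah_header(spi, seq, icv):
    """AH fields: next header, payload length (32-bit words minus 2),
    reserved, SPI, sequence number, ICV."""
    words_minus_2 = (12 + len(icv)) // 4 - 2
    return struct.pack("!BBHII", OSPF_PROTOCOL, words_minus_2, 0, spi, seq) + icv


def compute_icv(key, ip_hdr, spi, seq, ospf_payload):
    """HMAC-SHA1-96 over the immutable IPv6 fields, the AH with a zeroed ICV, and the payload."""
    covered = zero_mutable(ip_hdr) + ah_header(spi, seq, b"\x00" * ICV_LEN) + ospf_payload
    return hmac.new(key, covered, hashlib.sha1).digest()[:ICV_LEN]


def build_packet(key, spi, seq, ospf_payload, src=SRC, dst=DST, hop_limit=1):
    """Sender side: IPv6 header | AH | OSPFv3 payload."""
    plen = 12 + ICV_LEN + len(ospf_payload)
    hdr = ipv6_header(plen, AH_NEXT_HEADER, hop_limit, src, dst)
    return hdr + ah_header(spi, seq, compute_icv(key, hdr, spi, seq, ospf_payload)) + ospf_payload


def verify_packet(key, packet):
    """Receiver side: recompute the ICV over the received bytes and compare in constant time."""
    hdr, ah = packet[:40], packet[40:52 + ICV_LEN]
    spi, seq = struct.unpack("!II", ah[4:12])
    icv, payload = ah[12:], packet[52 + ICV_LEN:]
    return hmac.compare_digest(icv, compute_icv(key, hdr, spi, seq, payload))
```

A hop-limit change in transit still verifies, while any change to the OSPFv3 payload, the SPI or the key does not; a real receiver would also enforce the AH sequence number against replay, which this block leaves out.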


Figure 94 Cisco IOS IPv6 IPsec Phase I—IPsec Authentication for OSPFv3

Benefits

Encrypting routing protocol exchange information increases the security of the internet infrastructure. OSPFv3 IPsec support is another step in the Cisco IPv6 support strategy.

Hardware

Routers • Cisco 800—7500 Series Routers

Product Management Contact: [email protected]

2.13.59) Cisco IOS Firewall Access Control Lists Bypass

Cisco IOS Firewall Access Control Lists (ACL) Bypass enhances the performance of Cisco IOS Firewall by removing multiple lookups on the return traffic passing through the router. The previous implementation performed multiple checks on each packet of the return traffic of an existing firewall flow: the input ACL search, the output ACL search, and the inspection session search. Now the check is done only once: packets are marked if they belong to an existing firewall session before the input ACL search, and this marking is used to skip the input and output dynamic ACL searches.

[Figure 94: IPv6 networks connected across an IPv6 backbone by IPsec tunnels.]


Figure 95 Cisco IOS Firewall ACL Bypass

Benefits

The primary benefit is a throughput improvement of approximately 10% for Cisco IOS Firewall. This feature is transparent to the user, because there are no associated configuration changes to enable or disable it.

Hardware

Routers • Cisco 800, 1700, 2600, 3600, 3700, and 7000 Series Routers

Product Management Contact: [email protected]

2.13.60) User Management Enhancements for Easy VPN Server

This feature includes the following enhancements:

• RADIUS Support for User Profiles:

– RADIUS attributes can now be applied on a per-user basis. If you apply attributes on a per-user basis, you can override a group attribute value with the individual user attribute. The attributes are retrieved at the time that user authentication via Xauth occurs. The attributes are then combined with the group attributes and applied during Mode Configuration.

• Session Monitoring for VPN Group Access:

– It is now possible to limit the maximum number of connections to a specific server group as well as to limit the number of simultaneous logins for users in that group. After user-defined thresholds are defined in each VPN group, new connections will be denied until existing connections drop below these thresholds. This limit can be specified in the CLI or using a RADIUS server, such as CiscoSecure ACS. When this feature is enabled on the router itself, only connections to groups on that specific device are monitored.

[Figure 95: Cisco IOS Firewall ACL Bypass, showing the input traffic forwarding path and the return traffic forwarding path before and after the change, through the INACL, NAT, Routing, Firewall, and OUTACL stages between interfaces e0 and e1.]


Benefits

• Enables customized per-user policy control when using RADIUS.

• Alleviates the need for local configuration on the router and enables user mobility with the use of RADIUS.

• Ability to limit the number of users according to the available network resources.
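The two Easy VPN Server controls described in 2.13.60, as an added example that is not Cisco code: group attributes are merged with the per-user RADIUS attributes returned at Xauth time (the user value wins), and group-level connection and per-user simultaneous-login thresholds are enforced before a new session is admitted. The group name, attribute names and limits are constructed sample values.

```python
"""Added example, not Cisco code: a model of per-user RADIUS attribute
override and of the per-group session thresholds described in 2.13.60.
Group names, attribute names and limits are constructed sample values."""


def effective_attributes(group_attrs, user_attrs):
    """Merge group and per-user attributes for Mode Configuration.

    Attributes returned for the user at Xauth time override the group
    value; anything the user record leaves unset keeps the group value."""
    merged = dict(group_attrs)
    merged.update(user_attrs)
    return merged


class SessionMonitor:
    """Track active sessions per group and per user and apply thresholds."""

    def __init__(self, groups):
        # groups: name -> {"max_connections": n, "max_logins": m}
        self.groups = groups
        self.active = {}          # (group, user) -> number of live sessions

    def group_count(self, group):
        """Total live sessions in a group across all its users."""
        return sum(n for (g, _), n in self.active.items() if g == group)

    def admit(self, group, user):
        """Return (admitted, reason); deny until sessions drop below limits."""
        limits = self.groups[group]
        if self.group_count(group) >= limits["max_connections"]:
            return False, "group-limit"
        if self.active.get((group, user), 0) >= limits["max_logins"]:
            return False, "user-limit"
        self.active[(group, user)] = self.active.get((group, user), 0) + 1
        return True, "ok"

    def release(self, group, user):
        """Tear down one session so a previously denied user can be admitted."""
        key = (group, user)
        if self.active.get(key, 0) > 0:
            self.active[key] -= 1


def demo():
    """Constructed walkthrough: one user override, then admission decisions."""
    group = {"dns": "10.0.0.53", "split-tunnel-acl": "corp-nets", "idle-timeout": 3600}
    user = {"idle-timeout": 900}               # RADIUS reply for one user at Xauth
    policy = effective_attributes(group, user)   # idle-timeout 900, rest from group

    mon = SessionMonitor({"sales": {"max_connections": 2, "max_logins": 1}})
    decisions = [
        mon.admit("sales", "alice"),   # (True, 'ok')
        mon.admit("sales", "alice"),   # (False, 'user-limit')
        mon.admit("sales", "bob"),     # (True, 'ok')
        mon.admit("sales", "carol"),   # (False, 'group-limit')
    ]
    mon.release("sales", "alice")
    decisions.append(mon.admit("sales", "carol"))  # (True, 'ok') once a slot frees
    return policy, decisions
```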

For more information contact: [email protected]

2.13.61) IPsec VPN Monitoring

The IPsec Virtual Private Network (VPN) Monitoring feature provides VPN session monitoring enhancements that assist in troubleshooting the VPN and in monitoring the end-user interface. Session monitoring enhancements include the following:

• Ability to specify an Internet Key Exchange (IKE) peer description in the configuration file.

• Summary listing of crypto session status.

• Syslog notification for crypto session up or down status.

• Ability to clear both IKE and IPsec security associations (SAs) using one command-line interface (CLI) command.

Benefits

• Simplified listing of currently active IPsec tunnels.

• Granular control and monitoring on a per-session basis.

• Real-time reporting of session change activity through syslog.

For more information contact: [email protected]

2.13.62) Online Certificate Status Protocol

Online Certificate Status Protocol (OCSP) allows users to enable OCSP instead of certificate revocation lists (CRLs) to check certificate status. Unlike CRLs, which provide only periodic certificate status, OCSP can provide timely information regarding the status of a certificate.


Figure 96 OCSP

Benefits

• OCSP provides revocation status information more frequently than CRLs, which provide only periodic updates.

• OCSP allows a network administrator to configure a central OCSP server to collect and update CRLs from different certification authority (CA) servers; thus, the devices within the network can rely on the OCSP server to check the certificate status without retrieving and caching each CRL on every device.

Hardware

Routers • Cisco 800, 1700, 2600, 3600, 3700, 7200, 7400, and 7500 Series Routers

Additional Information: http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_feature_guide09186a00801a755b.html

Product Management Contact: [email protected]

[Figure 96: Two routers connected across the Internet; each asks the OCSP server to check the CRL for the validity of the other router's certificate.]


2.14) Voice

Table 15 Voice Feature Highlights

2.14.1) Cisco CallManager Express

Cisco CallManager Express is a solution embedded in Cisco IOS Software that provides call processing for Cisco IP phones. This solution enables the large portfolio of Cisco access routers to deliver telephony features similar to those that are commonly used by business users to meet the requirements of the small office, thereby enabling deployment of a cost-effective, highly reliable, IP Communications solution for the small office.

Customers can now scale IP telephony to a small site or branch office with a solution that is very simple to deploy, administer, and maintain. Cisco CallManager Express is best suited for customers who are looking for a low-cost, reliable, feature-rich solution for a deployment of up to one hundred users.

Figure 97 Cisco CallManager Express

Benefits

IP telephony is currently undergoing tremendous growth, accelerated by access to value-added features and applications only IP telephony can provide to the end user. Additionally, the cost benefits of converging voice, video, and data onto a single network are fueling the rapid acceptance of this technology. Because it is integrated into a router, Cisco CallManager Express enhances the advantages of convergence by offering the following unique benefits:

• Cost-effective operations through a single, integrated voice-and-data device for all branch office needs.

• Robust set of commonly used key system and low-end PBX capabilities.

• Investment protection and ease of upgrade to centralized call-processing solutions.

• Remote maintenance and troubleshooting using the Cisco IOS Software CLI or a Web-based Graphical User Interface (GUI).

Sections

2.14.1) Cisco CallManager Express

[Figure 97: Cisco CallManager Express on a Cisco access router with a management GUI, Internet data connectivity, and PSTN interconnect over analog or digital trunks.]


Hardware

Routers • Cisco 1751 and 1760 Access Routers

• Cisco 261xXM, 262xXM, 265xXM Series Access Routers

• Cisco 2691, 3725, and 3745 Access Routers

Integrated Access Devices • Cisco IAD 2400 Series Integrated Access Devices

Product Management Contact: [email protected]
