Table Of Contents
Cisco IOS Software Release 12.3T New Features and Hardware
1) Introduction: Cisco IOS Software Release 12.3T
1.2) Release 12.3T Additional Information
2) Cisco IOS Software Release 12.3(14)T Highlights
2.2) Cisco IOS Software Infrastructure
2.4) Management and Provisioning
2.7) Multiprotocol Label Switching
3) Release 12.3(11)T Highlights
3.8) Embedded Network Management
3.9) IP Addressing and Services
4) Release 12.3(8)T Highlights
4.7) IP Addressing and Services
5) Release 12.3(7)T Highlights
5.6) Embedded Network Management
5.10) Multiprotocol Label Switching
6) Release 12.3(4)T Highlights
6.8) Embedded Network Management
7) Release 12.3(2)T Highlights
7.3) Embedded Network Management
8) Appendix: Release 12.3(8)T—New Feature Enhancements
9) Appendix: Release 12.3(7)T—New Feature Enhancements
10) Appendix: Release 12.3(4)T—New Feature Enhancements
11) Appendix: Release 12.3(2)T—New Feature Enhancements
11.1) Hardware Products and Modules Newly Supported in Cisco IOS Software Release 12.3(2)T
12) Appendix: Release 12.3(11)T—New Feature Enhancements
Product Bulletin, No. 2215
Cisco IOS Software Release 12.3T New Features and Hardware
This Product Bulletin introduces Cisco IOS Software Release 12.3T, and includes the following sections:
1) Introduction: Cisco IOS Software Release 12.3T
Cisco IOS® Software is the world's premiere network infrastructure software, delivering seamless integration of technology innovation, business-critical services, and hardware support. Currently operating on millions of active systems, from small home office routers to the core systems of the world's largest service provider networks, Cisco IOS Software is the most widely leveraged network infrastructure software in the world.
The Release 12.3T family will be issued as a series of individual releases, each of which will create significant new revenue opportunities and will include hundreds of business-critical features, the latest hardware support, and ongoing quality improvements. Cisco will ultimately consolidate all of these individual 12.3T releases to form a single major release.
With more than sixty new features, Cisco IOS Software Release 12.3(14)T extends the functionality and benefits of Cisco IOS Software.
Release 12.3(T) powers the new Cisco Integrated Services Routers, the first hardware/software system to deliver secure, wire-speed data, voice, video, and security services to small and medium-sized businesses, Enterprise branch offices, and Service Providers who offer managed services. By speeding application deployment and reducing operating complexity, customers realize a lower total cost of ownership.
Release 12.3(11)T extends the benefits of Cisco IOS High Availability to the small and medium-sized business and branch office by minimizing router downtime during planned or unplanned outages.
In order to maximize the value of the network, Cisco customers are continually integrating new technologies, hardware, and services into the existing infrastructure. In recognition of the challenges this can pose, Release 12.3(8)T delivers network intelligence with integrated features that secure branch office communications, automate the deployment of new applications, and optimize the flow of outbound traffic.
Release 12.3(7)T, the third release of this family, extends the robust suite of Cisco IOS Security capabilities with features that further reduce network vulnerability. The powerful new hardware support, enhanced security management capabilities, and enriched Cisco IOS Firewall functionality in Release 12.3(7)T protect sensitive data and corporate resources from malicious attacks.
Release 12.3(4)T, the second of the 12.3T releases, allows customers to leverage embedded Cisco IOS Software functionality to more easily deploy Security, Voice and Wireless applications. By enabling integrated small-scale deployment scenarios, Release 12.3(4)T provides the infrastructure for future expansion of small and medium business and Enterprise branch customers.
Release 12.3(2)T, the first of the 12.3T releases, greatly enhances customer productivity with nearly one hundred new features across more than thirty Cisco hardware products. Highlights of Release 12.3(2)T include the Cisco 830 Series Router and Cisco Security Device Manager.
Figure 1
Major Release and New Technology Release Relationship
1.1) Migration Guide
Cisco recommends that the customers who require features found in Release 12.2T upgrade to the latest version of Major Release 12.3 or 12.3T. Release 12.2T is scheduled for End of Sales on October 31, 2003. Software releases that End of Sales are no longer orderable, but are still available to customers under maintenance contract for downloading from Cisco.com and the Technical Assistance Center (TAC).
Figure 2 illustrates the migration path into Release 12.3T.
Figure 2
Release 12.3T Migration Path
Release 12.3T undergoes an ongoing testing and review cycle to continuously improve reliability and quality. Unlike the Major Release 12.3 family, Release 12.3T integrates new features with every maintenance release. Release 12.3T is updated via regular maintenance releases to include improvements resulting from the testing cycle. Maintenance for Release 12.2T ceased upon the introduction of Major Release 12.3 and 12.3T. Users of Release 12.2T should move to Major Release 12.3 or 12.3T in order to receive maintenance.
Each Cisco IOS Software new technology release is built upon the previous release. It adds new software features, hardware support, and software fixes for previous major releases and new technology releases. Release 12.3(4)T, for example, is built upon the existing functionality of Release 12.3(2)T. Customers interested in upgrading to Release 12.3T should determine their functionality needs and choose the corresponding release in the Release 12.3T family.
1.2) Release 12.3T Additional Information
• Release 12.3T Information
  http://www.cisco.com/go/release123t/
• Release 12.3T Q&A
  http://www.cisco.com/go/123tqa/
• Product Bulletin No. 2214, Cisco IOS Software Product Lifecycle Dates & Milestones
  http://www.cisco.com/en/US/products/sw/iosswrel/ps5187/prod_bulletin0900aecd801eda8a.html
• Cisco IOS Software Center: download Cisco IOS Software releases and access software upgrade planners.
  http://www.cisco.com/public/sw-center/sw-ios.shtml
• Cisco Feature Navigator: a web-based application that allows you to quickly match Cisco IOS Software releases to features to hardware.
  http://tools.cisco.com/ITDIT/CFN/jsp/index.jsp
• Cisco Software Advisor: determine the minimum supported software for selected hardware.
  http://www.cisco.com/pcgi-bin/front.x/Support/HWSWmatrix/hwswmatrix.cgi
• Cisco IOS Upgrade Planner: view all major releases, hardware, and software features from a single interface.
  http://www.cisco.com/pcgi-bin/Software/Iosplanner/Planner-tool/iosplanner.cgi
• Cisco IOS Software Questions and Feedback
  http://www.cisco.com/warp/public/732/feedback/release/
1.3) Cisco IOS Packaging
Cisco IOS Packaging simplifies the image selection process by consolidating the total number of packages and using consistent package names across all hardware products.
Figure 3
Cisco IOS Packaging for Cisco Routers
2) Cisco IOS Software Release 12.3(14)T Highlights
Tables 1 and 2 describe and identify the feature highlights of Cisco IOS Software Release 12.3(14)T.
2.1) Security and VPN
2.1.1) Cisco IOS Software Login Password Retry Lockout (per EAL4 Compliance)
Login password retry lockout conforms to the EAL4 requirement of providing these enhancements to Cisco IOS Software-enabled devices:
• The administrator specifies an optional number of attempted logins before lockout. The default value is 3 and is configurable.
• When a user makes the specified number of unsuccessful attempts to log in, that user is locked out of the system until the administrator unlocks that user.
• Only the administrator or users with administrator-equivalent privileges are able to unlock users.
• Local AAA maintains a list of locked-out users.
• This configuration is not user specific but is device (per-box) specific.
• Exception: The system does not allow the administrator to be placed on the locked-out list.
• The locked-out list is not maintained by an external server such as a RADIUS server.
• The command-line interface (CLI) can display the list of locked-out users through a show command.
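The policy above, as an added Go example that is not Cisco IOS code: a model of the local AAA lockout table with a configurable retry count defaulting to 3, a locked-out list kept on the device itself, an administrator exemption, administrator-only unlock, and a show-style listing. The account store, the use of privilege level 15 to mean administrator-equivalent, and all names are assumptions made for this example.

```go
package main

import (
	"crypto/subtle"
	"errors"
	"fmt"
	"sort"
)

// Constructed model of the per-device login lockout policy. It is not Cisco IOS
// code: the account store, the privilege threshold used to recognise
// administrators (level 15) and the method names are assumptions.

const defaultMaxAttempts = 3 // the bulletin's default; configurable per device

var (
	ErrLockedOut      = errors.New("user is locked out; an administrator must unlock")
	ErrBadCredentials = errors.New("authentication failed")
	ErrNotAdmin       = errors.New("only administrator-equivalent users may unlock")
)

type account struct {
	password  string // a real store holds a salted hash; plaintext keeps the example short
	privilege int
}

// LockoutAAA is the local AAA table: one failure counter and one locked-out
// flag per configured user, on this box only (no RADIUS involvement).
type LockoutAAA struct {
	maxAttempts int
	accounts    map[string]account
	failures    map[string]int
	lockedOut   map[string]bool
}

func NewLockoutAAA(maxAttempts int) *LockoutAAA {
	if maxAttempts <= 0 {
		maxAttempts = defaultMaxAttempts
	}
	return &LockoutAAA{
		maxAttempts: maxAttempts,
		accounts:    map[string]account{},
		failures:    map[string]int{},
		lockedOut:   map[string]bool{},
	}
}

func (a *LockoutAAA) AddUser(name, password string, privilege int) {
	a.accounts[name] = account{password: password, privilege: privilege}
}

func (a *LockoutAAA) isAdmin(name string) bool {
	acc, ok := a.accounts[name]
	return ok && acc.privilege >= 15
}

// Login authenticates one attempt. Failures for configured users are counted;
// reaching maxAttempts locks the user. Administrators are never placed on the
// locked-out list, and unknown usernames are not tracked, so a flood of random
// names cannot grow the table.
func (a *LockoutAAA) Login(name, password string) error {
	if a.lockedOut[name] {
		return ErrLockedOut
	}
	acc, ok := a.accounts[name]
	if !ok {
		return ErrBadCredentials
	}
	if subtle.ConstantTimeCompare([]byte(acc.password), []byte(password)) == 1 {
		delete(a.failures, name) // a success resets the retry counter
		return nil
	}
	a.failures[name]++
	if a.failures[name] >= a.maxAttempts && !a.isAdmin(name) {
		a.lockedOut[name] = true
	}
	return ErrBadCredentials
}

// Unlock clears a locked-out user; only an administrator may do so.
func (a *LockoutAAA) Unlock(admin, target string) error {
	if !a.isAdmin(admin) {
		return ErrNotAdmin
	}
	delete(a.lockedOut, target)
	delete(a.failures, target)
	return nil
}

// ShowLockedOut is the audit view that the show command provides.
func (a *LockoutAAA) ShowLockedOut() []string {
	users := make([]string, 0, len(a.lockedOut))
	for u := range a.lockedOut {
		users = append(users, u)
	}
	sort.Strings(users)
	return users
}

func main() {
	aaa := NewLockoutAAA(0) // 0 selects the default of 3 attempts
	aaa.AddUser("admin", "admin-pw", 15)
	aaa.AddUser("ops", "ops-pw", 1)
	for i := 0; i < 3; i++ {
		fmt.Println("ops bad password:", aaa.Login("ops", "guess"))
	}
	fmt.Println("ops correct password:", aaa.Login("ops", "ops-pw"))
	fmt.Println("locked out:", aaa.ShowLockedOut())
	fmt.Println("ops tries to unlock:", aaa.Unlock("ops", "ops"))
	fmt.Println("admin unlocks:", aaa.Unlock("admin", "ops"), aaa.Login("ops", "ops-pw"))
}
```

Unknown usernames fail without being recorded, so the locked-out list cannot be inflated with arbitrary names, and a correct password resets the counter so that a user who mistypes twice is not carried over to the next day.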
Benefits
• Improves the security of the networking device.
• Helps the network administrator to prevent potential unwanted access to the networking device.
• Offers flexibility for the network administrator to allow networking device access that meets the security policies and industry standards of individual corporations.
• Provides audit trail of locked-out users for security risk assessment.
Hardware
Product Management Contact: ask-stg-ios-pm@cisco.com
2.1.2) Cisco IOS Firewall: HTTP Inspection Engine
Cisco IOS Firewall has been enhanced with the introduction of Advanced Application Inspection and Control. Often companies decide to permit common applications, such as Web browsing, through their firewalls. Unfortunately, such access can result in non-HTTP applications, such as instant messaging (IM), attempting to take advantage of hosts behind this opening in the firewall. Although traditional firewall enforcement blocks traffic based on source and destination addresses and protocol and port numbers, the Cisco IOS Firewall HTTP Inspection Engine enforces protocol conformance and prevents malicious or unauthorized behavior such as port 80 tunneling, malformed packets, and Trojans from passing through. The HTTP Inspection Engine gives Cisco IOS Firewall the intelligence not only to block non-HTTP traffic, but also to help ensure that traffic that is assumed to be HTTP is legitimate Web browsing and not IM or similar traffic trying to gain access through the firewall. The net result is that network administrators will have more granular control of applications passing through the firewall.
Benefits
• Defines and enforces security policies for port 80.
• Controls misuse of port 80 by rogue applications that tunnel traffic inside HTTP and use port 80 to avoid scrutiny.
• Performs protocol anomaly detection services.
• Detects misuse of HTTP and Web connectivity.
• Prevents protocol masquerading.
• Provides strict RFC compliance enforcement.
• Allows RFC command control (for example, get or put).
• Enforces URL-length and header-length policy.
• Supports real-time alarms and audit trail messages.
• Provides MIME-type filtering and content validation.
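An added Go example, not Cisco IOS code, of the kind of conformance checks listed above: constructed port-80 traffic is parsed as HTTP and dropped when it is not HTTP at all, uses a method outside the allowed set, exceeds the URL or header length limits, or carries a body with a disallowed MIME type. The Policy type, its limits and the sample requests are assumptions made for this example.

```go
package main

import (
	"bufio"
	"bytes"
	"fmt"
	"net/http"
	"strings"
)

// Constructed illustration of HTTP inspection-engine style checks. Not Cisco IOS
// code; the Policy fields, limits and sample requests are assumptions.
type Policy struct {
	AllowedMethods map[string]bool // RFC command control
	MaxURLLength   int             // URL-length policy
	MaxHeaderBytes int             // header-length policy
	AllowedTypes   map[string]bool // MIME-type filtering for request bodies
}

func DefaultPolicy() Policy {
	return Policy{
		AllowedMethods: map[string]bool{"GET": true, "HEAD": true, "POST": true},
		MaxURLLength:   2048,
		MaxHeaderBytes: 8192,
		AllowedTypes: map[string]bool{
			"application/x-www-form-urlencoded": true,
			"application/json":                  true,
			"multipart/form-data":               true,
		},
	}
}

// Inspect decides whether bytes seen on port 80 are a conformant HTTP request
// under the policy. It returns (true, "") to pass the request, or (false, reason)
// to drop it; the reason is what an alarm or audit-trail message would carry.
func Inspect(raw []byte, p Policy) (bool, string) {
	req, err := http.ReadRequest(bufio.NewReader(bytes.NewReader(raw)))
	if err != nil {
		// Instant-messaging or tunnelled binary traffic fails to parse as HTTP.
		return false, "not HTTP: " + err.Error()
	}
	if req.ProtoMajor != 1 {
		return false, "unsupported HTTP version " + req.Proto
	}
	if !p.AllowedMethods[req.Method] {
		return false, "method not permitted: " + req.Method
	}
	if len(req.RequestURI) > p.MaxURLLength {
		return false, fmt.Sprintf("URL length %d exceeds %d", len(req.RequestURI), p.MaxURLLength)
	}
	headerBytes := 0
	for name, values := range req.Header {
		for _, v := range values {
			headerBytes += len(name) + len(v) + 4 // ": " and CRLF
		}
	}
	if headerBytes > p.MaxHeaderBytes {
		return false, fmt.Sprintf("header length %d exceeds %d", headerBytes, p.MaxHeaderBytes)
	}
	if ct := req.Header.Get("Content-Type"); ct != "" {
		mediaType := strings.ToLower(strings.TrimSpace(strings.SplitN(ct, ";", 2)[0]))
		if !p.AllowedTypes[mediaType] {
			return false, "content type not permitted: " + mediaType
		}
	}
	return true, ""
}

// Constructed sample traffic, all of it arriving on TCP port 80.
var Samples = map[string][]byte{
	"browse":    []byte("GET /index.html HTTP/1.1\r\nHost: intranet.example\r\nUser-Agent: Example/1.0\r\n\r\n"),
	"im-tunnel": []byte("MSG 4 N 137\r\nMIME-Version: 1.0\r\n\r\nhello"),
	"binary":    []byte{0x16, 0x03, 0x01, 0x00, 0x05, 0xde, 0xad, 0xbe, 0xef},
	"put":       []byte("PUT /upload HTTP/1.1\r\nHost: intranet.example\r\nContent-Length: 0\r\n\r\n"),
	"long-url":  []byte("GET /" + strings.Repeat("a", 3000) + " HTTP/1.1\r\nHost: intranet.example\r\n\r\n"),
	"odd-mime":  []byte("POST /api HTTP/1.1\r\nHost: intranet.example\r\nContent-Type: application/x-covert\r\nContent-Length: 0\r\n\r\n"),
}

func main() {
	for name, raw := range Samples {
		ok, reason := Inspect(raw, DefaultPolicy())
		fmt.Printf("%-9s pass=%-5t %s\n", name, ok, reason)
	}
}
```

Only the browsing request passes; everything else is dropped with a reason that names the violated policy item, which is the granularity the audit trail needs.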
Hardware
Additional Information: http://www.cisco.com/en/US/products/sw/secursw/ps1018/index.html
Cisco IOS Packaging
The Cisco IOS Firewall HTTP Inspection Engine feature is positioned in the Advanced Security packages across Cisco routers (Figure 3).
Cisco IOS Packaging Contact: Fariba Farniam (ffarniam@cisco.com)
Product Management Contact: Hitesh Saijpal (ask-stg-ios-pm@cisco.com)
2.1.3) Cisco IOS Firewall: Granular Protocol Inspection
With this feature, Cisco IOS Firewall can perform more granular protocol inspection of Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) traffic for most application types as defined in RFC 1700.
IP packets that contain most well-known ports defined in RFC 1700 plus user-defined ports and ranges that map to specific applications can be inspected. Additionally, the current Cisco IOS Firewall feature called Port-to-Application Mapping (PAM) has been enhanced to distinguish between TCP and UDP.
Benefits
• Greater flexibility by allowing more granularity in the selection of protocols to be inspected.
• Ease of use by providing for group inspection of multiple ports into a single, user-defined application keyword.
• Enhanced functionality with the addition of more well-known ports, user-defined applications, and user-defined port ranges.
• Improved performance and reduced CPU load resulting from focused inspection selections.
Hardware
Considerations
• A single port can only be mapped to one application.
• Port ranges cannot be specified directly in the ip inspect name command; the PAM table should be used instead.
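A Go model of the PAM table described above, added here as an example and not Cisco IOS code: TCP and UDP ports are kept in separate maps, a port already bound to one application cannot be rebound to another, a user-defined range is loaded all-or-nothing, and an inspection policy selects traffic by application keyword. The type names, the seeded well-known ports and the inspection policy are assumptions made for this example.

```go
package main

import (
	"fmt"
	"sort"
)

// Constructed model of a Port-to-Application Mapping (PAM) table. It is not
// Cisco IOS code; type names and seeded well-known ports are assumptions.

type Proto string

const (
	TCP Proto = "tcp"
	UDP Proto = "udp"
)

type PAMTable struct {
	// protocol -> port -> application keyword; TCP and UDP are kept apart, so
	// tcp/53 and udp/53 are independent entries.
	entries map[Proto]map[int]string
}

func NewPAMTable() *PAMTable {
	return &PAMTable{entries: map[Proto]map[int]string{TCP: {}, UDP: {}}}
}

// Map binds one port to one application. A port already bound to a different
// application is rejected rather than silently overwritten, which is the
// "a single port can only be mapped to one application" rule.
func (t *PAMTable) Map(app string, proto Proto, port int) error {
	ports, ok := t.entries[proto]
	if !ok {
		return fmt.Errorf("unknown protocol %q", proto)
	}
	if port < 1 || port > 65535 {
		return fmt.Errorf("port %d out of range", port)
	}
	if existing, bound := ports[port]; bound && existing != app {
		return fmt.Errorf("%s/%d is already mapped to %s", proto, port, existing)
	}
	ports[port] = app
	return nil
}

// MapRange expresses a user-defined port range through the table. It is
// all-or-nothing: a conflict anywhere in the range leaves the table unchanged.
func (t *PAMTable) MapRange(app string, proto Proto, from, to int) error {
	if from < 1 || to > 65535 || from > to {
		return fmt.Errorf("invalid range %d-%d", from, to)
	}
	ports, ok := t.entries[proto]
	if !ok {
		return fmt.Errorf("unknown protocol %q", proto)
	}
	for p := from; p <= to; p++ {
		if existing, bound := ports[p]; bound && existing != app {
			return fmt.Errorf("%s/%d is already mapped to %s", proto, p, existing)
		}
	}
	for p := from; p <= to; p++ {
		ports[p] = app
	}
	return nil
}

// Lookup returns the application keyword for a (protocol, port) pair.
func (t *PAMTable) Lookup(proto Proto, port int) (string, bool) {
	app, ok := t.entries[proto][port]
	return app, ok
}

// Ports lists the ports bound to an application for one protocol, i.e. the set
// that a single application keyword covers when selected for inspection.
func (t *PAMTable) Ports(app string, proto Proto) []int {
	var out []int
	for port, a := range t.entries[proto] {
		if a == app {
			out = append(out, port)
		}
	}
	sort.Ints(out)
	return out
}

// InspectPolicy is the set of application keywords selected for inspection.
// Decide reports whether a packet is inspected and under which application.
type InspectPolicy map[string]bool

func (ip InspectPolicy) Decide(t *PAMTable, proto Proto, port int) (bool, string) {
	app, ok := t.Lookup(proto, port)
	return ok && ip[app], app
}

// SeedWellKnown loads a small constructed subset of RFC 1700 assignments.
func SeedWellKnown(t *PAMTable) {
	for _, e := range []struct {
		app   string
		proto Proto
		port  int
	}{
		{"smtp", TCP, 25}, {"dns", TCP, 53}, {"dns", UDP, 53},
		{"http", TCP, 80}, {"pop3", TCP, 110}, {"imap", TCP, 143}, {"ntp", UDP, 123},
	} {
		_ = t.Map(e.app, e.proto, e.port) // no conflicts in a fresh table
	}
}

func main() {
	tbl := NewPAMTable()
	SeedWellKnown(tbl)
	fmt.Println("range ok:", tbl.MapRange("corp-app", TCP, 8000, 8010))
	fmt.Println("conflict:", tbl.Map("corp-app", TCP, 80)) // tcp/80 stays http
	fmt.Println("udp/80:", tbl.Map("corp-app", UDP, 80))   // distinct from tcp/80
	policy := InspectPolicy{"http": true, "corp-app": true}
	fmt.Println(policy.Decide(tbl, TCP, 8005))
	fmt.Println(policy.Decide(tbl, UDP, 53))
}
```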
Additional Information: http://www.cisco.com/en/US/products/sw/secursw/ps1018/index.html
Cisco IOS Packaging
The Cisco IOS Firewall Granular Protocol Inspection feature is positioned in the Advanced Security packages across Cisco routers (Figure 3).
Cisco IOS Packaging Contact: Fariba Farniam (ffarniam@cisco.com)
Product Management Contact: Hitesh Saijpal (ask-stg-ios-pm@cisco.com)
2.1.4) Cisco IOS Firewall: Email Inspection Engine
Cisco IOS Firewall Advanced Application Inspection and Control features Inspection Engines to provide protocol anomaly detection services. This latest enhancement adds support for Post Office Protocol 3 (POP3) and Internet Message Access Protocol (IMAP) to the Email Inspection Engine in addition to the existing support for Simple Mail Transfer Protocol (SMTP) and Extended Simple Mail Transfer Protocol (ESMTP).
Benefits
• Inspects SMTP, ESMTP, POP3, and IMAP.
• Detects misuse of email connectivity.
• Prevents protocol masquerading.
• Enforces strict RFC compliance.
• Performs protocol anomaly detection services.
Hardware
Considerations
Users will need to have sufficient free memory.
Additional Information: http://www.cisco.com/en/US/products/sw/secursw/ps1018/index.html
Cisco IOS Packaging
The Cisco IOS Firewall Email Inspection Engine feature is positioned in the Advanced Security packages across Cisco routers (Figure 3).
Cisco IOS Packaging Contact: Fariba Farniam (ffarniam@cisco.com)
Product Management Contact: Hitesh Saijpal (ask-stg-ios-pm@cisco.com)
2.1.5) Cisco IOS Firewall: Inspection of Router-Generated Traffic
The Inspection of Router-Generated Traffic feature enables the inspection of local router traffic to single-channel TCP and UDP connections originated by or terminated at a router. Local H.323 connections are also supported.
Benefits
• Cisco IOS Firewall policy can now be applied to router local traffic.
• The inspection of local H.323 connections enables the deployment of Cisco CallManager Express and Cisco IOS Firewall on the same router with a simplified access control list (ACL) configuration of the Cisco CallManager Express interface through which H.323 connections are made.
Hardware
Considerations
• Inspection of Router-Generated Traffic is supported only on the following protocols: H.323, TCP, and UDP.
• Cisco IOS Firewall supports only Version 2 of the H.323 protocol.
Additional Information: http://www.cisco.com/en/US/products/sw/secursw/ps1018/index.html
Cisco IOS Packaging
The Cisco IOS Firewall Inspection of Router-Generated Traffic feature is positioned in the Advanced Security packages across Cisco routers (Figure 3).
Cisco IOS Packaging Contact: Fariba Farniam (ffarniam@cisco.com)
Product Management Contact: Hitesh Saijpal (ask-stg-ios-pm@cisco.com)
2.1.6) Virtual Routing and Forwarding Aware Cisco IOS Firewall
Virtual Routing and Forwarding (VRF) Aware Cisco IOS Firewall applies Cisco IOS Firewall functionality to VRF interfaces when the firewall is configured on a service provider or large enterprise edge router. Service providers can provide managed services to small and medium business markets. VRF-Aware Cisco IOS Firewall supports VRF-aware URL filtering and VRF-lite (also known as multi-VRF customer edge [CE]).
Benefits
• Allows users to configure a per-VRF firewall. The firewall inspects IP packets that are sent and received within a VRF.
• Allows service providers to deploy the firewall on the provider edge (PE) router.
• Supports overlapping IP address space, thereby allowing traffic from nonintersecting VRFs to have the same IP address.
• Supports per-VRF (not global) firewall command parameters and denial-of-service (DoS) parameters so that the VRF-aware firewall can run as multiple instances (with VRF instances) allocated to various VPN customers.
• Performs per-VRF URL filtering.
• Generates VRF-specific syslog messages that can be seen only by a particular VPN. These alert and audit trail messages allow network administrators to manage the firewall; that is, they can adjust firewall parameters, detect malicious sources and attacks, add security policies, and so on.
• Supports the ability to limit the number of firewall sessions per VRF.
Hardware
Considerations
• VRF-Aware Cisco IOS Firewall is not supported on MPLS interfaces.
• If two VPN networks have overlapping addresses, VRF-aware NAT is required for them to support VRF-aware firewalls.
• When crypto tunnels belonging to multiple VPNs terminate on a single interface, per-VRF firewall policies cannot be applied.
Additional Information: http://www.cisco.com/en/US/products/sw/secursw/ps1018/index.html
Cisco IOS Packaging
VRF-Aware Firewall is positioned in the Advanced Security packages across Cisco routers (Figure 3).
Cisco IOS Packaging Contact: Fariba Farniam (ffarniam@cisco.com)
Product Management Contact: Hitesh Saijpal (ask-stg-ios-pm@cisco.com)
2.1.7) Intrusion Prevention Systems Signature Enhancements
This release adds the TCP, UDP, and Internet Control Message Protocol (ICMP) signature microengines (SMEs) to the list of supported SMEs. This allows for Cisco IOS Software routers to defend networks against common worms and viruses such as the following:
Also included in this release is the local shun action. This can be configured on any signature. A shun places an ACL-type block on the interface from which the attacking traffic is entering the router to more quickly defend the network from attack traffic.
Benefits
• Support for more than 400 more signatures for a total of more than 1275 from which to choose.
• Increased efficiency for traffic blocking with shun action.
Hardware
Cisco IOS Packaging
IPS Signature Enhancements are positioned in the Advanced Security packages across Cisco routers (Figure 3).
Cisco IOS Packaging Contact: Fariba Farniam (ffarniam@cisco.com)
Product Management Contact: Tom Guerrette (ask-stg-ios-pm@cisco.com)
2.1.8) Secure Device Provisioning Phase 4: Administrative Introducer
Secure Device Provisioning (SDP) Phase 4 allows an IT administrator to introduce and preprovision several end routers without the need for an end user. Administrative login and device specification have been introduced into the SDP framework.
SDP, formerly known as EZ Secure Device Deployment, simplifies introduction of a VPN device into the public key infrastructure (PKI) network. SDP mechanisms assume a permanent relationship between the introducer and the device. As a result, the introducer username is used to define the device hostname. Often the introducer username is used as the database locator to determine the Cisco IOS Software configuration template, template variables (pulled from the AA database and expanded into the template), and the appropriate subject name for the PKI certificates issued to the device.
In some deployment scenarios, the introducer is an administrator (or an administrative service such as a CiscoWorks VPN/Security Management Solution [VMS] or the Cisco IP Solution Center [ISC]) doing the introduction for many devices. In this situation, the administrator's username cannot be used as a database locator so the SDP GUI has been enhanced to provide the username as a separate parameter.
Figure 4
SDP Administrative Introducer
Benefits
Allows an IT administrator or security management solution to provision multiple devices.
Hardware
Cisco IOS Packaging
SDP Phase 4: Administrative Introducer is positioned in the Advanced Security packages across Cisco routers (Figure 3).
Cisco IOS Packaging Contact: Fariba Farniam (ffarniam@cisco.com)
Product Management Contact: Jai Balasubramaniyan (ask-stg-ios-pm@cisco.com)
2.1.9) Secure Device Provisioning Phase 4: Hierarchical Certificate Servers
PKI deployments have a certificate server that issues certificates to the nodes in the VPN installation. A root certificate server is a CA server that holds a self-signed certificate, and its key pair is the root of the trust associations (digital signatures in the certificates) of the whole VPN installation. Because the root RSA key pairs are extremely important in a PKI hierarchy, it is often advantageous to keep them offline or archived. To support such an arrangement, PKI hierarchies allow for subordinate certificate authorities that have been signed by the root authority. In this way the root authority can be kept offline (except to issue occasional Certificate Revocation List [CRL] updates) and the sub-Certificate Authority (sub-CA) can be used during normal operation.
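The hierarchy described above, as an added Go example built with the standard library's crypto/x509 package (not Cisco IOS code): a self-signed root issues a subordinate CA certificate once, the subordinate issues the device certificate, and verification chains back to the root with the root key no longer needed. Names, ECDSA P-256 keys and the one-day validity are assumptions made for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Constructed two-level PKI: an offline root signs a subordinate CA once, the
// sub-CA issues the VPN device certificate, and a peer verifies the device up
// to the root trust anchor. Not Cisco IOS code; names, key type and validity
// periods are assumptions.

type CA struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

func newTemplate(cn string, isCA bool, serial int64) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth}
	}
	return tmpl
}

// issue creates a certificate for key's public half as described by tmpl. With
// parent == nil the certificate is self-signed (the root); otherwise the
// parent's key signs it, the only moment that signing key has to be online.
func issue(tmpl *x509.Certificate, key *ecdsa.PrivateKey, parent *CA) (*x509.Certificate, error) {
	parentCert, signer := tmpl, key
	if parent != nil {
		parentCert, signer = parent.Cert, parent.Key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parentCert, &key.PublicKey, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func newCA(cn string, serial int64, parent *CA) (*CA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	cert, err := issue(newTemplate(cn, true, serial), key, parent)
	if err != nil {
		return nil, err
	}
	return &CA{Cert: cert, Key: key}, nil
}

// BuildHierarchy returns the root CA, the subordinate CA it signed, and a device
// certificate issued by the subordinate. After this the root key can go offline.
func BuildHierarchy() (root, sub *CA, device *x509.Certificate, err error) {
	if root, err = newCA("Example Root CA", 1, nil); err != nil {
		return
	}
	if sub, err = newCA("Example Branch Sub-CA", 2, root); err != nil {
		return
	}
	var devKey *ecdsa.PrivateKey
	if devKey, err = ecdsa.GenerateKey(elliptic.P256(), rand.Reader); err != nil {
		return
	}
	device, err = issue(newTemplate("vpn-router-01.example", false, 1001), devKey, sub)
	return
}

// VerifyDevice builds the chain device -> sub-CA -> root. The verifier needs the
// root as trust anchor and the sub-CA certificate as an intermediate.
func VerifyDevice(device, root *x509.Certificate, intermediates ...*x509.Certificate) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	inters := x509.NewCertPool()
	for _, c := range intermediates {
		inters.AddCert(c)
	}
	_, err := device.Verify(x509.VerifyOptions{
		Roots:         roots,
		Intermediates: inters,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err
}

func main() {
	root, sub, device, err := BuildHierarchy()
	if err != nil {
		panic(err)
	}
	fmt.Println("device issued by:", device.Issuer.CommonName)
	fmt.Println("sub-CA issued by:", sub.Cert.Issuer.CommonName)
	fmt.Println("with intermediate:", VerifyDevice(device, root.Cert, sub.Cert))
	fmt.Println("without intermediate:", VerifyDevice(device, root.Cert))
}
```

The second verification call shows why a deployment has to distribute the sub-CA certificate along with the root: without the intermediate the chain cannot be built even though the root is trusted.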
Figure 5
SDP Hierarchical Certificate Server
Benefits
• Allows for hierarchical certificate servers, ensuring better scalability and availability.
• Simplifies PKI deployment in geographically distributed VPN installations where each location could have its own certificate server handling the network beneath it.
Hardware
Cisco IOS Packaging
SDP Phase 4: Hierarchical Certificate Servers is positioned in the Advanced Security packages across Cisco routers (Figure 3).
Cisco IOS Packaging Contact: Fariba Farniam (ffarniam@cisco.com)
Product Management Contact: Jai Balasubramaniyan (ask-stg-ios-pm@cisco.com)
2.1.10) OS Universal Serial Bus Token Support: Public Key Infrastructure Enhancements
The Cisco IOS Software Universal Serial Bus (USB) Token Support project provides support for USB cryptographic tokens and flash drives on Cisco IOS Software. The USB token plugs into the router's USB port.
Tokens provide a secure place to store keys and configurations, where they can be protected with a PIN. Tokens do not have enough storage to hold images or other bulk data. The tokens supported in this release have a capacity of 32 KB, of which about half is taken up by token and Cisco IOS Software system overhead. This size is suitable for a small configuration and a few certificates and keys.
Flash drives can be used to store images, configurations, and other data, but are not suitable for private keys because they have no security.
Figure 6
USB Token: PKI
Benefits
• Simplifies secure initial deployment. Router can be drop-shipped by distributor, while the token containing configuration and private keys is distributed by other means.
• Simplifies replacement of failed routers. The user just needs to remove the spare from the closet or have it drop-shipped and plug in the token from the failed router, and it should work. This method assumes that the token contains the configuration and keys.
• Helps in securing a VPN connection. The router may have access to the Internet at all times, but it can only use the VPN when the token is present, because the keys on the token are used to set up the tunnel, and the tunnel is torn down when the token is removed.
Hardware
Cisco IOS Packaging
OS USB Token Support: PKI Enhancements is positioned in the Advanced Security packages across Cisco routers (Figure 3).
Cisco IOS Packaging Contact: Fariba Farniam (ffarniam@cisco.com)
Product Management Contact: Jai Balasubramaniyan (ask-stg-ios-pm@cisco.com)
2.1.11) Persistent Self-Signed Certificates
Cisco IOS Software has an HTTPS server that allows access to Web-based management pages over an SSL connection. SSL requires the server to present its certificate to the client during the SSL handshake, before a secure connection between the server and the client is established.
If Cisco IOS Software does not have a certificate that the HTTPS server can use, it generates a self-signed certificate by calling the PKI API. This certificate is then presented to the client, which prompts the user to accept it. If the user accepts, the certificate is stored in the browser for future use.
Future SSL handshakes require the same certificate. However, on reload this certificate is lost, and a new one has to be generated and go through the same acceptance sequence. The Persistent Self-Signed Certificate feature overcomes this limitation by saving the certificate in the router's startup configuration, so that it persists across reloads and HTTPS clients continue to see the same certificate.
Figure 7
Persistent Self-Signed Certificates
Benefits
• Ease of use: a persistent self-signed certificate stored in the router's startup configuration eliminates need for manual user intervention to accept a certificate every time the router reloads.
• Improved performance: as user intervention is no longer necessary to accept the certificate, the secure connection process is faster.
• Better security: having a persistent self-signed certificate stored in the router's startup configuration (NVRAM) lessens the opportunity for an attacker to substitute an unauthorized certificate.
Hardware
Cisco IOS Packaging
Persistent Self-Signed Certificates is positioned in the Advanced Security packages across Cisco routers (Figure 3).
Cisco IOS Packaging Contact: Fariba Farniam (ffarniam@cisco.com)
Product Management Contact: Jai Balasubramaniyan (ask-stg-ios-pm@cisco.com)
2.1.12) Easy VPN Remote Phase 4.1: Enhancements
Easy VPN Phase 4.1 supports two enhancements for Easy VPN Remote: Support for Reliable Static Routing using Object Tracking and Tunnel Activation on Interesting Traffic on Easy VPN Remote.
Support for Reliable Static Routing using Object Tracking is an existing feature that enables Cisco IOS Software to identify when a Point-to-Point Protocol over Ethernet (PPPoE) or IPsec VPN tunnel goes down and to initiate a dial-on-demand routing (DDR) connection to a preconfigured destination from any alternative WAN/LAN port (for example, T1, ISDN, analog, or AUX). This feature delivers a solution for deployments in which a remote router only has a static route to the corporate network. The IP Static route-tracking feature allows an object to be tracked (by IP address or host name) using ICMP, TCP, or other protocols and installs or removes the static route based on the state of the tracked object. If this feature determines that Internet connectivity is lost, then the default route for the primary interface is removed, and the floating static route for the backup interface is enabled.
This new enhancement delivers the capability to establish a secondary Easy VPN connection, if the primary Easy VPN connection fails, using support of Reliable Static Routing using Object Tracking. However, it is based on the dial backup interface only.
Two new Easy VPN Remote CLI configuration options support Reliable Static Routing using Object Tracking: a connection to the backup Easy VPN remote configuration and a connection to the tracking system.
backup <ezvpn-cfg-name> specifies the Easy VPN configuration that will be activated when backup is triggered. track <tracked-object-number> specifies the link to the tracking system so that the Easy VPN state machine can get the notification to trigger backup.
crypto ipsec client ezvpn <ezvpn-cfg-name> backup <ezvpn-cfg-name> track <tracked-object-number>
Easy VPN Remote registers with the tracking system to receive notifications of changes in the state of the object. The above command informs the tracking process that Easy VPN Remote is interested in tracking an object, identified by the object number. The tracking process in turn informs Easy VPN Remote when the state of this object changes. This notification prompts Easy VPN Remote to bring up the backup connection when the tracked object state is DOWN. When the tracked object is UP again, the backup connection is torn down, and Easy VPN Remote switches back to the primary connection. The primary connection is not torn down when the tracked object goes DOWN; however, it may time out or reset eventually on its own. Pings continue to be sent over the primary tunnel; if the tunnel is not up, they are dropped. The primary tunnel continues to attempt to reestablish, and once it does, the pings succeed and the tracked object state goes UP again.
Benefits
• Allows flexibility to track an object and initiate dial backup.
Tunnel Activation on Interesting Traffic on Easy VPN Remote is a feature that introduces a new method of activating Easy VPN tunnels based on user traffic. Prior to this feature there were two ways to bring up the tunnel: manual entry of the XAuth user/password, and automatic activation of the tunnel with the user/password stored in the configuration file. The new feature will only bring up the tunnel when user traffic needs to use it. It can be used with an idle timer on the tunnel to bring the tunnel up and down only when it is needed for user traffic. This arrangement can reduce the load on the Easy VPN concentrator, because tunnels are only brought up when needed.
Figure 8
Activation Triggered by Easy VPN Remote Traffic
Benefits
Reduces the load on the Easy VPN concentrator, because tunnels are only brought up when needed.
Hardware
Cisco IOS Packaging
Easy VPN Remote Phase 4.1: Enhancements is positioned in the Advanced Security packages across Cisco routers (Figure 3).
Cisco IOS Packaging Contact: Fariba Farniam (ffarniam@cisco.com)
Product Management Contact: Siva Natarajan (ask-stg-ios-pm@cisco.com)
2.1.13) IPsec Preferred Peer
IPsec Preferred Peer allows a user to tag a peer as the default peer in a multiple-set peer configuration. The provisions include setting a peer with default option and setting an IPsec idle timer with default option.
Setting a peer with default option: a new keyword—default—has been added to mark the first peer in a multiple-set peer configuration as the default peer. This peer will then be retried in certain failure cases before a connection to the next peer on the list is attempted. If a failure is detected by dead peer detection (DPD), the default peer will be tried once more before the next peer is tried. If the default peer is unresponsive, failure using retransmits of Internet Key Exchange (IKE) initiation messages will set the new current peer to the next one on the list. Further connections through that crypto map will then try this new current peer.
This feature is useful in a dial backup scenario in which transmission stops because of remote peer failure traffic on a physical link. DPD will indicate that the remote peer is unavailable, although it will remain the current peer. The dial backup link will come up. Once connectivity through the physical link is restored, the default peer will be tried again. This procedure allows the user to always give preference to certain peers in the event of failover and is useful if the original failure occurred because of a connectivity problem through the network, as opposed to the remote peer itself failing. If the remote peer has indeed failed, retransmits to that peer (this process takes approximately 45 seconds) will force the default peer to be skipped and the next peer on the list to be tried.
Benefits
Allows flexibility to use a primary peer when it is better (for example, closer, less expensive, or provides more bandwidth).
Hardware
Additional Information
• The set peer with default option must be used in conjunction with DPD. It is most effective on a remote site running DPD in periodic mode. DPD will detect the failure of the other device quickly and reset the peer list to try the default peer again on the next attempt.
• Only one peer may be designated the default on a crypto map.
• The default peer must be the first peer in the list.
• Use with the crypto map set peer default feature.
• Idle timers with the default keyword are only available on a per-crypto-map basis. This command will not work with the global idle timer command.
• If a global idle timer is set, the crypto map idle timer value must be different from the global value; otherwise it will not be added to the crypto map.
Cisco IOS Packaging
The Cisco IOS IPsec Preferred Peer feature is positioned in the Advanced Security packages across Cisco routers (Figure 3).
Cisco IOS Packaging Contact: Fariba Farniam (ffarniam@cisco.com)
Product Management Contact: Siva Natarajan (ask-stg-ios-pm@cisco.com)
2.1.14) IPsec Antireplay Window Expansion and Disable Options
IPsec antireplay window is a 32-bit counter and a bitmap (or equivalent) used to describe whether an inbound authentication header or ESP packet is a replay. The Expansion and Disable options supported in this feature give IPsec users two additional options with which to control the antireplay mechanism in IPsec. Users can now choose to expand the antireplay window size or, alternatively, disable antireplay checking completely. The default antireplay window size and default enabling of antireplay checking for IPsec in Cisco IOS Software will be the same as in prior Cisco IOS Software releases.
Figure 9
IPsec Antireplay
Benefits
Allows an IT administrator flexibility to control antireplay window size or disable it.
Hardware
Additional Information
If the antireplay window is disabled, replay attack is possible.
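The anti-replay mechanism described in this section (a 32-bit sequence counter plus a bitmap covering the window), the effect of widening the window, and the consequence of disabling the check can be demonstrated with the sliding-window algorithm that IPsec receivers use (the style given in RFC 4303, Appendix A). The code below is an added example, not Cisco code; the window size and the enable flag stand in for the two options the bulletin describes, and the Cisco CLI syntax is not reproduced.

```python
"""IPsec anti-replay sliding window (added example, not Cisco IOS code).

A receiver tracks the highest ESP/AH sequence number accepted and a
bitmap of the `window_size` numbers below it. A packet is accepted if it
is newer than anything seen, or falls inside the window and has not been
seen before; it is dropped if it is older than the window or already
marked. `enabled=False` models disabling the check entirely.
"""


class AntiReplayWindow:
    def __init__(self, window_size=64, enabled=True):
        if window_size < 32:
            raise ValueError("window must cover at least 32 packets")
        self.window_size = window_size
        self.enabled = enabled
        self.highest = 0   # highest sequence number accepted so far
        self.bitmap = 0    # bit i set => sequence number (highest - i) seen

    def check_and_update(self, seq):
        """Return True if `seq` is accepted, False if it is a replay or too old."""
        if not 0 < seq <= 0xFFFFFFFF:
            return False   # 32-bit counter; sequence number 0 is never sent
        if not self.enabled:
            return True    # checking disabled: replays pass unnoticed
        if seq > self.highest:
            # Slide the window right so bit 0 is the new highest.
            shift = seq - self.highest
            if shift >= self.window_size:
                self.bitmap = 1
            else:
                full = (1 << self.window_size) - 1
                self.bitmap = ((self.bitmap << shift) | 1) & full
            self.highest = seq
            return True
        diff = self.highest - seq
        if diff >= self.window_size:
            return False   # too old: fell off the left edge of the window
        if self.bitmap & (1 << diff):
            return False   # already seen inside the window: replay
        self.bitmap |= 1 << diff
        return True


def run_sequence(seqs, window_size=64, enabled=True):
    """Feed a constructed sequence of packet numbers through one window."""
    window = AntiReplayWindow(window_size, enabled)
    return [window.check_and_update(s) for s in seqs]


if __name__ == "__main__":
    # Constructed inputs: a replayed packet, and a packet delayed by 64 slots.
    print(run_sequence([1, 2, 2]))                   # [True, True, False]
    print(run_sequence([100, 36]))                   # [True, False]  (outside 64-window)
    print(run_sequence([100, 36], window_size=128))  # [True, True]   (expanded window)
    print(run_sequence([1, 2, 2], enabled=False))    # [True, True, True] replay accepted
```

The expanded window lets a packet delayed by more than 64 positions (for example, by QoS queuing or multiple paths) still be accepted, which is the operational reason to enlarge it; with checking disabled the same code accepts a duplicated sequence number, which is the exposure the note above describes.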
Cisco IOS Packaging
IPsec Antireplay Window Expansion and Disable Options is positioned in the Advanced Security packages across Cisco routers (Figure 3).
Cisco IOS Packaging Contact: Fariba Farniam (ffarniam@cisco.com)
Product Management Contact: Siva Natarajan (ask-stg-ios-pm@cisco.com)
2.1.15) IPsec Virtual Tunnel Interface
VPNs are increasingly being recognized as a mainstream solution for secure WAN connectivity. They replace or augment existing private networks using leased lines, Frame Relay, or ATM to connect remote and branch offices and central sites more cost effectively and with increased flexibility. This new status requires that VPN devices deliver higher performance, support for both LAN and WAN interfaces, and high network availability. IPsec virtual tunnel interfaces (VTIs) are a new tool that customers can use to configure IPsec-based VPNs between site-to-site devices. IPsec VTI tunnels provide a designated pathway across the shared WAN and encapsulate traffic with new packet headers, ensuring delivery to specific destinations. The network is private because traffic can enter a tunnel only at an endpoint. In addition, IPsec provides true confidentiality through encryption and can carry encrypted traffic.
With IPsec VTIs delivered by Cisco, enterprises can use cost-effective VPNs and continue to add voice and video to their data networks without compromising quality and reliability.
Cisco IPsec VTIs provide secure connectivity for site-to-site VPNs combined with the Cisco Architecture for Voice, Video and Integrated Data (AVVID) architecture for delivering converged voice, video, and data over IP networks. VPNs deliver cost-effective, flexible wide-area connectivity, while providing a network infrastructure that supports the latest converged network applications such as IP telephony and video.
Figure 10
IPsec Static Virtual Tunnel Interfaces Between Two Sites
Benefits
• Simplified management—Customers can use Cisco IOS Software virtual tunnel constructs to configure an IPsec VTI, thus reducing VPN configuration complexity, which translates into reduced costs as the need for local IT support is minimized. In addition, existing management applications that can monitor interfaces can be used for monitoring purposes.
• Support for multicast encryption—Customers can use Cisco IOS Software IPsec VTIs to transfer multicast traffic, control traffic, or data traffic (for example, many voice and video applications) from one site to another securely.
• Routable interface—Cisco IOS Software IPsec VTIs can support all types of IP routing protocols. Customers can use these capabilities of VTI to connect larger office environments, such as branch offices, complete with a PBX extension.
• Improved scaling—IPsec virtual interfaces need fewer security associations to be established to cover different types of traffic, both unicast and multicast, thus enabling improved scaling.
• Flexibility of defining features—An IPsec virtual interface is an encapsulation within its own interface. This arrangement offers flexibility of defining features to run on either the physical or the IPsec interface.
Hardware
Cisco IOS Packaging
The Cisco IOS IPsec Virtual Tunnel Interface feature is positioned in the Advanced Security packages across Cisco routers (Figure 3).
Cisco IOS Packaging Contact: Fariba Farniam (ffarniam@cisco.com)
Product Management Contact: Siva Natarajan (ask-stg-ios-pm@cisco.com)
2.1.16) Reverse Route Injection
Reverse Route Injection (RRI) is used to create static routes based on remote proxy IDs (subnet/mask) for remote IPsec devices. It is platform independent (except for Cisco Catalyst 6000 Series and Cisco 7600 Series Router) and is dynamic in that it saves the user from statically defining routes. It is remote agnostic as well and works on both dynamic and static crypto maps. Typically in an RRI, routes are injected into the routing process.
RRI enhancements included in this release: Cisco IOS Software can now alter RRI behavior for static L2L IPsec tunnels and can retain RRI routes when a crypto ACL is modified. In addition, it is enhanced to retain RRI routes for dynamic customer premises equipment (CPE) as well as to remove RRI routes when the same crypto map is applied to two different interfaces.
Figure 11
Reverse Route Injection
Benefits
Saves the user from statically defining routes.
Considerations
Cisco IOS Software will not allow RRI in the same crypto map on multiple interfaces.
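To make concrete what "static routes based on remote proxy IDs" means, the following added example (not Cisco IOS code) derives the routes RRI would install from a crypto map whose entries carry a remote peer and a crypto ACL. Crypto ACLs use Cisco wildcard (inverse) masks, so the example converts each destination address/wildcard pair into a prefix; the map structure, peer addresses, ACL text, and the choice of the remote peer as next hop are constructed assumptions for illustration.

```python
"""Reverse Route Injection derived routes (added example; not Cisco IOS code).

For every 'permit ip' line in a crypto ACL, the destination (the remote
proxy ID) becomes a static route via the entry's remote peer. Wildcard
masks are assumed contiguous; a non-contiguous mask cannot be expressed
as a single route and is rejected. All data below is constructed.
"""
import ipaddress


def wildcard_to_network(address, wildcard):
    """Turn an ACL 'address wildcard' pair into an IPv4Network (wildcard 0 bits must match)."""
    wc = int(ipaddress.IPv4Address(wildcard))
    mask = (~wc) & 0xFFFFFFFF
    prefixlen = bin(mask).count("1")
    contiguous = (0xFFFFFFFF << (32 - prefixlen)) & 0xFFFFFFFF
    if mask != contiguous:
        raise ValueError(f"non-contiguous wildcard {wildcard}: no single route")
    return ipaddress.IPv4Network((int(ipaddress.IPv4Address(address)) & mask, prefixlen))


def parse_crypto_acl(lines):
    """Return (source, destination) network pairs from 'permit ip S SWC D DWC' lines."""
    pairs = []
    for line in lines:
        parts = line.split()
        if len(parts) != 6 or parts[:2] != ["permit", "ip"]:
            continue  # deny entries and other syntax do not define proxy IDs
        pairs.append((wildcard_to_network(parts[2], parts[3]),
                      wildcard_to_network(parts[4], parts[5])))
    return pairs


def rri_routes(crypto_map):
    """Map destination prefix -> next hop for the routes RRI would inject.

    crypto_map is a list of entries shaped {"peer": str, "acl": [str, ...]}
    (constructed structure). The first entry to claim a prefix wins.
    """
    routes = {}
    for entry in crypto_map:
        for _source, destination in parse_crypto_acl(entry["acl"]):
            routes.setdefault(str(destination), entry["peer"])
    return routes


# Constructed crypto map: two remote sites, the second with a trailing deny.
SAMPLE_CRYPTO_MAP = [
    {"peer": "203.0.113.2",
     "acl": ["permit ip 10.1.0.0 0.0.255.255 192.168.5.0 0.0.0.255",
             "permit ip 10.1.0.0 0.0.255.255 192.168.6.0 0.0.0.255"]},
    {"peer": "203.0.113.9",
     "acl": ["permit ip 10.1.0.0 0.0.255.255 172.16.0.0 0.0.255.255",
             "deny ip any any"]},
]

if __name__ == "__main__":
    for prefix, next_hop in rri_routes(SAMPLE_CRYPTO_MAP).items():
        print(f"ip route {prefix} via {next_hop}")
```

Because the routes are a pure function of the crypto map, applying the same map on two interfaces would produce the same prefixes twice with different egress, which is why the consideration above rules that configuration out.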
Hardware
Additional Information
Cisco IOS Packaging
Reverse Route Injection is positioned in the Advanced Security packages across Cisco routers (Figure 3).
Cisco IOS Packaging Contact: Fariba Farniam (ffarniam@cisco.com)
Product Management Contact: Siva Natarajan (ask-stg-ios-pm@cisco.com)
2.1.17) Easy VPN Remote Web-Based Activation
Easy VPN contains two primary hardware client applications: Teleworker and Branch Office. Teleworker allows user-driven authentication of the client router (for example, interactive XAuth credential entry) with optional authentication of devices behind the client router. Teleworker is also possibly useful for offices in which one person is authorized to activate the office connection. The second application is Branch Office, where a client router connects automatically without user intervention (XAuth credentials saved in configuration file). Optionally, it is possible to authenticate devices behind the client router.
Easy VPN Remote Web-Based Activation makes authentication of the remote router easier by providing a Web-based interface in which to enter the XAuth username and password.
Figure 12
Easy VPN Remote Web-Based Activation
Benefits
Small office or home office (SOHO) users benefit greatly by using a Web-based interface to activate Easy VPN Remote.
Hardware
Additional Information
Cisco IOS Packaging
Easy VPN Remote Web-Based Activation is positioned in the Advanced Security packages across Cisco routers (Figure 3).
Cisco IOS Packaging Contact: Fariba Farniam (ffarniam@cisco.com)
Product Management Contact: Siva Natarajan (ask-stg-ios-pm@cisco.com)
2.1.18) WebVPN
WebVPN is an SSL-based VPN solution that provides clientless remote access by using a Web browser as the remote user's VPN client. Because most personal computers already have a Web browser installed, no further application installation is required to securely access network resources. This feature can augment the existing IPsec remote access (Easy VPN) functionality or, in environments with relatively simple remote access requirements, WebVPN may offer sufficient functionality to address all remote access demands. Cisco IOS Software WebVPN makes it easy to deploy remote access to internal applications on a single integrated network device.
The first release of WebVPN in Cisco IOS Software supports two functional modes:
• The first mode (clientless) provides secure access to private Web resources and Web content. This mode is useful for accessing most content that you would expect to use within a Web browser, such as Web pages, databases, or online tools that employ a Web interface.
• The second functional mode (thin client) extends the cryptographic functions of the Web browser to enable remote access for email applications using POP3, SMTP, and IMAP.
Benefits
• Uses a standard Web browser to access the corporate network and does not require a client to be installed on the client machine.
• SSL encryption native to the browser provides transport security.
• Has granular access control.
• Additional client and server applications are accessed using a Java applet.
• Allows access from noncorporate machines such as airport kiosks.
• Allows easy firewall and network traversal from any location.
• Allows transparent wireless roaming.
• Integrated Cisco IOS Firewall provides enhanced security.
Hardware
Considerations
• If WebVPN needs to be enabled on a router that is running HTTP Secure Server, the administrator must configure an IP address for WebVPN using the gateway-addr keyword option of the webvpn enable command.
• URLs referenced by Macromedia Flash content are not rewritten for secure retrieval through the WebVPN gateway.
• This feature in Cisco IOS Software Release 12.3(14)T supports SSL Version 3. Transport Layer Security (TLS) is not supported.
• The thin client used for TCP port-forwarding applications requires administrative privileges on the end user's computer.
Cisco IOS Packaging
WebVPN is positioned in the Advanced Security packages across Cisco routers (Figure 3).
Cisco IOS Packaging Contact: Fariba Farniam (ffarniam@cisco.com)
Product Management Contact: Gary Sockrider (ask-stg-ios-pm@cisco.com)
2.1.19) Cisco Router and Security Device Manager 2.1
Cisco Router and Security Device Manager (SDM) 2.1 combines routing and security services management with ease of use, intelligent wizards, and in-depth troubleshooting capabilities to provide a tool that supports the benefits of integrating services onto the router. Customers can now synchronize routing and security policies throughout the network, enjoy a more comprehensive view of their router services status, and reduce their operational costs.
Benefits
• New hardware support
– Cisco Small Business 100 Series
– Cisco VPN Acceleration Module 2+ (VAM2+)
– High-speed WAN interface card 4T (HWIC-4T), HWIC-4A/S, HWIC-8A/S, HWIC-8A, and HWIC-16A
– Provides ability to recognize, configure, and monitor the new hardware
• Localized in six languages
– Cisco SDM user interface and online help translated into Japanese, simplified Chinese, French, German, Spanish, and Italian (available in May 2005)
– Microsoft Windows OS support for these languages (available now)
– Simplifies router management for native language users
• Cisco SDM Express
– Wizard-based deployment of router
– Offers quick and easy router deployment for basic WAN access configurations
– Ideal router deployment tool for nonexpert users
• PC-based SDM
– Cisco SDM installed on Windows-based PC instead of router flash memory
– No extra flash memory space required on router for SDM
– Great tool to manage the installed base of Cisco routers
• PPP over ATM (PPPoA)
– Offers quick and easy deployment of xDSL router interfaces for PPPoA configurations