Release Notes for Cisco 3600 Series for Cisco IOS Release 12.0 T

December 13, 1999

These release notes for the Cisco 3600 series support Cisco IOS Release 12.0 T, up to and including Release 12.0(7)T. These release notes are updated as needed to describe new features, memory requirements, hardware support, software platform deferrals, and changes to the microcode or modem code and related documents.

For a list of the software caveats that apply to Release 12.0(7)T, see Caveats for Cisco IOS Release 12.0 T that accompanies these release notes. This caveats document is updated for every maintenance release and is located on Cisco Connection Online (CCO) and the Documentation CD-ROM.

Use these release notes with Cross-Platform Release Notes for Cisco IOS Release 12.0 on CCO and the Documentation CD-ROM.

Contents

These release notes describe the following topics:

Introduction

The Cisco 3600 series includes the Cisco 3620, Cisco 3640, Cisco 3661, and Cisco 3662 routers. As modular solutions, the Cisco 3600 series routers enable corporations to increase dial-up intensity and take advantage of current and emerging WAN technologies and networking capabilities. The Cisco 3600 series routers are fully supported by Cisco IOS software, which includes dial-up connectivity, LAN-to-LAN routing, data and access security, WAN optimization, and multimedia features.

System Requirements

This section describes the system requirements for Release 12.0(7)T:

Memory Requirements


Table 1: Memory Requirements for the Cisco 3600 Series

| Feature Set by Platform | Image Name | Minimum Flash Memory | Minimum DRAM Memory | Runs from | In¹ |
|---|---|---|---|---|---|
| Cisco 3620 | | | | | |
| IP | c3620-i-mz | 8 MB | 32 MB | RAM | |
| IP Plus | c3620-is-mz | 8 MB | 48 MB | RAM | |
| IP Plus IPSec 56 | c3620-is56i-mz | 16 MB | 48 MB | RAM | |
| IP/FW/IDS | c3620-io3-mz | 8 MB | 32 MB | RAM | (5) |
| IP/FW/IDS Plus IPSec 56 | c3620-io3s56i-mz | 16 MB | 48 MB | RAM | (5) |
| IP Plus IPSec 3DES | c3620-ik2s-mz | 16 MB | 48 MB | RAM | (2) |
| IP/FW/IDS Plus IPSec 3DES | c3620-ik2o3s-mz | 16 MB | 48 MB | RAM | (5) |
| IP/IPX/AT/DEC | c3620-d-mz | 8 MB | 32 MB | RAM | |
| IP/IPX/AT/DEC Plus | c3620-ds-mz | 16 MB | 48 MB | RAM | |
| IP/IPX/AT/DEC/FW/IDS Plus | c3620-do3s-mz | 16 MB | 48 MB | RAM | (5) |
| IP/H.323 Gtkpr Prxy | c3620-ix-mz | 8 MB | 32 MB | RAM | (3) |
| Enterprise Plus | c3620-js-mz | 16 MB | 48 MB | RAM | |
| Enterprise Plus IPSec 56 | c3620-js56i-mz | 16 MB | 48 MB | RAM | |
| Enterprise/FW/IDS Plus IPSec 56 | c3620-jo3s56i-mz | 16 MB | 48 MB | RAM | (5) |
| Enterprise Plus IPSec 3DES | c3620-jk2s-mz | 16 MB | 48 MB | RAM | (2) |
| Enterprise/FW/IDS Plus IPSec 3DES | c3620-jk2o3s-mz | 16 MB | 48 MB | RAM | (5) |
| Enterprise/SNASw Plus | c3620-a3js-mz | 16 MB | 48 MB | RAM | (7) |
| Enterprise/SNASw Plus IPSec 56 | c3620-a3js56i-mz | 16 MB | 48 MB | RAM | (7) |
| Enterprise/SNASw Plus IPSec 3DES | c3620-a3jk2s-mz | 16 MB | 48 MB | RAM | (7) |
| Cisco 3640 | | | | | |
| IP | c3640-i-mz | 8 MB | 32 MB | RAM | |
| IP Plus | c3640-is-mz | 8 MB | 48 MB | RAM | |
| IP Plus IPSec 56 | c3640-is56i-mz | 16 MB | 48 MB | RAM | |
| IP/FW/IDS | c3640-io3-mz | 8 MB | 32 MB | RAM | |
| IP/FW/IDS Plus IPSec 56 | c3640-io3s56i-mz | 16 MB | 48 MB | RAM | (5) |
| IP Plus IPSec 3DES | c3640-ik2s-mz | 16 MB | 48 MB | RAM | (2) |
| IP/FW/IDS Plus IPSec 3DES | c3640-ik2o3s-mz | 16 MB | 48 MB | RAM | (5) |
| IP/IPX/AT/DEC | c3640-d-mz | 8 MB | 32 MB | RAM | |
| IP/IPX/AT/DEC Plus | c3640-ds-mz | 16 MB | 48 MB | RAM | |
| IP/IPX/AT/DEC/FW/IDS Plus | c3640-do3s-mz | 16 MB | 48 MB | RAM | (5) |
| IP/H.323 Gtkpr Prxy | c3640-ix-mz | 8 MB | 32 MB | RAM | (3) |
| Enterprise Plus | c3640-js-mz | 16 MB | 48 MB | RAM | |
| Enterprise Plus IPSec 56 | c3640-js56i-mz | 16 MB | 48 MB | RAM | |
| Enterprise/FW/IDS Plus IPSec 56 | c3640-jo3s56i-mz | 16 MB | 48 MB | RAM | (5) |
| Enterprise Plus IPSec 3DES | c3640-jk2s-mz | 16 MB | 48 MB | RAM | (2) |
| Enterprise/FW/IDS Plus IPSec 3DES | c3640-jk2o3s-mz | 16 MB | 48 MB | RAM | (5) |
| Enterprise/SNASw Plus | c3640-a3js-mz | 16 MB | 48 MB | RAM | (7) |
| Enterprise/SNASw Plus IPSec 56 | c3640-a3js56i-mz | 16 MB | 48 MB | RAM | (7) |
| Enterprise/SNASw Plus IPSec 3DES | c3640-a3jk2s-mz | 16 MB | 48 MB | RAM | (7) |
| Cisco 3660 | | | | | |
| IP | c3660-i-mz | 8 MB | 32 MB | RAM | (5) |
| IP Plus | c3660-is-mz | 8 MB | 64 MB | RAM | (5) |
| IP Plus/IP Sec 56 | c3660-is56i-mz | 16 MB | 64 MB | RAM | (5) |
| IP/FW/IDS | c3660-io3-mz | 8 MB | 32 MB | RAM | (7) |
| IP/FW/IDS Plus IPSec 56 | c3660-io3s56i-mz | 8 MB | 64 MB | RAM | (7) |
| IP/H.323 Gtkpr Prxy | c3660-ix-mz | 8 MB | 32 MB | RAM | (5) |
| IP Plus/IP Sec/3DES | c3660-ik2s-mz | 16 MB | 64 MB | RAM | (5) |
| IP/FW/IDS Plus IPSec 3DES | c3660-ik2o3s-mz | 16 MB | 64 MB | RAM | (7) |
| IP/IPX/AT/DEC | c3660-d-mz | 8 MB | 32 MB | RAM | (5) |
| IP/IPX/AT/DEC Plus | c3660-ds-mz | 16 MB | 64 MB | RAM | (5) |
| IP/IPX/AT/DEC FW IDS Plus | c3660-do3s-mz | 16 MB | 64 MB | RAM | (7) |
| Enterprise/SNASw Plus | c3660-a3js-mz | 16 MB | 64 MB | RAM | (7) |
| Enterprise/SNASw Plus/IP Sec 56 | c3660-a3js56i-mz | 16 MB | 64 MB | RAM | (7) |
| Enterprise/SNASw Plus IP Sec/3DES | c3660-a3jk2s-mz | 16 MB | 64 MB | RAM | (7) |
| Enterprise Plus | c3660-js-mz | 16 MB | 64 MB | RAM | (5) |
| Enterprise Plus IPSec 56 | c3660-js56i-mz | 16 MB | 64 MB | RAM | (5) |
| Enterprise Plus/IP Sec 3DES | c3660-jk2s-mz | 16 MB | 64 MB | RAM | (5) |
| Enterprise/FW/IDS Plus IPSec 56 | c3660-jo3s56i-mz | 16 MB | 64 MB | RAM | (7) |
| Enterprise/FW/IDS Plus IPSec 3DES | c3660-jk2o3s-mz | 16 MB | 64 MB | RAM | (7) |
| Telco | c3660-telco-mz | 16 MB | 64 MB | RAM | (5) |
| Telco Plus | c3660-telcoent-mz | 16 MB | 64 MB | RAM | (5) |

¹ This column indicates in which maintenance release the image was introduced. For example, a (2) indicates the image was introduced in Release 12.0(2)T. If there is no number in the column, the image was introduced in the initial release.

Hardware Supported

Cisco IOS Release 12.0 T supports the Cisco 3600 series routers:


Note: For important information about the ATM OC3 network modules and compatibility with the Cisco 3620 router, please review the field notice on CCO, at http://www.cisco.com/warp/customer/770/51.shtml


Table 2: Supported Interfaces for the Cisco 3600 Series

| Interface, Network Module, or Data Rate | Platforms Supported |
|---|---|
| Dial Access Network Modules | |
| 16- and 32-port Asynchronous (NM-16A and NM-32A) | All Cisco 3600 series platforms |
| 6- to 30-port Integrated Digital Modems network modules (NM-6DM, NM-12-DM, NM-18DM, NM-24DM, NM-40DM) | Cisco 3620 and 3640 |
| 6 Digital Modem Upgrade (MICA-6MOD) | Cisco 3620 and 3640 |
| 8- or 16-port Integrated Analog network modules (NM-8AM and NM16AM) | Cisco 3620 and 3640 |
| LAN Interfaces | |
| 1- and 4-port Ethernet (AUI and 10BaseT, NM-4E and NM-8E) | All Cisco 3600 series platforms |
| 1-port Fast Ethernet (100BaseTX and 100BaseFX, NM-1FE-TX and NM-1FE-FX) | All Cisco 3600 series platforms |
| Mixed Media Network Modules | |
| 1-port 10/100BaseTX with 1-port Channelized/PRI E1 balanced mode (NM-1FE1CE1B) | Cisco 3620 and 3640 |
| 1-port 10/100BaseTX with 1-port Channelized/PRI E1 unbalanced mode (NM-1FE1CE1U) | Cisco 3620 and 3640 |
| 1-port 10/100BaseTX with 1-port Channelized/PRI T1 (NM-1FE1CT1) | Cisco 3620 and 3640 |
| 1-port 10/100BaseTX with 1-port Channelized/PRI T1 with CSU (NM-1FE1CT1-CSU) | Cisco 3620 and 3640 |
| 1-port 10/100BaseTX with 2-port Channelized/PRI E1 balanced mode (NM-1FE2CE1B) | Cisco 3620 and 3640 |
| 1-port 10/100BaseTX with 2-port Channelized/PRI E1 unbalanced mode (NM-1FE2CE1U) | Cisco 3620 and 3640 |
| 1-port 10/100BaseTX with 2-port Channelized/PRI T1 (NM-1FE2CT1) | Cisco 3620 and 3640 |
| 1-port 10/100BaseTX with 2-port Channelized/PRI T1 with CSU (NM-1FE2CT1-CSU) | Cisco 3620 and 3640 |
| 1 Ethernet and 2 WAN card slots (NM-1E2W) | All Cisco 3600 series platforms |
| 1 Ethernet, 1 Token Ring, and 2 WAN card slots (NM-1E1R2W) | All Cisco 3600 series platforms |
| 2 Ethernet and 2 WAN card slots (NM-2E2W) | All Cisco 3600 series platforms |
| Multiport T1/E1 ATM Network Modules with Inverse Multiplexing over ATM (IMA)¹ | |
| 4-port T1 ATM network module with IMA (NM-4T1-IMA) | All Cisco 3600 series platforms |
| 4-port E1 ATM network module with IMA (NM-4E1-IMA) | All Cisco 3600 series platforms |
| 8-port T1 ATM network module with IMA (NM-8T1-IMA) | All Cisco 3600 series platforms |
| 8-port E1 ATM network module with IMA (NM-8E1-IMA) | All Cisco 3600 series platforms |
| Digital T1 Packet Voice Trunk Network Modules and Spare Components | |
| 1-port, 24-channel T1 voice/fax module, supports 24 channels of medium-complexity codecs: G.729a/b, G.726, G.711 and fax or 12 channels of G.726, G.729, G.723.1, G.728, G.729a/b, G.711, and fax. Consists of one NM-HDV, two PVDM-12s, and one VWIC-1MFT-T1². Part number: NM-HDV-1T1-24 | All Cisco 3600 series platforms |
| 1-port, enhanced 24-channel T1 voice/fax module, supports 24 channels of high- and medium-complexity codecs: G.729a/b, G.726, G.729, G.728, G.723.1, G.711, and fax. Consists of one NM-HDV, four PVDM-12s, and one VWIC-1MFT-T1². Part number: NM-HDV-1T1-24E | All Cisco 3600 series platforms |
| 2-port, 48-channel T1 voice/fax module, supports add/drop multiplexing (drop and insert); 48 channels of medium-complexity codecs: G.729a/b, G.726, G.711, and fax; or 24 channels of G726, G729, G723.1, G.728, G729a/b, G711, and fax. Consists of one NM-HDV, four PVDM-12, and one VWIC-2MFT-T1-DI². Part number: NM-HDV-2T1-48 | All Cisco 3600 series platforms |
| High-density voice/fax network module spare (NM-HDV) | Digital T1 Packet Voice Trunk Network Modules spare component |
| 12-channel packet voice DSP module upgrade spare (PVDM-12=) | Digital T1 Packet Voice Trunk Network Modules spare component |
| 1-port RJ-48 MultiFlex Trunk - T1 (VWIC-1MFT-T1)² | Digital T1 Packet Voice Trunk Network Modules spare component |
| 2-port RJ-48 MultiFlex Trunk - T1 (VWIC-2MFT-T1)² | Digital T1 Packet Voice Trunk Network Modules spare component |
| 2-port RJ-48 MultiFlex Trunk with drop and insert - T1 (VWIC-2MFT-T1-DI(=))² | Digital T1 Packet Voice Trunk Network Modules spare component |
| T1/E1 Multiflex Voice/WAN Interface Cards | |
| 1-Port T1 multiflex trunk interface (VWIC-1MFT-T1) | All Cisco 3600 series platforms; Cisco 3620 and 3640 platforms in a 1- or 2-port network module (NM-1E2W, NM-2E2W, NM-1E1R2W) |
| 1-Port E1 multiflex trunk interface (VWIC-1MFT-E1) | Cisco 3620 and 3640 platforms in a 1- or 2-port network module (NM-1E2W, NM-2E2W, NM-1E1R2W) |
| 2-Port T1 multiflex trunk interface (VWIC-2MFT-T1) | All Cisco 3600 series platforms³ |
| 2-Port T1 multiflex trunk interface with Drop and Insert (VWIC-2MFT-T1-DI) | For Cisco 3660 series, only supported in T1 Digital Packet Voice Trunk Network Modules. For Cisco 3620 and 3640, supported in T1 Digital Packet Voice Trunk Network Modules or in 1- or 2-port network module (NM-1E2W, NM-2E2W, NM-1E1R2W) |
| 2-Port E1 multiflex trunk interface with Drop and Insert (VWIC-2MFT-E1-DI) | Cisco 3620 and 3640 platforms in a 1- or 2-port network module (NM-1E2W, NM-2E2W, NM-1E1R2W). |
| Voice/Fax Interfaces and Network Modules¹ | |
| 1- and 2-port Voice/Fax network module (NM-1V and NM-2V) | All Cisco 3600 series platforms |
| 2-port E&M Voice interface card (VIC-2E/M) | All Cisco 3600 series platforms with Voice/Fax network module |
| 2-port FXO Voice interface card (VIC-2FXO, VIC-2FXO-M3, and VIC-2FXO-EU) | All Cisco 3600 series platforms with Voice/Fax network module |
| 2-port FXS Voice interface card | All Cisco 3600 series platforms with Voice/Fax network module |
| 2-port BRI Voice interface card (VIC-2BRI-S/T-TE) | Cisco 3620 and 3640 platforms with Voice/Fax network module |
| WAN Data Rates | |
| 48/56/64 kbps | All Cisco 3600 series platforms |
| 1.544/2.048 Mbps | All Cisco 3600 series platforms |
| Up to 8 Mbps on 4-port serial network module | All Cisco 3600 series platforms |
| 52 Mbps max using HSSI network module | All Cisco 3600 series platforms |
| 155 Mbps on ATM OC3 network modules | All Cisco 3600 series platforms |
| Network Modules | |
| 1- and 2-port Channelized T1 modules without CSUs (NM-1CT1 and NM-1CT1) | Cisco 3620 and 3640 |
| 1- and 2-port Channelized T1 network modules with CSUs (NM-1CT1-CSU and NM-2CT1-CSU) | Cisco 3620 and 3640 |
| 1- and 2-port E1 network modules unbalanced mode (NM-1CE1U and NM-2CE1U) | Cisco 3620 and 3640 |
| 1- and 2-port E1 network modules balanced mode (NM-1CE1B and NM-2CE1B) | Cisco 3620 and 3640 |
| 1-port ATM-25 network modules (NM-1ATM-25)¹ | Cisco 3620 and 3640 |
| 1-port High Speed Serial Interface (HSSI) network module | All Cisco 3600 series platforms |
| 4- and 8-port BRI network module with NT1 (NM-4B-U and NM-8B-U) | Cisco 3620 and 3640 |
| 4- and 8-port BRI network module with S/T interface (NM-4B-S/T and NM-8B-S/T) | Cisco 3620 and 3640 |
| 4- and 8-port Synchronous/Asynchronous (NM-4A/S and NM-8A/S) | All Cisco 3600 series platforms |
| 16- and 32-port Asynchronous (NM-16A and NM-32A) | All Cisco 3600 series platforms |
| 4-port Serial (NM-4T) | All Cisco 3600 series platforms |
| 1-port ATM OC3 network module with multimode fiber (NM-1A-OC3MM) | All Cisco 3600 series platforms |
| 1-port ATM OC3 network module with single-mode intermediate reach fiber (NM-1A-OC3SMI) | All Cisco 3600 series platforms |
| 1-port ATM OC3 network module with single-mode long reach fiber (NM-1A-OC3SML) | All Cisco 3600 series platforms |
| Other Network Modules | |
| Compression network module (NM-COMPR) | Cisco 3620 and 3640 |
| 4 E1 data compression Advanced Integration Module (AIM-COMPR4) | Cisco 3660 series platforms |
| WAN Interface Cards | |
| 1-port T1/Fractional T1 DSU/CSU WAN interface card (WIC-1DSU-T1) | All Cisco 3600 series platforms |
| 1-port T1/Fractional T1 56/64 kbps DSU/CSU WAN interface card (WIC-1DSU-56K4) | All Cisco 3600 series platforms |
| 1-port ISDN with NT1 WAN interface card (WIC-1B-U) | All Cisco 3600 series platforms |
| 1-port ISDN WAN interface card (WIC-1B-S/T) | All Cisco 3600 series platforms |
| 1-port Serial WAN interface card (WIC-1T) | All Cisco 3600 series platforms |

¹ Requires the Cisco IOS Plus feature sets.
² See T1/E1 Multiflex Voice/WAN Interface Cards in this table.
³ Only supported in T1 Digital Packet Voice Trunk Network Modules.

Determining the Software Version

To determine the version of Cisco IOS software running on a Cisco 3600 series router, log in to the router and enter the show version EXEC command:

router>show version
Cisco Internetwork Operating System Software
IOS (tm) 3620 Software (C3620-JS-MZ), Version 12.0(7)T, RELEASE SOFTWARE

Upgrading to a New Software Release

For information about upgrading to a new software release, see the product bulletin Cisco IOS Software Release 12.0 T Upgrade Paths and Packaging Simplification (#819 1/99) on CCO at:

Service & Support: Software Center: Cisco IOS Software: Product Bulletins: Software

Feature Set Tables

Cisco IOS software is packaged in feature sets consisting of software images, depending on the platform. Each feature set contains a specific set of Cisco IOS features.


Table 3: Feature Sets Supported by the Cisco 3600 Series

| Feature Set | Feature Set Matrix Term | Software Image | Platforms | In¹ |
|---|---|---|---|---|
| IP Standard Feature Sets | | | | |
| IP | Basic² | c3620-i-mz, c3640-i-m, c3660-i-mz | Cisco 3620, Cisco 3640, Cisco 3660 series | |
| IP Plus | Plus³ | c3620-is-mz, c3640-is-mz, c3660-is-mz | Cisco 3620, Cisco 3640, Cisco 3660 series | |
| IP Plus IPSec 56 | Plus, IPSec 56⁴ | c3620-is56i-mz, c3640-is56i-mz, c3660-is56i-mz | Cisco 3620, Cisco 3640, Cisco 3660 series | |
| IP Plus IPSec 3DES | Plus, IPSec, 3DES⁵ | c3620-ik2s-mz, c3640-ik2s-mz, c3660-ik2s-mz | Cisco 3620, Cisco 3640, Cisco 3660 series | (2) |
| IP/FW/IDS Plus IPSec 3DES | Plus, IPSec, 3DES | c3620-ik2o3s-mz, c3640-ik2o3s-mz | Cisco 3620, Cisco 3640 | (5) |
| IP/System Controller | Basic | c3640-c2is-mz, c3660-c2is-mz | Cisco 3640, Cisco 3660 series | |
| IP/FW/IDS | Basic | c3620-io3-mz, c3640-io3-mz, c3660-io3-mz | Cisco 3620, Cisco 3640, Cisco 3660 series | (5) |
| IP/FW/IDS Plus IPSec 56 | Plus, IPSec 56 | c3620-io3s56i-mz, c3640-io3s56i-mz, c3660-io3s56i-mz | Cisco 3620, Cisco 3640, Cisco 3660 series | (5) |
| IP/H.323 Gtkpr Prxy | Basic, H323 | c3620-ix-mz, c3640-ix-mz, c3660-ix-mz | Cisco 3620, Cisco 3640, Cisco 3660 series | (3) |
| Desktop IBM Standard Feature Sets | | | | |
| IP/IPX/AppleTalk/DEC | Basic | c3620-d-mz, c3640-d-mz, c3660-d-mz | Cisco 3620, Cisco 3640, Cisco 3660 series | |
| IP/IPX/AppleTalk/DEC Plus | Plus | c3620-ds-mz, c3640-ds-mz, c3660-ds-mz | Cisco 3620, Cisco 3640, Cisco 3660 series | |
| IP/IPX/AppleTalk/DEC/FW/IDS Plus | Plus | c3620-do3s-mz, c3640-do3s-mz, c3660-do3s-mz | Cisco 3620, Cisco 3640, Cisco 3660 series | (5) |
| Enterprise Standard Feature Sets | | | | |
| Enterprise Plus | Plus | c3620-js-mz, c3640-js-mz, c3660-js-mz | Cisco 3620, Cisco 3640, Cisco 3660 series | |
| Enterprise Plus IPSec 56 | Plus, IPSec 56 | c3620-js56i-mz, c3640-js56i-mz, c3660-js56i-mz | Cisco 3620, Cisco 3640, Cisco 3660 series | |
| Enterprise/FW/IDS Plus IPSec 56 | IPSec 56 | c3620-jo3s56i-mz, c3640-jo3s56i-mz, c3660-jo3s56i-mz | Cisco 3620, Cisco 3640, Cisco 3660 series | (5) |
| Enterprise Plus IPSec 3DES | Plus, IPSec, 3DES | c3620-jk2s-mz, c3640-jk2s-mz, c3660-jk2s-mz | Cisco 3620, Cisco 3640, Cisco 3660 series | (2) |
| Enterprise/FW/IDS Plus IPSec 3DES | Plus, IPSec, 3DES | c3620-jk2o3s-mz, c3640-jk2o3s-mz, c3660-jk2o3s-mz | Cisco 3620, Cisco 3640, Cisco 3660 series | (5) |
| Enterprise/SNASw Standard Feature Sets | | | | |
| Enterprise/SNASw Plus | Plus | c3620-a3js-mz, c3640-a3js-mz, c3660-a3js-mz | Cisco 3620, Cisco 3640, Cisco 3660 series | (7) |
| Enterprise/SNASw Plus IPSec 56 | Plus, IPSec 56 | c3620-a3js56i-mz, c3640-a3js56i-mz, c3660-ajs56i-mz | Cisco 3620, Cisco 3640, Cisco 3660 series | (7) |
| Enterprise/SNASw Plus IPSec 3DES | Plus, IPSec, 3DES | c3620-a3jk2s-mz, c3640-a3jk2s-mz, c3660-a3jk2s-mz | Cisco 3620, Cisco 3640, Cisco 3660 series | (7) |

¹ This column indicates in which maintenance release the image was introduced. For example, a (2) indicates the image was introduced in Release 12.0(2)T. If this column is blank, the image was introduced in the initial release.
² This feature set is offered in the basic feature set.
³ This feature set is offered in the Plus feature set.
⁴ This feature set is offered in the encryption feature sets which consist of IPSec 56-bit (Plus IPSec 56) data encryption feature sets.
⁵ This feature set is offered in the encryption feature sets which consist of Triple DES (3DES) Encryption data encryption feature sets.

Caution: Cisco IOS images with strong encryption (including, but not limited to 168-bit (3DES) data encryption feature sets) are subject to United States government export controls and have limited distribution. Strong encryption images to be installed outside the United States are likely to require an export license. Customer orders may be denied or subject to delay due to United States government regulations. When applicable, purchaser/user must obtain local import and use authorizations for all encryption strengths. Please contact your sales representative or distributor for more information, or send an e-mail to export@cisco.com.

Tables 4, 5, 6 and 7 list the features and feature sets supported by the Cisco 3600 series in Cisco IOS Release 12.0(7)T and use the following conventions:


Note: These feature set tables only contain a selected list of features. The tables are not cumulative, nor do they list all the features in each image.


Table 4: Feature Lists by Feature Sets for the Cisco 3620 and 3640 Routers, Part 1 of 2

| Features | In | IP | IP/H.323 | IP Plus | IP Plus IPSec 56 | IP/FW/IDS | IP/FW/IDS Plus IPSec 56 | IP Plus IPSec 3DES¹ | IP/FW/IDS Plus IPSec 3DES | IP/IPX/AT/DEC | IP/IPX/AT/DEC Plus | IP/IPX/AT/DEC/FW/IDS Plus |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Connectivity | | | | | | | | | | | | |
| Layer 2 Tunnel Protocol (L2TP) | | No | No | Yes | Yes | No | Yes | Yes | Yes | No | Yes | Yes |
| L2TP Dial Out | (5) | No | No | Yes | Yes | No | Yes | Yes | Yes | No | Yes | Yes |
| RIP Enhancements | | Yes | No | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| SNMP version 3 | (3) | Yes | No | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| IBM Support | | | | | | | | | | | | |
| DLSw+ Enhanced Load Balancing | (3) | No | No | Yes | Yes | No | Yes | Yes | Yes | No | Yes | Yes |
| DLSw+ Ethernet Redundancy | (5) | No | No | Yes | Yes | No | Yes | Yes | Yes | No | Yes | Yes |
| DLSw+ Peer Clusters | (3) | No | No | Yes | Yes | No | Yes | Yes | Yes | No | Yes | Yes |
| DLSw+ RSVP | (3) | No | No | Yes | Yes | No | Yes | Yes | Yes | No | Yes | Yes |
| SNA Switching Services | (7) | No | No | No | No | No | No | No | No | No | No | No |
| Token Ring Interswitch Link | (3) | Yes | No | Yes | Yes | No | Yes | Yes | No | Yes | Yes | No |
| IP/IPX Routing | | | | | | | | | | | | |
| Airline Product Set Enhancements | (5) | Yes | No | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Async over UDP | (5) | Yes | No | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Easy IP Phase 2- DHCP Server | | Yes | No | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Flow-based WRED | (3) | Yes | No | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| IP RTP Priority | (5) | Yes | No | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| IS-IS Multiarea Support | (5) | No | No | No | No | No | No | No | No | No | No | No |
| Multilayer Switching for IP Multicast | (5) | No | No | Yes | Yes | No | Yes | Yes | Yes | Yes | Yes | Yes |
| Multilayer Switching for IPX | (5) | Yes | No | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| OSPF Packet Pacing | | Yes | No | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| OS_IFSS | | Yes | No | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| PGM Router Assist | (5) | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Service Assurance Agent (formerly Response Time Reporter) | (3) | Yes | No | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Web Cache Communications Protocol V2 (WCCPv2) | (3) | Yes | No | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Management | | | | | | | | | | | | |
| CNS Client for Cisco IOS (IPSec Policy Agent II) | (5) | No | No | No | No | No | No | No | No | No | No | No |
| ISDN MIB RFC 2127 | | Yes | No | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Multicast Routing Monitor | (5) | Yes | No | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Network Director Forwarding Agent | (5) | No | No | Yes | Yes | No | Yes | Yes | Yes | No | Yes | Yes |
| Process MIB | (3) | Yes | No | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Subnetwork Bandwidth Manager | (5) | Yes | No | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Quality of Service | | | | | | | | | | | | |
| Class-Based Weighted Fair Queueing | (5) | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| CLI String Search | | Yes | No | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Express RTP and TCP Header Compression | (7) | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| IP to ATM Class of Service (CoS) | (7) | No | No | Yes | Yes | No | Yes | Yes | Yes | No | Yes | Yes |
| Security | | | | | | | | | | | | |
| Cisco Secure Integrated Software | (7) | No | No | No | No | Yes | Yes | No | Yes | No | No | Yes |
| IOS Firewall Feature Set | | No | No | No | No | Yes | Yes | No | Yes | No | No | Yes |
| IOS Firewall Feature Set Enhancements | (5) | No | No | No | No | Yes | Yes | No | Yes | No | No | Yes |
| Switching | | | | | | | | | | | | |
| Cisco IOS STP Enhancements | | No | No | Yes | Yes | No | Yes | Yes | Yes | No | Yes | Yes |
| Voice and Multimedia | | | | | | | | | | | | |
| 1- and 2-Port T1/E1 Multiflex VWICs | (7) | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| BRI Voice over IP: VIC-2BRI-S/T-TE | (3) | No | No | Yes | Yes | No | Yes | Yes | Yes | No | Yes | Yes |
| Busyout Monitor | (7) | No | No | Yes | Yes | No | Yes | Yes | Yes | No | Yes | Yes |
| Digital T1 Packet Voice Trunk Network Modules | (7) | No | No | Yes | Yes | No | Yes | Yes | Yes | No | Yes | Yes |
| Gateway Support for Alternate Gatekeeper | (7) | No | Yes | No | No | No | No | No | No | No | No | No |
| H.235 Accounting and Security Enhancements for Cisco Gateways | (7) | No | Yes | No | No | No | No | No | No | No | No | No |
| H.323 Version 2 | (5) | No | Yes | No | No | No | No | No | No | No | No | No |
| H.323 Multizone Enhancements | (7) | No | Yes | No | No | No | No | No | No | No | No | No |
| Interactive Voice Response for Cisco Access | (7) | No | No | Yes | Yes | No | Yes | Yes | Yes | No | Yes | Yes |
| Voice Over Frame Relay Enhancements (FRF.11 and FRF.12) | (4) | No | No | Yes | Yes | No | Yes | Yes | Yes | No | Yes | Yes |
| WAN Services | | | | | | | | | | | | |
| Annex-G (X.25 over Frame Relay) | (3) | Yes | No | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| ATM OC3 NM | (3) | No | No | Yes | Yes | No | Yes | Yes | Yes | No | Yes | Yes |
| ATM LANE FSSR Protocol | (5) | No | No | Yes | Yes | No | Yes | Yes | Yes | No | Yes | Yes |
| Debit Card for Packet Telephony | (7) | No | No | Yes | Yes | No | Yes | Yes | Yes | No | Yes | Yes |
| DNS-Based X.25 Routing | (5) | Yes | No | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Frame Relay End-to-End Keepalive | (5) | Yes | No | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Interface MIB for ATM Subinterfaces | (7) | No | No | Yes | Yes | No | Yes | Yes | Yes | No | Yes | Yes |
| IOS IEEE 802.1Q Support | | No | No | Yes | Yes | No | Yes | Yes | Yes | Yes | Yes | Yes |
| ISDN Dynamic Multiple Encaps for Dial-in | (4) | Yes | No | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| ISDN Dynamic Multiple Encaps for Dial-in with Frame Relay Support | (7) | Yes | No | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| ISDN LAPB-TA | (4) | Yes | No | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Mobile IP | | No | No | Yes | Yes | No | Yes | Yes | Yes | No | Yes | Yes |
| Modem over ISDN BRI² | (3) | Yes | No | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| MPLS Traffic Engineering | (7) | No | No | No | No | No | No | No | No | No | No | No |
| Multicast Source Discovery Protocol (MSDP) | (7) | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Multiport T1/E1 ATM Network Module with Inverse Multiplexing over ATM | (5) | No | No | Yes | Yes | No | Yes | Yes | Yes | No | Yes | Yes |
| Packet Telephony Settlement | (7) | No | No | No | No | No | No | No | No | No | No | No |
| PPP Over Frame Relay | | Yes | No | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | No |
| Time-based Access Lists | | Yes | No | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | No |
| X.25 Closed User Groups | (7) | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| X.25 Load Balancing | (3) | Yes | No | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| X.25 Switch Local Acknowledgment | (7) | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |

¹ This image was introduced in Release 12.0(2)T.
² Cisco 3620 router only.


Table 5: Feature Lists by Feature Sets for the Cisco 3620 and 3640 Routers, Part 2 of 2

| Features | In | Enterprise Plus | Enterprise Plus IPSec 56 | Enterprise/FW/IDS Plus IPSec 56 | Enterprise Plus IPSec 3DES¹ | Enterprise/FW/IDS Plus IPSec 3DES | Enterprise/SNASw Plus | Enterprise/SNASw Plus IPSec 56 | Enterprise/SNASw Plus IPSec 3DES |
|---|---|---|---|---|---|---|---|---|---|
| Connectivity | | | | | | | | | |
| Layer 2 Tunnel Protocol (L2TP) | (1) | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| RIP Enhancements | (1) | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| SNMP version 3 | (3) | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| IBM Support | | | | | | | | | |
| DLSw+ Enhanced Load Balancing | (3) | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| DLSw+ Ethernet Redundancy | (5) | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| DLSw+ Peer Clusters | (3) | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| DLSw+ RSVP | (3) | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| SNA Switching Services | (7) | No | No | No | No | No | Yes | Yes | Yes |
| Token Ring Interswitch Link | (3) | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| IP/IPX Routing | | | | | | | | | |
| Airline Product Set Enhancements | (5) | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Async over UDP | (5) | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Easy IP Phase 2-DHCP Server | | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| IP RTP Priority | (5) | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Flow-based WRED | (3) | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| IS-IS Multiarea Support | (5) | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Multilayer Switching for IP Multicast | (5) | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Multilayer Switching for IPX | (5) | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| OSPF Packet Pacing | | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| OS_IFSS | | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| PGM Router Assist | (5) | Yes | Yes | Yes | Yes | Yes | No | No | No |
| Service Assurance Agent (formerly Response Time Reporter) | (5) | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Web Cache Communications Protocol V2 (WCCPv2) | (3) | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Management | | | | | | | | | |
| CNS Client for Cisco IOS (IPSec Policy Agent II) | (5) | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| ISDN MIB RFC 2127 | | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Multicast Routing Monitor | (5) | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Network Director Forwarding Agent | (5) | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Process MIB | (3) | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Subnetwork Bandwidth Manager | (5) | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Quality of Service | | | | | | | | | |
| Class-Based Weighted Fair Queueing | (5) | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| CLI String Search | | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Express RTP and TCP Header Compression | (7) | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| IP to ATM Class of Service (CoS) | (7) | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Security | | | | | | | | | |
| Cisco Secure Integrated Software | (7) | No | No | Yes | No | Yes | No | No | No |
| IOS Firewall Feature Set | | No | No | Yes | No | Yes | No | No | No |
| IOS Firewall Feature Set Enhancements | (5) | No | No | Yes | No | Yes | No | No | No |
| Switching | | | | | | | | | |
| Cisco IOS STP Enhancements | | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Voice and Multimedia | | | | | | | | | |
| 1- and 2-Port T1/E1 Multiflex VWICs | (7) | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| BRI Voice over IP: VIC-2BRI-S/T-TE | (3) | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Busyout Monitor | (7) | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Digital T1 Packet Voice Trunk Network Modules | (7) | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Gateway Support for Alternate Gatekeeper | (7) | No | No | No | No | No | No | No | No |
| H.235 Accounting and Security Enhancements for Cisco Gateways | (7) | No | No | No | No | No | No | No | No |
| H.323 Version 2 | (5) | No | No | No | No | No | No | No | No |
| H.323 Multizone Enhancements | (7) | No | No | No | No | No | No | No | No |
| Interactive Voice Response for Cisco Access | (7) | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Voice Over Frame Relay Enhancements (FRF.11 and FRF.12) | (4) | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| WAN Services | | | | | | | | | |
| Annex-G (X.25 over Frame Relay) | (3) | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| ATM OC3 NM | (3) | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| ATM LANE FSSR Protocol | (5) | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Debit Card for Packet Telephony | (7) | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| DNS-Based X.25 Routing | (5) | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Frame Relay End-to-End Keepalive | (5) | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Interface MIB for ATM Subinterfaces | (7) | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| IOS IEEE 802.1Q Support | | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| ISDN Dynamic Multiple Encaps for Dial-in | (4) | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| ISDN Dynamic Multiple Encaps for Dial-in with Frame Relay Support | (7) | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| ISDN LAPB-TA | (4) | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Mobile IP | | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Modem over ISDN BRI² | (3) | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| MPLS Traffic Engineering | (7) | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Multicast Source Discovery Protocol (MSDP) | (7) | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Multiport T1/E1 ATM Network Module with Inverse Multiplexing over ATM | (5) | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Packet Telephony Settlement | (7) | No | Yes | No | No | No | No | No | No |
| PPP Over Frame Relay | | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Time-Based Access Lists | | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| X.25 Closed User Groups | (7) | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| X.25 Load Balancing | (3) | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| X.25 Switch Local Acknowledgment | (7) | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |

¹ This image was introduced in Cisco IOS Release 12.0(2)T.
² Cisco 3640 routers only.


Table 6: Feature Lists by Feature Sets for the Cisco 3661 and 3662 Routers, Part 1 of 2

| Features | In | IP | IP/FW/IDS | IP/FW/IDS Plus IPSec 56 | IP/H.323 | IP Plus | IP Plus IPSec 56 | IP/FW/IDS Plus IPSec 3DES | IP Plus IPSec 3DES | IP/IPX/AT/DEC | IP/IPX/AT/DEC FW IDS Plus | IP/IPX/AT/DEC Plus | Telco | Telco Plus |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Connectivity | | | | | | | | | | | | | | |
| L2TP Dial Out | (5) | No | No | Yes | No | Yes | Yes | Yes | Yes | No | Yes | Yes | Yes | Yes |
| IBM Support | | | | | | | | | | | | | | |
| DLSw+ Ethernet Redundancy | (5) | No | No | Yes | No | Yes | Yes | Yes | Yes | No | Yes | Yes | No | Yes |
| SNA Switching Services | (7) | No | No | No | No | No | No | No | No | No | No | No | No | No |
| IP/IPX Routing | | | | | | | | | | | | | | |
| Airline Product Set Enhancements | (5) | Yes | Yes | Yes | No | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Async over UDP | (5) | Yes | Yes | Yes | No | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| IP RTP Priority | (5) | Yes | Yes | Yes | No | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| IS-IS Multiarea Support | (5) | No | No | No | No | No | No | No | No | No | Yes | No | Yes | Yes |
| Multilayer Switching for IP Multicast | (5) | No | Yes | Yes | No | Yes | Yes | Yes | Yes | Yes | Yes | Yes | No | Yes |
| Multilayer Switching for IPX | (5) | Yes | Yes | Yes | No | Yes | Yes | Yes | Yes | Yes | Yes | Yes | No | Yes |
| PGM Router Assist | (5) | Yes | Yes | Yes | No | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Service Assurance Agent (formerly Response Time Reporter) | (5) | Yes | Yes | Yes | No | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Management | | | | | | | | | | | | | | |
| CNS Client for Cisco IOS (IPSec Policy Agent II) | (5) | No | No | No | No | No | No | No | No | No | No | No | No | Yes |
| Multicast Routing Monitor | (5) | Yes | Yes | Yes | No | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Subnetwork Bandwidth Manager | (5) | Yes | Yes | Yes | No | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Quality of Service | | | | | | | | | | | | | | |
| Class-Based Weighted Fair Queueing | (5) | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Express RTP and TCP Header Compression | (7) | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | No | No |
| IP to ATM Class of Service (CoS) | (7) | No | No | Yes | No | Yes | Yes | Yes | Yes | Yes | Yes | Yes | No | No |
| Security | | | | | | | | | | | | | | |
| Cisco Secure Integrated Software | (7) | No | Yes | Yes | No | No | No | Yes | No | No | Yes | No | No | No |
| Digital T1 Packet Voice Trunk Network Modules | (7) | No | No | Yes | No | Yes | Yes | Yes | Yes | Yes | Yes | Yes | No | No |
| H.235 Accounting and Security Enhancements for Cisco Gateways | (7) | No | No | No | Yes | No | No | No | No | No | No | No | No | No |
| Interactive Voice Response for Cisco Access | (7) | No | No | Yes | No | Yes | Yes | Yes | Yes | No | Yes | Yes | No | Yes |
| WAN Services | | | | | | | | | | | | | | |
| ATM LANE FSSR Protocol | (5) | No | No | Yes | No | Yes | Yes | Yes | Yes | No | Yes | Yes | No | Yes |
| Debit Card for Packet Telephony | (7) | No | No | Yes | No | Yes | Yes | Yes | Yes | No | Yes | Yes | No | Yes |
| DNS for X.25 | (5) | Yes | Yes | Yes | No | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Frame Relay End-to-End Keepalive | (5) | Yes | Yes | Yes | No | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Interface MIB for ATM Subinterfaces | (7) | No | No | Yes | No | Yes | Yes | Yes | Yes | No | Yes | Yes | No | Yes |
| ISDN Dynamic Multiple Encaps for Dial-in with Frame Relay Support | (7) | Yes | Yes | Yes | No | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |

MPLS Traffic Engineering

(7)

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

Yes

No

No

Packet Telephony Settlement

(7)

No

No

No

No

No

No

No

No

No

No

No

No

No

X.25 Closed User Groups

(7)

No

No

No

No

No

No

No

No

No

No

No

No

No

X.25 Switch Local Acknowledgment

(7)

No

No

No

No

No

No

No

No

No

No

No

No

No


Table 7: Feature Lists by Feature Sets for the Cisco 3661 and 3662 Routers, Part 2 of 2

| Features | In | Enterprise Plus | Enterprise/FW IDS Plus IPSec 56 | Enterprise/FW IDS Plus IPSec 3DES | Enterprise Plus/IPSec 56 | Enterprise Plus IPSec 3DES | Enterprise/SNASw Plus | Enterprise/SNASw Plus IPSec 3DES | Enterprise/SNASw Plus IPSec 56 |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Connectivity | | | | | | | | | |
| L2TP Dial Out | (5) | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| IBM Support | | | | | | | | | |
| DLSw+ Ethernet Redundancy | (5) | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| SNA Switching Services | (7) | No | No | No | No | No | Yes | Yes | Yes |
| IP/IPX Routing | | | | | | | | | |
| Airline Product Set Enhancements | (5) | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Async over UDP | (5) | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| IP RTP Priority | (5) | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| IS-IS Multiarea Support | (5) | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Multilayer Switching for IP Multicast | (5) | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Multilayer Switching for IPX | (5) | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| PGM Router Assist | (5) | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Service Assurance Agent (formerly Response Time Reporter) | (5) | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Management | | | | | | | | | |
| CNS Client for Cisco IOS (IPSec Policy Agent II) | (5) | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Multicast Routing Monitor | (5) | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Subnetwork Bandwidth Manager | (5) | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Quality of Service | | | | | | | | | |
| Class-Based Weighted Fair Queueing | (5) | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Express RTP and TCP Header Compression | (7) | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| IP to ATM Class of Service (CoS) | (7) | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Security | | | | | | | | | |
| Cisco Secure Integrated Software | (7) | No | Yes | Yes | No | No | No | No | |
| Voice and Multimedia | | | | | | | | | |
| Busyout Monitor | (7) | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Digital T1 Packet Voice Trunk Network Modules | (7) | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Gateway Support for Alternate Gatekeeper | (7) | No | No | No | No | No | No | No | No |
| H.235 Accounting and Security Enhancements for Cisco Gateways | (7) | No | No | No | No | No | No | No | No |
| H.323 Version 2 | (5) | No | No | No | No | No | No | No | No |
| H.323 Multizone Enhancements | (7) | No | No | No | No | No | No | No | No |
| Interactive Voice Response for Cisco Access | (7) | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| WAN Services | | | | | | | | | |
| ATM LANE FSSR Protocol | (5) | Yes | Yes | Yes | Yes | Yes | Yes | Yes | No |
| Debit Card for Packet Telephony | (7) | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| DNS for X.25 | (5) | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Frame Relay End-to-End Keepalive | (5) | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Interface MIB for ATM Subinterfaces | (7) | Yes | Yes | Yes | Yes | Yes | Yes | Yes | No |
| ISDN Dynamic Multiple Encaps for Dial-in with Frame Relay Support | (7) | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| MPLS Traffic Engineering | (7) | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Multicast Source Discovery Protocol (MSDP) | (7) | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Packet Telephony Settlement | (7) | No | No | No | Yes | No | No | No | No |
| X.25 Closed User Groups | (7) | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| X.25 Switch Local Acknowledgment | (7) | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |

New and Changed Information

The following sections list the new hardware and software features supported by the Cisco 3600 series for Release 12.0 T.

New Hardware Features in Cisco IOS Release 12.0(7)T

Release 12.0(7)T supports the following new hardware features for the Cisco 3600 series.

1- and 2-Port T1/E1 Multiflex Voice/WAN Interface Cards on Cisco 2600 and 3600 Series Routers

Cisco T1/E1 Multiflex Voice/WAN interface cards (VWICs) support voice and data applications in the Cisco 2600 and 3600 series routers. The VWICs offer the WAN interface card (WIC) and the voice interface card (VIC) functionality in a variety of applications for enterprises and for service providers who supply customer premises equipment.


Note: On the Cisco 3660 series routers, Multiflex VWICs are supported only when installed in digital T1 packet voice trunk network modules.

Multiflex VWICs support the following applications:

The following Multiflex VWICs are available:

Multiflex VWIC features include:

Per-channel T1/E1 data rates of 64 or 56 kbps for WAN services (Frame Relay or leased line)

For details, see "Hardware Supported" and the online feature module.

Digital T1 Packet Voice Trunk Network Modules on Cisco 2600 and 3600 Series Routers

Digital T1 packet voice trunk network modules for the Cisco 2600 and 3600 series routers allow enterprises or service providers, who supply the equipped routers as customer premises equipment, to deploy digital voice and fax relay. These modules receive constant bit-rate telephony information over T1 interfaces and can convert that information into a compressed format, so that the information can be transmitted as voice over IP.

The following high-density T1 network modules are available:

T1 digital voice over IP includes the following functionality:

For details, see the online feature module.

New Software Features in Cisco IOS Release 12.0(7)T

Release 12.0(7)T supports the following new software features for the Cisco 3600 series.

Busyout Monitor on Cisco 2600 and 3600 Series Routers

The Busyout Monitor feature is one aspect of Call Admission Control (CAC) that allows network administrators to use both a data network and the public switched telephone network (PSTN) to provide the best possible quality for Voice over IP (VoIP) calls. Although voice calls are routed across the data network whenever possible to take advantage of the cost savings provided by integrated applications, the Busyout Monitor allows network administrators to provide voice services through the PSTN in the event of a network interface failure.

If a locally connected LAN or WAN interface on a VoIP gateway fails, it busies out voice ports. This means that a connected private-branch exchange (PBX) or key system reroutes the call through the local PSTN.

For details, see the online feature module.

Cisco H.235 Accounting and Security Enhancements for Cisco Gateways

The Cisco H.323 gateway now supports the use of CryptoH323Tokens for authentication.

The CryptoH323Token is defined in H.225 Version 2 and supports the following features:

With this release, Cisco H.323 gateways support three levels of authentication:

You can configure the level of authentication for the gateway by using the Cisco IOS software command line interface.

CryptoTokens for registration request (RRQ), unregistration request (URQ), disengage request (DRQ), and the terminating side of admission request (ARQ) messages contain information about the gateway that generated the token, including the gateway ID (which is the H.323 ID configured on the gateway) and the gateway password.

CryptoTokens for the originating side ARQ messages contain information about the user who is placing the call, including the user ID and personal identification number (PIN).

Cisco H.323 Multizone Enhancements

Cisco H.323 Multizone enhancements allow a Cisco gateway to provide information to the gatekeeper with additional fields in the RAS (registration, admission, and status) messages.

Previously, the source gateway attempted to set up a call to a destination IP address as provided by the gatekeeper in an Admission Confirm (ACF) message. If the gatekeeper was unable to resolve the destination E.164 phone number to an IP address, the incoming call was terminated.

This version of the H.323 software adds support to allow a gatekeeper to provide additional destination information and modify the destinationInfo field in the ACF. The gateway includes the canMapAlias associated destination information in setting up the call to the destination gateway.

With the canMapAlias functionality, this version includes support for the gatekeeper to indicate to the gateway that the call should be sent to a new E.164 number. The gatekeeper indicates this by sending an Admission Confirm message with an IP address of 0.0.0.0 in the destCallSignalAddress field and the new destination E.164 phone number in the destinationInfo field.

The gateway receiving such an ACF falls back to routing the call based on this new E.164 address and performing a new lookup of the gateway's configured dial plan. This can result in the call being routed back to the PSTN or to an H.323 endpoint.

Cisco Secure Integrated Software H.323 V2 and RTSP Protocol Inspection

Cisco Secure Integrated Software (Cisco Secure IS, previously known as the Cisco IOS Firewall Feature Set) enhancements provide audio, video, and multimedia application support.

The Cisco Secure IS H.323 V2 and Real-Time Streaming Protocol (RTSP) inspection feature provides firewall support for multimedia applications that require delivery of data with real-time properties such as audio and videoconferencing.

Cisco Secure IS has been enhanced to inspect these multimedia application protocols:

RTSP
H.323
H.323 V2

Debit Card for Packet Telephony on Cisco Access Platforms

The Debit Card feature provides:

Dynamic Multiple Encapsulations for Dial-In over ISDN with Frame Relay Support

The Dynamic Multiple Encapsulations feature allows incoming calls over ISDN to be assigned an encapsulation type such as Frame Relay, PPP, and X.25 based on calling line identification (CLID) or DNIS. It also allows various encapsulation types and per-user configurations on the same ISDN B channel at different times according to the type of incoming call.

The Dynamic Multiple Encapsulations feature allows per-user configuration for each dial-in caller on any ingress ISDN B channel on which encapsulation can be run independently from other B channels on the same ISDN link. The caller is identified by CLID (caller ID) or DNIS to ensure that only incoming calls with authorization and valid user profiles are accepted. When PPP is used, authentication and profile binding can also be done by PPP name.

In addition, a large set of user profiles can be stored in dialer profiles locally or on a remote AAA server. (For large scale dial-in, storing user-specific configurations on a remote server becomes necessary for enhancing expandability and local memory efficiency.) However, whether stored locally or on a remote AAA server, the user-specific encapsulation and configuration can be applied to individual B channels dynamically and independently.

Dynamic multiple encapsulation is especially important in Europe where ISDN is relatively inexpensive and maximum use of all 30 B channels on the same ISDN link is desirable. Further, the feature removes the need to statically dedicate channels to a particular encapsulation and configuration type, and improves channel usage.

Express RTP and TCP Header Compression

Formerly, if compression of TCP or Real-Time Transport Protocol (RTP) headers was enabled, compression was performed in the process-switching path. That meant that packets traversing interfaces that had TCP or RTP header compression enabled were queued and passed up to the process to be switched. This procedure slowed down transmission of the packet; therefore, some users preferred to fast switch uncompressed TCP and RTP packets.

Now, if TCP or RTP header compression is enabled, compression occurs by default in the fast-switched path or the Cisco Express Forwarding-switched (CEF-switched) path, depending on which switching method is enabled on the interface. Furthermore, the number of TCP and RTP header compression connections was increased to a thousand connections each.

If neither fast switching nor CEF switching is enabled and TCP or RTP header compression is enabled, compression occurs in the process-switched path as before.

Gateway Support for Alternate Gatekeeper

The Alternate Gatekeeper feature provides redundancy for a gatekeeper in a system where gatekeepers are used. This enhancement allows a gateway to use up to two alternate gatekeepers as a backup in case of a primary gatekeeper failure.

A gatekeeper manages H.323 endpoints in a consistent manner, allowing the endpoints to register with the gateway and to locate another gatekeeper.

The gatekeeper provides logic variables for proxies or gateways in a call path to:

You can configure multiple gatekeepers to communicate with one another either by integrating their addresses into the Domain Name System (DNS) or by using Cisco IOS configuration options.

Interactive Voice Response for Cisco Access

Cisco is building voice gateways to connect more traditional telephone networks to voice over IP (VoIP) networks. Customers who are installing VoIP networks often need a mechanism at the gateway to present a customized interface to the caller. The Interactive Voice Response (IVR) feature was first made available to customers with Cisco IOS Release 11.(3)NA2 with the Service Provider VoIP feature set. IVR, with the addition of scripts using Tool Command Language (TCL), is being introduced. These TCL IVR scripts are the default scripts that must be used with the IVR application in Cisco IOS Release 12.0(7)T and future releases.

IVR consists of simple voice prompting and digit collection to gather caller information for authenticating the user and identifying the destination. IVR provides the ability to:

Interface MIB Implementation for ATM Subinterfaces

The Interface MIB Implementation for ATM Subinterfaces feature implements the Interface MIB (RFC 2233) for ATM subinterfaces, which enables the ATM subinterfaces to be visible in the ifTable.

Network managers can now query the MIB variables on a per-subinterface basis.

Since the implementation of this feature is in platform-independent code, this feature is supported on all Cisco ATM interfaces/port adapters where speeds are equal to or higher than OC-3.

IP to ATM Class of Service (CoS)

The IP to ATM Class of Service feature maps quality of service (QoS) characteristics between IP and ATM, using network modules on the Cisco 2600 and 3600 series routers. The resulting feature makes it possible to support different service classes (sometimes termed "differential service classes") in network service provider environments.

IP to ATM CoS is designed to provide a true working solution to class-based services, without the investment of new ATM network infrastructures. Now networks can offer different services across the entire wide-area network, not just the routed portion. Mission-critical applications can be given exceptional service during periods of high network usage and congestion. In addition, noncritical traffic can be restricted in its network usage, which ensures greater QoS for more important traffic and user types.

IP to ATM CoS supports configuration of both a single ATM virtual circuit (VC) and VC bundles. IP to ATM CoS support for a single ATM VC allows network managers to use existing features, such as committed access rate (CAR) or policy-based routing (PBR), to classify and mark different IP traffic by modifying the IP Precedence field in the IPv4 packet header. Subsequently, Weighted Random Early Detection (WRED) can be configured on a per-VC basis so that the IP traffic is subject to different drop probabilities (and therefore priorities) as IP traffic coming into a router competes for bandwidth on a particular VC.

The Cisco 2600 and 3600 series ATM network modules provide the ability to shape traffic on each VC according to the ATM service category and traffic parameters employed. When you use the IP to ATM CoS feature, congestion is managed entirely at the IP layer by WRED running on the routers at the edge of the ATM network.

ATM VC Bundle Support and Management

ATM VC bundle management allows users to configure multiple VCs that have different QoS characteristics between any pair of ATM-connected routers. ATM VC bundle management allows you to define an ATM VC bundle and add VCs to it. Each VC of a bundle has its own ATM traffic class and ATM traffic parameters. You can apply attributes and characteristics to discrete VC bundle members or you can apply them collectively at the bundle level.

Using VC bundles, you can create differentiated service by flexibly distributing IP Precedence levels over the different VC bundle members. You can map a single precedence level or a range of levels to each discrete VC in the bundle, thereby enabling individual VCs in the bundle to carry packets marked with different precedence levels. You can use WRED to further differentiate service across traffic that has different IP Precedence but that uses the same VC in a bundle.

To determine which VC in the bundle to use to forward a packet to its destination, the ATM VC bundle management software matches precedence levels between packets and VCs. IP traffic is sent to the next hop address for the bundle because all VCs in a bundle share the same destination, but the VC used to carry a packet depends on the value set for that packet in the IP Precedence bits of the ToS byte of its header. The ATM VC bundle management software matches the packet's IP Precedence to the IP Precedence value or range of values assigned to a VC, sending the packet out on the appropriate VC. Moreover, the ATM VC bundle management feature allows you to configure how traffic will be redirected when the VC the packet was matched to goes down.

The support of multiple parallel ATM VCs allows you to create stronger service differentiation at the IP layer. For instance, you might want to provide IP traffic belonging to real-time CoS (such as Voice over IP traffic) on an ATM VC with strict constraints (a constant bit rate (CBR) or variable bit rate (VBR-rt) PVC, for example), while transporting traffic other than real-time traffic over a more elastic ATM available bit rate (ABR) permanent virtual circuit (PVC). Using a configuration such as this would allow you to fully utilize your network capacity. You could also elect to transport best-effort IP traffic over an uncommitted bit rate (UBR) PVC; UBR is effectively ATM's version of best-effort service.
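The precedence-to-VC matching described above, sketched as an added example that is not Cisco's implementation. It reads the IP Precedence bits from an IPv4 header, picks the bundle member mapped to that level, reports levels that no member carries, and follows a redirect when the matched VC is down. The VC names, the per-VC `redirect` setting (a stand-in for the configurable redirection the text mentions) and the sample headers are all constructed for illustration.

```python
import struct


def ip_precedence(ipv4_header):
    """Return the 3-bit IP Precedence: the top three bits of the ToS byte."""
    if len(ipv4_header) < 20 or ipv4_header[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    return ipv4_header[1] >> 5


class VCBundle:
    """Hypothetical model of a VC bundle: members that share one next hop."""

    def __init__(self, next_hop):
        self.next_hop = next_hop
        # VC name -> {"levels": set of precedence values, "up": bool, "redirect": VC name or None}
        self.members = {}

    def add_vc(self, name, levels, redirect=None):
        levels = set(levels)
        for other, vc in self.members.items():
            clash = levels & vc["levels"]
            if clash:
                raise ValueError(f"precedence {sorted(clash)} already mapped to {other}")
        self.members[name] = {"levels": levels, "up": True, "redirect": redirect}

    def set_state(self, name, up):
        self.members[name]["up"] = up

    def unmapped_levels(self):
        """Precedence levels (0-7) that no member carries; such packets match no VC."""
        mapped = set().union(*(vc["levels"] for vc in self.members.values()))
        return sorted(set(range(8)) - mapped)

    def select_vc(self, ipv4_header):
        """Return the name of the VC that carries this packet, or None if none can."""
        level = ip_precedence(ipv4_header)
        name = next((n for n, vc in self.members.items() if level in vc["levels"]), None)
        seen = set()
        while name is not None:
            vc = self.members.get(name)
            if vc is None or name in seen:   # dangling redirect or redirect loop
                return None
            if vc["up"]:
                return name
            seen.add(name)
            name = vc["redirect"]            # matched VC is down: follow its redirect
        return None


def make_header(tos):
    """Build a constructed 20-byte IPv4 header (checksum left at 0) with the given ToS byte."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20, 0, 0, 64, 17, 0,
                       bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))


def build_example_bundle():
    """Constructed bundle: three members, precedence 4 deliberately left unmapped."""
    bundle = VCBundle(next_hop="192.0.2.2")
    bundle.add_vc("control", levels=range(6, 8))
    bundle.add_vc("voice", levels=[5], redirect="control")
    bundle.add_vc("best-effort", levels=range(0, 4))
    return bundle


if __name__ == "__main__":
    bundle = build_example_bundle()
    print("unmapped precedence levels:", bundle.unmapped_levels())
    for tos in (0xB8, 0xC0, 0x00, 0x80):
        print(hex(tos), "->", bundle.select_vc(make_header(tos)))
    bundle.set_state("voice", up=False)
    print("voice VC down, 0xb8 ->", bundle.select_vc(make_header(0xB8)))
```
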

Benefits
Restrictions

The IP to ATM CoS feature is supported on both the 2600 and 3600 series routers with the following restrictions:

Prerequisites

The IP to ATM CoS feature requires ATM PVC management and Cisco Express Forwarding (CEF) switching functionality. It also requires that the remote router run a version of Cisco IOS software that supports IP to ATM CoS with VC bundle management.

To use this feature, you should be familiar with the following QoS features:

Per-VC WRED applies the WRED algorithm independently to each per-VC queue. The WRED parameters are configurable on a per-VC basis so that congestion management can be configured as appropriate for each VC. Per-VC WRED statistics maintain per-flow and per-VC statistics based on IP Precedence.
Per-VC Class-Based WFQ (CBWFQ) allows you to apply CBWFQ functionality, normally applicable at the interface or subinterface levels only, to an individual VC configured for IP to ATM CoS. You can use this extension to IP to ATM CoS to apply either class-based WFQ (CBWFQ) or flow-based WFQ on a per-VC basis.
CBWFQ extends the flow-based WFQ functionality to provide support for user-defined classes. CBWFQ allows you to define traffic classes that are based on certain match criteria such as access control lists, input interface names, protocols, and quality of service (QoS) labels. Once a class has been defined according to its match criteria, you can assign it characteristics. To characterize a class, you assign it bandwidth, weight, and maximum packet limit. The bandwidth assigned to a class is the minimum bandwidth delivered to the class during congestion. Also, to characterize a class, you specify the queue limit for that class, which is the maximum number of packets allowed to accumulate in its queue. Packets belonging to a class are subject to the bandwidth and queue limits that characterize the class.
After you define traffic classes, you can configure one or more of them in a policy map to be attached as a service policy. CBWFQ allows you to create policy maps and attach them to interfaces or subinterfaces as service policies. The IP to ATM CoS, per-VC WFQ and CBWFQ feature allows you to create a policy map using standard CBWFQ, then apply the map to a VC to be used as a service policy for that VC. For complete information on CBWFQ, refer to the Cisco IOS Release 12.0(5)T feature module titled Class-Based Weighted Fair Queueing .

Documentation for these features can be found on the Documentation CD-ROM and on Cisco Connection Online (CCO).

Low Latency Queueing (CSCdm84810)

The Low-Latency Queueing (LLQ) featurette brings strict priority queueing to Class-Based Weighted Fair Queueing (CBWFQ). Strict priority queueing allows delay-sensitive data, such as voice, to be dequeued and sent first (before packets in other queues are dequeued), giving delay-sensitive data preferential treatment over other traffic.

Without LLQ, CBWFQ provides weighted fair queueing based on defined classes with no strict priority queue available for real-time traffic. CBWFQ allows you to define traffic classes and then assign characteristics to that class. For example, you can designate the minimum bandwidth delivered to the class during congestion. This scheme poses problems for voice traffic, which is largely intolerant of delay, especially variation in delay. The delay introduces irregularities of transmission manifesting as jitter in the heard conversation.

The LLQ feature provides strict priority queueing for CBWFQ, reducing jitter in voice conversations. Configured by using the priority command, LLQ enables use of a single, strict priority queue within CBWFQ at the class level, allowing you to direct traffic belonging to a class to the CBWFQ strict priority queue.

Although it is possible to enqueue various types of real-time traffic to the strict priority queue, we strongly recommend that you direct only voice traffic to it. Voice traffic is well-behaved, whereas other types of real-time traffic are not. Furthermore, voice traffic requires that delay be nonvariable in order to avoid jitter. Real-time traffic, such as video, can introduce variation in delay, thereby thwarting the steadiness of delay required for successful voice traffic transmission.

When the bandwidth has been exceeded during congestion, policing is used to drop packets. Voice traffic enqueued to the priority queue is UDP-based; therefore it is not adaptive to the early packet drop characteristic of Weighted Random Early Detection (WRED).

When congestion occurs, traffic destined for the priority queue is metered to ensure that the bandwidth allocation configured for the class to which the traffic belongs is not exceeded.
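The behaviour described above (strict priority dequeueing, with the priority class metered to its allocation only during congestion) can be seen in a small model. This is an added example, not Cisco code: the per-interval packet counting, the single default queue standing in for all other classes, the `police` switch used for contrast, and every name in it are assumptions made for illustration.

```python
from collections import deque


class LLQModel:
    """Per-interval model of one interface: a strict priority class plus a default queue.

    Assumptions (not from the release notes): time is sliced into intervals,
    link capacity and the priority allocation are counted in packets per
    interval, and all non-priority classes are collapsed into one FIFO queue.
    """

    def __init__(self, link_capacity, priority_allocation, police=True):
        self.link_capacity = link_capacity
        self.priority_allocation = priority_allocation
        self.police = police
        self.priority_queue = deque()
        self.default_queue = deque()
        self.policed_drops = 0

    @staticmethod
    def _dequeue(queue, limit):
        return [queue.popleft() for _ in range(min(limit, len(queue)))]

    def tick(self, priority_pkts, default_pkts):
        """Offer one interval of arrivals; return (priority_sent, default_sent)."""
        self.default_queue.extend(default_pkts)
        offered = len(self.priority_queue) + len(priority_pkts) + len(self.default_queue)
        congested = offered > self.link_capacity

        # Metering applies only during congestion: the priority class is held
        # to its configured allocation and the excess is dropped, not queued.
        if congested and self.police:
            admitted = priority_pkts[: self.priority_allocation]
            self.policed_drops += len(priority_pkts) - len(admitted)
        else:
            admitted = priority_pkts
        self.priority_queue.extend(admitted)

        # Strict priority: the priority queue is emptied before anything
        # waiting in the default queue is sent.
        priority_sent = self._dequeue(self.priority_queue, self.link_capacity)
        default_sent = self._dequeue(self.default_queue,
                                     self.link_capacity - len(priority_sent))
        return priority_sent, default_sent


# Constructed arrivals per interval: (priority packets, default packets).
ARRIVALS = [(6, 3), (6, 8), (10, 5), (2, 0)]


def simulate(arrivals, police):
    """Return (per-interval (priority_sent, default_sent), policed drops, default backlog)."""
    link = LLQModel(link_capacity=10, priority_allocation=4, police=police)
    history = []
    for n_priority, n_default in arrivals:
        voice = [("voice", i) for i in range(n_priority)]
        data = [("data", i) for i in range(n_default)]
        priority_sent, default_sent = link.tick(voice, data)
        history.append((len(priority_sent), len(default_sent)))
    return history, link.policed_drops, len(link.default_queue)


if __name__ == "__main__":
    for police in (True, False):
        history, drops, backlog = simulate(ARRIVALS, police)
        print(f"police={police}: sent={history} policed_drops={drops} default_backlog={backlog}")
```

In the first interval the link is not congested, so the priority class sends more than its allocation. In the third interval the unpoliced run sends no default traffic at all, which is the starvation that metering the priority class prevents.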

MPLS Traffic Engineering

Multiprotocol Label Switching (MPLS) traffic engineering software:

Traffic engineering is essential for service provider and Internet service provider (ISP) backbones that support a high-transmission capacity, and the networks must be resilient to withstand link or node failures.
With MPLS, traffic engineering capabilities are integrated into Layer 3, which optimizes the routing of IP traffic, given the constraints imposed by backbone capacity and topology.

Multicast Source Discovery Protocol

Multicast Source Discovery Protocol (MSDP):

Each PIM-SM domain uses its own RPs and does not depend on RPs in other domains. An RP runs MSDP over TCP to discover multicast sources in other domains.
An RP in a PIM-SM domain has an MSDP peering relationship with MSDP-enabled routers in another domain. The peering relationship occurs over a TCP connection where primarily a list of sources sending to multicast groups is exchanged. The TCP connections between RPs are achieved by the underlying routing system. The receiving RP uses the source lists to establish a source path.
The purpose of this topology is to have domains discover multicast sources in other domains. If the multicast sources are of interest to a domain that has receivers, multicast data is delivered over the normal source-tree building mechanism in PIM-SM.

Packet Telephony Settlement

The Open Settlement Protocol (OSP) Clearinghouse solution for Cisco Packet Telephony Gateway allows similar service providers to exchange traffic with other service providers without establishing multiple bilateral peering agreements.

SNA Switching Services

SNASw provides an easier way than earlier methods to design and implement networks with Systems Network Architecture (SNA) routing requirements. Previously, this network design was accomplished using Advanced Peer-to-Peer Networking (APPN) with full network node (NN) support in the Cisco router. This type of support provided the SNA routing functionality needed, but was inconsistent with the trends in Enterprise networks today. The corporate intranet is replacing the SNA WAN. Enterprises are replacing their traditional SNA network with an IP infrastructure that supports traffic from a variety of clients, using a variety of protocols, requiring access to applications on a variety of platforms, including SNA applications on Enterprise servers.

While SNA routing is still required when multiple servers must be accessed, the number of nodes required to perform this function is decreasing as the IP infrastructure grows and as the amount of native SNA traffic in the network decreases.

SNASw enables an enterprise to develop their IP infrastructure, while meeting SNA routing requirements.

TCLWare

The Debit Card for Packet Telephony on Cisco Access Platforms feature requires the use of both Audio Files and TCL Scripts. Unzip and download the files to your TFTP server.

In addition, download the audio files and TCL scripts from the Access Products Service and Support site on CCO at the following "TCLWare" location:

http://www.cisco.com/kobayashi/sw-center/sw-access.shtml

X.25 Closed User Groups

The X.25 specification for Closed User Groups (CUG):


Note: Previously, Cisco supported only the ability to specify the CUG value but did not enforce restriction. Cisco currently enforces this security restriction.

X.25 Switch Local Acknowledgment

Cisco offers an X.25 switch function that creates virtual connections (VC) by connecting channels between X.25 class services.

The following X.25 class services are supported:

The current Cisco implementation provides end-to-end acknowledgment, which means that flow control or window and packet size acknowledgment is between the originating and terminating data terminal equipment (DTE).

Acknowledgment is not local to the DTE and data communications equipment (DCE), and the overall effect is low throughput.

VPN Tunnel Management (CSCdk51134 and CSCdm52604)

The Virtual Private Network (VPN) Tunnel Management feature provides network administrators with two new functions for managing VPN tunnels:

These functions can be used on either end of a VPN tunnel: on the Network Access Server (NAS) or on the home gateway.

When this feature is enabled, Multichassis Multilink PPP (MMP) Layer 2 Forwarding (L2F) tunnels can still be created and established.

New Hardware Feature in Cisco IOS Release 12.0(5)T

Release 12.0(5)T supports the following new hardware feature for the Cisco 3600 series.

Multiport T1/E1 ATM Network Modules with Inverse Multiplexing over ATM on Cisco 2600 and 3600 Series Routers

Four- and eight-port T1 and E1 Inverse Multiplexing for ATM (IMA) network modules for the Cisco 2600 series and Cisco 3620 and 3640 routers provide four or eight T1 or E1 ATM links that can be combined to appear as a single physical link. Aggregation of multiple T1/E1 links by IMA increases bandwidth inexpensively to allow WAN uplinks at high speeds, ranging to 12.288 Mbps for T1, and to 15.36 Mbps for E1.

The Multiport T1/E1 ATM IMA network modules support the following features:

New Software Features in Cisco IOS Release 12.0(5)T

Release 12.0(5)T supports the following new software features for the Cisco 3600 series.

AAA Server Group

The AAA server-group feature introduces a way to group existing server hosts. The server-group feature allows the user to select a subset of the configured server hosts and use them for a particular service.

A server-group is a list of server hosts of a particular type. Currently supported server host types are Remote Authentication Dial In User Service (RADIUS) server hosts and Terminal Access Controller Access Control System+ (TACACS+) server hosts. Server-group is used in conjunction with a global server host list. The server-group lists the IP addresses of the selected server hosts.

Airline Product Set Enhancements

The Airline Product Set Enhancements feature, ALPS phase III, supports Mapping of Airline Traffic over Internet Protocol (MATIP). MATIP is an industry-standard protocol for transporting airline protocol traffic across a TCP/IP network. This feature enables the end-to-end delivery of ALC and UTS data streams between a Cisco router and the mainframe using TCP/IP. This feature removes the X.25 (AX.25 or EMTOX) requirements for communication with the airline host reservation system by enabling TCP/IP communication between the router and the host reservation system.

Asynchronous Serial Traffic over UDP

The Asynchronous Serial Traffic over UDP feature provides the ability to encapsulate asynchronous data into UDP packets, and then unreliably send this data without needing to establish a connection with a receiving device.

You load the data you want to send through an asynchronous port, and then send it, optionally, as a multicast or a broadcast. The receiving device(s) can then receive the data whenever it wants. If the receiver ends reception, the transmission is unaffected.

This process is referred to as UDP Telnet (UDPTN), although it does not (and cannot) use the Telnet protocol. UDPTN is similar to Telnet in that both are used to send data, but UDPTN is unique in that it does not require that a connection be established with a receiving device.

ATM LANE Fast Simple Server Redundancy Protocol

To improve the ATM LAN Emulation (LANE) Simple Server Redundancy Protocol (SSRP), Cisco has introduced the ATM LANE Fast Simple Server Redundancy Protocol (FSSRP). FSSRP differs from LANE SSRP in that all configured LANE servers of an emulated LAN (ELAN) are always active. FSSRP-enabled LANE clients have VCs linked to up to four LANE server broadcast-and-unknown servers (BUSs). If a LANE server goes down, the LANE client quickly switches over to a new LANE server and BUS resulting in no data or LE-ARP table entry losses and no extraneous signalling.

Class-Based Weighted Fair Queuing

The Class-Based Weighted Fair Queuing (CBWFQ) feature extends the standard WFQ functionality to provide support for user-defined traffic classes. For CBWFQ, you define traffic classes based on match criteria including protocols, access control lists (ACLs), and input interfaces. Packets satisfying the match criteria for a class constitute the traffic for that class. A queue is reserved for each class, and traffic belonging to a class is directed to the queue of that class.

CNS Client for Cisco IOS Software

Cisco Networking Services (CNS) Client feature for Cisco IOS software enables authenticated directory access. CNS Client for Cisco IOS software includes the following components:

LDAP V.3 client functionality enables Cisco IOS software-based applications to securely authenticate to a CNS for Active Directory (CNS/AD) server, using Kerberos V.5 as the security protocol, to retrieve or store information such as policy and configuration data. Cisco IOS software-based applications publish or subscribe to events using the CNS event services client, enabling external applications that use the application programming interface (API) features of CNS to receive events from or publish events to the Cisco IOS device. The Cisco IOS software-based device uses the CNS locator services client to locate the nearest directory server using Domain Name System. The administrator need not configure the device to locate the nearest directory server.

All the above-mentioned functionality is intended for use by internal Cisco IOS application developers. The CNS IPSec VPN provisioning agent enables the router to retrieve IPSec policies stored in the CNS/AD server and configure itself, automating the provisioning of customer premises equipment devices for IPSec VPN. The CNS provisioning agent enables a Cisco IOS device to be provisioned using CNS event services.

DLSw+ Ethernet Redundancy

The DLSw+ Ethernet Redundancy feature provides redundancy in an Ethernet environment. It enables DLSw+ to support parallel paths between two points in an Ethernet environment, ensuring resiliency in the case of a router failure and providing load balancing for traffic load.

DLSw+ could provide redundancy prior to this feature in a Token Ring environment or via backup peers. When an end station on an Ethernet LAN had multiple active paths into a DLSw+ network, problems occurred.

Redundancy is not possible in an Ethernet environment because, unlike Token Ring, it does not have a RIF field in its packet. The RIF notifies a router of the path a packet has traveled by tracking each ring number and bridge it travels along a path. If a bridge notices that the next ring matches a ring already in the RIF, then the frame is not copied on to that ring. The RIF prevents unreliable local reachability information, circuit contention, and undetected looping explorers.

Dynamic Multiple Encapsulations for Dial-In over ISDN

The Dynamic Multiple Encapsulations feature is updated to include Frame Relay support and has the following capabilities:

Dynamic multiple encapsulation is especially important in Europe where ISDN is relatively inexpensive and maximum use of all 30 B channels on the same ISDN link is desirable.

DNS-Based X.25 Routing

Managing a large TCP/IP network requires accurate and up-to-date maintenance of IP addresses and X.121 address mapping information on each router database in the network. Currently, this data is managed manually. Because these addresses are constantly being added and removed in the network, the routing table of every router frequently needs to be updated, which is a time-consuming and error-prone task.

X.25 has long operated over an IP network, specifically using Transmission Control Protocol (TCP) as a reliable transport mechanism. This method is known as X.25 over TCP (XOT). However, large networks and financial legacy environments experienced problems with the amount of route configuration that needed to be performed manually because each router switching calls over TCP needed every destination configured. Every destination from the host router needed a static IP route statement, and for larger environments, these destinations could be as many as several thousand per router. Until now, the only way to map X.121 addresses and IP addresses was on a one-to-one basis using the x25 route x121address xot ipaddress command.

The solution to this problem was to centralize route configuration that routers could then access for their connectivity needs. This centralization is the function of the DNS-Based X.25 Routing feature, because the DNS server is a database of all domains and addresses on a network.

Firewall Feature Set Enhancements

The Cisco IOS Firewall feature set, available for a wide range of Cisco router platforms, adds more depth and flexibility to existing Cisco IOS software security capabilities, enriching features such as authentication, encryption, and failover with robust firewall functionality and intrusion detection. A Cisco IOS software-based, integrated firewall solution scales to meet the bandwidth and performance requirements of any network. It also maximizes a Cisco router investment by combining multiprotocol routing functionality with sophisticated security policy enforcement throughout the network.

The Cisco IOS Firewall feature set delivers cost-effective perimeter security packaged with advanced features like stateful, application-based filtering, dynamic per-user authentication and authorization, defense against network attacks, Java blocking, and real-time alerts. Because it is completely interoperable with Cisco IOS software features including NAT, VPN tunneling protocols, Cisco Express Forwarding (CEF), AAA extensions, Cisco encryption technology, and Cisco IOS IPSec, it is a complete, integrated VPN solution.

Frame Relay End-to-End Keepalive

The Frame Relay End-to-End Keepalive feature enables the router to keep track of permanent virtual circuit (PVC) status, independent of the switches in the Frame Relay network. The routers at both ends of a PVC in a Frame Relay network engage in a keepalive session where one router issues keepalive messages and the router at the other end of the PVC connection responds. The time interval for the keepalive is configurable and is enabled on a per-PVC basis. As long as the keepalive-issuing router receives response messages, the PVC status is up. When response messages are not received (because of line failure, a faulty switch in the Frame Relay network, or a router failure), the PVC is down. This mechanism enables bidirectional communication of PVC status to both routers at the ends of a PVC connection.

H.323 Version 2 Support (Gatekeeper and Proxy Features)

The H.323 Version 2 Support feature upgrades Cisco IOS software to comply with the mandatory requirements in the version 2 specification. This upgrade enhances the existing Voice over IP (VoIP) Gateway, the Multimedia Conference Manager (gatekeeper and proxy), and the DTMF digital relay using H.245.

DTMF is the tone generated on a touch-tone telephone when you press keypad digits. The tones are compressed into a single stream at one end of a call and decompressed at the other end by using H.245 messages. However, this compression and decompression can lead to distortion, depending upon the codec used. Thus, the DTMF-relay is used to configure one of three methods to transport DTMF tones generated after the call is established out-of-band. The three methods are:

H.323 Version 2 defines a lightweight registration procedure that requires full registration for initial registration, but uses an abbreviated renewal procedure to update the gatekeeper and minimize overhead. Lightweight registration requires each endpoint to specify a Time To Live (TTL) value in its Registration Request (RRQ) message.

The H.323 Version 2 gateway supports the registration of fully qualified E.164 numbers with the gatekeeper for telephones connected directly to the gateway. Tunneling through H.225 User-to-User Information Element (UUIE) facilitates transparent handling of supplementary services between two endpoints through a VoIP network. This tunneling eliminates the need to interpret various supplementary signaling messages in the VoIP gateways.

H.323 Version 2 Gatekeeper selects a destination gateway by choosing from among all gateways registered in a zone by allowing you to assign selection priorities to these gateways based on the dialed prefix. Gateway resource reporting allows the gateway to notify the gatekeeper when H.323 resources are getting low. The gatekeeper uses this information to determine which gateway it will use to complete a call. The gatekeeper maintains a separate gateway list, ordered by priority, for each of its zone-prefixes.

IP Multicast Multilayer Switching

The IP Multicast Multilayer Switching (MLS) feature provides high-performance, hardware-based, Layer 3 switching of IP multicast traffic for routers connected to Catalyst 5000 series LAN switches.

An IP multicast flow is a unidirectional sequence of packets between a multicast source and the members of a destination multicast group. Flows are based on the IP address of the source device and the destination IP multicast group address.

IP multicast MLS switches IP multicast data packet flows between IP subnets using advanced, application-specific integrated circuit switching hardware, thereby off-loading processor-intensive, multicast packet routing from network routers.

The packet forwarding function is moved onto the connected Layer 3 switch whenever a supported path exists between a source and members of a multicast group. Packets that do not have a supported path to reach their destinations are still forwarded in software by routers. Protocol Independent Multicast is used for route determination.

IP RTP Priority

The new IP RTP Priority feature provides a strict priority queueing scheme for delay-sensitive data such as voice. Voice traffic can be identified by its Real-Time Transport Protocol (RTP) port numbers and classified into a priority queue configured by the ip rtp priority command. The result is that voice is serviced as strict priority in preference to other nonvoice traffic.

This feature extends and improves on the functionality offered by the IP RTP Reserve feature by allowing you to specify a range of UDP/RTP ports whose voice traffic is guaranteed strict priority service over any other queues or classes using the same output interface. Strict priority means that if packets exist in the priority queue, they are dequeued and sent first, that is, before packets in other queues are dequeued. It is recommended that you use the ip rtp priority command instead of the ip rtp reserve command for voice configurations.

IPX Multilayer Switching

The IPX Multilayer Switching (IPX MLS) feature provides high-performance, hardware-based, Layer 3 switching. IPX data packet flows are switched between networks, off-loading processor-intensive packet routing from network routers.

Whenever a partial or complete switched path exists between two hosts, packet forwarding occurs on Layer 3 switches. Packets without such a path are still forwarded by routers to their destinations. Standard routing protocols (such as Routing Information Protocol, Enhanced Interior Gateway Protocol, and NetWare Link Services Protocol) are used for route determination.

IPX MLS also allows you to debug and trace flows in your network. Use MLS explorer packets to identify which switch is handling a particular flow. These packets aid you in path detection and troubleshooting.

ISDN Cause Code Override

The ISDN Cause Code Override function overrides cause codes that are sent to ISDN applications. Currently, the Cisco IOS software contains ISDN cause codes that handle specific functions such as modem availability and resource pooling. The ISDN Cause Code Override feature is more general in its functionality and will override the specific ISDN cause codes.

When the command associated with this feature is implemented, the configured cause codes are sent to the switch; otherwise, default cause codes of the application are sent.

To override an ISDN cause code, enter the following command:

isdn disconnect-cause {cause-code-number | busy | not-available}

where cause-code-number is a cause code number from 1 to 127.

IS-IS Multiarea Support

As IS-IS networks grow, they are usually organized into a backbone area (Level 2) connected to local areas (Level 1). Routers establish Level 1 adjacencies to perform local area routing, and Level 2 adjacencies to perform routing between Level 1 areas. Previously, a Cisco router could route between the backbone (Level 2) area and at most a single Level 1 area.

The IS-IS Multiarea Support feature supports configuration of multiple Level 1 IS-IS areas on a single router. This configuration is especially useful in networks where devices support only Level 1 routing and are organized in a number of small Level 1 areas that cannot be aggregated for performance reasons.

Layer 2 Tunneling Protocol Dial-Out

The Layer 2 Tunneling Protocol (L2TP) Dial-Out feature enables L2TP Network Servers (LNSs) to tunnel dial-out VPDN calls using L2TP as the tunneling protocol. This feature enables a centralized network to efficiently and inexpensively establish a virtual point-to-point connection with any number of remote offices.

Using the L2TP Dial-Out feature, Cisco routers can carry both dial-in and dial-out calls in the same L2TP tunnels.

Previously, only dial-in VPDN calls were supported.

L2TP dial-out involves two devices: an LNS and an L2TP Access Concentrator (LAC). When the LNS wants to perform L2TP dial-out, it negotiates an L2TP tunnel with the LAC. The LAC then places a PPP call to the client(s) the LNS wants to dial-out to.

Maximum User Links

This feature provides a method to limit the number of inbound connections a user can establish with a device. This maximum connection limit is only imposed on links that have name authentication configured. Each PPP multilink connection is counted as one connection.

The User Maxlink feature enables ISPs to limit the number of inbound connections a user can establish so that they can provide various levels of subscriptions at different costs. Users who desire more bandwidth can be charged a higher rate to establish multiple connections, while users who require only a single connection can be charged a discounted rate.

Multicast Routing Monitor

The Multicast Routing Monitor (MRM) feature is a management diagnostic tool that provides network fault detection and isolation in a large multicast routing infrastructure. It is designed to notify a network administrator of multicast routing problems in near real time.

MRM has three components that play different roles: the Manager, the Test Sender, and the Test Receiver. The Manager can reside on the same device as the Test Sender or Test Receiver. You can test a multicast environment using test packets (perhaps before an upcoming multicast event), or you can monitor existing IP multicast traffic.

You create a test based on various test parameters, name the test, and start the test. The test runs in the background and the command prompt returns. If the Test Receiver detects an error (such as packet loss or duplicate packets), it sends an error report to the router configured as the Manager. The Manager immediately displays the error report. Also, by issuing a certain show command, you can see the error reports, if any. You then troubleshoot your multicast environment as normal, perhaps using the mtrace command from the source to the Test Receiver. If the show command displays no error reports, the Test Receiver is receiving test packets without loss or duplicates from the Test Sender.

Multimedia Conference Manager Enhancements

Multimedia Conference Manager provides gatekeeper and proxy capabilities required for service provisioning and management of H.323-compliant networks. It conforms to the H.323 standard (version 1) for transmitting audio, video, and data conferencing data on an IP-based internetwork. The Multimedia Conference Manager Enhancements feature provides additional functionality for the gatekeeper endpoint. It provides:

Network Director Forwarding Agent

The Network Director Forwarding Agent feature is an IOS-based packet redirector component of Cisco Network Director, the latest offering in the Cisco family of load balancing solutions. The Network Director Forwarding Agent feature implements two new architectures, the Cisco Applications and Services Architecture and the Cisco-patented Multinode Load Balancing Architecture.

Each Forwarding Agent "learns" the destination of specific connection requests and forwards packets between the appropriate client and chosen destination. When a Forwarding Agent receives a connection request, the request is forwarded to the Services Manager, the LocalDirector-based component of Cisco Network Director. The Services Manager makes the load balancing decision and instructs the Forwarding Agents with the optimal destination. After destination selection, session data is forwarded directly to the destination without further Services Manager participation. There is no limit to the number of Forwarding Agents that can be configured in the Network Director solution.

PAD French Enhancement

Extended dialog mode for packet assembler/disassembler (PAD) service signals is now available in the French language as well as English with the PAD French Enhancement. The French language service signals will be maintained in a table. When configured for French language via PAD parameter 6, the PAD service signals will map to this table, giving the appropriate French equivalent output. The internal table maintenance will be based upon the contents of the Annex-C/X.28 standard. Section 3.5/X.28 outlines Parameter 6 and how it relates to extended mode dialog in multiple languages.

PGM Router Assist

The PGM Router Assist feature allows Cisco routers to support the optimal operation of Pragmatic General Multicast (PGM). The PGM Reliable Transport Protocol itself is implemented on the hosts of the customer.

PGM is a reliable multicast transport protocol for applications that require ordered, duplicate-free, multicast data delivery from multiple sources to multiple receivers. PGM guarantees that a receiver in a multicast group either receives all data packets from transmissions and retransmissions, or can detect unrecoverable data packet loss. PGM is intended as a solution for multicast applications with basic reliability requirements. It is network-layer independent; the Cisco implementation of the PGM Router Assist feature supports PGM over IP.

Service Assurance Agent

The Service Assurance (SA) Agent is both an enhancement to and a new name for the Response Time Reporter (RTR) feature that was introduced in Cisco IOS Release 11.2. The feature allows you to monitor network performance by measuring key Service Level Agreement metrics such as response time, network resources, availability, jitter, connect time, packet loss, and application performance.

With Cisco IOS Release 12.0(7)T, the SA Agent provides new capabilities that enable you to:

Subnetwork Bandwidth Manager

Resource Reservation Protocol (RSVP) is a signalling mechanism that supports request of specific levels of service such as reserved bandwidth from the network. RSVP and its service class definitions are largely independent of the underlying network technologies. This independence requires that a user define the mapping of RSVP onto subnetwork technologies.

The Subnetwork Bandwidth Manager (SBM) feature answers this requirement for RSVP in relation to IEEE 802-based networks. SBM specifies a signalling method and protocol for LAN-based admission control for RSVP flows. SBM allows RSVP-enabled routers and Layer 2 and Layer 3 devices to support reservation of LAN resources for RSVP-enabled data flows. The SBM signalling method is similar to that of RSVP itself. SBM protocol entities have the following features:

Tunnel Endpoint Discovery

IP Security Protocol (IPSec) requires a peer router to be statically configured before initiating an Internet Key Exchange (IKE). An IKE is necessary to encrypt and decrypt packets. The Cisco router crypto maps require the capability to dynamically determine the IPSec peer. The Tunnel Endpoint Discovery protocol automatically discovers remote tunnel endpoints and enables secure IPSec communications.

Dynamic Tunneling Endpoint Discovery allows IPSec to scale to larger networks by reducing the multiple encryptions, reducing the setup time, and allowing for simple configurations on participating peer routers. Each node has a simple configuration that defines the local network that the router is protecting and the IPSec transforms required, if any.

Voice over Frame Relay Queuing Enhancement

When weighted fair queueing (WFQ) handles multiple sets of flows, the algorithm gives the low-weight or reserved-queue voice packets higher priority, but only until some of the other data packets have waited long enough that it is their turn to be dequeued. Even if interleaving is active, the WFQ algorithm will not dequeue a voice packet until these data packets are transmitted. This causes voice quality problems.

The solution consists of adding a special queue at the PVC level where all VoFR packets will be queued. This special queue runs in parallel to the WFQ and is serviced before any of the WFQs.

As of this release, reserved queues are no longer required to support VoFR.

VPDN Group Reorganization

The VPDN Group Reorganization feature organizes the VPDN group commands into a new hierarchy.

Along with one of the four VPDN services, VPDN groups can now support the following LNS VPDN services:

VPDN groups can now support the following LAC VPDN services:

A VPDN group can act as either an LNS or a LAC, but not both. But individual routers can have both LNS VPDN groups and LAC VPDN groups.

To facilitate this reorganization, the VPDN group now includes four new command modes to support the service. These new command modes are accessed from VPDN group mode and are generically called VPDN subgroups.

VPDN Per-User Configuration

In a VPDN that uses remote AAA, when a user dials in, the access server that receives the call forwards information about the user to its remote AAA server. With basic VPDN, the access server only sends the user's domain name (when performing domain name-based authentication) or the telephone number the user dialed in from (when performing DNIS-based authentication).

The VPDN Per-User Configuration feature sends the entire structured username to the AAA server the first time the router contacts the AAA server. This enables the Cisco IOS software to customize tunnel attributes for individual users who use a common domain name or dialed number identification service (DNIS).

Previously, Cisco IOS sent only the domain name or DNIS to determine VPDN tunnel attribute information. Then, if no VPDN tunnel attributes were returned, Cisco IOS sent the entire username string. Because of this behavior, there was no way to define specific tunnel attributes for a particular user within a domain. It also limited the types of connections that were possible in a RADIUS proxy VPDN roaming environment. All VPDN users were forwarded to the tunnel endpoint, even if they just needed generic Internet access.
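The lookup order described above, modelled as an added example (this is not Cisco IOS code). The AAA database, user names, and endpoint names are constructed; the model assumes that a per-user entry is authoritative once found, that an entry with no endpoint means the user is served locally, and that the router falls back to the domain or DNIS key when no per-user entry exists.

```python
# Constructed AAA database. Keys are the strings the access server sends;
# values hold the tunnel endpoint (None = no forwarding, serve locally).
AAA_DB = {
    "corp.example": {"endpoint": "lns-corp"},            # domain-wide entry
    "jane@corp.example": {"endpoint": "lns-finance"},    # per-user override
    "guest@corp.example": {"endpoint": None},            # generic Internet access
    "5550100": {"endpoint": "lns-dnis"},                 # DNIS-based entry
}


def resolve_tunnel(db, username, dnis=None, per_user=True):
    """Return which AAA key matched, the tunnel endpoint, and the keys queried.

    per_user=False models the earlier behaviour: domain name (or DNIS) first,
    full username only if that query returned nothing.
    per_user=True models VPDN Per-User Configuration: the entire structured
    username is sent on the first contact with the AAA server. The fallback
    to the domain/DNIS key afterwards is an assumption of this model.
    """
    _, _, domain = username.partition("@")
    group_key = domain or dnis          # domain-based or DNIS-based key
    order = [username, group_key] if per_user else [group_key, username]

    queries = []
    for key in order:
        if not key:
            continue
        queries.append(key)
        entry = db.get(key)
        if entry is not None:
            return {"matched": key, "endpoint": entry["endpoint"],
                    "queries": queries}
    return {"matched": None, "endpoint": None, "queries": queries}


def compare(db, username, dnis=None):
    """Endpoints chosen by the earlier order and by the per-user order."""
    old = resolve_tunnel(db, username, dnis, per_user=False)
    new = resolve_tunnel(db, username, dnis, per_user=True)
    return old["endpoint"], new["endpoint"]


if __name__ == "__main__":
    for user in ("jane@corp.example", "guest@corp.example", "bob@corp.example"):
        print(user, compare(AAA_DB, user))
    print("dialup-user", compare(AAA_DB, "dialup-user", dnis="5550100"))
```

With the earlier order the domain entry always answers first, so the per-user entries for jane and guest are never consulted; that is why per-user tunnel attributes could not be defined within a domain.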

X.25 Remote Failure Detection

Static routes are used over a packet-switched data network in order to reduce volume-based costs of the network. Until now, if two routers were connected through multiple X.25 links (a primary and a secondary), a router could not detect failure of the primary link. If a failure occurred, the data was not transferred to the second link because X.25 was unable to determine whether remote links were up or down. Therefore X.25 could not use an alternate connection to a destination.

The X.25 Remote Failure Detection feature is important for X.25 users because after a primary link failure the router can establish a secondary link and continue sending data. This feature is a way for the router to detect a call failure and to use a secondary route to send subsequent packets to the remote destination; at the same time, it makes periodic attempts to reconnect to its primary link.

New Software Features in Cisco IOS Release 12.0(4)T

Release 12.0(4)T supports the following new software enhancements for the Cisco 3600 series.

Dynamic Multiple Encapsulations for Dial-in over ISDN

The Dynamic Multiple Encapsulations feature has the following capabilities:

ISDN LAPB-TA

To carry asynchronous traffic over ISDN, you need a terminal adapter to convert that traffic and forward it over synchronous connections. This is normally implemented by the V.120 protocol, which carries asynchronous traffic over ISDN. However, several countries in Europe (Germany, Switzerland, and some Eastern European countries) use Link Access Procedure, Balanced (LAPB) as the protocol to forward their asynchronous traffic over synchronous connections. (LAPB is sometimes referred to as "X.75," because LAPB is the link layer specified in the ITU-T X.75 recommendation for carrying asynchronous traffic over ISDN.)

The Link Access Procedure, Balanced-Terminal Adapter (LAPB-TA) includes the following capabilities:

Voice over Frame Relay Using FRF.11 and FRF.12

The Voice over Frame Relay (VoFR) capabilities that were introduced on the Cisco MC3810 multiservice access concentrator beginning with IOS Release 11.3 are now extended to the Cisco 3600 series router platforms.

The following additional functionality is supported in Release 12.0(4)T:

When VoFR is implemented on a Cisco router, the router can carry voice traffic, such as telephone calls and faxes over a Frame Relay network.

New Hardware Features in Release 12.0(3)T

Release 12.0(3)T supports the following new hardware enhancements for the Cisco 3600 series.

BRI Voice Interface Cards (VICs)

Basic Rate Interface (BRI) voice interface cards (VICs) allow branch offices and enterprises to route incoming public switched telephone network (PSTN) ISDN BRI calls over an IP network or send outgoing digital fax and voice calls over an IP network. Support for the ISDN BRI signaling type allows a Cisco 2600 or Cisco 3600 series router to provide voice access connectivity to either an ISDN telephone network or a digital interface on a PBX or key communications system. The voice or data also crosses an IP network to which the router connects. The Voice over IP (VoIP) feature enables the Cisco 2600 and Cisco 3600 series of modular routers to carry voice traffic simultaneously with data traffic.

ATM OC-3 Network Modules

The ATM OC-3 network modules allow your Cisco 3600 series router to concentrate data, voice, and video traffic onto an ATM uplink. The ATM OC-3 network module is available in a data-only version, or by installing a Voice Processing Deck (VPD) expansion card, you enable traditional time division multiplexing (TDM) voice transport over ATM.

The following models are available:

Table 8: Models of ATM OC-3 Network Modules

Network Module | Description
--- | ---
NM-1A-OC3MM | This network module has a multimode fiber, 155 Mbps OC3 uplink port.
NM-1A-OC3SMI | This network module has a single mode intermediate reach fiber, 155 Mbps OC3 uplink port (VPD).
NM-1A-OC3SML | This network module has a single mode long reach fiber, 155 Mbps OC3 uplink port.

The ATM OC-3 is a full-function ATM network module designed for Optical Carrier-Level-3 (OC3) high bandwidth data and voice/data integration applications over SONET/SDH at speeds of 155.520 Mbps (STM-1). The ATM OC-3 network module can combine router packets with constant bit rate data onto an ATM uplink.


Note: For important information about the ATM OC-3 network modules and compatibility with the Cisco 3620 router, please review the field notice on CCO, at http://www.cisco.com/warp/customer/770/51.shtml

New Software Features in Release 12.0(3)T

Release 12.0(3)T supports the following new software enhancements for the Cisco 3600 series.

Annex G (X.25 over Frame Relay)

Annex G (X.25 over Frame Relay) facilitates the migration from an X.25 backbone to a Frame Relay backbone by permitting encapsulation of CCITT X.25/X.75 traffic within a Frame Relay connection. Annex G was developed to accommodate the many Cisco customers in Europe, where X.25 is still a popular protocol. With Annex G, the process of transporting X.25 over Frame Relay has been simplified by allowing direct X.25 encapsulation over a Frame Relay network.

This simple process is largely achieved using X.25 profiles (similar to dialer profiles), which were created to streamline the configuration of X.25 on a per DLCI basis. X.25 profiles can contain any existing X.25 command and, once created and named, can be simultaneously associated with more than one Annex G DLCI connection, just using the profile name.

CDP Additions for Cisco IOS

The Cisco Discovery Protocol (CDP) is a media-independent device discovery protocol that runs on all Cisco-manufactured equipment, including routers, bridges, access servers, and switches. Each device sends periodic messages to a multicast address. Each device listens to the periodic messages sent by others in order to learn about neighboring devices and determine when their interfaces to the media go up or down. With CDP, network management applications can learn the device type and the SNMP agent address of neighboring devices. This process enables applications to send SNMP queries to neighboring devices.

CDP runs on all media that support Subnetwork Access Protocol (SNAP), including local-area network (LAN), Frame Relay, and Asynchronous Transfer Mode (ATM) media. CDP runs over the data link layer only. Therefore, two systems that support different network-layer protocols can learn about each other.

Each device configured for CDP sends periodic messages to a multicast address. Each device advertises at least one address at which it can receive SNMP messages. The advertisements also contain time-to-live, or holdtime, information, which indicates the time a receiving device should hold CDP information before discarding it.

Additions for Cisco Discovery Protocol (CDP) include the following:

The benefits include transparent support of X.25 encapsulation over the Frame Relay network; direct X.25 configurations on a per DLCI basis; the ability for multiple Annex G DLCIs to use the same X.25 profile; multiple logical X.25 SVCs per Annex G link; and the fact that Cisco routers already contain the functionality necessary to perform the framing and frame removal required by Annex G.

SLIP-PPP Banner and Banner Tokens

The SLIP-PPP Banner section of this feature enables you to configure the banner that is displayed when making a SLIP connection. This improves compatibility with non-Cisco SLIP dial-up software.

The Banner Tokens section of this feature introduces the use of tokens to all existing banner commands. Tokens allow you to display current information from the configuration, such as the router's hostname, IP address, encapsulation type, and MTU size.

DLSw+ Enhanced Load Balancing

In a network with multiple capable paths, the DLSw+ Load Balancing Enhancements feature improves traffic load balancing between peers by distributing new circuits based on existing loads and the desired ratio.

For each capable peer (peers that have the lowest or equal cost specified), the DLSw+ Load Balancing feature calculates the difference between the desired and the actual ratio of circuits being used on a peer. It detects the path that is underloaded in comparison to the other capable peers and assigns new circuits to that path until the desired ratio is achieved.

DLSw+ Peer Clusters

The DLSw+ Peer Clusters feature reduces the explorer packet replication that typically occurs in a large DLSw+ Peer Group design, where there are multiple routers connected to the same LAN.

The DLSw+ Peer Clusters feature associates DLSw+ peers (that are connected to the same LAN) into logical groups. Once the multiple peers are defined in the same peer group cluster, the DLSw+ Border Peer recognizes that it does not have to forward explorers to more than one member within the same peer group cluster.

DLSw+ RSVP Bandwidth Reservation

The DLSw+ RSVP Bandwidth Reservation feature allows DLSw+ to reserve network bandwidth for the DLSw+ TCP connection between DLSw+ peers.

Although it has been possible in the past to reserve bandwidth for a particular existing DLSw+ peer connection through the RSVP CLI support in Cisco IOS software, the CLI required prior knowledge of the TCP ports for which the reservation was being made. Because DLSw+ uses one well-known port and one randomly assigned port, the reservation could not be made until after the peer connection was active.

The DLSw+ RSVP feature permits new DLSw+ peer connections to automatically request bandwidth reservations upon connection, thereby removing the need for user intervention after the peer is connected. This feature assures the reservation will survive a network or device failure and that the DLSw+ traffic carried over a TCP connection is not affected by congestion.

Flow-Based WRED

This feature provides a mechanism to penalize the flows that do not respond to Weighted Random Early Detection (WRED) drops. This feature is provided as an extension to the existing WRED functionality and can be turned on after WRED is turned on.

Flow-WRED ensures that no single flow can hog all the buffer resources at the output interface queue. With WRED alone, this can occur in the presence of traffic sources that do not back off during congestion. Flow-WRED maintains minimal information about the buffer occupancy per flow. Whenever a flow exceeds its share of the output interface buffer resource, the packets of that flow are penalized by increasing the probability that WRED drops them.

ISDN BRI Voice over IP for Cisco 2600 and 3600 Series Routers

The Voice over IP feature enables the Cisco 2600 and Cisco 3600 series of modular routers to carry voice traffic simultaneously with data traffic over an IP network. Voice over IP (VoIP) is primarily a software feature, supporting both voice and fax calls. Support for the ISDN BRI signaling type allows a Cisco 2600 or Cisco 3600 series router to provide voice access connectivity to either an ISDN telephone network or to a digital interface on a PBX/key communications system. The voice or data also crosses an IP network to which the router connects. This allows branch offices and enterprises to route incoming public switched telephone network (PSTN) ISDN BRI calls over an IP network or send outgoing digital fax and voice calls via an IP network.

Large-Scale Dialout

Large-scale dialout eliminates the need to configure dialer maps on every network access server (NAS) for every destination. Instead, you create remote site profiles containing outgoing call attributes (telephone number, service type, maximum number of links, and so on) on an authentication, authorization, and accounting (AAA) server. The profile is downloaded by the NAS when packet traffic requires a call to be placed to a remote site. Large-scale dialout also takes advantage of features previously only available for incoming calls, such as dialer and virtual profiles, Multichassis Multilink PPP (MMP) support, and the ability to use an AAA server to store dial out attributes. MMP allows NASes to be stacked together and appear as a single NAS chassis so that if one NAS fails, another NAS in the stack can accept calls. Additionally, large-scale dialout addresses congestion management by seeking an uncongested, alternative NAS when the designated primary NAS experiences port congestion.

Modem over ISDN BRI for the Cisco 3640 Router

The Modem over Integrated Services Digital Network (ISDN) Basic Rate Interface (BRI) feature for the Cisco 3640 modular access router lowers the cost of remote access by offering high-speed modem and ISDN connectivity for mobile customers, home-offices, and other remote-access users. Branch offices and enterprises can support analog modem users who call over the public switched telephone network (PSTN) into BRI interfaces in Cisco 3640 routers.

Analog modem calls arrive at a speed of 33.6 kilobits per second (kbps) via the PSTN. The router's digital modems accept the modem calls at connection speeds as fast as 56 kbps, adhering to the V.90 standard. The Cisco 3640 router in this way provides rapid access to email and other network services.

Multimedia Conference Manager

Use the Multimedia Conference Manager to enable your current internetwork to route bit-intensive data such as audio telephony, video and audio telephony, and data conferencing using existing telephone and ISDN links, without degrading the network's current level of service. The Multimedia Conference Manager feature provides H.323 application options previously unavailable. Using Multimedia Conference Manager, you can implement H.323-compliant applications on existing networks in an incremental fashion without upgrades.

This feature also provides rich networking capability, including:

The Multimedia Conference Manager feature provides network administration mechanisms to support H.323 applications without impacting the mission critical applications running on today's networks. Multimedia Conference Manager is implemented on Cisco IOS software. Multimedia Conference Manager provides the network administrator with these abilities:

Multimedia Conference Manager has two principal functions: gatekeeper and proxy. This document describes the value of the Multimedia Conference Manager gatekeeper and proxy functions for end-to-end implementation of H.323-compliant multimedia applications. These functions are unique to Multimedia Conference Manager. Similar robust features are currently not available in other vendor solutions.

Gatekeeper subsystems provide:

Starting with Cisco IOS Releases 11.3(6)Q and 11.3(7)NA and later, you can configure Cisco gatekeepers to use the Cisco Hot Standby Routing Protocol (HSRP), so that when one gatekeeper fails, the standby gatekeeper assumes its role.

Proxy subsystems provide:

NetFlow Policy Routing

IP policy routing now works with Cisco Express Forwarding (CEF), Distributed CEF (DCEF), NetFlow, and NetFlow with flow acceleration. IP policy routing was formerly supported only in fast-switching and process-switching. Now that policy routing is integrated into CEF, policy routing can be deployed on a wide scale and on high-speed interfaces.

Process MIB

The addition of the CISCO-PROCESS-MIB and changes to the CISCO-MEMORY-POOL-MIB allow the retrieval of additional CPU and memory statistics and their reporting by SNMP. The CISCO-PROCESS-MIB provides CPU 5-second, 1-minute, and 5-minute statistics. In addition, this MIB provides CPU utilization and memory allocation/deallocation statistics for each process on each CPU listed in the CISCO-PROCESS-MIB.

The CISCO-PROCESS-MIB is enabled when the first SNMP command is configured. The background statistics collection for VIP cards and the master CPU occurs even if the SNMP subsystem is not initialized.

Response Time Reporter Enhancements

The Response Time Reporter (RTR) feature allows you to monitor network performance, network resources, and applications by measuring response times and availability. RTR statistics can be used to perform troubleshooting, problem notifications and pre-problem analysis. The RTR enhancements extend IP support, such as Type of Service, and allow you to measure various types of IP traffic, such as UDP, TCP, and HTTP.

Service Provider Features for Voice over IP

The 12.0(3)T Cisco voice service provider features include enhancements to the functionality and configuration of both the H.323 Voice over IP (VoIP) gateway and the VoIP gatekeeper. The architecture of these features provides the Quality of Service (QoS), stability, and functionality necessary for carrier class, real-time IP communications services.

The Cisco VoIP gateway is a high-performance, H.323-compliant gateway optimized for VoIP applications. Supporting up to two T1/E1 digital channels, it connects with existing telephones and fax machines through the Public Switched Telephone Network (PSTN), key systems, and PBXs, making the process of placing calls over the IP network transparent to users.

The gateway capability allows the Cisco VoIP gateway to function as an H.323 endpoint. Therefore, the gateway provides admission control, address lookup and translation, and accounting services.

The gatekeeper manages H.323 endpoints in a consistent manner, allowing them to register with the gatekeeper and to locate another gatekeeper. The gatekeeper provides logic variables for proxies or gateways in a call path to provide connectivity with the Public Switched Telephone Network (PSTN), to improve Quality of Service (QoS), and to enforce security policies. Multiple gatekeepers may be configured to communicate with one another, either by integrating their addressing into Domain Naming System (DNS), or by using Cisco IOS configuration options.

SNMP Version 3

Simple Network Management Protocol version 3 (SNMPv3) addresses issues related to the large-scale deployment of SNMP for configuration, accounting, and fault management. Currently, SNMP is predominantly used for monitoring and performance management. The primary goal of SNMPv3 is to define a secure version of the SNMP protocol. SNMPv3 also facilitates remote configuration of the SNMP entities, which makes remote administration of SNMP entities a much simpler task. SNMPv3 builds on top of SNMPv1 and SNMPv2 to provide a secure environment for the management of systems and networks.

SNMPv3 provides an identification strategy for SNMP devices to facilitate communication only between known SNMP entities. Each SNMP device has an identifier called the SNMP EngineID, which is a copy of SNMP. Each SNMP message contains an SNMP EngineID. SNMP communication is possible only if an SNMP entity knows the identity of its peer SNMP device.

SNMPv3 also contains a security model or security strategy that exists between an SNMP user and the SNMP group to which the user belongs. A security model may define the security policy within an administrative domain or an intranet. The SNMPv3 protocol consists of the specification for the User-based Security Model (USM).

Definition of security goals where the goals of message authentication service includes the following protection strategies:

Support for Token Ring-Interswitch Link Protocol

Interswitch Link (ISL) is a Layer 2 protocol that enables switches and routers to transport Ethernet frames from multiple VLANs across fast Ethernet or gigabit Ethernet links. Cisco's TRISL (Token Ring-Interswitch Link) protocol extends the ISL model to include the transport of Token Ring frames from multiple VLANs across these same links.

TRISL support on Cisco routers provides inter-VLAN routing and bridging across a 100Mb fast Ethernet link. ISL and TRISL together provide routing and bridging between Token Ring and Ethernet LANs, ELANS, and VLANs.

TRISL is available when one of the following network modules is installed:

To enable the TRISL, use the following subinterface configuration command:

encapsulation tr-isl trbrf-vlan vlanid bridge-num bridge-number

vlanid is a number identifying the VLAN; bridge-number is a bridge number assigned to the ISL trunk. Valid values are from 01 to 15. The following example illustrates the command usage:

ip routing
interface TokenRing 3/1
  ip address 4.4.4.1 255.255.255.0
!
interface FastEthernet4/0.1
  ip address 5.5.5.1 255.255.255.0
  encapsulation tr-isl trbrf 999 bridge-num 14
 

This is the only TRISL command that is implemented in Release 12.0(3)T for the Cisco 3600 series routers. For more information about TRISL, see the Cisco IOS Release 12.0 Bridging and IBM Networking Configuration Guide  and the Bridging and IBM Networking Command Reference.  

Web Cache Communications Protocol Version 2 (WCCPv2)

The Web Cache Communications Protocol enables Cisco IOS routing platforms to transparently redirect content requests (for example, web requests) from clients to a locally connected Cisco Cache Engine (or Cache Cluster) instead of the intended origin server. When a Cache Engine receives such a request, it attempts to service it from its own local cache if the requested information is present. If not, the Cache Engine issues its own request to the originally requested origin server to get the required information. When the Cache Engine retrieves the requested information, it forwards it to the requesting client and caches it to fulfill future requests, thus maximizing download performance and significantly reducing WAN transmission costs.

WCCPv2 provides enhancements to WCCPv1, including:

X.25 Load Balancing

As the number of users accessing the same host has grown, competition for these application resources has become a problem. Internet service providers (ISPs) have had to increase the number of users they could support by increasing the number of X.25 lines to the host.

In order to support a large number of virtual circuits (VCs) to a particular destination, configuration of more than one serial interface to that destination was needed. When a serial interface is configured to support X.25, there is a fixed number of VCs available for use.

Using a facility called "hunt-group" (the method for X.25 load balancing), a switch is able to view a pool of X.25 lines going to the same host as one address and assign VCs on an "idle logical channel" basis. With this feature, X.25 calls can be load-balanced among all configured outgoing interfaces to fully use and balance all managed lines. The benefits include the choice of two load-balancing distribution methods (rotary or vc-count) and improved performance of serial lines.

New Software Feature in Release 12.0(2)T

The following new software feature is supported by the Cisco 3600 series in Cisco IOS Release 12.0(2)T and later releases.

Five New Feature Sets

Five new feature sets to support IPSec Triple DES encryption have been created for the Cisco 3640 and the Cisco 3620 in Release 12.0(2)T. These feature sets include the following:

Triple DES (3DES) is a strong form of encryption that allows sensitive information to be transmitted over untrusted networks. It enables customers, particularly in the finance industry, to utilize network layer encryption. IPSec supports the Triple DES encryption algorithm (168-bit) in addition to 56-bit encryption.

New Software Features in Release 12.0(1)T

The Cisco 3600 series supports the following new software features in Cisco IOS Release 12.0(1)T and later releases.

Cisco IOS Firewall Feature Set Platform Support

The Cisco IOS Firewall  feature set extends the security technology currently available in Cisco IOS software to provide firewall specific capabilities:

The Cisco IOS Firewall feature set adds advanced filtering capabilities to existing security functionality in Cisco routers. Some existing Cisco IOS security features include packet filtering by using access control lists (ACLs), Network Address Translation (NAT), network-layer encryption, and TACACS+ authentication.

Cisco IOS IEEE 802.1Q Support

Cisco IOS IEEE 802.1Q provides support for IEEE 802.1Q encapsulation for Virtual LANs (VLANs). Use this feature for VLANs consisting of IEEE 802.1Q compliant switches.

Cisco IOS STP Enhancements

Cisco IOS Spanning Tree Protocol enhancements broaden the original Cisco IOS STP implementation with increased port identification capability, improved path cost determination, and support for a new VLAN bridge spanning-tree protocol.

CLI String Search

The Command Line Interface (CLI) String Search feature allows you to search or filter the output of any show or more command. This is useful when you need to sort through large amounts of output, or if you want to exclude output that you do not need to see. CLI String Search also allows for searching and filtering at --More-- paging prompts.

With the search function, you can begin unfiltered output at the first line that contains a regular expression you specify. You can specify a maximum of one filter per command to either include or exclude output lines that contain the specified regular expression.

A regular expression is any word, phrase, number, or other component that appears in show or more command output.

Easy IP Phase 2-DHCP Server

With the introduction of Easy IP Phase 2, Cisco IOS software also supports Intelligent DHCP Relay functionality. A DHCP Relay Agent is any host that forwards DHCP packets between clients and servers. A DHCP Relay Agent enables the client and server to reside on separate subnets. If the Cisco IOS DHCP server cannot satisfy a DHCP request from its own database, it can forward the DHCP request to one or more secondary DHCP servers defined by the network administrator using standard Cisco IOS ip helper-address functionality.

ISDN MIB RFC 2127

The new Integrated Services Digital Network (ISDN) Management Information Base (MIB) RFC 2127 has been designed to provide useful information in accordance with the IETF's new standard for the management of ISDN interfaces. RFC 2127 provides information on the physical Basic Rate interfaces, control and statistical information for B (bearer) and D (signaling) channels, terminal endpoints, and directory numbers.

The ISDN MIB RFC 2127 controls all aspects of ISDN interfaces. It consists of five groups:

The ISDN MIB RFC 2127 enables you to use any commercial SNMP network management application to support ISDN call processing in Cisco IOS software. You can integrate management of dial access products using ISDN with your existing network management systems.

Layer Two Tunneling Protocol (L2TP)

Layer Two Tunneling Protocol (L2TP) is an emerging Internet Engineering Task Force (IETF) standard that combines the best features of two existing tunneling protocols: Cisco's Layer Two Forwarding (L2F) and Microsoft's Point-to-Point Tunneling Protocol (PPTP). L2TP is an extension to the Point-to-Point Protocol (PPP), which is an important component for Access Virtual Private Networks (VPNs). Access VPNs allow mobile users to connect to their corporate intranets or extranets, thus improving flexibility and reducing costs.

Traditional dial-up networking services supported only registered IP addresses, which limited the types of applications that could be implemented over Virtual Private Networks (VPNs). L2TP supports multiple protocols and unregistered and privately administered IP addresses over the Internet. This allows the existing access infrastructure, such as the Internet, modems, access servers, and ISDN terminal adaptors (TAs), to be used.

L2TP can be initiated wherever PPTP or L2F is currently deployed and can be operated as a client initiated tunnel, such as PPTP, or a network access server (NAS) initiated tunnel, such as L2F.

Mobile IP

Mobile IP provides users the freedom to roam beyond their home subnet while consistently maintaining their home IP address. This enables transparent routing of IP datagrams to mobile users during their movement, so that data sessions can be initiated to them while they roam; it also enables sessions to be maintained in spite of physical movement between points of attachment to the Internet or other networks. Cisco's implementation of Mobile IP is fully compliant with the Internet Engineering Task Force's (IETF's) proposed standard defined in Request for Comments (RFC) 2002.

OSPF Packet Pacing

The former OSPF implementation for sending update packets needed to be more efficient. Some update packets were getting lost in cases where the link was slow, a neighbor could not receive the updates fast enough, or the router was out of buffer space. For example, packets might be dropped if either of these topologies existed:

OSPF update packets are now automatically paced by a delay of 33 milliseconds. Pacing is also added between retransmissions to increase efficiency and minimize lost retransmissions.

OSPF update and retransmission packets are sent more efficiently. Also, you can display the LSAs waiting to be sent out an interface.

Smart-init

The smart-init feature is an extension to the existing memory split program of the Cisco IOS software running on Cisco 3600 series routers. It computes iomem size by looking at the network modules installed in the system and uses this iomem for carrying out the memory split. Also, compatibility with older IOS configurations is maintained by retaining support for the memory-size configuration command. The user can disable smart-init and set iomem percentage to the required value by issuing the memory-size configuration command.

Time-Based Access Lists

It is now possible to implement access lists based on the time of day. To do so, you create a time range that defines specific times of the day and week. The time range is identified by a name, and then referenced by a function, so that those time restrictions are imposed on the function itself.

Currently, IP and IPX extended access lists are the only functions that can use time ranges. The time range allows the network administrator to define when the permit or deny statements in the access list are in effect. Prior to this feature, access list statements were always in effect once they were applied. Both named and numbered access lists can reference a time range.

PPP Over Frame Relay

The PPP over Frame Relay feature allows a router to establish end-to-end Point-to-Point Protocol (PPP) sessions over Frame Relay. IP datagrams are transported over the PPP link using RFC 1973 compliant Frame Relay framing. This feature is useful for remote users running PPP to access their Frame Relay corporate networks.

PPP over Frame Relay provides the following benefits:

R2 Signaling

R2 signaling is an international signaling standard that is common to channelized E1 networks. However, there is no single signaling standard for R2. The ITU-T Q.400-Q.490 recommendation defines R2, but a number of countries and geographic regions implement R2 in entirely different ways. Cisco Systems addresses this challenge by supporting many localized implementations of R2 signaling in its Cisco IOS software.

RIP Enhancements

Triggered extensions to IP RIP increase efficiency of RIP on point-to-point, serial interfaces. Routers are used on connection-oriented networks to allow potential connectivity to many remote destinations. Circuits on the WAN are established on demand and are relinquished when the traffic subsides. Depending on the application, the connection between any two sites for user data could be short and relatively infrequent.

There were two problems with using RIP to connect to a WAN:

To overcome these limitations, triggered extensions to RIP cause RIP to send information on the WAN only when there has been an update to the routing database. Periodic update packets are suppressed over the interface on which this feature is enabled.

X.25 Over ISDN D-Channel

Basic Rate Interface (BRI) is an Integrated Services Digital Network (ISDN) interface, consisting of two B channels (B1 and B2) and one D channel. The B channels are used to transfer data, voice, and video. The D channel controls the B channels.

ISDN uses the D channel to carry signal information, and can also use the D channel in a BRI to carry X.25 packets. The D channel has a capacity of 16 kbps, and the X.25 over D channel can use up to 9.6 kbps.

You can set the parameters of the X.25-over-D-channel interface without disrupting the original ISDN interface configuration. In a normal ISDN BRI interface, the D and B channels are bundled together and represented as a single interface. The original BRI interface continues to represent the D, B1, and B2 channels.

Because some end-user equipment uses static terminal endpoint identifiers (TEIs) to access this feature, static TEIs are supported. The dialer recognizes the X.25-over-D-channel calls and initiates them on a new interface.

X.25 traffic over the D channel can be used as a primary interface where low-volume, sporadic interactive traffic is the normal mode of operation. Supported traffic includes IPX, AppleTalk, transparent bridging, XNS, DECnet, and IP.

Important Notes


Note For important information about the ATM OC3 network modules and compatibility with the Cisco 3620 router, please review the field notice on CCO, at http://www.cisco.com/warp/customer/770/51.shtml  

The last maintenance release of the 12.0T release train is 12.0(7)T. The migration path for customers needing bug fixes for the 12.0 T features is 12.1 Mainline. 12.1 Mainline has the complete feature content of 12.0T and this release will eventually reach General Deployment (GD).

The last maintenance release was renamed from 12.0(6)T to 12.0(7)T to reflect that 12.0(7)T has all the bug fixes of 12.0(7) mainline. 12.0T is a superset of 12.0 mainline, hence any defect fixed in 12.0 mainline is also fixed in 12.0 T. The set of features for 12.0(6)T is the same as that of 12.0(7)T. There was no change in the feature content of the release. The release was renamed so that the releases would be consistent with Cisco's release process.

Image Deferral, Cisco IOS Release 12.0(3)T

When Cisco IOS Release 12.0(3)T first became available, the following images were deferred:

Cisco IOS Syslog Failure

Certain versions of Cisco IOS software can fail or hang when they receive invalid User Datagram Protocol (UDP) packets sent to their syslog ports (port 514). At least one commonly-used Internet scanning tool generates packets that can cause such problems. This fact has been published on public Internet mailing lists, which are widely read both by security professionals and by security crackers. This information should be considered in the public domain.

Attackers can cause Cisco IOS devices to repeatedly fail and reload, resulting in a completely disabled Cisco IOS device that will need to be reconfigured by its administrator. Some Cisco IOS devices have been observed to hang instead of failing when attacked. These devices do not recover until they are manually restarted by reset or power cycling. An administrator must personally visit an attacked, hung device to restart it, even if the attacker is no longer actively sending any traffic. Some devices have failed without providing stack traces; some devices might indicate that they were "restarted by power-on," even when that is not the case.

Assume that any potential attacker is likely to know about this problem and the ways to exploit it. An attacker can use tools available to the public on the Internet. An attacker does not need to write any software to exploit the problem. Minimal skills and no special equipment are required.

Despite Cisco specifically inviting such reports, Cisco has received no actual reports of malicious exploitation of this problem.

This vulnerability notice was posted on Cisco's World Wide Web site:

http://www.cisco.com/warp/public/770/iossyslog-pub.shtml  
 

This information was also sent to the following e-mail and Usenet news recipients:

Affected Devices and Software Versions

Vulnerable devices and software versions are specified in Table 9. Affected versions include 11.3AA, 11.3DB, and all 12.0 versions (including 12.0 mainline, 12.0 S, 12.0 T, and any other regular releases whose number starts with 12.0), up to the repaired releases listed in Table 9. Cisco is correcting the problem in certain special releases and will correct it in future maintenance and interim releases. See the "Software Versions and Fixes" section for details. Cisco intends to provide fixes for all affected Cisco IOS variants.

No particular configuration is needed to make a Cisco IOS device vulnerable. It is possible to filter out attack traffic by using access lists. See the "Workarounds" section for techniques. However, except at Internet firewalls, the appropriate filters are not common in customer configurations. Carefully evaluate your configuration before assuming that any filtering protects you against this attack.

The most commonly used or asked-about products are listed below. If you are unsure whether your device is running classic Cisco IOS software, log in to the device and issue the show version command. Cisco IOS software identifies itself simply as "IOS" or "Internetwork Operating System Software." Other Cisco devices do not have the show version command, or they identify themselves differently in their output. The most common Cisco devices that run Cisco IOS software include the following equipment:

Affected software versions, which are relatively new, are not necessarily available on every device listed above. If you are not running Cisco IOS software, you are not affected by this problem.

The following Cisco devices are not affected:

This problem has been assigned Cisco caveat ID CSCdk77426.

Solution

Cisco offers free software updates to correct this problem for all affected customers, regardless of their contract status. However, because this vulnerability information has been disseminated by third parties, Cisco has released this notice before updates are available for all software versions. Table 9 gives Cisco's projected fix dates.

Make sure your hardware has adequate RAM to support the new software before installing it. The amount of RAM is seldom a problem when you upgrade within a major release (say, from 11.2(11)P to 11.2(17)P), but it is often a factor when you upgrade between major releases (say, from 11.2 P to 11.3 T).

Because fixes will be available for all affected releases, this problem will rarely, if ever, require an upgrade to a new major release. Cisco recommends very careful planning for any upgrade between major releases. Make certain no known bugs will prevent the new software from working properly in your environment.

Further upgrade planning assistance is available on Cisco's World Wide Web site at:

http://www.cisco.com  
 

If you have a service contract, you should obtain new software through your regular update channels (generally via Cisco's World Wide Web site). You can upgrade to any software release, but you must remain within the boundaries of the feature sets you have purchased.

If you do not have a service contract, you may upgrade to obtain only the bug fixes; Cisco is not offering upgrades to versions newer than the versions required to resolve the defects. In general, you will be restricted to upgrading to a version represented within a single row of Table 9. However, Cisco will make an exception to this policy when no upgrade within the same row is available in a timely manner. Obtain updates by contacting one of the following Cisco Technical Assistance Centers (TACs):

Give the URL of this notice (http://www.cisco.com/warp/public/770/iossyslog-pub.shtml) as evidence for a free update. Non-contract customers must request free updates through the TAC. Please do not contact either "psirt@cisco.com" or "security-alert@cisco.com" for software updates.

Workarounds

You can work around this problem by preventing any affected Cisco IOS device from receiving or processing UDP datagrams addressed to its port 514. This can be done either using packet filtering on surrounding devices, or by using input access list filtering on the affected Cisco IOS device itself.

If you use an input access list, apply that list to all interfaces to which attackers might be able to send datagrams. This includes not only physical LAN and WAN interfaces but also virtual subinterfaces of those physical interfaces, as well as virtual interfaces and interface templates corresponding to GRE, L2TP, L2F, and other tunneling protocols.

The input access list must block traffic destined for UDP port 514 at any of the Cisco IOS device's own IP addresses, as well as at any broadcast or multicast addresses on which the Cisco IOS device might be listening. Be sure to block both old-style "all-zeros" broadcasts and new-style "all-ones" broadcasts. It is not necessary to block traffic being forwarded to other hosts; only traffic actually addressed to the Cisco IOS device is of interest.

No single input access list works in all configurations. Know the effect of your access list in your specific configuration before activating it.

The following example shows a possible access list for a three-interface router, along with the configuration commands needed to apply the list. The example assumes input filtering is not needed, other than as a workaround for this problem:

! Deny all multicasts, and all unspecified-net broadcasts, to port 514
access-list 101 deny udp any 224.0.0.0 31.255.255.255 eq 514
! Deny old-style unspecified-net broadcasts
access-list 101 deny udp any host 0.0.0.0 eq 514
! Deny network-specific broadcasts. This example assumes that all of
! the local interfaces are on the class B network 172.16.0.0, subnetted
! everywhere with mask 255.255.255.0. This will differ from network
! to network. Note that we block both new-style and old-style broadcasts.
access-list 101 deny udp any 172.16.0.255 0.0.255.0 eq 514
access-list 101 deny udp any 172.16.0.0   0.0.255.0 eq 514
! Deny packets sent to the addresses of our own network interfaces.
access-list 101 deny udp any host 172.16.1.1 eq 514
access-list 101 deny udp any host 172.16.2.1 eq 514
access-list 101 deny udp any host 172.16.3.3 eq 514
! Permit all other traffic (default would be to deny)
access-list 101 permit ip any any
 
! Apply the access list to the input side of each interface
interface ethernet 0
ip address 172.16.1.1 255.255.255.0
ip access-group 101 in
 
interface ethernet 2
ip address 172.16.2.1 255.255.255.0
ip access-group 101 in
 
interface ethernet 3
ip address 172.16.3.3 255.255.255.0
ip access-group 101 in
 

Listing all possible addresses---especially all possible broadcast addresses---to which attack packets can be sent is complicated. If you do not need to forward any legitimate syslog traffic received on an interface, you can block all syslog traffic arriving on that interface. Remember that blocking will affect traffic routed through the Cisco IOS device as well as traffic destined to the device; if the IOS device is expected to forward syslog packets, you will have to do the detailed filtering. Because input access lists impact system performance, install them with caution---especially on systems running very near their capacity.
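The following Python sketch is an added example, not part of Cisco's notice: it evaluates access list 101 from the example above with first-match and wildcard-mask semantics and reports any device-addressed destination that UDP port 514 traffic could still reach. It handles only the ACL syntax used in that example; the source address 192.0.2.10, the all-hosts group 224.0.0.1 used as the multicast sample, and the function names are assumptions made for the illustration.

```python
import ipaddress

# Access list 101 from the example above (comment lines omitted).
ACL_101 = """\
access-list 101 deny udp any 224.0.0.0 31.255.255.255 eq 514
access-list 101 deny udp any host 0.0.0.0 eq 514
access-list 101 deny udp any 172.16.0.255 0.0.255.0 eq 514
access-list 101 deny udp any 172.16.0.0   0.0.255.0 eq 514
access-list 101 deny udp any host 172.16.1.1 eq 514
access-list 101 deny udp any host 172.16.2.1 eq 514
access-list 101 deny udp any host 172.16.3.3 eq 514
access-list 101 permit ip any any
"""

def _ip(text):
    return int(ipaddress.IPv4Address(text))

def _take_addr(tokens):
    """Consume 'any', 'host A' or 'A WILDCARD'; return (base, wildcard)."""
    first = tokens.pop(0)
    if first == "any":
        return 0, 0xFFFFFFFF
    if first == "host":
        return _ip(tokens.pop(0)), 0
    return _ip(first), _ip(tokens.pop(0))

def parse_acl(text):
    """Parse the subset of extended access-list syntax used on this page."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0].startswith("!"):
            continue
        action, proto, rest = tokens[2], tokens[3], tokens[4:]
        src, dst = _take_addr(rest), _take_addr(rest)
        port = int(rest[1]) if rest[:1] == ["eq"] else None
        entries.append((action, proto, src, dst, port))
    return entries

def _match(addr, spec):
    base, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF  # wildcard bits set to 1 are ignored
    return (addr & care) == (base & care)

def evaluate(entries, proto, src, dst, dport):
    """Return the action of the first matching entry; no match means deny."""
    for action, e_proto, e_src, e_dst, e_port in entries:
        if (e_proto in ("ip", proto) and _match(_ip(src), e_src)
                and _match(_ip(dst), e_dst) and e_port in (None, dport)):
            return action
    return "deny"

def device_destinations(interfaces):
    """Addresses at which the device itself may accept a datagram."""
    # Unspecified-net broadcasts (new and old style) and one sample multicast group.
    dests = {"255.255.255.255", "0.0.0.0", "224.0.0.1"}
    for cidr in interfaces:
        iface = ipaddress.IPv4Interface(cidr)
        net = iface.network
        # Interface address, all-ones broadcast, all-zeros broadcast.
        dests.update(str(a) for a in (iface.ip, net.broadcast_address, net.network_address))
    return sorted(dests, key=_ip)

def uncovered(entries, interfaces, port=514, src="192.0.2.10"):
    """Device-addressed destinations the ACL still lets through on UDP `port`."""
    return [d for d in device_destinations(interfaces)
            if evaluate(entries, "udp", src, d, port) != "deny"]

if __name__ == "__main__":
    acl = parse_acl(ACL_101)
    print(uncovered(acl, ["172.16.1.1/24", "172.16.2.1/24", "172.16.3.3/24"]))
```

Running the check with an interface such as 172.16.4.65/26 (a constructed value) reports that interface's address and both of its subnet broadcast forms as uncovered, which is the situation the example's comment about mask 255.255.255.0 warns about.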

Software Versions and Fixes

Many Cisco software images have been or will be specially reissued to correct this problem. For example, Release 12.0(2) is vulnerable, as are interim Releases 12.0(2.1) through 12.0(2.3). The first fixed interim version of Release 12.0 mainline software is Release 12.0(2.4). However, a special release, Release 12.0(2a), contains only the fix for this problem and does not include any other bug fixes from later 12.0 interim releases.

If you are running Release 12.0(2) and want to fix this problem without risking possible instability presented by installing the Release 12.0(2.4) interim release, you can upgrade to Release 12.0(2a). Release 12.0(2a) is a "code branch" from the Release 12.0(2) base, which will merge back into the 12.0 mainline at Release 12.0(2.4).

Special releases, like Release 12.0(2a), are one-time, spot fixes, and they will not be maintained. Thus, the upgrade path from Release 12.0(2a) is to 12.0(3).

Table 9 specifies information about affected and repaired software versions.


Note All dates within this table are subject to change.

Table 9: Affected and Repaired Software Versions
Cisco IOS Major Release Description Special Fix1 First Fixed Interim Release2 Fixed Maintenance Release3
Unaffected Releases

11.2 and earlier---all variants

Unaffected early releases (no syslog server)

Unaffected

Unaffected

Unaffected

11.3, 11.3T, 11.3DA, 11.3MA, 11.3NA, 11.3WA, 11.3(2)XA

11.3 releases without syslog servers

Unaffected

Unaffected

Unaffected

Releases based on 11.3

11.3AA

11.3 early deployment for Cisco AS58xx

11.3(7)AA2, 8-JAN-19994

11.3(7.2)AA

11.3(8)AA, 15-FEB-1999

11.3DB

11.3 for Cisco NRP routing blade in Cisco 6400 xDSL DSLAM

11.3(7)DB2, 18-JAN-1999

Releases based on 12.0

12.0

12.0 Mainline

12.0(2a), 8-JAN-1999

12.0(2.4)

12.0(3), 1-FEB-1999

12.0 T

12.0 new technology early deployment

12.0(2a)T1, 11-JAN-1999

12.0(2.4)T

12.0(3)T, 15-FEB-1999

12.0S

ISP support; Cisco 7200, RSP, GSR

12.0(2.3)S, 27-DEC-1998

12.0(2)S5, 18-JAN-1999

12.0DB

12.0 for Cisco 6400 universal access concentrator node switch processor (lab use)

12.0(2)DB, 18-JAN-1999

12.0(1)W

12.0 for Catalyst 8500 and LS1010

12.0(1)W5(5a) and 12.0(1a)W5(5b) (LS1010 only)

12.0(1)W5(5.15)

12.0(1)W5(6) (platform support for Catalyst 8540M will be in 12.0(1)W5(7))

12.0(0.6)W5

One-time early deployment for CH-OC12 module in Catalyst 8500 series switches

Unaffected; one-time release

Unaffected

Unaffected; general upgrade path is via 12.0(1)W5 releases

12.0(1)XA3

Short-life release; merged to 12.0 T at 12.0(2)T

Obsolete

Merged

Upgrade to 12.0(2a)T1 and/or to 12.0(3)T

12.0(1)XB

Short-life release for Cisco 800 series; merged to 12.0 T and 12.0(3)T

12.0(1)XB1

Merged

Upgrade to 12.0(3)T

12.0(2)XC

Short-life release for new features in Cisco 2600, Cisco 3600, ubr7200, ubr900 series; merged to 12.0 T at 12.0(3)T

12.0(2)XC1, 7-JAN-1999

Merged

Upgrade to 12.0(3)T

12.0(2)XD

Short-life release for ISDN voice features; merged to 12.0 T at 12.0(3)T

12.0(2)XD1, 18-JAN-1999

Merged

Upgrade to 12.0(3)T

12.0(1)XE

Short-life release

12.0(2)XE, 18-JAN-1999

Merged

Upgrade to 12.0(3)T

1 A special fix is a one-time release that provides the most stable immediate upgrade path.
2 Interim releases are tested less rigorously than regular, maintenance releases; interim releases might contain serious bugs.
3 Fixed maintenance releases are on a long-term upgrade path. Other long-term upgrade paths also exist.
4 All dates in this table are estimates, subject to change.
5 This entry is not a misprint. Release 12.0(2.3)S is available before Release 12.0(2)S in which the problem is fixed.

Deprecated MIBs

Old Cisco Management Information Bases (MIBs) will be replaced in a future release. OLD-CISCO-* MIBs are currently being migrated into more scalable MIBs---without affecting existing Cisco IOS products or NMS applications. You can update from deprecated MIBs to the replacement MIBs as shown in the following table.


Table 10: Deprecated MIBs
Deprecated MIB              Replacement

OLD-CISCO-APPLETALK-MIB     RFC1243-MIB
OLD-CISCO-CHASSIS-MIB       ENTITY-MIB
OLD-CISCO-CPUK-MIB          In Development
OLD-CISCO-DECNET-MIB
OLD-CISCO-ENV-MIB           CISCO-ENVMON-MIB
OLD-CISCO-FLASH-MIB         CISCO-FLASH-MIB
OLD-CISCO-INTERFACES-MIB    IF-MIB CISCO-QUEUE-MIB
OLD-CISCO-IP-MIB
OLD-CISCO-MEMORY-MIB        CISCO-MEMORY-POOL-MIB
OLD-CISCO-NOVELL-MIB        NOVELL-IPX-MIB
OLD-CISCO-SYS-MIB           (Compilation of other OLD* MIBS)
OLD-CISCO-SYSTEM-MIB        CISCO-CONFIG-COPY-MIB
OLD-CISCO-TCP-MIB           CISCO-TCP-MIB
OLD-CISCO-TS-MIB
OLD-CISCO-VINES-MIB         CISCO-VINES-MIB
OLD-CISCO-XNS-MIB

Caveats

Caveats describe unexpected behavior or defects in Cisco IOS software releases. Severity 1 caveats are the most serious caveats; severity 2 caveats are less serious.

For information on caveats in Cisco IOS Release 12.0 T, see Caveats for Cisco IOS Release 12.0 T that accompanies these release notes. This document lists severity 1 and 2 caveats for Cisco IOS Release 12.0 T.

All caveats in Release 12.0 are also in Release 12.0 T.

For information on caveats in Cisco IOS Release 12.0, see Caveats for Cisco IOS Release 12.0, which lists severity 1 and 2 caveats, and is located on CCO and the Documentation CD-ROM.


Note If you have an account with CCO, you can use Bug Navigator II to find caveats of any severity for any release. Click on this path: Software Center: Cisco IOS Software: Cisco IOS Bug Toolkit: Cisco Bug Navigator II. You can also find Bug Navigator II at
http://www.cisco.com/support/bugtools

The following sections describe the documentation available for the Cisco 3600 series. These documents consist of hardware and software installation guides, Cisco IOS configuration and command references, system error messages, feature modules, and other documents.

Documentation is available as printed manuals or electronic documents, except for feature modules, which are available online on CCO and the Documentation CD-ROM.

Use these release notes with these documents:

Release-Specific Documents

The following documents are specific to or support Cisco IOS Release 12.0(7)T and are located on CCO and the Documentation CD-ROM:

On CCO, beginning under the Service & Support heading:
Technical Documents: Documentation Home Page: Cisco IOS Software Configuration: Cisco IOS Release 12.0: Release Notes: Cross-Platform Release Notes
On the Documentation CD-ROM:
Cisco Product Documentation: Cisco IOS Software Configuration: Cisco IOS Release 12.0: Release Notes: Cross-Platform Release Notes for Cisco IOS Release 12.0 T
Technical Documents
As a supplement to the caveats listed in the "Caveats" section in these release notes, see Caveats for Cisco IOS Release 12.0 T, which contains caveats applicable to all platforms for all maintenance releases of Release 12.0 T.
On CCO, beginning under the Service & Support heading:
Technical Documents: Documentation Home Page: Cisco IOS Software Configuration: Cisco IOS Release 12.0: Caveats: Caveats for Cisco IOS Release 12.0 T
On the Documentation CD-ROM:
Cisco Product Documentation: Cisco IOS Software Configuration: Cisco IOS 12.0: Caveats: Caveats for Cisco IOS Release 12.0 T

Note If you have an account with CCO, you can use Bug Navigator II to find caveats of any severity for any release. Click on this path: Software Center: Cisco IOS Software: Cisco IOS Bug Toolkit: Cisco Bug Navigator II. You can also find Bug Navigator II at
http://www.cisco.com/support/bugtools

The documents listed below are available for the Cisco 3600 series routers and are also available on CCO and on the Documentation CD-ROM.

On CCO, beginning under the Service & Support heading:

Technical Documents: Documentation Home Page: Access Servers and Access Routers: Modular Access Routers: Cisco 3600 Series Routers

On the Documentation CD-ROM:

Access Servers and Access Routers: Modular Access Routers: Cisco 3600 Series Routers

Feature Modules

Feature modules describe new features supported by Cisco IOS Release 12.0 T and are updates to the Cisco IOS documentation set. A feature module consists of a brief overview of the feature, benefits, configuration tasks, and a command reference. As updates, the feature modules are available online only. The feature module information is incorporated into the next printing of the Cisco IOS documentation set.

On CCO, beginning under the Service & Support heading:

Technical Documents: Documentation Home Page: Cisco IOS Software Configuration: Cisco IOS Release 12.0: New Feature Documentation: New Features in Release 12.0 T

On the Documentation CD-ROM:

Cisco Product Documentation: Cisco IOS Software Configuration: Cisco IOS Release 12.0: New Feature Documentation: New Features in Release 12.0 T

Cisco IOS Software Documentation Set

The Cisco IOS software documentation set consists of the Cisco IOS configuration guides, Cisco IOS command references, and several other supporting documents. These documents are shipped with your order in electronic form on the Documentation CD-ROM---unless you specifically ordered the printed versions.

Documentation Modules

Each module in the Cisco IOS documentation set consists of two books: a configuration guide and a corresponding command reference. Chapters in a configuration guide describe protocols, configuration tasks, and Cisco IOS software functionality and contain comprehensive configuration examples. Chapters in a command reference provide complete command syntax information. Each configuration guide can be used with its corresponding command reference.

On CCO and the Documentation CD-ROM, two master hot-linked documents provide information for the Cisco IOS software documentation set.

On CCO, beginning under the Service & Support heading:

Technical Documents: Documentation Home Page: Cisco IOS Software Configuration: Cisco IOS Release 12.0: Cisco IOS Release 12.0 Configuration Guides and Command References

On the Documentation CD-ROM:

Cisco IOS Software Configuration: Cisco IOS Release 12.0: Cisco IOS Release 12.0 Configuration Guides and Command References

Release 12.0 Documentation Set

Table 11 describes the contents of the Cisco IOS Release 12.0 software documentation set, which is available in electronic form and in printed form upon request.


Note You can find the most current Cisco IOS documentation on CCO and the Documentation CD-ROM. These electronic documents may contain updates and modifications made after the hard-copy documents were printed.

On CCO, beginning under the Service & Support heading:

Technical Documents: Documentation Home Page: Cisco IOS Software Configuration: Cisco IOS Release 12.0

On the Documentation CD-ROM:

Cisco Product Documentation: Cisco IOS Software Configuration: Cisco IOS Release 12.0


Table 11: Cisco IOS Software Release 12.0 Documentation Set
Books Chapter Topics

  • Configuration Fundamentals Configuration Guide

  • Configuration Fundamentals Command Reference

Configuration Fundamentals Overview
Cisco IOS User Interfaces
File Management
System Management

  • Bridging and IBM Networking Configuration Guide

  • Bridging and IBM Networking Command Reference

Transparent Bridging
Source-Route Bridging
Token Ring Inter-Switch Link
Remote Source-Route Bridging
DLSw+
STUN and BSTUN
LLC2 and SDLC
IBM Network Media Translation
DSPU and SNA Service Point
SNA Frame Relay Access Support
APPN
Cisco Database Connection
NCIA Client/Server Topologies
Cisco Mainframe Channel Connection
Airline Product Set

  • Dial Solutions Configuration Guide

  • Dial Solutions Command Reference

Dial-In Port Setup
Dial-In Terminal Services
Dial-on-Demand Routing (DDR)
Dial Backup
Dial-Out Modem Pooling
Large-Scale Dial Solutions
Cost-Control Solutions
ISDN
X.25 over ISDN
VPDN
Dial Business Solutions and Examples

  • Cisco IOS Interface Configuration Guide

  • Cisco IOS Interface Command Reference

Interface Configuration Overview

  • Network Protocols Configuration Guide, Part 1

  • Network Protocols Command Reference, Part 1

IP Addressing
IP Services
IP Routing Protocols

  • Network Protocols Configuration Guide, Part 2

  • Network Protocols Command Reference, Part 2

AppleTalk
Novell IPX

  • Network Protocols Configuration Guide, Part 3

  • Network Protocols Command Reference, Part 3

Apollo Domain
Banyan VINES
DECnet
ISO CLNS
XNS

  • Security Configuration Guide

  • Security Command Reference

AAA Security Services
Security Server Protocols
Traffic Filtering and Firewalls
IP Security and Encryption
Passwords and Privileges
Neighbor Router Authentication
IP Security Options

  • Cisco IOS Switching Services Configuration Guide

  • Cisco IOS Switching Services Command Reference

Switching Paths for IP Networks
Virtual LAN (VLAN) Switching and Routing

  • Wide-Area Networking Configuration Guide

  • Wide-Area Networking Command Reference

ATM
Frame Relay
SMDS
X.25 and LAPB

  • Voice, Video, and Home Applications Configuration Guide

  • Voice, Video, and Home Applications Command Reference

Voice over IP
Voice over Frame Relay
Voice over ATM
Voice over HDLC
Video Support
Universal Broadband Features

  • Quality of Service Solutions Configuration Guide

  • Quality of Service Solutions Command Reference

Classification
Scheduling
Packet Drop
Traffic Shaping
ATM QoS
SNA QoS
Line Protocols

  • Cisco IOS Software Command Summary

  • Dial Solutions Quick Configuration Guide

  • System Error Messages

  • Debug Command Reference

Service and Support

For service and support for a product purchased from a reseller, contact the reseller, who offers a wide variety of Cisco service and support programs described in "Service and Support" of the Cisco Information Packet shipped with your product.


Note If you purchased your product from a reseller, you can reach CCO as a guest. CCO is Cisco Systems' primary real-time support channel. Your reseller offers programs that include direct access to CCO services.

For service and support for a product purchased directly from Cisco, use CCO.

Software Configuration Tips on the Cisco Technical Assistance Center Home Page

If you have a CCO login account, you can access the following URL, which contains links and tips on configuring your Cisco products:

http://www.cisco.com/kobayashi/technotes/serv_tips.shtml

This URL is subject to change without notice. If it changes, point your Web browser to CCO and click on this path: Products & Technologies: Products: Technical Tips.

The following sections are provided from the Technical Tips page:

Cisco Connection Online

Cisco Connection Online (CCO) is Cisco Systems' primary, real-time support channel. Maintenance customers and partners can self-register on CCO to obtain additional information and services.

Available 24 hours a day, 7 days a week, CCO provides a wealth of standard and value-added services to Cisco's customers and business partners. CCO services include product information, product documentation, software updates, release notes, technical tips, the Bug Navigator, configuration notes, brochures, descriptions of service offerings, and download access to public and authorized files.

CCO serves a wide variety of users through two interfaces that are updated and enhanced simultaneously: a character-based version and a multimedia version that resides on the World Wide Web (WWW). The character-based CCO supports Zmodem, Kermit, Xmodem, FTP, and Internet e-mail, and it is excellent for quick access to information over lower bandwidths. The WWW version of CCO provides richly formatted documents with photographs, figures, graphics, and video, as well as hyperlinks to related information.

You can reach CCO in the following ways:

For a copy of CCO's Frequently Asked Questions (FAQ), contact cco-help@cisco.com. For additional information, contact cco-team@cisco.com.


Note If you are a network administrator and need personal technical assistance with a Cisco product that is under warranty or covered by a maintenance contract, contact Cisco's Technical Assistance Center (TAC) at 800 553-2447, 408 526-7209, or tac@cisco.com. To obtain general information about Cisco Systems, Cisco products, or upgrades, contact 800 553-6387, 408 526-7208, or cs-rep@cisco.com.

Documentation CD-ROM

Cisco documentation and additional literature are available in a CD-ROM package, which ships with your product. The Documentation CD-ROM, a member of the Cisco Connection Family, is updated monthly. Therefore, it might be more current than printed documentation. To order additional copies of the Documentation CD-ROM, contact your local sales representative or call customer service. The CD-ROM package is available as a single package or as an annual subscription. You can also reach Cisco documentation on the World Wide Web at http://www.cisco.com, http://www-china.cisco.com, or http://www-europe.cisco.com.

If you are reading Cisco product documentation on the World Wide Web, you can submit comments electronically. Click Feedback in the toolbar and select Documentation. After you complete the form, click Submit to send it to Cisco. We appreciate your comments.



Posted: Sat Jan 15 02:56:11 PST 2000
Copyright 1989 - 2000©Cisco Systems Inc.