|
|
These release notes describe new features and caveats (if any) for the Cisco AS5800 universal access server system supported in Cisco IOS Release 11.3 AA, up to and including the current maintenance release, Cisco IOS Release 11.3(11)AA. (You may have a minor variation of this release designation.)
 |
Note Cisco IOS Release 11.3 AA is not intended to be a long-lived release. It is currently in end of engineering and end of sales. The currently Cisco IOS Release is intended for previously purchased systems. No new features are added. You are encouraged to migrate to Cisco IOS Release 12.0 T. For the latest news on upgrade and migration information, see the: "Upgrading to a New Release and Online Product Bulletins" section. |
These release notes are reissued with each new maintenance release of Cisco IOS 11.3 AA, approximately every six weeks. These release notes are updated as needed to describe new memory requirements, new features, newly resolved or open caveats, new hardware support, software platform image deferrals, microcode or modem code changes, related document changes, and any other important changes.
This special release, Cisco IOS Release 11.3 AA, is based on Cisco IOS Release 11.3 T, beginning with 11.3(4)T. Earlier maintenance release were code-harmonized to the preceding Cisco IOS Release 11.3 T. Therefore, caveats and features from Cisco IOS Release 11.3 T can also apply to this release. However, new releases of Cisco IOS Release 11.3 AA may contain one or more additional features that currently may not be found in the earlier Cisco IOS Release 11.3 T. After Cisco IOS Release 11.3 (9)AA, now new feature were added.
For more information, see the "New and Changed Information" section. See the "Upgrading to a New Release and Online Product Bulletins" subsection.
For related information, see the "New Features in Cisco IOS Release 11.3 T and Other Related Releases" section.
This document is subject to change. Any preliminary content will be replaced with final content as it becomes available. The following sections are especially subject to change:
For an online version of this document and other online information about this release, see the Cisco Connection Online (CCO) page, Cisco IOS 11.3 AA New Features at:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios113ed/113aa/index.htm
For more tips about finding information about this release online, see the "Cisco IOS Release Information" section.
These release notes discuss the following topics:
The Cisco AS5800 is a high-density, ISDN and modem WAN aggregation system that provides digital and analog call termination. It is intended to be used as a service provider dial point-of-presence (POP) or centralized enterprise dial gateway. The Cisco AS5800 system consists of a dial shelf, a router shelf, and a system controller.
The Cisco 5814 dial shelf and host Cisco 7206 router shelf communicate over a dial shelf interconnect cable (DSIC). This nonblocking interconnect supports 100 Mbps, full-duplex data transfer. Data is converted into packets by the feature cards, transmitted to a hub on the dial shelf controller (DSC) card, and from there sent to the router shelf. Conversely, packets from the router shelf are sent to the DSC card, where they are transmitted over the backplane to the modem and trunk cards.
For more information on the Cisco AS5800, refer to the Cisco AS5800 Universal Access Server Software Installation and Configuration Guide (Document Number DOC-5800-SICG=) or the Cisco AS5800 Universal Access Server Software Installation and Configuration Guide (Document Number DOC-5800-HICG) that shipped with your system.
The AS5800 can also be used in the Cisco SS7/C7 Dial Access Solution System. For more information, see the "Cisco SS7/C7 Dial Access Solution System and other Cisco IOS 11.3 AA Platforms" subsection.
The Cisco 5814 dial shelf has 14 slots and can support one or two dial shelf controller cards and up to 12 feature cards subject to a limit of four trunk cards and 10 modem cards to provide full modem and Digital Integrated Services Digital Network (ISDN) coverage. The dial shelf supports up to 720 simultaneous analog and/or digital calls, with the RS7206. (Higher numbers of ports are supported with the RS7206 VXR running Cisco IOS Release 12.04XJ or later. The RS7206 VXR does not support Cisco IOS Release 11.3 AA.)
Analog calls are terminated by a feature card that is loaded with integrated modems. ISDN calls are terminated onboard the trunk card on High-Level Data Link Control (HDLC) controllers. The E1 trunk and the T1 trunk card include channel service units (CSUs) and has either 12 E1 ports or 12 T1 ports that can operate as Primary Rate Interface (PRI) interfaces or channelized interfaces in any combination.
The RS7206 router shelf contains a network processing engine, an I/O controller, and the egress interfaces, such as High-Speed Serial Interface (HSSI), Fast Ethernet (FE), Fiber Distributed Data Interface (FDDI), and Asynchronous Transfer Mode (ATM). The RS7206 router shelf supports either 280 W AC-input or 280 W DC-input redundant power. The router shelf also contains a dial shelf interconnect port adapter with a single RJ-45 receptacle that is used to connect the router shelf to the Cisco 5814 dial shelf. The interconnect port adapter connects directly to the dial shelf controller card on the dial shelf via a single, full-duplex cable. The cable used for this connection is a Cisco proprietary cable, customized with jack screws to secure the connection. You must use this specially designed cable that ships with your interconnect port adapter.
The SC3640 system controller includes the Cisco 3640 router running Cisco IOS software with system controller features. The system controller can be installed at a remote facility so users can access multiple systems through a console port or Web interface. System administrators can download software configurations to any Cisco AS5800 universal access server using Simple Network Management Protocol (SNMP) or Telnet. The system controller monitors Cisco equipment to provide performance data collection, accounting data collection, and logging.
These release notes also include information on features of the Cisco IOS Release 11.3 AA that support the Cisco SS7/C7 Dial Access Solution System. For more information, see the "New Features in Cisco IOS Release 11.3(7)AA" section. These release notes also include information on the SC3640 system controller and the Cisco SS7/C7 Dial Access Solution System.
For Cisco IOS Release 11.3 AA information on other platforms capable of running the Cisco SS7/C7 Dial Access Solution System, see the following separate document release notes:
This section describes the system requirements for current Release and includes the following sections:
Because it is a system, the Cisco IOS release for the Cisco AS5800 universal access server contains multiple Cisco IOS software images. The available set of these images are listed in Table 1 .
Table 2 describes the memory requirements for the Cisco AS5800 feature sets supported by the current Cisco IOS Release. Flash memory is optional for these Cisco AS5800 images.
| System Components | Feature Set | Image Name | Required FLASH Memory | Required DRAM Memory | Runs From |
|---|---|---|---|---|---|
Cisco AS5800 Series | IP Plus | c5800-p4-mz | 16 MB Flash | 128 MB1 | DRAM |
Cisco AS5800 Series | IP Plus IPSec 56 | c5800-p456i-mz | 16 MB Flash | 128 MB | DRAM |
Cisco 5814 Dial Shelf | IP Plus | dsc-c5800-mz | 8 MB Flash | 32 MB | DRAM |
SC3640 Series IP/System Controller | IP Plus | c3640-c2is-mz | 16 MB Flash | — | Flash |
Cisco AS5200 | See the Release Notes for the Cisco AS5200 for Cisco IOS Release 11.3 AA. | ||||
Cisco AS5300 | See the Release Notes for the Cisco AS5300 for Cisco IOS Release 11.3 AA. | ||||
| 1See the note above this table. |
The Cisco AS5800 universal access server includes:
(There are no separate release notes for the SC3640 router for the Cisco IOS Release 11.3 AA.)
Cisco IOS Release 11.3(2)T and later contains bundled modem code, which is the modem firmware (or modem code) that runs on the modems packaged on modem cards compatible with the Cisco AS5800. Modem code is bundled with the Cisco IOS software image to supplement separate modem code that is available from external sources. When the access server starts, the Cisco IOS software unpacks the bundled modem code and loads the proper code on the modem cards.
With the Cisco AS5800 for Cisco IOS 11.3(6)AA and higher, external modem code can also be downloaded using the firmware command.
|
Note Documents that discuss Mica modems can use the term "portware" when referring to modem code; however, the term can refer to either a bundled version or an externally packaged version. |
The show modem mapping command lists all versions of modem code running on the modem modules, residing in system Flash, and bundled with Cisco IOS software. Enter this command to help you decide if you need to update your modem code files.
 |
Caution The Cisco factory might have installed a later version of modem code than the one bundled with the Cisco IOS software. The factory installs modem code in Flash memory and maps that code to the modems. Sometimes different modem cards can be installed with different versions. It is important to keep the factory configuration, unless you fully understand how you wish to reconfigure modems on your system and how to use all the available Cisco IOS commands for copying and downloading modem code. If you use a command that downloads the bundled version to the modems, you could be overwriting the desired modem code with an earlier version. When this happens, there is no easy way to restore the original factory-installed modem code by rebooting or otherwise. |
For current Cisco AS5800 modem code information, see the following CCO page:
http://www.cisco.com/pcgi-bin/tablebuild.pl/mica
http://www.cisco.com/cgi-bin/tablebuild.pl
The modem code release notes are on CCO and on the Documentation CD-ROM.
Use the following URL to access modem information and modem code release notes from CCO:
http://www.cisco.com/univercd/cc/td/doc/product/access/acs_serv/as5800/5800_pw/index.htm
If the above path does not respond or is changed, follow this general path to access the release notes from CCO or the Documentation CD-ROM:
Documentation CD Home Page > Cisco Product Documentation > Access Servers and Access Routers > Access Servers > Cisco AS5800 > Portware.
For more release information, see the "New Features in Cisco IOS Release 11.3 T and Other Related Releases" section.
See also the "Related Documentation" section.
To determine the version of Cisco IOS software running on your Cisco AS5800 universal access server, log on to the access server and enter the show version User EXEC command:
router> show version
The following is sample output from the show version command. The version number is indicated on the second line as shown below:
Cisco Internetwork Operating System Software
IOS (tm) 5800 Software (C5800-p4-mz), Version 11.3(11)AA.......
Additional command output lines include more information, such as processor revision numbers, memory amounts, hardware IDs, and partition information.
The Cisco AS5800 universal access server contains multiple Cisco IOS software images. The available set of these images are listed in Table 1 . For more information, see the "Memory Requirements and Cisco IOS Software Images" section.
For online information about this release and the Cisco AS5800, see the Cisco Connection Online (CCO) page,
Cisco IOS 11.3 AA New Features at:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios113ed/113aa/index.htm
On this page, you will find links to the following types of information:
On the Cisco AS5800 page, you will find links to the following documents and types of documents:
To find additional information about this release on CCO (http://www.cisco.com/) is to click on Service and Support:
This page has the following categories of links:
For handy navigation links to information related to this release notes, see the CCO page, Site Map and Help:
http://www.cisco.com/public/help/navigate.shtml
For general information on Cisco IOS software releases, see the CCO page, Software Releases at:
http://www.cisco.com/warp/public/732/Releases/
In general, the recommended upgrade path from Cisco IOS Release11.3 AA is Cisco IOS Release12.0 T
For information about upgrading to a new software release or migrating from an End of Engineering release, refer to the Product Bulletins on Products & Technologies page, located on CCO at:
http://www.cisco.com/public/sw-center/sw-ios.shtml
To find this page from the CCO home page, click on this path:
Service & Support > Software Center > Cisco IOS Software > Software Releases >
Cisco IOS 11.3
This page contains links to Cisco IOS Technical Documents and Additional Software Information such as:
For information on this release, select one of the following links on the Cisco IOS 11.3 page:
For general information on upgrading, select the link,
Cisco IOS Software Release 11.3 Upgrade Paths (#703: 12/97)
|
Note If you have an account on CCO, you can access the Cisco IOS Software Release 12.0 Upgrade Paths and Packaging Simplification product bulletin at the following URL: http://www.cisco.com/kobayashi/library/12.0/120MigrPaths.pdf |
This section lists Cisco IOS software feature sets available for the Cisco AS5800. Table 3 uses the following terms to specify features:
| Feature Set Matrix Term | Description |
|---|---|
Yes | This feature is offered. |
No | This feature is not offered. |
In | The "New in Release Number" column lists the Cisco IOS release that first introduces a feature. For example, (2) means a feature is introduced in 11.3(2)AA. If a table cell has a dash in this column, the feature was included in the initial release. |
Table 3 lists the feature sets supported in Cisco IOS Release 11.3 AA. IPSec 56 listed in this table is an abbreviation for IP Security.
|
Note Voice is not supported in Cisco IOS Release 11.3 AA, but is supported in Cisco IOS Release 11.3 NA images. |
| Features | IP Plus | IP Plus IPSec 56 | New in Release Number |
|---|---|---|---|
| IBM Support |
|
|
|
APPN High-Performance Routing | No | No | - |
APPN MIB Enhancements | No | No | - |
APPN over Ethernet LAN Emulation | No | No | - |
APPN Scalability Enhancements | No | No | - |
Bisync Enhancements:
| No | No | - |
Cisco MultiPath Channel (CMPC) | No | No | - |
DLSw+ Enhancements:
| No | No | - |
FRAS Enhancements:
| No | No | - |
RIF Passthru in DLSw+ | No | No | - |
SRB over FDDI on Cisco 4000-M, 4500-M, and 4700-M Routers | No | No | - |
TN3270 LU Nailing | No | No | - |
TN3270 Server Enhancements | No | No | - |
Token Ring LAN Emulation Services | Yes | Yes | (6) |
Tunneling of Asynchronous Security Protocols | No | No | - |
| Internet |
|
|
|
DRP Server Agent | No | No | - |
DRP Server Agent Enhancements | No | No | - |
L2TP | Yes | Yes | (5) |
L2TP Optimal Fastswitching Support | Yes | Yes | (8) |
L2TP VPDN Per User Configuration | Yes | Yes | (9) |
Split Dial Shelf Configuration | Yes | Yes | (8) |
| IP Routing |
|
|
|
Easy IP (Phase 1) | Yes | Yes | (2) |
Hot Standby Router Protocol (HSRP) over ISL in Virtual LAN Configurations | No | No | - |
IP Enhanced IGRP Route Authentication | Yes | Yes | (2) |
OSPF LSA Group Pacing | Yes | Yes | (2) |
OSPF Point-to-Multipoint Networks with Neighbors | Yes | Yes | (2) |
Yes | Yes | (4) | |
PIM Version 2 | Yes | Yes | (2) |
TCP Enhancements:
| Yes | Yes | (2) |
| LAN Support |
|
|
|
AppleTalk Access List Enhancements | No | No | - |
DECnet Accounting | No | No | - |
IPX Named Access Lists | No | No | - |
IPX SAP-after-RIP | No | No | - |
NLSP Enhancements | No | No | - |
NLSP Multicast Support | No | No | - |
Token Ring LAN Emulation Services | Yes | Yes | (6) |
| Management |
|
|
|
Cisco Call History MIB Command Line Interface | Yes | Yes | (2) |
Cisco IOS File System | Yes | Yes | (2) |
Cisco IOS Internationalization | Yes | Yes | (2) |
Conditionally Triggered Debugging | Yes | Yes | (2) |
Entity MIB (Phase 1) | Yes | Yes | (2) |
External Portware Download | Yes | Yes | (5) |
Per DNIS AAA Server Selection | Yes | Yes | (6) |
Portware Download | Yes | Yes | (6) |
Redundant AC Power Supply | No | No | (6) |
Redundant Dial Shelf Controller | Yes | Yes | (6) |
Show Caller Command | Yes | Yes | (5) |
Show Modem Command | Yes | Yes | (5) |
SNMP v2C | Yes | Yes | (2) |
SNMP Inform Requests | No | No | - |
Virtual Profiles | Yes | Yes | (2) |
Yes | Yes | (3) | |
| Multimedia |
|
|
|
IP Multicast Load Splitting across Equal-Cost Paths | Yes | Yes | (2) |
IP Multicast over ATM Point-to-Multipoint Virtual Circuits | Yes | Yes | (2) |
IP Multicast over Token Ring LANs | Yes | Yes | (2) |
Stub IP Multicast Routing | Yes | Yes | (2) |
| Quality of Service |
|
|
|
RTP Header Compression | No | No | - |
| Security |
|
|
|
AAA Scalability | Yes | Yes | (3) |
Authenticating ACL | No | No | - |
Automated Double Authentication | No | No | - |
Certificate Authority Interoperability | No | No | - |
Configuring Key, Timeout, Retransmission per Radius Server | Yes | Yes | (8) |
Double Authentication | Yes | Yes | (2) |
Encrypted Kerberized Telnet | No | No | - |
HTTP Security | Yes | Yes | (2) |
Internet Key Exchange Security Protocol | No | No | - |
IPSec Network Security | No | No | - |
MS-CHAP Support | Yes | Yes | (3) |
Named Method Lists for AAA Authentication and Accounting | Yes | Yes | (3) |
Per-User Configuration | Yes | Yes | (2) |
Reflexive Access Lists | Yes | Yes | (2) |
TCP Intercept | No | No | - |
Vendor-Proprietary RADIUS Attributes | Yes | Yes | (2) |
Vendor-Proprietary RADIUS -Additional Attributes | Yes | Yes | (3) |
| Switching |
|
|
|
AppleTalk Routing over ISL and IEEE 802.10 in Virtual LANs | No | No | - |
CLNS and DECnet Fast Switching over PPP | No | No | - |
DECnet/Vines/XNS over ISL:
| No | No | - |
Fast-Switched Policy Routing | Yes | Yes | (2) |
IPX Routing over ISL Virtual LANs | No | No | - |
L2TP Optimal Fastswitching Support | Yes | Yes | (8) |
VIP Distributed Switching Support for IP Encapsulated in ISL | No | No | - |
| Terminal Services |
|
|
|
Telnet Extensions for Dialout | No | No | - |
Virtual Templates for Protocol Translation | No | No | - |
| WAN Optimization |
|
|
|
ATM MIB Enhancements | No | No | - |
PAD Enhancements | No | No | - |
PAD Subaddressing | Yes | Yes | (2) |
| WAN Services |
|
|
|
SS7/C7 Continuity Testing for Network Access Servers | Yes | Yes | (5) |
Configurable SLIPP/PPP Timeout Message | Yes | Yes | (8) |
Continuity Testing (COT) | Yes | Yes | (7) |
ISDN Module | Yes | Yes | (7) |
E1 R21 | Yes | Yes | (4) |
R1 Modified Signaling Support for Taiwan only2 | Yes | Yes | (5) |
Enhanced Local Management Interface (ELMI) | No | No | - |
Frame Relay Enhancements | Yes | Yes | (2) |
Frame Relay MIB Extensions | Yes | Yes | (2) |
Frame Relay Router ForeSight | Yes | Yes | (2) |
GRE VPN | Yes | Yes | (4) |
ISDN Advice of Charge | Yes | Yes | (2) |
ISDN Caller ID Callback | Yes | Yes | (2) |
ISDN NFAS | Yes | Yes | (2) |
Layer 2 Forwarding—Fast Switching | Yes | Yes | (2) |
Leased-Line ISDN at 128 kbps | No | No | - |
Microsoft Point-to-Point Compression (MPPC) | Yes | Yes | (3) |
MS Callback | Yes | Yes | (2) |
Modem Management Enhancements | Yes | Yes | (2) |
Multiple ISDN Switch Types | Yes | Yes | (3) |
National ISDN Switch Types for BRI and PRI Interfaces (NI2) | Yes | Yes | (3) |
PPP over ATM | No | No | - |
Redundant Link Manager (RLM) | Yes | Yes | (7) |
Stackable Home Gateway | Yes | Yes | (3) |
Switched 56K Digital Connections | No | No | - |
Telnet Extensions for Dialout | No | No | - |
User-Configurable SLIP/PPP Banner with Parameter Insertion | Yes | Yes | (8) |
X.25 Enhancements | Yes | Yes | (2) |
X.25 on ISDN | Yes | Yes | (2) |
| 1For a list of supported countries, see the "New Features in Cisco IOS Release 11.3(4)AA"
section. 2E1 R1 signaling support for Taiwan requires MICA portware version 2.3.1.0 or higher. |
This section describes the new features supported by the Cisco AS5800 in Cisco IOS in Release 11.3 AA, broken down by maintenance release.
There are no new features for the specific to the current release. The last new features were added at Cisco IOS Release 11.3 (9)AA.
To see which of the earlier features described in this section are supported on which of the Cisco AS5800 images of the Cisco IOS Release 1.3 AA, see Table 3, above.
This section contains brief descriptions of the new features added in this release.
Platforms: Cisco AS5200, Cisco AS5300, Cisco AS5800: all images
This feature is an enhancement to the earlier feature, Layer 2 Tunneling Protocol (L2TP) , documented in New Features in Cisco IOS Release 11.3(5)AA.
The VPDN Per User Configuration feature sends the entire structured username to the AAA server the first time. This enables the Cisco IOS software to customize tunnel attributes for individual users using a common domain name or DNIS. Previously, Cisco IOS sent only the domain name or DNIS to determine VPDN tunnel attribute information. Then, if no VPDN tunnel attributes were returned, Cisco IOS sent the entire username string. Because of this behavior, there is no way to define specific tunnel attributes for a particular user within a domain. It also limited the types of connections that are possible in a RADIUS Proxy VPDN roaming environment. All VPDN users are forwarded to the tunnel endpoint, even if they just need generic Internet access.
This section contains brief descriptions of the new features added in this release.
Platforms: Cisco AS5800.
The split dial shelf configuration of the Cisco AS5800 Universal Access Server dial platform increases bandwidth by using two Cisco 7206 router shelves to service a single Cisco AS5814 dial shelf. The dual router shelves serve as the interfaces between the "split" Cisco AS5814 dial shelf and the external network. This configuration provides the equivalent of two Cisco AS5800 Universal Access Servers in a single rack.
Platforms: Cisco AS5200, Cisco AS5300, Cisco AS5800, Cisco 7200 Series Core Router
For background on L2TP and this feature, see "Layer 2 Tunneling Protocol (L2TP)" subsection.
L2TP Optimal Fastswitching Support is a user transparent performance enhancement that allows L2TP to have the same switching functionality as L2F (Layer2 Forwarding Protocol). This capability was added to L2F as part of the optimal fastswitching support for VPDN in Cisco IOS release 11.3. This L2TP fastswitching support for LES (LAN emulation server) platforms, even on the LNS (L2TP Network Server), allows L2TP to scale to the large numbers of interfaces that L2F can support (1000+ sessions).
In this implementation, two route cache lookups used to forward a packet, one to switch to the virtual access interface and the other to switch from the virtual access interface to the output physical interface, have been reduced to one. This is accomplished by caching the complete IP/UDP/L2TP/PPP header, which is prepended to the packet that is to be tunneled, so that, when a packet is received on the input physical interface, the route cache lookup returns the output physical interface missing out the virtual interface. The cached header is then prepended to the packet and the appropriate reformatings are performed before the packet is switched as normal.
This feature in implemented in this way only for Cisco IOS release 11.3AA. In other releases, the scalability is provided by the FIB.
This security feature, also called, Per-Radius-server for key, timeout, and retransmit, adds per-server parameters to three global commands that apply to all RADIUS servers:
radius-server timeout m
radius-server retransmit n
radius-server key xyz
The parameters on a per-server basis define the "global" commands for each specified server. For example:
radius-server host 1.1.1.1 timeout n retransmit m key abc
radius-server host 2.2.2.2 timeout k retransmit l key def
If the user does not define the per-server value, a "global" commands value is used. Anytime the per-server options are used, they override the "global" value. If neither global, nor per-server values are defined, the defaults are used: timeout (5 seconds), retransmit (3 retries), and no key (respectively).
The radius-server host is specified by additional keywords of the three changed command syntax.
For more information, see the "Additional Vendor-Proprietary RADIUS Attributes" subsection.
Configurable SLIP/PPP timeout message is an enhancement to the exec login process whereby the prompt string can be set to some value that does not contain the prompt, thereby keeping the user scripts from becoming confused. When the username or password prompt times out, the prompt string is included as part of the timeout message. The presence of the prompt string can in the timeout message can be confused with the login prompt by some scripts. A new command is added that can set the prompt string contained in the timeout message to a different value. This feature is similar and related to the feature: User-Configurable SLIP/PPP Banner with Parameter Insertion. See the following subsection
(This feature was introduced in Cisco IOS release 11.3(6)AA for all platforms supported in the release, but was undocumented at that time.)
Token Ring LANE allows Token Ring LAN users to take advantage of the benefits of ATM without modifying end-station hardware or software. ATM uses connection-oriented service with point-to-point signaling or multicast signaling between source and destination devices. However, Token Ring LANs use connectionless service. Messages are broadcast to all devices on the network. With Token Ring LANE, routers and switches emulate the connectionless service of a Token Ring LAN for the end stations.
By using Token Ring LANE, you can scale your networks to larger sizes while preserving your investment in LAN technology.
For more information see CCO at the following URL:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios113ed/113ed_cr/switch_c/xclane.htm
This section contains brief descriptions of the new features added in this release. The three new features described in this section support the Cisco SS7/C7 Dial Access Solution System, a product which runs on the following access servers in conjunction with the Cisco Signaling Controller (CSC) and the Network Access Server (NAS):
These features further enhance the capabilities of the Cisco SS7/C7 Dial Access Solution System, which was first introduced with Cisco IOS release 11.3(5)AA. (See the section, "New Features in Cisco IOS Release 11.3(5)AA.") The new features introduced with the current release are:
These features provide support for IP connection to SS7/C7 Signaling Controller and associated continuity testing (COT). This support allows carrier customers to connect their access servers to the Public Switch Telephone Network (PSTN) directly, by using Signaling System #7 (SS7/C7) signaling protocols. The SS7/C7 signaling links terminate on a separate UNIX system called the Signaling Controller (SC2200). The SC2200 maps incoming calls, which are signaled via SS7/C7, to bearers on the access servers. The access servers and SC2200 interact to set up and tear down calls using an extended Q.931 protocol over Q.921 and UDP. In this manner, the access servers and SC2200 form a system that emulates an end-office switch in the PSTN.
The Cisco SS7/C7 Dial Access Solution System uses the ISDN Q.931 and Q.921 protocols over a Redundant Link Manager (RLM) module. RLM makes use of the UDP protocol to transfer information from the NAS to the CSC and vice versa. The ISDN module works in conjunction with the RLM.
For more information on the Cisco SS7/C7 Dial Access Solution System, see the, "Related Documentation" section.
The goal of Redundant Link Manager (RLM) is to primarily provide a virtual link management over multiple IP networks so that the Q.931 signaling protocol and other proprietary protocols can be transported on top of multiple redundant links between the Cisco Signaling Controller (CSC) and the Network Access Server (NAS). In addition to this, RLM opens, maintains, and closes multiple links, manages buffers of queued signaling messages, and monitors whether links are active for link failover and Signaling Controller failover. The user can create more than one IP connection between the CSC and the NAS.
The RLM goes beyond Q.921, because it allows for future use of different upper layers, and more importantly, allows for multiple, redundant paths to be treated as one path by upper layers.
The Continuity Test (COT) subsystem supports the Continuity Test, which is required by the SS7 network to conduct loopback and NAS-generated tone check testing on the path before a circuit is established. COT will detect any failure of DS0 channels. It is required for North American SS7 compliance.
This feature is an enhancement to the COT feature introduced in Cisco IOS release 11.3(6)AA. See "SS7/C7 Continuity Testing for Network Access Servers" subsection.
The ISDN module ensures that the ISDN protocol stack functions properly while the D-channel information (Q.931 and the Q.921 frames) are transported over possibly multiple IP networks via UDP across links managed by the Redundant Link Manager (RLM).
For more information about RLM, see the "Redundant Link Manager (RLM)" subsection.
The following new features are supported by the Cisco AS5800 in Cisco IOS Release 11.3(6)AA. For easy online access, feature modules are linked (if one exists). See the section "Feature Documentation" to access the online configuration documentation.
Cisco IOS Release 11.3(6)AA for the Cisco AS5800 supports all features in MICA portware Release 2.5.10. The features include V.90, Fax, and Data Dial Out.
This feature enables authentication to a RADIUS server based on the DNIS number.
Redundant Dial Shelf Controller (DSC) provides the ability for a Cisco AS5300 dial shelf to use dual DSCs, each connected to the same router shelf, to provide redundancy of the DSC function.
(This feature was introduced in Cisco IOS release 11.3(6)AA for all platforms supported in the release, but was undocumented in these release notes at that time. for a description of this feature, see the "New Features in Cisco IOS Release 11.3(8)AA" subsection.)
The following new features are supported by the Cisco AS5800 in Cisco IOS Release 11.3(5)AA. For easy online access, feature modules are linked (if one exists). See the section "Feature Documentation"to access the online configuration documentation.
The Channelized T3 Interface Dial Shelf Feature Board is available on Cisco AS5800 routers. This card provides for the aggregation of channelized interfaces into a single T3 facility. T3 support on the Cisco AS5800 allows support for 28 T1s per chassis.
Platform: Cisco AS5800
There are no special features associated with this hardware enhancement.
The double-density modem card is available on the Cisco AS5800 universal access server. There are two types of modem cards currently supported on your access server—Cisco's Modem ISDN Channel Aggregation (MICA) hex modem modules (HMMs) and double-density modem modules (DMMs).
The Cisco AS5800 universal access server is equipped with a maximum of 10 modem cards that MICA technology with upgradable firmware. The Cisco AS5800 universal access server has the capability of terminating up to 1,344 modem connections when equipped with 10 double-density modem cards and one CT3 trunk card, when used with the RS7206 VXR router shelf or two RS7206 router shelves. Each DMM card contains 12 DMM SIMMS. Each DMM SIMM contains 12 digital modems.
The double-density modem card performs the following functions:
Platform: Cisco AS5800
The External Portware Download feature modifies the existing firmware command by adding the capability of upgrading modem firmware independently from an externally sourced file without upgrading either the router shelf or dial shelf image(s). The firmware command now enables the user to copy non-bundled modem firmware out of Cisco AS5800 Flash memory down to the modems in the system shelf. The modified firmware command still retains the original capability of downloading firmware from an onboard bundled source, such as a Cisco IOS image.
The External Portware Download feature consists of one new config-modem-pool subcommand that allows the router to recognize the Cisco AS5800 Flash memory device that contains the external firmware upgrade file. The use of the command assumes that the user previously has already copied the firmware from a TFTP server to Flash memory in the Cisco AS5800. The external firmware upgrade file (portware) can be acquired from a variety of media or network sources, such as CCO or a floppy disk. The firmware is copied to a local Flash device, such as a PCMCIA Flash card in the Cisco AS5800.
Layer 2 Tunneling Protocol (L2TP) is an emerging Internet Engineering Task Force (IETF) standard that combines the best features of two existing tunneling protocols: Cisco's Layer 2 Forwarding (L2F) and Microsoft's Point-to-Point Tunneling Protocol (PPTP). L2TP is an extension to the Point-to-Point Protocol (PPP), which is an important component for Access Virtual Private Networks (VPNs). Access VPNs allow mobile users to connect to their corporate intranets or extranets, thus improving flexibility and reducing costs.
Enabling R1 Modified Signaling allows a Cisco AS5800 universal access server to talk to central office trunks that also use R1 Modified Signaling. R1 Signaling is an international signaling standard that is common to channelized T1/E1 networks; however, Cisco has only made this feature available in Taiwan. You can configure a channelized T1/E1 interface to support different types of R1 Modified Signaling, which is used in older analog telephone networks.
|
Note This type of signaling is not the same as ITU R1 signaling; it is R1 signaling modified for Taiwan specifically. |
Platforms: Cisco AS5200, Cisco AS5300, Cisco AS5800, Cisco 7200 Series Core Router
The show caller command is a network management feature that applies to dial protocols for public and private networks. It is a user interface command that displays information for incoming and outgoing connections. The show caller command supports ISDN and asynchronous modem connections and is supported for PPP, Multilink PPP, and SLIP. It also includes all NCPs running on PPP, including IP, IPX and Appletalk.
The show modem summary status EXEC command was added to display a summary of the modem for a single modem or group of modems.
Platforms: Cisco AS5200, AS5300, AS5800. Each of these platforms can be the access server component in a Cisco SS7/C7 dial network access system. For more information on these systems, see the "Related Documentation" section
This feature allows you to set up continuity testing for Signaling System 7 (SS7/C7) on a network access server (NAS), in which the NAS generates the tone. Continuity testing reduces the call-failure rate by detecting failed DS0s (B channels) on the NAS before setting up a call. Calls can be circuit-switched data calls or analog modem calls. Because the Cisco Signaling Controller SC2200 does not directly control the bearer channels on an access server, the access server must perform the loopbacks and tone generation or tone detection required for continuity testing. Continuity testing is required for North American SS7/C7 compliance.
The following new features for the Cisco AS5800 universal access server are available for Cisco IOS Release 11.3(4)AA. Documentation is also provided for these features.
Beginning with the current release, Cisco AS5200 and Cisco AS5300 platforms have been added to the maintenance releases of Cisco IOS Release 11.3 AA.
Platforms: Cisco AS5800
R2 signaling is an international signaling standard that is common to channelized E1 networks. There is no single standard for R2 signaling. The ITU-T Q.400-Q.490 recommendation defines R2, but a number of countries implement R2 in entirely different ways. Cisco Systems addresses this challenge by supporting many localized implementations of R2 signaling in its Cisco IOS software.
Cisco Systems' E1 R2 signaling default is ITU, which supports the following countries: Denmark, Finland, Germany, Russia (ITU variant), Hong Kong (ITU variant), and South Africa (ITU variant). The expression "ITU variant" means there are multiple R2 signaling types in the specified country, but Cisco supports the ITU variant.
Cisco Systems also supports specific local variants of E1 R2 signaling in the following regions, countries, and corporations:
This feature allows the copying of the inner precedence (TOS) to the tunnel GRE IP header during packet encapsulation.
Microsoft Point-to-Point Protocol (PPP) clients have the ability to request either a primary or secondary domain naming system (DNS) server from the network access server (NAS) during IP Control Protocol (IPCP) negotiation. To support this functionality using authentication, authorization, and accounting (AAA) security services, two new TACACS+ attribute-value (AV) pairs and two new vendor-proprietary RADIUS attributes have been added.
The following new features for the Cisco AS5800 universal access server are available for Cisco IOS Release 11.3(3)AA, based on Cisco IOS Release 11.3(3)T. Documentation is also provided for these features.
Remote Authentication Dial-In User Service (RADIUS) is an access server authentication, authorization, and accounting protocol originally developed by Livingston, Inc. Although an Internet Engineering Task Force (IETF) draft standard for RADIUS specifies a method for communicating vendor-proprietary information between the network access server and the RADIUS server, some vendors have extended the RADIUS attribute set in a unique way. In this release, Cisco IOS software introduces support for additional vendor-proprietary RADIUS attributes. Users who have implemented security solutions using a vendor-proprietary implementation of RADIUS can now integrate Cisco access routers into their networks more easily.
Microsoft Point-to-Point Compression (MPPC) is a scheme used to compress Point-to-Point Protocol (PPP) packets between Cisco and Microsoft client devices. The MPPC algorithm is designed to optimize processor and bandwidth utilization in order to support multiple simultaneous connections. The MPPC algorithm uses a Lempel-Ziv (LZ) based algorithm with a continuous history buffer, called a dictionary.
Microsoft Challenge Handshake Authentication Protocol (MS-CHAP) is the Microsoft version of CHAP. Like the standard version of CHAP, MS-CHAP is used for PPP authentication; in this case, authentication occurs between a PC using Microsoft Windows NT or Microsoft Windows 95 and a Cisco router or access server acting as a network access server (NAS).
MS-CHAP differs from the standard CHAP as follows:
Depending on the security protocols you have implemented, PPP authentication using MS-CHAP can be used with or without authentication, authorization and accounting (AAA) security services. If you have enabled AAA, PPP authentication using MS-CHAP can be used in conjunction with both TACACS+ and RADIUS.
The Multiple ISDN Switch Types feature allows you to configure more than one ISDN switch type per router. You can apply an ISDN switch type on a per interface basis, thus extending the existing global isdn switch-type command to the interface level. This allows Basic Rate Interfaces (BRI) and Primary Rate Interfaces (PRI) to run simultaneously on platforms that support both interface types.
The isdn tei command is also extended to the interface level. Terminal endpoint negotiation (TEI) determines when Layer 2 is activated (powerup or first-call).
In earlier Cisco IOS releases, only named authentication method lists were supported under Cisco's authentication, authorization, and accounting (AAA) network security services. With Cisco IOS Release 11.3(3)T, AAA has been extended to support both authorization and accounting named method lists. Named method lists for authorization and accounting function the same way as those for authentication; they allow you to define different methods for authorization and accounting and apply those methods on a per-interface or per-line basis.
National ISDN Switch Types for Basic Rate and Primary Rate Interfaces introduce changes to ISDN switch types for Primary Rate Interfaces (PRI) and Basic Rate Interfaces (BRI) as follows:
|
Note The command parser will still accept the following switch types: basic-nwnet3, vn2, and basic-net3; however, when viewing the NVRAM configuration using either the show running configuration or write terminal command, the basic-net3 or vn3 switch types are displayed respectively. |
The Performance Data Collection feature allows a system controller, SC3640, to collect and store SNMP MIB data from its managed router and dial shelves. The system controller then serves as a central point for network management data collection. The system controller collects the raw data from the managed shelves periodically, saves the data, and provides a single access point for a central network management application. The data can then be uploaded to a network management station using FTP or TFTP.
Platforms: Cisco AS5800, Cisco 7200 Series Routers. In a later release, the Cisco AS5300 was added.
The Virtual Private Dial-Up Network (VPDN) Management Information Base (MIB) feature is intended to support all the tables and objects defined in "Cisco VPDN Management MIB" for the user sessions of the VPDN features. There are a number of commands which provide information and statistics through the Command-Line Interface (CLI) but not Simple Network Management Protocol (SNMP); the Cisco VPDN MIB has been created to satisfy the need to provide information and statistics through SNMP. Information on active tunnels and sessions are retrievable by SNMP from the VPDN MIB.
The following new features for the Cisco AS5800 universal access server are available for
Cisco IOS Release 11.3(2)AA. Documentation is also provided for these features.
The following features are for the SC3640 system controller:
Platform: Cisco AS5800
This feature module presents the new features for the Cisco AS5800 universal access server and includes a description of the system, supported MIBs and RFCs, and configuration tasks including the following:
Modem management enhancements are available for Cisco AS5800 universal access servers using MICA modems. A snapshot of all the firmware versions running on all modems in the access server can be displayed by using the show modem mapping command. This command also shows the source location of each version of firmware (for example, running out of Flash memory, boot Flash memory, or bundled with Cisco IOS software). This command is useful for managing and monitoring multiple versions of modem firmware running in an access server.
Platforms: All Cisco IOS 11.3 AA platforms
The Cisco IOS File System (IFS) feature provides a single interface to all file systems the router uses:
Any other endpoint for reading or writing data (NVRAM, the running configuration, ROM, raw system memory, system bundled microcode, Xmodem, Flash load helper log, Lex interfaces, modems, and BRI MUX interfaces).
Platforms: All Cisco IOS 11.3 AA platforms
The Conditionally Triggered Debugging feature limits debugging messages based on their related interface or subinterface. When this feature is enabled, the router will generate debugging messages for packets entering or leaving the router on a specified interface. However, the router will not generate debugging output for packets entering or leaving through a different interface. This feature allows you to focus debugging output on the problematic interface or interfaces. You can specify the interfaces explicitly. For example, you might only want to see debugging messages for one interface or subinterface. You can also turn on debugging for all interfaces that meet specified conditions, such as a particular username, calling party number, or called party number. If you specify multiple conditions, the interface must meet at least one of the conditions.
Platform: Cisco AS5800
The AAA Scalability feature enables you to configure and monitor the number of background processes allocated by the PPP manager in the network access server (NAS) to deal with AAA authentication and authorization requests. In previous Cisco IOS releases, only one background process was allocated to handle all AAA requests for PPP. This meant that parallelism in AAA servers could not be fully exploited. The AAA Scalability feature enables you to configure the number of processes used to handle AAA requests for PPP, thus increasing the number of users that can be simultaneously authenticated or authorized.
Platforms: Cisco AS5800 and Cisco 7200 Series Routers
The OSPF LSA group pacing feature allows the router to group together OSPF link state advertisements (LSAs) and pace the refreshing, checksumming, and aging functions. The group pacing results in more efficient use of the router.
Platforms: Cisco AS5800 and Cisco 7200 Series Routers
OSPF has two new features related to point-to-multipoint networks. One feature applies to broadcast networks; the other feature applies to nonbroadcast networks. On point-to-multipoint broadcast networks, there is no need to specify neighbors. However, you can specify neighbors with the neighbor command, in which case you should specify a cost to that neighbor. On point-to-multipoint nonbroadcast networks, you now use the neighbor command to identify neighbors. Assigning a cost to a neighbor is optional.
Before this feature, some OSPF point-to-multipoint protocol traffic was treated as multicast traffic. Therefore, the neighbor command was not needed for point-to-multipoint interfaces because multicast took care of the traffic. Hellos, updates, and acknowledgments were sent using multicast. In particular, multicast hellos discovered all neighbors dynamically. Some customers, however, were using point-to-multipoint on nonbroadcast media (such as classic IP over ATM), so their routers could not dynamically discover their neighbors. This feature allows the neighbor command to be used on point-to-multipoint interfaces. On any point-to-multipoint interface (broadcast or not), the Cisco IOS software assumes the cost to each neighbor is equal. The cost is configured with the ip ospf cost command. In reality, the bandwidth to each neighbor is different, so the cost should be different. With this feature, you can configure a separate cost to each neighbor. This feature applies to point-to-multipoint interfaces only.
Platforms: Cisco AS5800, Cisco 7200 Series routers. In later Cisco IOS releases, this feature has been added the Cisco AS5200 and Cisco AS5300.
Dialer Watch is a backup feature that integrates dial backup with routing capabilities. Prior dial backup implementations used the following conditions to trigger backup:
Prior backup implementations might not have supplied optimum performance on some networks, such as those using Frame Relay multipoint subinterfaces or Frame Relay connections that do not support end-to-end LMI.
Dialer Watch provides reliable connectivity without relying solely on defining interesting traffic to trigger outgoing calls at the central router. Dialer Watch uses the convergence times and characteristics of dynamic routing protocols. Integrating backup and routing features enables Dialer Watch to monitor every deleted route. By configuring a set of watched routes that define the primary interface, you are able to monitor and track the status of the primary interface as watched routes are added and deleted. Monitoring the watched routes is done in the following sequence:
1. Whenever a watched route is deleted, Dialer Watch checks to see if there is at least one valid route for any of the watched IP addresses defined.
2. If there is no valid route, the primary line is considered down and unusable.
3. If there is a valid route for at least one of the defined watched IP addresses, and if the route is pointing to an interface other than the backup interface configured for Dialer Watch, the primary link is considered up.
4. In the event that the primary link goes down, Dialer Watch is immediately notified by the routing protocol and the secondary link is brought up.
5. Once the secondary link is up, at the expiration of each idle timeout, the primary link is rechecked.
6. If the primary link remains down, the idle timer is indefinitely reset.
7. If the primary link is up, the secondary backup link is disconnected. Additionally, a disable timer can be set to create a delay for the secondary link to disconnect, after the primary link is reestablished.
Platforms: Cisco AS5800, Cisco 7200 Series routers. In later Cisco IOS releases, this feature has been added the Cisco AS5200 and Cisco AS5300.
The MS Callback feature provides client-server callback services for Microsoft Windows 95 and Microsoft Windows NT clients. MS Callback supports the Microsoft Callback Control Protocol (MSCB). MSCB is a Microsoft proprietary protocol used by Windows 95 and Windows NT clients. MS Callback supports negotiated PPP Link Control Protocol (LCP) extensions initiated and agreed upon by the Microsoft client. MS Callback is added to existing PPP Callback functionality. Therefore, if you configure your Cisco AS5800 to perform PPP Callback using Cisco IOS Release 11.3(2)T or later, MS Callback is automatically available.
MS Callback supports AAA security models using a local database or AAA server. MSCB uses LCP callback options with suboption type 6. The Cisco MS Callback feature supports clients with a user-specified callback number and server-specified (preconfigured) callback number. MS Callback does not affect non-Microsoft machines that implement standard PPP LCP extensions as described in RFC 1570. In this scenario, MS Callback is transparent.
Protocol-Independent Multicast (PIM) Version 2 includes the following improvements over PIM Version 1:
PIM Version 1, together with the Auto-RP feature, can perform the same tasks as the PIM Version 2 BSR. However, Auto-RP is a standalone protocol, separate from PIM Version 1, and is Cisco proprietary. PIM Version 2 is a standards track protocol in the Internet Engineering Task Force (IETF).
Cisco's PIM Version 2 implementation allows good interoperability and transition between Version 1 and Version 2. You can upgrade to PIM Version 2 incrementally. PIM Versions 1 and 2 can be configured on different routers within one network. Internally, all routers on a shared media network must run the same PIM version. Therefore, if a PIM Version 2 router detects a PIM Version 1 router, the Version 2 router downgrades itself to Version 1 until all Version 1 routers have been shut down or upgraded.
PIM uses the BSR to discover and announce RP-set information for each group prefix to all the routers in a PIM domain. This is the same function accomplished by Auto-RP, but the BSR is part of the PIM Version 2 specification. The BSR mechanism interoperates with Auto-RP.
To avoid a single point of failure, you can configure several candidate BSRs in a PIM domain. A BSR is elected among the candidate BSRs automatically; they use bootstrap messages to discover which BSR has the highest priority. This router then announces to all PIM routers in the PIM domain that it is the BSR.
Routers that are configured as candidate RPs then unicast to the BSR the group range for which they are responsible. The BSR includes this information in its bootstrap messages and disseminates it to all PIM routers in the domain. Based on this information, all routers will be able to map multicast groups to specific RPs. As long as a router is receiving the bootstrap message, it has a current RP map.
Platform: Cisco 7200 Series Routers
The DRP Server Agent enhancements are as follows:
Platforms: Cisco 7200 Series Routers
The SNMP Inform Requests feature was first introduced in Cisco IOS Release 11.3(1)T, and is now available for the Cisco AS5800. This enhancement allows routers to send inform requests to SNMP managers.
Routers can send notifications to SNMP managers when particular events occur. For example, an agent router might send a message to a manager when the agent router experiences an error condition. SNMP notifications can be sent as traps or inform requests. Traps are unreliable because the receiver does not send any acknowledgment when it receives a trap. The sender cannot determine if the trap was received. However, an SNMP manager that receives an inform request acknowledges the message with an SNMP response PDU. If the manager does not receive an inform request, it does not send a response. If the sender never receives a response, the inform request can be sent again. Thus, informs are more likely to reach their intended destination.
Because they are more reliable, informs consume more resources in the router and in the network. Unlike a trap, which is discarded as soon as it is sent, an inform request must be held in memory until a response is received or the request times out. Also, traps are sent only once, while an inform may be retried several times.
The retries increase traffic and contribute to a higher overhead on the network. Thus, traps and inform requests provide a trade-off between reliability and resources. If it is important that the SNMP manager receives every notification, use inform requests. On the other hand, if you are concerned about traffic on your network or memory in the router and you do not need to receive every notification, use traps.
The Shelf Discovery and Autoconfiguration feature allows a system controller to automatically discover new shelves and properly configure them to interact with the system controller. The system controller communicates with its managed shelves through the Shelf Discovery Protocol (SDP), which runs on top of UDP.
The Health Monitor feature monitors key performance attributes of the shelves managed by the system controller. The Health Monitor feature continually polls its managed shelves to obtain the information stored in the Health Monitor MIB. Management stations collect information for all the shelves from the system controller rather than by polling each shelf individually. In addition, you can configure specific performance thresholds for all managed shelves through simple commands on the system controller. The system controller uses SNMP to automatically configure the following on each managed shelf:
When threshold traps are received by the system controller, they are converted to Health Monitor traps and sent to trap destinations configured in the system controller.
The Virtual Console feature allows you to access dial and router shelves connected to a system controller. During a system controller session, you can connect to a router or dial shelf at the same privilege level as the current system controller session. By entering one command, you can Telnet directly to a shelf, provide a username and password, and then go to the same privilege level as the system controller.
The FTP Server feature configures a router to act as an FTP server. FTP clients can copy files to and from certain directories on the router. In addition, the router can perform many other standard FTP server functions.
The Syslog Disk Logging feature allows you to collect, store, and retrieve all managed shelf syslog messages through the system controller. The system controller receives syslog messages from managed shelves and stores these messages in subfiles on its disk. Each syslog message stored in a subfile contains the following information:
In addition, this feature provides an enhanced method of viewing messages in the logging history table. Messages can be displayed based on host IP address, time received, and order received.
Before its release, each maintenance release of Cisco IOS Release 11.3 T parent release is "synched" with the current Cisco IOS Release 11.3 AA. Therefore, generally, all compatible features in Cisco IOS Release 11.3 T are also included in this special release. For information on these features, see CCO online platform-specific release notes for the Cisco AS5200 and Cisco AS5300 at:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios113ed/ios113p/index.htm
For more information about additional features that apply to Cisco IOS Release 11.3 T, refer to the Release Notes for Cisco IOS Release 11.3, which includes information about all hardware platforms supported in Cisco IOS Release 11.3. The sections, "Related Documentation" and "Cisco Connection Online" describe the location of the related release notes.
Currently, for the Cisco IOS 11.3 releases, the Cisco AS5800 is supported only on the Cisco IOS Release 11.3 AA.
Currently, for the Cisco IOS 12.0 releases, the Cisco AS5800 is supported on the Cisco IOS Release 12.0 and Cisco IOS Release 12.0 T, including some related "limited life" releases. See the release notes at:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/relnote/5800as/index.htm
This document is subject to change. Check the online version for possible changes at:
Cisco IOS 11.3 AA New Features:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios113ed/113aa/index.htm
(See also the "Caveats" section.)
The Cisco 7200 Series Router is not supported on this Cisco IOS release after Cisco IOS Release 11.3(9)AA. See the Product Bulletin for Cisco IOS Release 11.3 AA.
The Cisco RS7206 VXR is not supported on any Cisco IOS Release 11.3 versions.
Cisco IOS images with strong encryption (including, but not limited to 168-bit (3DES) data encryption feature sets) are subject to U.S. government export controls and have a limited distribution. Strong encryption images to be installed outside the U.S. may require an export license. Customer orders may be denied or subject to delay due to U.S. government regulations. When applicable, purchaser/user must obtain local import and use authorizations for all encryption strengths. Please contact your sales representative or distributor for more information, or send an e-mail to export@cisco.com.
(This section describes a special situation similar to what is called a Caveat.)
See Table 4 for affected Cisco IOS Release 11.3 AA versions.
Certain versions of Cisco IOS software may fail or hang when they receive invalid User Datagram Protocol (UDP) packets sent to their syslog ports (port 514). At least one commonly-used Internet scanning tool generates packets which can cause such problems. This fact has been published on public Internet mailing lists, which are widely read both by security professionals and by security crackers. This information should be considered in the public domain.
Attackers can cause Cisco IOS devices to repeatedly fail and reload, resulting in a completely disabled Cisco IOS device that will need to be reconfigured by its administrator. Some Cisco IOS devices have been observed to hang instead of failing when attacked. These devices do not recover until they are manually restarted by reset or power cycling. An administrator must personally visit an attacked, hung device to restart it, even if the attacker is no longer actively sending any traffic. Some devices have failed without providing stack traces; some devices may indicate that they were "restarted by power-on", even when that is not the case.
Customers should assume that any potential attacker is likely to know that the existence of this vulnerability and the ways to exploit it. An attacker can use tools available to the public on the Internet. An attacker does not need to write any software to exploit the vulnerability. Minimal skill is required. No special equipment is required.
Despite Cisco's specifically inviting such reports, Cisco has received no actual reports of malicious exploitation of this vulnerability.
This vulnerability notice was posted on Cisco's World Wide Web site:
http://www.cisco.com/warp/public/770/iossyslog-pub.shtml
This information was also sent to the following e-mail and Usenet news recipients:
Vulnerable devices and software versions are specified in Table 4 of Software Versions and Fixes. Affected versions include 11.3AA, 11.3DB, and all 12.0 versions (including 12.0 mainline, 12.0S, 12.0T, and any other regular released version whose number starts with 12.0), up to the repaired releases listed in Table 4. Cisco is correcting the vulnerability in certain special releases and will correct it in future maintenance and interim releases. See Software Versions and Fixes for details. Cisco intends to provide fixes for all affected IOS variants.
No particular configuration is needed to make a Cisco IOS device vulnerable. It is possible to filter out attack traffic using access lists. See "Workarounds" for techniques. However, except at Internet firewalls, the appropriate filters are not common in customer configurations. Carefully evaluate your configuration before assuming that any filtering you have already configured protects you against this attack.
The most commonly used or asked-about products are listed below. If you are unsure whether your device is running Cisco IOS software, log in to the device and issue the show version command. Cisco IOS software will identify itself simply as "IOS" or "Internetwork Operating System Software". Other Cisco devices will not have the show version command, or they will identify themselves differently in their output. The most common Cisco devices that run Cisco IOS software include the following:
Affected software versions, which are relatively new, are not necessarily available on every device listed above.
If you are not running Cisco IOS software, you are not affected by this vulnerability. The following Cisco devices are not affected:
This vulnerability has been assigned Cisco bug ID CSCdk77426.
Cisco offers free software updates to correct this vulnerability for all affected customers, regardless of their contract status. However, because this vulnerability information has been disseminated by third parties, Cisco has released this notice before updates are available for all software versions. Table 4 gives Cisco's projected fix dates.
Make sure your hardware had adequate RAM to support the new software before installing it. Amount of RAM is seldom a problem when you upgrade within a major release (say, from 11.2(11)P to 11.2(17)P), but it is often a factor when you upgrade between major releases (say, from 11.2 P to 11.3 T).
Because fixes will be made available for all affected releases, this vulnerability will rarely, if ever, require an upgrade to a new major release. Cisco recommends very careful planning for any upgrade between major releases. Make certain no known bugs will prevent the new software from working properly in your environment.
Further upgrade planning assistance is available on Cisco's World Wide Web site at:
http://www.cisco.com
Customers with service contracts should obtain new software through their regular update channels (generally via Cisco's World Wide Web site). They may upgrade to any software release, but they must remain within the boundaries of the feature sets they have purchased.
Customers without service contracts may upgrade to obtain only the bug fixes; they are not offered upgrades to versions newer than required to resolve the defects. In general, these customers will be restricted to upgrading within a single row of Table 4 below, except when no upgrade within the same row is available in a timely manner. Obtain updates by contacting one of the following Cisco Technical Assistance Centers (TACs):
Give the URL of this notice (http://www.cisco.com/warp/public/770/iossyslog-pub.shtml ) as evidence of your entitlement to a free update. Free updates for non-contract customers must be requested through the TAC. Please do not contact either "psirt@cisco.com" or "security-alert@cisco.com" for software updates.
You can work around this vulnerability by preventing any affected Cisco IOS device from receiving or processing UDP datagrams addressed to its port 514. This can be done either using packet filtering on surrounding devices, or by using input access list filtering on the affected IOS device itself.
If you use an input access list, that list should be applied to all interfaces to which attackers may be able to send datagrams. Interfaces include not only physical LAN and WAN interfaces, but virtual subinterfaces of those physical interfaces, as well as virtual interfaces and/or interface templates corresponding to GRE, L2TP, L2F, and other tunneling protocols.
The input access list must block traffic destined for UDP port 514 at any of the Cisco IOS device's own IP addresses, as well as at any broadcast or multicast addresses on which the Cisco IOS device may be listening. Be sure to block both old-style "all-zeros" broadcasts and new-style "all-ones" broadcasts. It is not necessary to block traffic being forwarded to other hosts; only traffic actually addressed to the Cisco IOS device is of interest.
No single input access list works in all configurations. Know the effect of your access list in your specific configuration before activating it.
The following example shows a possible access list for a three-interface router, along with the configuration commands needed to apply the list. The example assumes input filtering is not needed, other than as a workaround for this vulnerability.
! Deny all multicasts, and all unspecified-net broadcasts, to port
514
access-list 101 deny udp any 224.0.0.0 31.255.255.255 eq 514
! Deny old-style unspecified-net broadcasts
access-list 101 deny udp any host 0.0.0.0 eq 514
! Deny network-specific broadcasts. This example assumes that all
of
! the local interfaces are on the class B network 172.16.0.0,
subnetted
! everywhere with mask 255.255.255.0. This will differ from network
! to network. Note that we block both new-style and old-style
broadcasts.
access-list 101 deny udp any 172.16.0.255 0.0.255.0 eq 514
access-list 101 deny udp any 172.16.0.0 0.0.255.0 eq 514
! Deny packets sent to the addresses of our own network interfaces.
access-list 101 deny udp any host 172.16.1.1 eq 514
access-list 101 deny udp any host 172.16.2.1 eq 514
access-list 101 deny udp any host 172.16.3.3 eq 514
! Permit all other traffic (default would be to deny)
access-list 101 permit ip any any
! Apply the access list to the input side of each interface
interface ethernet 0
ip address 172.16.1.1 255.255.255.0
ip access-group 101 in
interface ethernet 2
ip address 172.16.2.1 255.255.255.0
ip access-group 101 in
interface ethernet 3
ip address 172.16.3.3 255.255.255.0
ip access-group 101 in
Listing all possible addresses—especially all possible broadcast addresses—to which attack packets might be sent is complicated. If you do not need to forward any legitimate syslog traffic received on an interface, you can block all syslog traffic arriving on that interface. Remember that blocking will affect traffic routed through the Cisco IOS device as well as traffic destined to the device; if the IOS device is expected to forward syslog packets, you will have to do the detailed filtering. Because input access lists impact system performance, install them with caution, especially on systems running very near their capacity.
Many Cisco software images have been or will be specially reissued to correct this vulnerability. Table 4 specifies information about affected and repaired software versions.
|
Note All dates within this table are subject to change. |
| Cisco IOS Major Release | Description | Special Fix1 | First Fixed Interim Release2 | Fixed Maintenance Release3 |
|---|---|---|---|---|
| Releases based on 11.3 |
|
|
|
|
11.3AA | 11.3 early deployment for AS58xx | 11.3(7)AA2, 8-JAN-19994 | 11.3(7.2)AA | 11.3(8)AA, 15-FEB-1999 |
| Releases based on 12.0 | ||||
12.0T | 12.0 new technology early deployment | 12.0(2a)T1, 11-JAN-1999 | 12.0(2.4)T | 12.0(3)T, 15-FEB-1999 |
12.0(1)XB | Short-life release for Cisco 800 series; merged to 12.0T and 12.0 (3)T | 12.0(1)XB1 | Merged | Upgrade to 12.0(3)T. |
12.0(2)XC | Short-life release for new features in Cisco 2600, Cisco 3600, ubr7200, ubr900 series; merged to 12.0T at 12.0(3)T. | 12.0(2)XC1, 7-JAN-1999 | Merged | Upgrade to 12.0(3)T |
12.0(2)XD | Short-life release for ISDN voice features; merged to 12.0T at 12.0(3)T. | 12.0(2)XD1, 18-JAN-1999 | Merged | Upgrade to 12.0(3)T |
12.0(1)XE | Short-life release | 12.0(2)XE, 18-JAN-1999 | Merged | Upgrade to 12.0(3)T |
Generally releases of Cisco IOS 11.3 AA are shipped free of severity 1 and 2 caveats. If such a caveat does occur, the release is typically deferred until the caveat(s) is resolved. In that case, the resulting release is identified with a minor variation in the release number designation, but is generally recognizable as the current release described in this document. Such events are noted in the online software distribution website and in the online product bulletin(s).
This section describes possibly unexpected behavior by Cisco IOS Release 11.3(11)AA and describes only severity 1 and 2 caveats.
The following software caveat currently may apply to the current release for the Cisco AS5800.
The Kerberos Client functionality on Cisco products, when configured to provide access control, will fail in a "deny" state when the expiration of the credentials is in January or February of leap years, thus denying any Kerberos-authenticated access. A workaround for the problem is to choose an alternate form of authentication such as TACACS+ or RADIUS.
If you need more detailed information on caveats and if you have an account with CCO, you can use Bug Navigator II to find caveats of any severity for any release. Bug Navigator II can be found from the Web or from CCO.
Software Center> Cisco IOS Software> Cisco IOS BugToolkit > Cisco BugNavigator II
http://www.cisco.com/support/bugtools/Bug_root.html
To get to Bug Navigator II and other tools and information from the Web (CCO), go to:
http://www.cisco.com/support/bugtools
This special release is based on Cisco IOS Release 11.3 T, beginning with 11.3(4)T. Each new maintenance Cisco IOS Release 11.3 AA was "code-synched" to it, if new features were added in the 11.3 AA release. Therefore, caveats from Cisco IOS Release 11.3 T can also apply to this release. See the CCO document: Caveats for Cisco IOS Release 11.3 T. A link for this document is located at:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios113ed/ios113p/index.htm
For more information, see the CCO online document of product specific release notes: Release Notes for the Cisco AS5800 for Cisco IOS Release 11.3 T.
http://www.cisco.com/univercd/cc/td/doc/product/software/ios113ed/ios113p/index.htm
The Cisco IOS Release12.0 T, in turn, is initially based on Cisco IOS Release 12.0. All features and caveats in Release 12.0 are also in Release 12.0 T. Use these release notes in conjunction with the mainline Release Notes for Cisco IOS Release 12.0 and the Caveats for Cisco IOS Release 12.0 document located on Cisco Connection Online (CCO) and the Documentation CD-ROM.
The following sections describe the documentation available for the Cisco AS5800. Typically these documents consist of hardware installation guides, software installation guides, Cisco IOS configuration and command references, system error messages, and feature modules, which are updates to the Cisco IOS documentation. Documentation is available as printed manuals or electronic documents, except for feature modules, which are available online only.
The most up-to-date documentation can be found on the Web via Cisco Connection Online (CCO) and on the latest Documentation CD-ROM. These electronic documents might contain updates and modifications made after the paper documents were printed. For information on CCO, refer to the "Cisco Connection Online" section later in this document. For more information on the CD-ROM, refer to the "Documentation CD-ROM " section later in this document.
See also the "Cisco IOS Release Information" section.
For more information on the Cisco SS7/C7 Dial Access Solution System, see the CCO online feature at Cisco Product Documentation: Signaling Systems: Signaling Controller: Cisco SS7/C7 Dial Access Solution System Integration Guidelines.
The Cisco AS5800 universal access server is comprised of the Cisco DS5814 dial shelf, the Cisco RS7206 router shelf, and an optional AC power supply. To help you manage multiple systems, the SC3640 system controller network management system is available to provide local data gathering and monitoring functions for multiple hardware platforms within a single point of presence (POP).
The SC3640 system controller facilitates the management of AS5800 systems by performing automated monitoring and data collection. The SC3640 has 350 MB of non-volatile storage for the temporary storage of log files, images, and MIB statistics. Because it is based upon the SC3640 modular access router, the SC3640 also provides connectivity and routing for an out-of-band management network while it is performing network management functions.
The Cisco AS5800 universal access server and the SC3640 system controller network management system are available to help you manage your dial POP site efficiently and effectively. Each of these products is supported by documentation listed in Table 5.
This documentation can be found on CCO and the Documentation CD-ROM:
The documentation for new Release 11.3 AA features is available online only. This new feature documentation includes configuration tasks and new and changed command reference pages that supplement the Cisco IOS Release 11.3 configuration guide and command reference publications.
Cisco IOS Release 11.3 documentation and Release 11.3 AA feature documentation can be found on CCO and the Documentation CD-ROM:
The Cisco IOS software documentation is divided into nine modules and two master indexes. There are also four supporting documents.
|
Note The most current Cisco IOS documentation can be found on the Web and the latest Documentation CD-ROM. These electronic documents contain updates and modifications made after the paper documents were printed. See the section "Online Navigation for Software Documentation" for more details. |
Each module consists of two books: a configuration guide and a corresponding command reference. Chapters in a configuration guide describe protocols, configuration tasks, and Cisco IOS software functionality and contain comprehensive configuration examples. Chapters in a command reference provide complete command syntax information. Each configuration guide can be used in conjunction with its corresponding command reference.
|
Note Due to a production problem, many source-route bridging commands were omitted from the printed version of the Cisco IOS Software Command Summary (part number 78-4746). For complete documentation of all source-route bridging commands, refer to the Bridging and IBM Networking Command Reference (part number 78-4743). You can also obtain the most current documentation on the Documentation CD-ROM or Cisco Connection Online (CCO). |
Two master indexes provide indexing information for the Cisco IOS software documentation set: an index for the configuration guides and an index for the command references. In addition, individual books contain a book-specific index.
The Cisco IOS documentation set consists of the following books and chapter topics:
|
Note The Cisco Management Information Base (MIB) User Quick Reference publication is no longer being published. For the latest list of MIBs supported by Cisco, see the Cisco Network Management Toolkit on Cisco Connection Online (CCO). On CCO, go to Software and Support; click Software Center: Network Management Products: Cisco Network Management Toolkit: Cisco MIBs. |
You can access the Cisco IOS software electronic documents from Cisco Connection Online (CCO) on the Web and the Cisco Documentation CD-ROM:
The following are some of the types of Cisco IOS Release 11.3 documents available:
For Product Bulletins on CCO, the path is as follows from Cisco Connection Online: Products and Ordering: More Information: Product Bulletins. In the Software area, under Cisco IOS 11.3, click Cisco IOS Software Release 11.3 Upgrade Paths.
New online navigation enhancements for Release 11.3 include the following:
On CCO or the Documentation CD-ROM, go to Cisco IOS Release 11.3 and click Cisco IOS Release 11.3 Configuration Guides: Command References. Then click Configuration Guide Master Index or Command Reference Master Index. To access documentation related to an index entry, click on the page number following the entry.
On CCO or the Documentation CD-ROM, go to Cisco IOS Release 11.3 and click Cisco IOS Release 11.3 Configuration Guides: Command References. Next, click Cisco IOS 11.3 New Features. To access configuration documentation for a feature, do one of the following:
For additional information about the CCO and Documentation CD-ROM, refer to the sections "Cisco Connection Online" and "Documentation CD-ROM " at the end of these release notes.
For service and support for a product purchased from a reseller, contact the reseller. Resellers offer a wide variety of Cisco service and support programs, which are described in the section "Service and Support" in the information packet that shipped with your product.
|
Note If you purchased your product from a reseller, you can access CCO as a guest. CCO is Cisco Systems' primary real-time support channel. Your reseller offers programs that include direct access to CCO services. |
For service and support for a product purchased directly from Cisco, use CCO.
For helpful tips on configuring Cisco products, from the CCO home page,
click on the following path if you have a current support contract:
http://www.cisco.com/kobayashi/serv_tips.shtml
This URL is subject to change. If it changes, or if you do not have a current support contract, Follow this path on CCO:
Service & Support > Online Technical Support > Technical Tips
"Hot Tips" are popular tips and hints gathered from the Cisco Technical Assistance Center (TAC). Most of these documents are available from the TAC fax-on-demand service. To access fax-on-demand and receive documents at your fax machine from the USA, call 888-50-CISCO (888-502-4726). From other areas, call 650-596-4408.
The following sections are provided from the Technical Tips page:
Cisco Connection Online (CCO) is Cisco Systems' primary, real-time support channel. Maintenance customers and partners can self-register on CCO to obtain additional information and services.
Available 24 hours a day, 7 days a week, CCO provides a wealth of standard and value-added services to Cisco's customers and business partners. CCO services include product information, product documentation, software updates, release notes, technical tips, the Bug Navigator, configuration notes, brochures, descriptions of service offerings, and download access to public and authorized files.
CCO serves a wide variety of users through two interfaces that are updated and enhanced simultaneously: a character-based version and a multimedia version that resides on the World Wide Web (WWW). The character-based CCO supports Zmodem, Kermit, Xmodem, FTP, and Internet e-mail, and it is excellent for quick access to information over lower bandwidths. The WWW version of CCO provides richly formatted documents with photographs, figures, graphics, and video, as well as hyperlinks to related information.
You can access CCO in the following ways:
For a copy of CCO's Frequently Asked Questions (FAQ), contact cco-help@cisco.com. For additional information, contact cco-team@cisco.com.
|
Note If you are a network administrator and need personal technical assistance with a Cisco product that is under warranty or covered by a maintenance contract, contact Cisco's Technical Assistance Center (TAC) at 800 553-2447, 408 526-7209, or tac@cisco.com. To obtain general information about Cisco Systems, Cisco products, or upgrades, contact 800 553-6387, 408 526-7208, or cs-rep@cisco.com. |
Cisco documentation and additional literature are available in a CD-ROM package, which ships with your product. The Documentation CD-ROM, a member of the Cisco Connection Family, is updated monthly. Therefore, it might be more current than printed documentation. To order additional copies of the Documentation CD-ROM, contact your local sales representative or call customer service. The CD-ROM package is available as a single package or as an annual subscription. You can also access Cisco documentation on the World Wide Web at http://www.cisco.com, http://www-china.cisco.com, or http://www-europe.cisco.com.
If you are reading Cisco product documentation on the World Wide Web, you can submit comments electronically. Click Feedback in the toolbar and select Documentation. After you complete the form, click Submit to send it to Cisco. We appreciate your comments.
Posted: Tue Dec 17 20:33:03 PST 2002
All contents are Copyright © 1992--2002 Cisco Systems, Inc. All rights reserved.
Important Notices and Privacy Statement.