Cisco IOS Software Releases 12.4 T

Release 12.4T New Security Features and Hardware Support

Contents

1) Introduction: Cisco IOS Software Release 12.4T

1.1) Migration Guide

1.2) Release 12.4T Additional Information

1.3) Cisco IOS Packaging

2) Release 12.4(22)T Highlights

2.1) Cisco IOS Security

2.1.1) IOS Firewall Support for Trusted Relay Point

2.1.2) Access Control List (ACL) Syslog Correlation

2.1.3) Per Dynamic Multipoint VPN (DMVPN) Tunnel Quality of Service (QoS)

2.1.4) Certificate IP Address Extension Support

2.1.5) Time-Based Anti-Replay on The VPN Services Adapter (VSA)

2.1.6) Group Encrypted Transport VPN (GET VPN) Enhancements

2.1.7) IOS SSL VPN Internationalization

2.1.8) IOS Support for Lawful Intercept

3) Release 12.4(20)T Highlights

3.1) Cisco IOS Security

3.1.1) Group Encrypted Transport VPN (GET VPN) Support for the Cisco VPN Services Adapter (VSA) for Cisco 7200 NPE-G2 Series Routers

3.1.2) Cisco IOS Content Filtering

3.1.3) VRF-Aware Cisco IOS Intrusion Prevention System (IPS)

3.1.4) User-based Cisco IOS Firewall

3.1.5) Application Inspection and Control for Simple Mail Transfer Protocol (SMTP)

3.1.6) Cisco IOS Firewall Support for Skinny Local Traffic

3.1.7) Cisco IOS Firewall Session Initiation Protocol (SIP) Application Layer Gateway (ALG) Enhancements

3.1.8) Cisco IOS Firewall H.323 Version 3 (v3) and Version 4 (v4) Support

3.1.9) Instant Messaging Blocking Support in Cisco IOS Firewall for "I Seek You" (ICQ) and Windows Messenger

3.1.10) Object Groups for Access Control Lists (ACL)

3.1.11) Cisco IOS SSL VPN Access Control Enhancements

3.1.12) Cisco IOS SSL VPN AnyConnect Client Support

3.1.13) Cisco IOS SSL VPN Back End HTTP Proxy

3.1.14) Cisco IOS SSL VPN Full-Tunnel Performance Enhancements

3.1.15) Cisco IOS SSL VPN URL Split Rewrite Support

3.1.16) Next Hop Resolution Protocol (NHRP) MIB for Dynamic Multipoint VPN (DMVPN)

3.1.17) IPv6 Over Dynamic Multipoint VPN (DMVPN) Support

3.1.18) Group Encrypted Transport (GET) VPN Support for VRF-Lite

3.1.19) Cisco Tunnel Control Protocol (cTCP) Support on Easy VPN Hardware Clients

3.1.20) IPSec Usability Enhancements

3.1.21) Secure Shell Protocol Version 2 (SSHv2) Feature Enhancements

3.1.22) Command Line Interface (CLI) for Displaying Certificates

3.1.23) CLI to Control Certification Revocation List (CRL) Cache

3.1.24) Secure Device Provisioning (SDP) Connect Template

4) Release 12.4(15)T Highlights

4.1) Cisco IOS Security

4.1.1) Cisco IOS Intrusion Prevention System (IPS) Support for Microsoft Vulnerabilities

4.1.2) Flexible Packet Matching (FPM) Full Packet Filtering

4.1.3) Cisco IOS SSL VPN Enhancements

4.1.3.1) SSL VPN Clientless Performance Enhancements

4.1.3.2) SSL VPN GUI Enhancements

4.1.3.3) SSL VPN User-Level Bookmarking

4.1.3.4) Front door-VRF (fVRF) Support

4.1.4) Cisco IOS Software Support for AnyConnect VPN Client

4.1.5) Reverse Route Injection Distance Metric Enhancements

5) Release 12.4(11)T Highlights

5.1) Cisco IOS Security

5.1.1) Cisco IOS SSL VPN Enhancements

5.1.2) SSL VPN Netegrity Single Sign-on (SSO) Support

5.1.3) SSL VPN Application ACL Support

5.1.4) SSL VPN Port-forwarding Enhancement

5.1.5) SSL VPN Debug Infrastructure

5.1.6) SSL VPN URL Obfuscation Support

5.1.7) Group Encrypted Transport (GET) VPN

5.1.8) MPLS VPN (RFC 2547) over Dynamic Multipoint VPN (DMVPN)

5.1.9) EasyVPN Phase 8.0 Enhancements

5.1.10) Cisco IOS Firewall H.323 Registration, Admission, and Status (RAS) Message Inspection Support

5.1.11) Cisco IOS Intrusion Prevention System (IPS) Version 5.0 Signature Format Support

6) Release 12.4(9)T Highlights

6.1) Cisco IOS Security

6.1.1) Cisco IOS Firewall Enhancements

6.1.2) Cisco EasyVPN 7.1

6.1.3) DMVPN Manageability Enhancements

6.1.4) Virtual Private Network (VPN) Advanced Integration Module (AIM) for Cisco 1841/2800/3800 Integrated Services Routers (ISRs)

6.1.5) Cisco IOS WebVPN-Auto-Applet Port Forwarding Download

6.1.6) Cisco IOS WebVPN-HTTP Authentication

6.1.7) Cisco IOS WebVPN-RADIUS Accounting

7) Release 12.4(6)T Highlights

7.1) Cisco IOS Security

7.1.1) Cisco IOS Firewall Enhancements

7.1.2) Cisco IOS Web VPN

7.1.3) Scalability Enhancements for Dynamic Multipoint VPN with Next Hop Resolution Protocol-Cisco Express Forwarding

7.1.4) Complete Certificate Chain Validation in Cisco IOS Public Key Infrastructure

7.1.5) Enhanced Online Certificate Status Protocol in Cisco IOS Public Key Infrastructure

7.1.6) EasyVPN Password Aging via Authentication, Authorization and Accounting

7.1.7) EasyVPN Dynamic Firewall/Access Control List Policy Push to Cisco VPN Software Client

7.1.8) Secure Multicast

7.1.9) Control Plane Logging

7.1.10) Management Plane Protection

7.1.11) Network Address Translation ARP Ping

8) Release 12.4(4)T Highlights

8.1) Cisco IOS Security

8.1.1) Flexible Packet Matching

8.1.2) Application Firewall for Instant Message Traffic Enforcement

8.1.3) VRF-Aware Domain Name System

8.1.4) Easy VPN Phase 6

8.1.5) Control Plane Protection

8.1.6) VRF-Aware IPsec MIB

8.1.7) IPv6 Support for Site-Site IPsec VPN

8.1.8) Dynamic Multipoint VPN Quality of Service Support

9) Release 12.4(2)T Feature Technology Highlights

9.1) Cisco IOS Security

9.1.1) Cisco Router and Security Device Manager 2.1.2

9.1.2) Transparent Cisco IOS Intrusion Prevention System

9.1.3) Easy VPN Dynamic Virtual Tunnel Interfaces

9.1.4) Other Easy VPN Enhancements

9.1.5) Certificate Authority Key Rollover

9.1.6) Configurable Certificate Storage Location

9.1.7) Network Address Translation Optimize Media Path for Session Initiation Protocol Traffic

9.1.8) Zeroization


PB3002

Last Updated: October 2008

1) Introduction: Cisco IOS Software Release 12.4T

Cisco IOS Software is the world's premier network infrastructure software, delivering seamless integration of technology innovation, business-critical services, and hardware support. Currently operating on millions of active systems, from small home office routers to the core systems of the world's largest service provider networks, Cisco IOS Software is the most widely leveraged network infrastructure software in the world.
Cisco IOS® Software Release 12.4T integrates a comprehensive portfolio of new capabilities, including security, voice, and IP services, with powerful hardware support to deliver advanced services for Enterprise and access customers.
Release 12.4(22)T delivers QoS support for IPSec tunnels, Trusted Relay Point (TRP) IOS firewall security for unified communications, flexible NetFlow enhancements, and support for the Cisco 880 SRST and 880G Integrated Services Routers.
Release 12.4(20)T added significant embedded management enhancements, category-based productivity and security ratings support, multi-level Quality of Service (QoS) scheduling, and support for the Cisco 860, 880, and 1861 Routers.
Release 12.4(15)T streamlined the Cisco IOS Software upgrade process, provided sub-second link failure detection and faster convergence, delivered next-generation Layer 2-7 flexible packet classification, enhanced Intrusion Prevention System (IPS) and SSL VPN capabilities, and added support for the new Cisco 7201 Router.
Release 12.4(11)T delivered new Layer 2 VPN transport over MPLS capabilities, enhanced MPLS management, mobile IPv6 authorization and identity support, and support for the high performance Network Processing Engine G2 (NPE-G2) and VPN Service Adapter (VSA) for the Cisco 7200 Series Router.
Release 12.4(9)T delivered improved manageability, integrated IP communications capability, enhanced HTTP and P2P security, and faster routing protocol convergence.
Release 12.4(6)T delivered highly available firewalls, comprehensive endpoint and network security for SSL VPN environments, and optimized bandwidth management for improved VoIP call quality.
Release 12.4(4)T enhanced threat protection against malicious worm and virus attacks, improved performance monitoring of VoIP networks, and extended support for secure concurrent services on the Cisco 1800 Series router.

1.1) Migration Guide

Cisco recommends that customers running Release 12.3T, 12.3, or prior releases upgrade to Release 12.4T or 12.4. Customers should determine their functionality needs and choose the appropriate release.

Note: Release 12.3 reached End of Software Maintenance on March 15, 2008. For additional information please visit: http://www.cisco.com/en/US/prod/collateral/iosswrel/ps8802/ps6947/ps5187/prod_end-of-life_notice0900aecd8052e110.html

Release 12.4(15)T will receive extended bug fix support through December 2010. Cisco is taking this action to indicate that Release 12.4(15)T maintenance releases are treated in a manner similar to Release 12.4. Both undergo comprehensive testing and review cycles to continuously improve and increase reliability, quality, and stability. As per Cisco policies, no new technologies or features are to be added to either Release 12.4 or maintenance rebuild releases of Release 12.4(15)T. For more information please visit: http://www.cisco.com/en/US/prod/collateral/iosswrel/ps8802/ps6968/ps6441/ps8258/product_bulletin_c25-496283.html
Release 12.4(15)T provides significant software feature benefits and hardware support over Release 12.4. For additional details please visit:
Figure 1 illustrates the current migration path from Cisco IOS Release 12.3T and 12.3 (or prior) into Releases 12.4T or 12.4.

Figure 1. Release 12.4T Migration Plan

Figure 2 below illustrates the relationship between Release 12.4T and Release 12.4.

Figure 2. Release 12.4T and Release 12.4 Relationship

Figure 3 below shows the relationship between Release 12.4T and individual 12.4(n)T new feature releases.

Figure 3. Release 12.4T and Individual 12.4(n)T Release Relationship

Note: Cisco IOS Software Release 12.4(20)T, Release 12.4(22)T, and later releases do not support several Cisco hardware platforms that were supported in Release 12.4(15)T and prior releases. These platforms will be supported by Release 12.4(15)T via regularly scheduled software maintenance rebuilds and bug fix support until the end of software maintenance date for the respective platform is reached.

• Cisco SOHO 90 Series

• Cisco 831, 836, 837, and 850 Series

• Cisco 1701, 1711, 1712, 1721, 1751, 1751-V, and 1760 Series

• Cisco 2610XM-2611XM, 2620XM-2621XM, 2650XM-2651XM, and 2691 Series

• Cisco 3631 and 3660 Series

• Cisco 3725 and 3745 Series

• Cisco 7400 Series

• Cisco AS5850 Universal Gateway

For more information refer to the following product bulletin: Cisco IOS Software Release 12.4(15)T: Last Cisco IOS T Release for Select Cisco Hardware Platforms http://www.cisco.com/en/US/prod/collateral/iosswrel/ps8802/ps6968/ps6441/product_bulletin_c25_466578.html
The Cisco release delivery process, rigorous software testing, and regularly scheduled software maintenance result in significant incremental enhancements and improvements to the quality, stability, and resiliency of Cisco IOS Software Releases 12.4T and 12.4.

1.2) Release 12.4T Additional Information

Cisco IOS Software Release 12.4T

Cisco IOS Software Releases 12.4 T-Products & Services-Cisco Systems

Cisco IOS Software Product Lifecycle Dates & Milestones, Product Bulletin No. 2214

http://www.cisco.com/en/US/prod/collateral/iosswrel/ps8802/ps6969/ps1835/prod_bulletin0900aecd801eda8a_ps6441_Products_Bulletin.html

Changes to Cisco IOS Software Product Support in Release 12.4T, Product Bulletin No. 3000

http://www.cisco.com/go/124thardware/

Cisco IOS Software Download Center

Download Cisco IOS Software releases and access software upgrade planners.

http://www.cisco.com/public/sw-center/sw-ios.shtml

Cisco Feature Navigator

A web-based application that allows you to quickly match Cisco IOS Software releases to features and to hardware.

http://www.cisco.com/go/fn/

Cisco Software Advisor

Determine the minimum supported software for selected hardware.

http://tools.cisco.com/Support/Fusion/FusionHome.do

Cisco IOS Upgrade Planner

View all major releases, hardware, and software features from a single interface.

http://www.cisco.com/pcgi-bin/Software/Iosplanner/Planner-tool/iosplanner.cgi

1.3) Cisco IOS Packaging

Figure 4. Cisco IOS Packaging for Cisco Routers

2) Release 12.4(22)T Highlights

Table 1. Release 12.4(20)T Feature Highlights

2.1) Cisco IOS Security

2.1.1) IOS Firewall Support for Trusted Relay Point

Cisco IOS firewall enhances security for Unified Communications (UC) by supporting Trusted Relay Point (TRP). This solution provides a trusted anchor within the network for seamless UC related services including media recording, QoS enforcement, and intelligent firewall traversal.

Figure 5. IOS Firewall Trusted Relay Point Use Case Scenario

Trusted Relay Point is a multi-functional architecture covering Quality of Service (QoS), Optimized Edge Routing (OER), and virtual network traversal. It eliminates the deep packet inspection and overhead associated with firewalling by signaling the firewall to permit traffic.
Benefits of UC-Trusted Firewall Control

• Provides authentication required to open port requests on the firewall

• Supports control of asymmetric signaling and media paths, that is, cases where signaling and media do not traverse the same path in the network (such as internal firewalling) and might ordinarily be blocked

• Supports encrypted signaling between voice entities in cases where the firewall has the group key to inspect the signaling and open pinholes for media

• Ports for media and signaling remain open for session length only, providing more secure sessions

Hardware

Routers

• Cisco 871, 1800, 2800, 3700, 3800, 7200, and 7301 Series Routers

Product Management Contact: ask-stg-ios-pm@cisco.com

2.1.2) Access Control List (ACL) Syslog Correlation

The Cisco IOS ACL Syslog Correlation feature provides a correlation mechanism for ACLs that can be used by Network Management System (NMS) tools to correlate a triggered syslog with the specific Access Control Entry (ACE) within the ACL that triggered it. The feature utilizes a 'tag' that is appended to the ACE-generated syslog. The 'tag' can be either a user-configured alphanumeric cookie or an IOS-generated 32-bit hash. If the user does not configure the cookie, IOS creates the hash for ACEs configured with the 'log' keyword.

Figure 6. Define a tag to be used for ACE generated syslogs

Figure 7. Configured tags are appended to ACE generated syslogs
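The correlation the feature enables, as an added example that is not Cisco code or output: an NMS-side script that maps each tagged ACL syslog line back to the ACE that produced it, sums packet counts per ACE, flags lines that carry no known tag, and checks that the logged action still matches the configured ACE (a mismatch means the tag table is stale). The ACE table, the log lines and the bracketed "[Tag=...]"/"[Hash=...]" suffix are all constructed for this example; the hash values are placeholders, not values IOS generated.

```python
"""Correlate IOS ACL syslog entries with the ACEs that produced them.

Added example. The ACE table and log lines are constructed; the
"[Tag=...]"/"[Hash=...]" suffix is an assumed rendering of the correlation
tag the feature appends, and the hash values are placeholders.
"""
import re
from collections import Counter

# Constructed table of ACEs configured with the `log` keyword.
# key: (ACL name, sequence number) -> (tag, action, ACE text)
# "telnet-block" and "snmp-from-nms" stand for operator-configured cookies;
# "0x1A2B3C4D" stands in for an IOS-generated hash (placeholder value).
ACE_TAGS = {
    ("101", 10): ("telnet-block", "deny", "tcp any host 198.51.100.5 eq 23 log"),
    ("101", 20): ("0x1A2B3C4D", "permit", "tcp any host 198.51.100.5 eq 22 log"),
    ("MGMT", 10): ("snmp-from-nms", "permit", "udp host 192.0.2.50 any eq 161 log"),
}
TAG_TO_ACE = {tag: key for key, (tag, _, _) in ACE_TAGS.items()}

# Assumed message shape: the usual IPACCESSLOG text followed by an
# optional bracketed correlation tag.
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOG\w+: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\S+) (?P<src>[\d.]+)(?:\((?P<sport>\d+)\))? -> "
    r"(?P<dst>[\d.]+)(?:\((?P<dport>\d+)\))?, (?P<count>\d+) packets?"
    r"(?: \[(?:Tag|Hash)=(?P<tag>[^\]]+)\])?"
)

# Constructed sample syslog lines (the last one carries no tag).
SAMPLE_LOGS = [
    "Oct 12 10:01:03.412: %SEC-6-IPACCESSLOGP: list 101 denied tcp 192.0.2.10(4444) -> 198.51.100.5(23), 1 packet [Tag=telnet-block]",
    "Oct 12 10:01:09.001: %SEC-6-IPACCESSLOGP: list 101 permitted tcp 192.0.2.11(50122) -> 198.51.100.5(22), 3 packets [Hash=0x1A2B3C4D]",
    "Oct 12 10:01:15.777: %SEC-6-IPACCESSLOGP: list MGMT permitted udp 192.0.2.50(5000) -> 198.51.100.5(161), 12 packets [Tag=snmp-from-nms]",
    "Oct 12 10:01:20.000: %SEC-6-IPACCESSLOGP: list 101 denied tcp 192.0.2.12(4445) -> 198.51.100.5(23), 1 packet",
]


def correlate(lines):
    """Return one record per parseable line, linked to an ACE where the tag is known."""
    records = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        tag = m.group("tag")
        ace_key = TAG_TO_ACE.get(tag)
        action_logged = "deny" if m.group("action") == "denied" else "permit"
        records.append({
            "acl": m.group("acl"),
            "tag": tag,
            "ace": ace_key,
            "ace_text": ACE_TAGS[ace_key][2] if ace_key else None,
            "action": action_logged,
            "src": m.group("src"),
            "dst": m.group("dst"),
            "packets": int(m.group("count")),
            # Drift check: the configured ACE action must match what was logged;
            # a mismatch means the tag table no longer reflects the router.
            "drift": bool(ace_key) and ACE_TAGS[ace_key][1] != action_logged,
        })
    return records


def hits_per_ace(records):
    """Packet counts per ACE, for measuring which rules actually fire."""
    hits = Counter()
    for rec in records:
        if rec["ace"] is not None:
            hits[rec["ace"]] += rec["packets"]
    return hits


def uncorrelated(records):
    """Lines with no known tag (untagged ACEs, or a device without the feature)."""
    return [rec for rec in records if rec["ace"] is None]


if __name__ == "__main__":
    recs = correlate(SAMPLE_LOGS)
    for rec in recs:
        print(rec["acl"], rec["ace"], rec["action"], rec["src"], "->", rec["dst"], rec["ace_text"])
    print("hits per ACE:", dict(hits_per_ace(recs)))
    print("uncorrelated lines:", len(uncorrelated(recs)))
```

The per-ACE packet totals are what an operator would chart to see which rules are earning their place; the uncorrelated list is the queue of ACEs that still need a cookie or a device that still needs the feature.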

Benefits

• Provides a consistent monitoring solution for IOS ACLs, allowing network management tools to easily correlate the triggered syslog with the specific Access Control Entry (ACE) within the ACL that triggered the syslog

• Reduces complexity of managing and monitoring ACL rules for access and control by simplifying the correlation of ACE rules with their corresponding syslog events

• Assists network administrators in troubleshooting issues that occur as a result of ACE rules and allows them to monitor ACE rules' effectiveness

Hardware

Routers

• Cisco 800, 1800, 2800, 3700, 3800, and 7200 Series Routers

Additional Information: http://www.cisco.com/go/iossecurity
Product Management Contact: ask-stg-ios-pm@cisco.com

2.1.3) Per Dynamic Multipoint VPN (DMVPN) Tunnel Quality of Service (QoS)

This feature enables the DMVPN hub to dynamically allocate a QoS service policy for each spoke. The DMVPN hub can have multiple QoS policies for all the remote spokes. If QoS is configured, each spoke requests a QoS policy from the hub during Next Hop Resolution Protocol (NHRP) registration. This QoS service policy is applied on the hub in the outbound direction. A typical QoS policy provides multiple classes of service, including a priority queue for voice, and traffic shaping for the total bandwidth of all classes.

Table 2. Detailed Capabilities of DMVPN Per Tunnel QoS Functionality

Feature: Dynamic QoS policy allocation for spokes during the NHRP registration with hub
Benefit: Simplifies QoS configuration on the hub router for dynamically addressed spokes

Feature: Cisco Modular QoS CLI (MQC) support configuration in every spoke policy
Benefit: Allows prioritization to VoIP/delay sensitive data traffic

Feature: Protect critical control traffic before and after encryption
Benefit: Enhances network stability

Feature: Dynamic QoS on the hub ensures optimal traffic flow when a spoke connects to the hub
Benefit: Simplifies QoS enablement in VPN networks

Feature: Protect the crypto engine by supporting full tunnel queuing hierarchy in hierarchical queuing format; QoS queuing and shaping happens before encryption
Benefit: Avoids anti-replay error reporting with IPSec

Feature: Shaping and queuing happens at the physical interface
Benefit: Centralizes QoS policy in the router and simplifies configuration

Feature: Protection for critical control traffic before and after encryption
Benefit: Enhances network stability

Feature: Dynamic QoS allocation on the hub router protects the spoke from traffic bursts
Benefit: Protects small spokes from becoming overwhelmed from large hub sites

Hardware

Routers

• Cisco 800, 1800, 2800, 3700, 3800, and 7200 Series Routers

Additional Information: http://www.cisco.com/go/iossecurity
Product Management Contact: ask-stg-ios-pm@cisco.com

2.1.4) Certificate IP Address Extension Support

This feature enables support for RFC3779, X.509 Extensions for IP addresses. One of the first protocols to use this feature will be the SEcure Neighbor Discovery Protocol (SEND). IPv6 hosts run Neighbor Discovery Protocol (NDP) to discover other devices on a link. If this link is not secured, NDP is vulnerable to various attacks such as neighbor solicitation/advertisement spoofing and duplicate address detection DoS attacks. SEND is designed to counter the threats to NDP and can use X.509 IP extensions to provide a stronger control on prefix advertisements.
Note that with SEND, RFC3779 (X.509 Extensions for IP addresses) is an optional feature. While SEND will provide its full capabilities with this version of PKI, it could still be deployed with older PKI versions that don't support IP extensions.
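The extension this feature generates, as an added example that is not Cisco code: a minimal DER encoder and decoder for the RFC 3779 id-pe-ipAddrBlocks value (one IPAddressFamily per address family, each holding sorted addressPrefix BIT STRINGs), followed by the check SEND relies on, whether the certificate's blocks cover a prefix the holder wants to advertise. The router blocks and the advertised prefixes are constructed; addressRange entries and the surrounding certificate and signature are out of scope.

```python
"""RFC 3779 IP address block certificate extension: encode, decode, authorize.

Added example, not Cisco code. Builds the id-pe-ipAddrBlocks extension value
with a minimal DER encoder (RFC 3779 section 2.2.3), reads it back, and applies
the SEND-style check: may the certificate holder advertise a given prefix?
Only addressPrefix entries are handled; addressRange entries raise.
"""
import ipaddress

IPADDR_BLOCKS_OID = "1.3.6.1.5.5.7.1.7"   # id-pe-ipAddrBlocks
AFI = {4: b"\x00\x01", 6: b"\x00\x02"}     # IANA address family identifiers
ADDR_BYTES = {4: 4, 6: 16}


def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def _read_tlv(buf, pos):
    """Return (tag, contents, position just after the element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def encode_prefix(net):
    """IPAddress ::= BIT STRING carrying exactly prefixlen bits (RFC 3779 2.2.3.8)."""
    nbytes = (net.prefixlen + 7) // 8
    unused = nbytes * 8 - net.prefixlen
    raw = net.network_address.packed[:nbytes]   # host bits are already zero
    return _tlv(0x03, bytes([unused]) + raw)


def encode_ip_addr_blocks(prefixes):
    """IPAddrBlocks ::= SEQUENCE OF IPAddressFamily; IPv4 first, prefixes ascending."""
    families = []
    for version in (4, 6):
        nets = sorted(p for p in prefixes if p.version == version)
        if nets:
            ranges = _tlv(0x30, b"".join(encode_prefix(n) for n in nets))
            families.append(_tlv(0x30, _tlv(0x04, AFI[version]) + ranges))
    return _tlv(0x30, b"".join(families))


def decode_ip_addr_blocks(der):
    """Inverse of encode_ip_addr_blocks; returns a list of ip_network objects."""
    tag, blocks, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("IPAddrBlocks must be a SEQUENCE")
    prefixes, pos = [], 0
    while pos < len(blocks):
        _, family, pos = _read_tlv(blocks, pos)
        _, afi, p = _read_tlv(family, 0)
        version = 4 if afi[:2] == AFI[4] else 6
        choice_tag, choice, _ = _read_tlv(family, p)
        if choice_tag == 0x05:          # inherit (NULL): blocks come from the issuer
            continue
        q = 0
        while q < len(choice):
            t, bits, q = _read_tlv(choice, q)
            if t != 0x03:
                raise ValueError("addressRange entries are not handled in this example")
            unused, raw = bits[0], bits[1:]
            plen = len(raw) * 8 - unused
            packed = raw + b"\x00" * (ADDR_BYTES[version] - len(raw))
            cls = ipaddress.IPv4Network if version == 4 else ipaddress.IPv6Network
            prefixes.append(cls((packed, plen)))
    return prefixes


def prefix_authorized(cert_prefixes, advertised):
    """SEND-style check: the holder may advertise `advertised` only if some
    block in its certificate covers it. `advertised` may be a string or network."""
    advertised = ipaddress.ip_network(advertised)
    return any(advertised.version == p.version and advertised.subnet_of(p)
               for p in cert_prefixes)


# Constructed sample: a router certificate authorising one IPv4 and one IPv6 block.
ROUTER_BLOCKS = [ipaddress.ip_network("192.0.2.8/29"), ipaddress.ip_network("2001:db8::/32")]

if __name__ == "__main__":
    der = encode_ip_addr_blocks(ROUTER_BLOCKS)
    print(der.hex())
    print(decode_ip_addr_blocks(der))
    print(prefix_authorized(ROUTER_BLOCKS, "2001:db8:1::/48"))   # covered
    print(prefix_authorized(ROUTER_BLOCKS, "2001:db9::/32"))     # not covered
```

A /29 is included deliberately: its BIT STRING has three unused bits, which is the part of the encoding implementations most often get wrong, and the containment check must reject a supernet of an authorised block as firmly as an unrelated prefix.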
Benefits

• Generates certificates with IP extensions

• Counters threats to NDP

• Allows for stronger control on prefix advertisements

Hardware

Routers

• Cisco 87x, 88x, 1800, 2800, 3700, 3800, 7200, and 7301 Series Routers

Product Management Contact: ask-stg-ios-pm@cisco.com

2.1.5) Time-Based Anti-Replay on The VPN Services Adapter (VSA)

This feature enables Time-Based Anti-Replay (TBAR) support on the VPN Services Adapter (VSA) of the 7200 NPE-G2 platform. TBAR is used in the Group Encrypted Transport VPN (GETVPN) solution to detect replay attacks, since standard sequence-based anti-replay detection is not supported. This feature prevents 'man in the middle' attacks.
The Cisco GETVPN solution allows organizations to have branch-to-branch secure connectivity without having to incur the cost of establishing and maintaining full-mesh connections.
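Why a group SA cannot use the standard sequence-number window and what a time-based window does instead, as an added example that is not Cisco code: two group members share one SA and each keeps its own sequence counter, so a receiver running a per-SA sliding window rejects the second sender's legitimate packets as replays; a time-based check that only asks whether the packet's pseudotime is close to the receiver's own accepts all of them and still rejects a packet replayed after the window. The window size, pseudotimes and sequence numbers are constructed values; the per-packet pseudotime stamp is a model of the idea, not the on-the-wire GET VPN format.

```python
"""Sequence-number versus time-based anti-replay on a shared group SA.

Added example, not Cisco code. The window sizes, pseudotimes and sequence
numbers are constructed to show why a group SA with several senders cannot
use a per-SA sequence window, and what a time-based window does instead.
"""


class SequenceWindow:
    """Per-SA sliding window in the style of RFC 4303: remembers the highest
    sequence number accepted and which numbers inside the window were seen."""

    def __init__(self, size=64):
        self.size = size
        self.highest = 0
        self.seen = set()

    def accept(self, seq):
        if seq > self.highest:
            # Window slides forward; forget entries that fell off the left edge.
            self.highest = seq
            self.seen = {s for s in self.seen if s > seq - self.size}
            self.seen.add(seq)
            return True
        if seq <= self.highest - self.size or seq in self.seen:
            return False  # too old, or a replay of an already accepted packet
        self.seen.add(seq)
        return True


class TimeBasedWindow:
    """Receiver accepts a packet only if the sender's pseudotime stamped on it
    lies within `window` seconds of the receiver's own pseudotime. No per-packet
    state is kept, so the check works with any number of senders; the price is
    that a replay inside the window is not caught, which is why the window is
    kept small (100 s here is an assumed value)."""

    def __init__(self, window=100):
        self.window = window

    def accept(self, local_pseudotime, packet_pseudotime):
        return abs(local_pseudotime - packet_pseudotime) <= self.window


def group_traffic():
    """Constructed traffic: members A and B, each with its own sequence counter,
    send five packets each through the same group SA at pseudotimes 0..4.
    Yields (sender, sequence number, pseudotime)."""
    return [(sender, seq, seq - 1) for sender in ("A", "B") for seq in range(1, 6)]


def sequence_scenario():
    """Number of the ten legitimate packets a sequence-window receiver accepts."""
    win = SequenceWindow()
    return sum(win.accept(seq) for _, seq, _ in group_traffic())


def tbar_scenario():
    """Time-based receiver: all legitimate traffic, then a replay of A's packet
    from pseudotime 2 long after the window, then one inside the window."""
    win = TimeBasedWindow(window=100)
    legit = sum(win.accept(ptime, ptime) for _, _, ptime in group_traffic())
    return {
        "legit_accepted": legit,
        "late_replay_accepted": win.accept(200, 2),
        "in_window_replay_accepted": win.accept(50, 2),
    }


if __name__ == "__main__":
    print("sequence window accepted", sequence_scenario(), "of 10 legitimate packets")
    print("time-based window:", tbar_scenario())
```

The in-window replay that the time-based check lets through is the trade-off to keep in view when sizing the window: a smaller window shortens the replay exposure but demands tighter pseudotime synchronisation among the group members.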
Benefits

• Supports anti-replay in the Cisco GET VPN solution

• Allows protection against 'man in the middle' attacks, bolstering overall GET VPN security

Hardware

Routers

• Cisco 7200 with Network Processing Engine (NPE) G2

Additional Information: http://www.cisco.com/go/vsa
Product Management Contact: ask-stg-ios-pm@cisco.com

2.1.6) Group Encrypted Transport VPN (GET VPN) Enhancements

Several new GET VPN feature enhancements are introduced in Release 12.4(22)T:

Passive Security Association (SA)

This feature enables a new mode of IPSec Security Association (SA) with GET VPN. In this mode, the SA accepts both unencrypted and encrypted traffic inbound, while it always encrypts traffic outbound. Passive SA mode is configured on the Group Member (GM) and is persistent across router restarts; it allows the Group Member to modify the SAs downloaded from the Key Server (KS). Passive SA can be used in the same way as a receive-only SA to enable transitions in large-scale deployments.

Fail-Close

This feature enables GET VPN traffic forwarding to follow the "fail-close" model, wherein an unregistered Group Member (GM) stops forwarding data packets rather than sending them out unencrypted.

The fail-close command sets up an implicit "permit ip any any" at the end of the crypto map during the pre-registration phase. Post successful GDOI registration, the "permit ip any any" is removed from the crypto map.

You can specify exceptions that need to be forwarded in the clear, through a deny entry in the ACL. This is useful to allow routing packets and management packets from a particular host to get through. However, note that the deny ACL in the GDOI crypto map still takes precedence. After the registration is successful, the deny entry in the ACL goes away while the deny entry in the GDOI crypto map is persistent.

When fail-close is activated, unencrypted packets are blocked prior to and during registration. Once the GM is successfully registered to all its groups, the policies downloaded from the KS take over, governing the GM's behavior, and the fail-close ACL and implicit "permit ip any any" are removed. GMs keep the policies downloaded from the KS even if re-registration fails and the IPSec SA has expired.

Note: GET VPN supported fail-close previously, using an interface ACL. With the above feature, interface ACL may not be required. Fail-close with interface ACL might still be useful to customers looking to enforce a policy that certain packets must always be encrypted, regardless of the downloaded key server policy.
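The precedence rules just described, as an added example that is not Cisco code: a model of a Group Member's forwarding decision in which a deny on the GDOI crypto map always sends traffic in the clear, the fail-close ACL's deny exceptions apply only while the GM is unregistered (everything else hits the implicit "permit ip any any" and, with no SA yet, is dropped), and after registration the downloaded KS policy governs and is retained if re-registration later fails. The ACLs, KS policy and packets are constructed; entries are (action, protocol, source network, destination network) and ports are not modelled.

```python
"""Forwarding decisions on a GET VPN Group Member with fail-close enabled.

Added example, not Cisco code: a model of the precedence between the GDOI
crypto map deny entries, the fail-close ACL and the key-server policy.
ACLs, KS policy and packets are constructed; ports are not modelled.
"""
import ipaddress


def net(cidr):
    return ipaddress.ip_network(cidr)


def ip(addr):
    return ipaddress.ip_address(addr)


ANY = net("0.0.0.0/0")


def _matches(entry, pkt):
    _, proto, src, dst = entry
    return (proto in ("ip", pkt["proto"])) and pkt["src"] in src and pkt["dst"] in dst


def _first_match(acl, pkt):
    """Standard first-match ACL semantics; None when no entry matches."""
    for entry in acl:
        if _matches(entry, pkt):
            return entry[0]
    return None


class GroupMember:
    def __init__(self, local_deny_acl, fail_close_acl):
        self.local_deny_acl = local_deny_acl   # deny entries on the GDOI crypto map (persistent)
        self.fail_close_acl = fail_close_acl   # clear-text exceptions, pre-registration only
        self.ks_policy = None                  # downloaded from the KS on registration

    def register(self, ks_policy):
        self.ks_policy = list(ks_policy)

    def reregistration_failed(self):
        """The GM keeps the last downloaded policy; nothing is discarded."""
        return self.ks_policy is not None

    def forward(self, pkt):
        # 1. A deny on the GDOI crypto map always wins: the packet goes in the clear.
        if _first_match(self.local_deny_acl, pkt) == "deny":
            return "clear"
        # 2. Unregistered: fail-close deny entries go in the clear; everything
        #    else hits the implicit "permit ip any any", and with no SA that is a drop.
        if self.ks_policy is None:
            if _first_match(self.fail_close_acl, pkt) == "deny":
                return "clear"
            return "drop"
        # 3. Registered: the KS policy governs; permit means encrypt, and
        #    traffic the policy does not cover is forwarded in the clear.
        return "encrypt" if _first_match(self.ks_policy, pkt) == "permit" else "clear"


# Constructed policies.
LOCAL_DENY = [("deny", "ospf", ANY, ANY)]                  # routing protocol never encrypted
FAIL_CLOSE = [("deny", "tcp", net("10.9.9.9/32"), ANY)]    # management host allowed in clear
KS_POLICY = [("permit", "ip", net("10.0.0.0/8"), net("10.0.0.0/8"))]

# Constructed packets.
PACKETS = {
    "ospf_hello": {"proto": "ospf", "src": ip("10.1.1.1"), "dst": ip("224.0.0.5")},
    "mgmt_ssh":   {"proto": "tcp",  "src": ip("10.9.9.9"), "dst": ip("10.2.2.2")},
    "site_data":  {"proto": "tcp",  "src": ip("10.1.1.1"), "dst": ip("10.2.2.2")},
    "internet":   {"proto": "tcp",  "src": ip("10.1.1.1"), "dst": ip("192.0.2.1")},
}


def decisions(gm):
    return {name: gm.forward(pkt) for name, pkt in PACKETS.items()}


def pre_registration():
    return decisions(GroupMember(LOCAL_DENY, FAIL_CLOSE))


def post_registration():
    gm = GroupMember(LOCAL_DENY, FAIL_CLOSE)
    gm.register(KS_POLICY)
    return decisions(gm)


def after_failed_reregistration():
    gm = GroupMember(LOCAL_DENY, FAIL_CLOSE)
    gm.register(KS_POLICY)
    assert gm.reregistration_failed()   # policy retained, behaviour unchanged
    return decisions(gm)


if __name__ == "__main__":
    print("before registration:", pre_registration())
    print("after registration: ", post_registration())
```

The point to notice is the management exception: before registration it leaves the GM in the clear, but once the KS policy covers its addresses it is encrypted like any other traffic, so an exception that must hold regardless of KS policy belongs on the crypto map deny list, not in the fail-close ACL.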

Change Key Server Role

This feature allows you to switch the primary Key Server (KS) by forcing an election. Issuing the new clear crypto gdoi ks coop role command on the primary Key Server makes it relinquish the primary role and initiate an election. If the priorities have changed, a new primary will be elected. Note: This command does not clear any policies; it merely facilitates switching the primary KS.

Co-operative Key Server: Sharing Keys

This feature optimizes the number of rekeys that are sent out in the event of a network split, thereby allowing the network to stabilize rapidly. When there is a network split, a secondary KS takes over the partition that cannot reach the primary; with this new feature, the new primary reuses the existing policies where possible. At the split, a rekey is sent only if there are keys that are due to expire within the lifetime threshold (150 seconds). Unless this threshold is met, the current keys and policies are retained on the KS separated from the primary. This new ability to share the keys created by another KS reduces the number of policies to manage, thereby improving the cooperation between the key servers.

Re-key From Secondary on Merge

This feature distributes rekeying when a partitioned network merges back. When the merge occurs, the newly-demoted secondary KS takes responsibility to send out rekeys to the group members in its database. The primary KS is freed from having to send out all rekeys, and is able to focus on sending rekeys to only the members in its own database.

Benefits

• Enables controlled deployments in phases

• Provides ability to eliminate flow of unencrypted data packets

• Allows the primary key server to be changed midstream, e.g., for scheduled maintenance

• Optimizes cooperative key server communications during split and merge, providing better stability

Hardware

Routers

Group Member (GM): Cisco 870, 88, 1800, 2800, 3800 and 7200 Series and Cisco 7301
Key Server (KS): Cisco 1840, 2800, 3800 and 7200 Series and Cisco 7301

Additional Information: http://www.cisco.com/go/getvpn
Product Management Contact: ask-stg-ios-pm@cisco.com

2.1.7) IOS SSL VPN Internationalization

Cisco IOS SSL VPN Internationalization lays the framework to support multiple languages in the login and portal pages. Users will be able to select their language preference for their session from a drop-down menu at the time of login.

Figure 8. IOS SSL VPN Internationalization Support

Benefits

• Allows content to be presented in the local language.

Hardware

Routers

• Cisco 87x, 88x, 1800, 2800, 3700, 3800, 7200, and 7301 Series Routers

Additional Information: http://www.cisco.com/go/iossslvpn
Product Management Contact: ask-stg-ios-pm@cisco.com

2.1.8) IOS Support for Lawful Intercept

Cisco IOS provides a cost-effective yet powerful Communications Assistance for Law Enforcement Act (CALEA) compliant solution with the ability to monitor digital communications. The Cisco Service Independent Intercept (SII), Control Point Discovery (CPD) and Packet Cable 2.0 support Dynamic Discovery of the Intercept Access Point (IAP). Cisco Lawful Intercept provides an out-of-band control mechanism when using a third-party mediation device to request intercepts on the network elements within the organization's trust boundaries. When performing captures for Lawful Intercept, this activity is transparent to everything else going on in the network, providing access only to authorized personnel.

Figure 9. IOS Control Point Discovery (CPD) Lawful Intercept - Use Case Scenario

1. The Cisco IOS Router will act as a platform for lawful intercept, offering a complete end-to-end solution for the network with all communication sessions and intercept details preserved.

2. The Cisco Lawful Intercept solution offers scalable packet captures and an effective, powerful solution for organizations looking to comply with CALEA requirements.

Benefits

• Cost effective way to leverage existing infrastructure to meet LI regulatory obligations

• Provides easy, proactive compliance and offers quick deployment

Hardware

Routers

• Cisco 7200 Routers

Product Management Contact: ask-stg-ios-pm@cisco.com

3) Release 12.4(20)T Highlights

Table 3. Release 12.4(20)T Feature Highlights

3.1) Cisco IOS Security

3.1.1) Group Encrypted Transport VPN (GET VPN) Support for the Cisco VPN Services Adapter (VSA) for Cisco 7200 NPE-G2 Series Routers

3.1.2) Cisco IOS Content Filtering

3.1.3) VRF-Aware Cisco IOS Intrusion Prevention System (IPS)

3.1.4) User-based Cisco IOS Firewall

3.1.5) Application Inspection and Control for Simple Mail Transfer Protocol (SMTP)

3.1.6) Cisco IOS Firewall Support for Skinny Local Traffic

3.1.7) Cisco IOS Firewall Session Initiation Protocol (SIP) Application Layer Gateway (ALG) Enhancements

3.1.8) Cisco IOS Firewall H.323 Version 3 (v3) and Version 4 (v4) Support

3.1.9) Instant Messaging Blocking Support in Cisco IOS Firewall for "I Seek You" (ICQ) and Windows Messenger

3.1.10) Object Groups for Access Control Lists (ACLs)

3.1.11) Cisco IOS SSL VPN Access Control Enhancements

3.1.12) Cisco IOS SSL VPN AnyConnect Client Support

3.1.13) Cisco IOS SSL VPN Back End HTTP Proxy

3.1.14) Cisco IOS SSL VPN Full-Tunnel Performance Enhancements

3.1.15) Cisco IOS SSL VPN URL Split Rewrite Support

3.1.16) Next Hop Resolution Protocol (NHRP) MIB for Dynamic Multipoint VPN (DMVPN)

3.1.17) IPv6 Over Dynamic Multipoint VPN (DMVPN) Support

3.1.18) Group Encrypted Transport (GET) VPN Support for VRF-Lite

3.1.19) Cisco Tunnel Control Protocol (cTCP) Support on Easy VPN Hardware Clients

3.1.20) IPSec Usability Enhancements

3.1.21) Secure Shell Protocol Version 2 (SSHv2) Feature Enhancements

3.1.22) Command Line Interface (CLI) for Displaying Certificates

3.1.23) CLI to Control Certification Revocation List (CRL) Cache

3.1.24) Secure Device Provisioning (SDP) Connect Template

3.1) Cisco IOS Security

3.1.1) Group Encrypted Transport VPN (GET VPN) Support for the Cisco VPN Services Adapter (VSA) for Cisco 7200 NPE-G2 Series Routers

Cisco IOS Release 12.4(20)T adds GET VPN support for the Cisco VSA, the latest high-performance encryption and key-generation services module for IPSec VPN applications on Cisco 7200 NPE-G2 Series Routers.
GET VPN offers a new standards-based IP Security (IPSec) security model that is based on the concept of "trusted" group members. Trusted member routers use a common security methodology that is independent of any point-to-point IPSec tunnel relationship. GET VPN simplifies securing large Layer 2 or MPLS networks requiring partial or full-mesh connectivity.
Benefits

• The VSA offers increased IPSec performance over the Cisco VPN Acceleration Module 2+ (VAM2+) module.
Hardware

Routers

• Cisco 7200 NPE-G2 Series Routers

Additional Information:
Product Management Contact: ask-stg-ios-pm@cisco.com

3.1.2) Cisco IOS Content Filtering

Cisco IOS Content Filtering offers category-based productivity and security ratings. Content-aware security ratings protect against malware, malicious code, phishing attacks, and spyware. URL and keyword blocking help to ensure that employees are productive when accessing the Internet. This is a subscription-based hosted solution that leverages Trend Micro's global TrendLabs™ threat database, and is closely integrated with Cisco IOS Software. It is supported on routers running the Advanced Security image. Feature licenses can be purchased directly from the Cisco.com ordering tool or through your Cisco partner/account team.

Figure 10. IOS Content Filtering Use Case Scenario

Benefits

• Secures Internet access for the branch, without the need for additional devices

• Controls spyware and malware at the remote site; conserves WAN bandwidth

• Improves employee productivity and protects network resources by enabling content filtering

Hardware

Routers

• Cisco 800, 1800, 2800, and 3800 Series Routers

Product Management Contact: ask-stg-ios-pm@cisco.com

3.1.3) VRF-Aware Cisco IOS Intrusion Prevention System (IPS)

VRF-Aware Cisco IOS IPS allows Enterprises or service providers to put different groups of users or network segments into separate Virtual Routing and Forwarding (VRF) groups and to configure IPS on only certain VRFs or to configure IPS differently on each VRF. Divisions or functional groups separated by VRF segments may have different threat protection needs.