Cisco IOS®Software Release 12.2S is designed for Enterprise campus and Service Provider edge networks that require world-class IP and Multiprotocol Label Switching (MPLS) services. The Cisco Catalyst® Switches and high-end routers in Release 12.2S provide secure, converged network services in the most demanding Enterprise and Service Provider environments, from the wiring closet and data center to the WAN aggregation edge.
The infrastructure innovation and technology leadership in Release 12.2S enable advanced Ethernet LAN switching, Metro Ethernet, and Broadband Aggregation services through enhancements in High Availability, Security, MPLS, VPNs, and IP Routing and Services.
Derived from Release 12.2(14)S, Release 12.2SX provides Release 12.2S functionality and new features and hardware support for the Cisco Catalyst 6500 Series Switch and Cisco 7600 Series Router.
In addition to Release 12.2(18)SXD and 12.2(18)SXE, Releases 12.2(17d)SXB, 12.2(17b)SXA, 12.2(17a)SX, and 12.2(14)SX are available from Cisco.com. For detailed information about the features and hardware supported in each of these releases, please visit:
1.1 Release 12.2SX Ordering Information, Feature Sets, and Image Names
Refer to the "Feature Sets" section of the Release 12.2SX release notes for information about Release 12.2SX orderable product numbers, feature sets, and image names:
Cisco IOS Software is the world's leading network infrastructure software, delivering a seamless integration of technology innovation, business-critical services, and hardware support. Currently operating on over ten million active systems, ranging from the small home office router to the core systems of the world's largest service provider networks, Cisco IOS Software is the most widely leveraged network infrastructure software in the world.
Today's users need more flexible and consistent software packaging to address their complex network environments. Cisco is expanding its new Cisco IOS Packaging to Cisco switches via Cisco IOS Software Release 12.2S, creating a new foundation for Cisco IOS Software features and functionality.
For an overview of Cisco IOS Packaging for Cisco switches, including its availability and the associated Cisco IOS Software Release migration strategy, please visit http://www.cisco.com/go/packaging.
3. RELEASE 12.2(18)SXF HARDWARE AND FEATURE HIGHLIGHTS
Cisco IOS Software Release 12.2(18)SXF, the latest customer release of Release 12.2S, adds support for powerful new hardware and software features for the Cisco Catalyst 6500 Series Switch and Cisco 7600 Series Router.
3.1 Release 12.2(18)SXF Hardware and Feature Highlights
Table 1 and the following sections highlight some of the key hardware and software features available in Release 12.2(18)SXF.
Note: Unless noted otherwise, the following highlighted features were first supported in Release 12.2SX as of Release 12.2(18)SXF. Subsequent releases of Release 12.2SX also support the highlighted features, and might include additional hardware support for the following highlighted features.
Cisco Feature Navigator, which requires an account on Cisco.com, dynamically updates the list of supported hardware as new hardware support is added for the features in the releases of Release 12.2SX. Cisco Feature Navigator can provide a cumulative list of all new and existing features supported in Release 12.2(18)SXF, including hardware and software image support.
Table 1. Release 12.2(18)SXF Hardware and Feature Highlights
Hardware Support
Cisco IOS Security
Cisco IOS Infrastructure
IP Addressing and Services
MPLS and VPNs
IP Multicast
• Cisco 7600 Series SPA Interface Processor 600
• Cisco Catalyst 6500 Series Supervisor Engine 32
• Secure Multicast over GRE with Cisco Catalyst 6500 Series/Cisco 7600 Series IPsec VPN SPA*
• Cisco Port Security MIB*
• Network Admission Control LAN Port IP*
• Per Interface Sticky ARP
• Cisco Catalyst 6500 Series Switch with Cisco IOS Software Modularity**, ***
• Cisco IOS Embedded Event Manager 2.1**, ***
• Flex Links
• EtherChannel Min-Link
• Netflow V9 Export Format
• Hardware Capacity Monitoring
• 802.1d to PVST+ Bridge Protocol Data Unit (BPDU) Conversion*
• IEEE 802.1s-Multiple Spanning Tree (MST) Standard
• IP Unnumbered for VLAN-SVI Interfaces
• Match Class of Service (CoS) on SIP-400 with GE SPA
• Shaped Round Robin (SRR) ***
• P-Bit Transparency*
• Hierarchical-Virtual Private LAN Service (H-VPLS) with MPLS Edge
• Layer 3 MPLS VPN over GRE
• PIM Snooping DR Flooding Enhancement
• Internet Group Management Protocol (IGMP) Static Group Range ***
* This functionality is available beginning in Cisco IOS Software Release 12.2(18)SXF2.
** This functionality is available beginning in Cisco IOS Software Release 12.2(18)SXF4 with the Supervisor Engine 720.
*** This functionality is available beginning in Cisco IOS Software Release 12.2(18)SXF5 with the Supervisor Engine 32.
4.0 HARDWARE SUPPORT
4.1 Cisco 7600 Series SPA Interface Processor 600
Ideal for Service Provider applications, the Cisco 7600 Series SPA Interface Processor 600 (7600-SIP-600) supports up to 10Gbps of bandwidth and a wide range of interfaces. 7600-SIP-600 also provides the unique ability to combine both Layer 2 and Layer 3 services on the same linecard. The combination of native Layer 2 bridging and Layer 3 routing distinguishes this linecard among its peers, particularly in Metro Ethernet applications.
The innovative architecture of this industry leading WAN-services module is designed to deliver cost-effective high-touch features, combining both ASIC and Network Processor technology for an optimal combination of performance and flexibility. The 7600-SIP-600 uses dedicated ASIC technology in the forwarding path (routing/switching, NetFlow, ACLs) as well as for queuing/shaping functions to provide the maximum performance for these foundational features; a programmable network processor is included in the forwarding plane to facilitate flexibility and feature growth. These features are combined with distributed forwarding capabilities that dramatically multiply total system throughput.
7600-SIP-600 initially supports the following SPAs:
4.8 Cisco Catalyst 6500 Series PoE, 10/100 Interface Modules
Designed for deployment in wiring closets, high-density Cisco Catalyst 6500 Series 10/100 interface modules provide line-rate 10/100 Ethernet forwarding to the desktop capabilities. These interface modules feature PoE field-installable daughter cards for pay-as-you-grow investment protection and flexibility.
The 96-port 10/100 module (part number WS-X6196-RJ-21) is the industry's first 96-port 10/100 RJ-21 module with IEEE 802.3af support for all 96 ports, helping enable the Cisco Catalyst 6500 Series Switch to deliver the industry's highest port densities ranging from 192 10/100 ports in a Cisco Catalyst 6503 chassis to 1152 10/100 ports in a Cisco Catalyst 6513 chassis for a very cost-effective solution in the wiring closet. With the 802.3af PoE daughter card, this module can support up to 96 Class 2 devices or 62 Class 3 devices per module (960W of PoE per module).
The 96-port 10/100 module (part number WS-X6148X2-RJ-45) is the industry's first 96-port 10/100 RJ-45 module that helps enable the Cisco Catalyst 6500 Series Switch to deliver industry's highest port densities, ranging from 192 10/100 ports in a Cisco Catalyst 6503 chassis to 1152 10/100 ports in a Cisco Catalyst 6513 chassis for a very cost-effective solution in the wiring closet.
The 96-port 10/100 module (part number WS-X6148X2-RJ-45) doubles the port density in the system by allowing it to expand from 48 ports to 96 ports per slot with the addition of a splitter (included), typically mounted at the patch panel. The splitting also can occur at the wall jack, providing another option for doubling the port density of the switch without costly rewiring. This module also can function as a regular 48-port 10/100 module for maximum flexibility and scalability in the future. With the 802.3af PoE daughter card, this module can support up to 48 Class 3 devices per module when operating as a 48-port module, or up to 96 Class 2 devices per module when operating as a 96-port module (960W of PoE per module).
Benefits
Using RJ-21 or RJ-45 connectors, the Cisco Catalyst 6500 Series classic 10/100 modules are ready to be deployed in virtually all wiring-closet environments with the following operational advantages and characteristics:
• Maximum Port Density per Chassis:
– Support up to 1152 10/100 ports or 576 10/100/1000 ports in the Cisco Catalyst 6513 chassis
– Support up to 768 10/100 ports in the Cisco Catalyst 6509 chassis
– Support up to 480 10/100 ports in the Cisco Catalyst 6506 chassis
– Support up to 192 10/100 ports in the small-form-factor Cisco Catalyst 6503 chassis
• Field-Installable and Upgradable Inline-Power Daughter Cards: these modules help enable centralized power distribution to IP phones, wireless access points, and other devices by sharing the same Category 5 UTP cabling used for network connections.
• Forwarding Architecture: these modules provide centralized Cisco Express Forwarding.
• Forwarding Performance: these modules forward packets up to 15 Mpps per system.
• Fabric Connection: these modules provide a 32-Gbps shared bus connection.
Hardware
Routers
Cisco 7600 Series Router, Supervisor Engine 720 and Supervisor Engine 32
Switches
Cisco Catalyst 6500 Series Switch, Supervisor Engine 720 and Supervisor Engine 32
Considerations
These modules work with Supervisor Engine 1A, Supervisor Engine 2, Supervisor 32, or Supervisor Engine 720. These modules can occupy any slot in any Cisco Catalyst 6500 Series Switch or Cisco 7600 Series Router chassis.
5.1 Secure Multicast over GRE with Cisco Catalyst 6500 Series/Cisco 7600 Series IPsec VPN SPA
Secure multicast over GRE provides a secure and scalable solution to protect multicast traffic in enterprise or managed service provider environment. Each head-end device with the IPsec VPN SPA can support IPsec encrypted multicast traffic for up to 500 remote tunnels. The practical applications include voice/video/data broadcast.
Benefits
• Provides a secure method to transport multicast traffic
• Single box solution simultaneously incorporating GRE encapsulation, IPsec Encryption, and multicast
• Scalable up to 500 remote tunnels
Hardware
Routers
Cisco 7600 Series Router, Supervisor Engine 32 and Supervisor Engine 720
Switches
Cisco Catalyst 6500 Series Switch, Supervisor Engine 32 and Supervisor Engine 720
Considerations
Requires Cisco Catalyst 6500 Series Switch/Cisco 7600 Series Router IPsec VPN SPA and Services SPA Carrier (SSC) module: SPA-IPSEC-2G and 7600-SSC-400.
This functionality is available beginning in Cisco IOS Software Release 12.2(18)SXF2.
CISCO-PORT-SECURITY-MIB provides SNMP access to configure and retrieve information for port-security. The major areas covered by this MIB include: secure Interface Configuration Table; secure MAC Address Table; and secure VLAN Table.
Benefits
• Allows more flexible management options for port security.
Hardware
Switches
Cisco Catalyst 6500 Series Switch, Supervisor Engine 32 and Supervisor Engine 720
Considerations
This functionality is available beginning in Cisco IOS Software Release 12.2(18)SXF2.
Network Admission Control (NAC) Framework is a foundational component of the Cisco Self-Defending Network strategy, improving the network's ability to automatically identify, prevent, and respond to security threats.
NAC Framework enables the Cisco Catalyst 6500 Series Switches to collaborate with third-party solutions for security-policy compliance and enforcement before a host is permitted to access the network. By deploying NAC framework on the Cisco Catalyst 6500 Series Switches, customers can now restrict non-complaint endpoints that maybe vulnerable or infected with worms, viruses or spyware before they have a chance to enter the Local Area Network (LAN) and potentially infect other enterprise resources.
NAC performs posture validation at the Layer 2 network edge for hosts with or without 802.1x enabled. Vulnerable and noncompliant hosts can be isolated, given reduced network access or directed to remediation servers based on organizational policy. By ensuring that every host complies with security policy, organizations can significantly reduce the damage caused by infected hosts.
Network Admission Control (NAC) LAN Port IP extends NAC support to Layer 2 Ethernet access ports at the network edge. NAC L2 IP is an integral part of Cisco Network Admission Control. It offers the first line of defense for infected hosts connecting to the corporate network. Host device posture validation includes anti-virus state and operating system patch levels. Depending on the corporate access policy and host device posture, a host may be admitted, allowed restricted access, or quarantined to prevent further virus spread across the network.
The device to be validated must be attached to the L2 port within the first Layer 3 hop. LAN Port IP does not require 802.1x support on the hosts. Performing posture validation at the edge maximizes the portion of the network which is protected by the access control, and allows posture validation to be performed within a VLAN. NAC LAN Port IP acts at the same point in the network as the NAC LAN Port 802.1x basic feature, but uses different mechanisms to initiate posture validation, to carry the communication between host and authentication server, and to enforce the resulting access limitations. The posture verification exchange between the supplicant and the switch is over EAPoUDP (Extensible Authentication Protocol over User Datagram Protocol).
Figure 2. Network Admission Control LAN Port IP
Benefits
• Dramatically Improves Security-NAC ensures that endpoints (laptops, PCs, PDAs, servers, etc.) conform to security policy in order to proactively protect against worms, viruses and spyware.
• Increases Enterprise Resilience-NAC provides comprehensive admission control across the LAN to prevent non-compliant and rogue endpoints from impacting network availability.
• Improve Operational Efficiency-NAC helps organizations focus operations on prevention, not reaction, reducing OpEx related to identifying and repairing non-compliant, rogue, and infected systems.
• Extends Existing Investment-NAC provides broad integration with multivendor security and management software, and extends existing investments in network infrastructure and vendor software. Extends the benefits of NAC to Layer 2 Ethernet Access ports using IP on the Cisco Catalyst 6500 Series Switch and Cisco 7600 Series Router.
Hardware
Routers
Cisco 7600 Series Router, Supervisor Engine 720 and Supervisor Engine 32
Switches
Cisco Catalyst 6500 Series Switch, Supervisor Engine 720 and Supervisor Engine 32
Considerations
This functionality is available beginning in Cisco IOS Software Release 12.2(18)SXF2.
5.4 Per Interface Sticky Address Resolution Protocol
Currently, Cisco is implementing IP Sticky Address Resolution Protocol (ARP) functionality to prevent hackers or malicious users from spoofing MAC addresses. Sticky ARP entries do not age out, and prevent malicious users from modifying the MAC addresses; however, existing functionality can only be applied to all private VLANs. This enhancement enables users to apply the Sticky ARP functionality to any Layer 3 interface, while allowing the user to overwrite the private VLAN Sticky ARP configuration on a specific interface.
Benefits
This enhancement allows more flexible security options preventing hosts from changing the MAC address of an interface. This is useful for Metro Ethernet Access environments, in which a DSL end station host may attempt to change the MAC address of a Broadband Aggregation Server (BRAS).
Hardware
Routers
Cisco 7600 Series Router, Supervisor Engine 720 and Supervisor Engine 32
Switches
Cisco Catalyst 6500 Series Switch, Supervisor Engine 720 and Supervisor Engine 32
6.1 Cisco Catalyst 6500 Series Switch with Cisco IOS Software Modularity
Cisco Catalyst 6500 Series Switch with Cisco IOS Software Modularity boosts operational efficiency and minimizes downtime through evolutionary software infrastructure advancements. By enabling modular Cisco IOS Software subsystems to run as independent processes, this innovation:
• Minimizes unplanned downtime through self-healing processes
• Simplifies software changes through subsystem In-Service Software Upgrades (ISSU)
• Enables process-level, automated policy control by integrating Embedded Event Manager (EEM)
Figure 3. Cisco Catalyst 6500 Series Switch with Cisco IOS Software Modularity
The Cisco Catalyst 6500 Series Switch delivers hardware based forwarding through ASICs (Application Specific Integrated Circuits) on a central Policy Feature Card (PFC) or Distributed Forwarding Cards (DFC). The control plane functions on the Cisco Catalyst 6500 Series Switch run on dedicated CPUs on the Multilayer Switch Forwarding Card (MSFC) complex.
• Control Plane-Handles control traffic such as routing protocol updates and management traffic
• Data Plane-Responsible for the actual forwarding of packets using ASICs
A completely separate data plane ensures that traffic forwarding continues even if there is a disruption in the control plane, as long as the software is intelligent enough to program the hardware for non-stop operation. With Supervisor Engine redundancy, the Non-Stop Forwarding (NSF) and Stateful Switchover (SSO) features available on the Cisco Catalyst 6500 Series Switch provide a continuous data plane even in the event of a hardware failure on the active Supervisor.
Cisco IOS Software Modularity combines subsystems into individual processes and enhances the Cisco IOS Software memory architecture in order to provide process level fault isolation and subsystem ISSU capability. These enhancements are delivered on Cisco IOS Software for the Cisco Catalyst 6500 Series Switch Supervisor Engine 720 and Supervisor Engine 32, maintaining the feature richness and operational environment that network operators are familiar with.
Benefits
• Operational Consistency-While Software Modularity adds many enhancements to Cisco IOS Software on the Cisco Catalyst 6500 Series Switch, no changes from an operational point of view are necessary. Command Line Interface (CLI) as well as management interface related interfaces such as SNMP or SYSLOG are the same as before. New commands to exec and configuration mode as well as show commands have been added to support the new functionality. Software releases and rebuilds are the same as before with additional support for patching.
• Protected Memory-Software Modularity enables a memory architecture where processes make use of a protected address space. Each process and its associated subsystems "live" in an individual memory space. Using this paradigm, memory corruption across process boundaries becomes virtually impossible.
• Fault Containment-The benefit of protected memory space is increased availability since problems occurring in one process can not affect other parts of the system. For example, if a less critical system process fails or is not operating as expected, critical functions required to maintain packet forwarding are not affected.
• Process Restartability-Building on the protected memory space and fault containment, the modular processes are now individually restartable. For test purposes or non-responding processes, a new CLI command is provided to manually restart processes. This allows fast recovery from transient errors without the need to disrupt forwarding. An integrated high availability subsystem constantly checks the state of processes and keeps track of how many times a process restarted in a defined time interval. In the event a process restart does not restore the system, the high availability subsystem will take more drastic actions such as initiating a Supervisor Engine switchover or a system restart.
• Modularized Processes-Several control plane functions have been modularized to cover the most commonly used features. Examples of modular processes include but are not limited to:
– Routing process
– Internet Daemon
– Raw IP processing
– TCP process
– UDP process
– CDP process
– SYSLOG Daemon
– Any EEM components
– IP File System Daemon
– File system drivers
– Install Manager
• Subsystem ISSU-The most important benefit of the protected memory space and process restartability is the ability to make changes to software during runtime. Cisco IOS Software Modularity enhances the Cisco IOS Software infrastructure to allow selective system maintenance through individual patches (a patch is a single update that can affect one or multiple subsystems). By providing versioning and patch management capabilities, patches can be downloaded, verified, installed and activated without the need to restart the system. Since packet forwarding is not affected during the patch process, the network operator now has the flexibility to introduce software changes at any time. A patch only affects the components required for the update, which means that a network administrator now only has to re-certify the portion of the software associated with the update.
Hardware
Switches
Cisco Catalyst 6500 Series Switch, Supervisor Engine 720 and Supervisor Engine 32
Considerations
This functionality is available on the Supervisor Engine 720 beginning in Cisco IOS Software Release 12.2(18)SXF4. This functionality is available on the Supervisor Engine 32 beginning in Cisco IOS Software Release 12.2(18)SXF5.
Cisco IOS Embedded Event Manager (EEM) 2.1 supports a flexible, policy driven framework that supports in-box monitoring of different components of the system with the help of software agents known as event detectors. Event detectors notify the EEM when an event of interest occurs. The EEM policies (configured via CLI or TCL scripting interface) define automatic actions to be taken based on the current state of the system and on the policy specified for the given event. An extendible EEM framework allows new event detectors to be added as needed.
The goal of Cisco IOS Embedded Event Manager 2.1 is to significantly enrich the embedded event management framework in Cisco IOS Software by building on top of EEM 1.0 and adding TCL based event management policy authoring capabilities. EEM 2.1 will also provide a number of additional event detectors and policy action supporting advance monitoring, high availability and serviceability capabilities.
Cisco IOS Embedded Event Manager 2.1 provides a leadership feature to users in the areas of on-device event detection/recovery and supports enhanced ability to identify and correct anomalies within user networks. The users can incorporate consistent logical fault management policies across Cisco IOS Software based products in their networks. Furthermore, the ability to define event management policies reduces operator errors, and establishes rule sets for root- cause analysis. Cisco IOS Embedded Event Manager 2.1 enables a distributed, scalable, and customizable approach to event management (detection, recovery, and automated actions) directly in a Cisco IOS Software device.
Figure 4. EEM 2.1 Block Diagram
Benefits
• Leverage intelligence of Cisco IOS Software
• Enhanced event management and monitoring capabilities through the use of event detectors
• Increased network availability and serviceability through integration with network policy rule sets
• Increased management scalability with integrated event detectors and automated policy actions
• EEM 2.1 provides autonomous scripting capabilities in Cisco IOS Software without requiring the use of an NMS application
Hardware
Routers
Cisco 7600 Series Routers, Supervisor Engine 720 and Supervisor Engine 32
Switches
Cisco Catalyst 6500 Series Switch, Supervisor Engine 720 and Supervisor Engine 32
Considerations
EEM 2.1 is supported in Cisco IOS Software Release 12.2(18)SXF4 for Cisco IOS Modularity for the Cisco 6500 only. Support for EEM 2.1 in Cisco IOS Software images not containing Cisco IOS Modularity is available in Cisco IOS Software Release 12.2(18)SXF5 for both the Cisco Catalyst 6500 Series Switch and Cisco 7600 Series Router.
Flex Links are a pair of a Layer 2 interfaces (switchports or port channels), in which one interface is configured to act as a backup for the other. The feature provides an alternative solution to the Spanning Tree Protocol (STP), enabling users to turn off STP without sacrificing basic link redundancy. Flex Links are typically configured in service provider or enterprise networks, in which customers do not need to run STP on the switch. If the system is running STP, it is not necessary to configure Flex Links because STP already provides link-level redundancy or backup.
A Flex Link is configured for one Layer 2 interface (the active link) by assigning another Layer 2 interface as the Flex Link or backup link. When one of the links is up and forwarding traffic, the other link is in standby mode, ready to begin forwarding traffic if the other link shuts down. At any given time, only one of the interfaces is in the linkup state and forwarding traffic. If the primary link shuts down, the standby link starts forwarding traffic. When the active link comes back up, it goes into standby mode and does not forward traffic. STP is disabled on Flex Link interfaces.
Benefits
• Flex Links provide fast convergence, with failover in less than three seconds.
• It allows users to configure one of the switchport interfaces to backup another switchport interface for increased network fault tolerance and backup capabilities.
• Eliminates the need for STP.
Hardware
Routers
Cisco 7600 Series Router, Supervisor Engine 720 and Supervisor Engine 32
Switches
Cisco Catalyst 6500 Series Switch, Supervisor Engine 720 and Supervisor Engine 32
