Cisco IOS Software Release 1. T: New Features and Hardware Support

Product Bulletin No.

Cisco IOS Software Release 1. T provides the latest innovations for the world's most demanding networks. It is designed for the borderless network and provides a unified architecture that is easier to operate, more reliable, and more secure. The new features are fully integrated with the extensive capabilities already available in Cisco IOS Software Release 1. M to provide solutions for enterprise, service provider, and smart grid networks. New features include:

- VPN encryption acceleration support
- Security enhancements, including more IPv6 VPN functionality
- Cisco Unified Communications Border Element (CUBE) enhancements
- Deep packet inspection capabilities for IPv6 with Network Based Application Recognition (NBAR)

Cisco IOS Software Release 1. T supports Cisco 8. Series Routers, Cisco 1. Series Integrated Services Routers, the Cisco 1. E Integrated Services Router, and the Cisco CGR 2. Connected Grid Router.

New Features and Hardware Support

ISM VPN for VPN Acceleration

Cisco IOS Software Release 1. T will provide support for the Integrated Services Module (ISM) for VPN acceleration. ISM VPN offloads crypto processing to dedicated hardware, freeing the host router's resources for other Cisco IOS features such as firewall, quality of service (QoS), or Network Address Translation (NAT). The module offers plug-and-play capability, allowing quick and easy installation. It provides up to 3 to 5 times the throughput of the onboard crypto engine on ISR G2 platforms and supports hardware acceleration of advanced cryptographic algorithms, such as Internet Key Exchange Version 2 (IKEv2) and Suite B.

VPN and Security Enhancements

Group Member Removal and Policy Replacement for Group Encrypted Transport VPN
The group member (GM) removal feature allows efficient removal of unwanted GMs from the network without modifying existing network operation. Network operators can remove a group member instantly from the key server (KS). This action instructs the key server to send a message to all group members telling them to redownload policies and rejoin the group if they are allowed to. As a result, the unauthenticated group member is rejected from the group according to the security policy.

Policy replacement for Group Encrypted Transport VPN (GETVPN) adds a new EXEC command that allows the KS to trigger a rekey on demand after configuration changes are complete. GETVPN policy changes alone no longer trigger a rekey. When an operator changes the policy and exits configuration mode, a syslog message is displayed on the primary KS stating that the policy has changed and a rekey is needed. The operator can then enter the new triggered-rekey command to send a rekey based on the latest security policy in the running configuration.

- Provides additional control capability to manage GETVPN
- Simplifies implementing new policy changes and updates on the network

GDOI MIB Support for GETVPN

Group Domain of Interpretation (GDOI) MIB support for GETVPN provides new standard Simple Network Management Protocol (SNMP) management capabilities for routers with GETVPN enabled. Network operators can now use SNMP to gather and retrieve data related to core GETVPN functions, which simplifies troubleshooting, recording network events, and operating the network. The GDOI MIB consists of MIB objects and notifications (traps). The MIB objects and notifications reflect the status on both the key server and the group member. Objects included in the MIB are key encryption key and traffic encryption key tables, traffic tables, and policy tables. Notifications include new registrations, rekey, reregistrations, and rekey failure.

- MIB statistics provide detailed visibility into core GDOI operation and counters
- Standard SNMP with GETVPN provides easy access and facilitates integration with current SNMP-based network management systems

IPv6 Transport for Dynamic Multipoint VPN

This feature allows sites deployed with an IPv6 WAN address to have access and connectivity to a virtual private network. Both IPv4 and IPv6 passenger traffic can be carried over an IPv6-only WAN. Spokes connect to an IPv6-capable hub and get full access to the VPN. This feature also allows IPv6-only sites to connect with IPv4 sites. New sites and deployments face the challenge of running out of registered IPv4 addresses, and new sites in various regions are starting to require an IPv6 WAN interface. IPv6 Dynamic Multipoint VPN (DMVPN) eases the migration to and rollout of IPv6. This feature allows the mGRE interface to be IPv6 addressed and the Next Hop Resolution Protocol (NHRP) to work over the IPv6 transport. IPv6 transport for DMVPN integrates with the existing Cisco IOS services that are supported with IPv6: GRE, NHRP, and Cisco Express Forwarding. This release provides support for the following with IPv6 DMVPN:

- Dual-hub topology for resiliency and failover
- Hub-and-spoke tunnel topology with access between the spokes through the hub
- Dynamic routing for IPv6 and IPv4 with Enhanced Interior Gateway Routing Protocol (EIGRP), Open Shortest Path First (OSPF), Border Gateway Protocol (BGP), and Routing Information Protocol Version 2 (RIPv2)
- NHRP MIB and syslog enhancements
- Backup Next Hop Server (NHS) and hub configuration with a fully qualified domain name (FQDN)
- Virtual Route Forwarding (VRF) awareness for the tunneled traffic and the GRE tunnel

Benefits:

- Allows IPv6-only sites to have full VPN access for both IPv4 and IPv6 passenger traffic
- Eases the migration and rollout of IPv6 in the WAN
- Maintains end-to-end connectivity for passenger traffic over any mix of IPv4 and IPv6 addresses in the WAN
- Supports private addresses across the network without the need for address translation

DHCP Automatic IPv4 Address Pool Assignment for DMVPN Spokes
The Dynamic Host Configuration Protocol (DHCP) automatic IPv4 address pool assignment feature for DMVPN spokes uses the DHCP On Demand Address Pool (ODAP) feature to support centralized management of all IP addresses and zero-touch spoke DMVPN deployments. Support for dynamic IP address allocation for the DMVPN spoke's GRE tunnel interface was introduced in Release 1. T. Until now, the spoke devices in DMVPN deployments had to be configured statically with local DHCP pools so that they could distribute addresses to hosts on their inside LAN interface, which involves substantial administrative overhead. The management of large pools of IP subnets needs to be centralized to simplify the configuration of subnets allocated to LAN interfaces in large DMVPN networks. The Cisco implementation of DHCP adds ODAP subnet allocation. ODAP subnet allocation allows DHCP to be used not only to allocate and install an IP address for the DMVPN mGRE or point-to-point tunnel on the spoke, but also to allocate an IP subnet that the spoke uses to distribute addresses on its inside LAN interface. ODAP centralizes the management of large pools of addresses and simplifies the configuration of large networks by providing a central management point for the allocation and assignment of subnets and IP addresses.

- Centralized IP address manageability, which reduces administrative overhead
- On-demand IP address assignment on branches or spokes

Cisco AnyConnect VPN Client with IPsec and IKEv2

The Cisco AnyConnect Secure Mobility Client 3.0 supports IPsec tunnels and Internet Key Exchange Version 2 (IKEv2). This Cisco IOS release provides support for Cisco AnyConnect Essentials 3.0 on Cisco ISR G2 routers. A preinstalled Cisco AnyConnect client can use IKEv2 with Extended Authentication Protocol (EAP) methods including EAP-MSCHAPv, EAP-MD5, and EAP-GTC. In the case of certificate authentication (RSA signature authentication), the Cisco IOS server and the AnyConnect 3.0 client post advanced certificate requests to the common trust point certificate server, obtain their certificates, and use them for mutual authentication.

- Eases client administration
- Allows the administrator to distribute policy updates automatically from the VPN headend
- Allows service providers to offer a secure managed connectivity service with VRF support
- Provides an optimized connection for latency-sensitive traffic when security policies require the use of IPsec/IKEv2

To learn more, visit the Cisco AnyConnect VPN Client page.

Windows 7 Client Termination with IPsec and IKEv2

This feature allows a PC running Windows 7 to connect to Cisco IOS devices with IPsec and IKEv2. With this release, Windows 7 can establish an IPv4 tunnel carrying IPv6 passenger traffic and an IPv6 tunnel carrying IPv4 passenger traffic.

- Provides secure connectivity for standalone systems running Windows 7
- Supports both IPv4 and IPv6

Internet Routing and Traffic Engineering

Internet Routing

Internet routing today is handled through a routing protocol known as BGP (Border Gateway Protocol). Individual networks on the Internet are represented as autonomous systems (AS). An autonomous system has a globally unique autonomous system number (ASN), which is allocated by a Regional Internet Registry (RIR); the RIRs also handle the allocation of IP addresses to networks. Each autonomous system establishes BGP peering sessions with other autonomous systems to exchange routing information. A BGP peering session is a TCP session established between two routers, each in a particular autonomous system. The session rides across a link, such as a 1. Gigabit Ethernet interface, between those routers. The routing information contains an IP address prefix and subnet mask, which indicates which IP addresses are associated with an autonomous system number (the AS origin). Routing information propagates across autonomous systems based upon policies that individual networks define.
This is where things get interesting, because various factors influence how routing is handled on the Internet. There are two main types of relationships between autonomous systems today: transit and peering.

Transit is where an autonomous system pays an upstream network, known as a transit provider, for the ability to forward traffic toward it; the transit provider then forwards that traffic further. It also allows the purchasing autonomous system (the customer in this relationship) to have its routing information propagated to the provider's adjacencies. Transit involves obtaining direct connectivity from the customer network to the upstream transit provider's network. These connections can be multiple 1. Gigabit Ethernet links between each other's routers. Transit pricing is based upon network utilization in the dominant direction: a transit provider will look at a month's worth of utilization and, in the traffic-dominant direction, bill on the 9. The unit used in billing is bits per second (bps), and prices are communicated per Mbps, for example 2 per Mbps.

Peering is where an autonomous system connects to another autonomous system and the two agree to exchange traffic with each other, along with the routing information for their own networks and for any transit customers they have. Peering connectivity is formed in one of two ways. The first is direct connectivity between the individual networks' routers over multiple 1. Gigabit Ethernet or 1. Gigabit Ethernet links. This is known as private peering, or PNI (Private Network Interconnect). It gives both parties clear visibility into the interface utilization in both directions, inbound and outbound. The other form of peering is established via Internet Exchange switches, or IXs. With an Internet Exchange, multiple networks obtain direct connectivity into a common set of Ethernet switches.
Individual networks can then establish BGP sessions across the exchange with other participants. The benefit of an Internet Exchange is that it lets multiple networks connect to a common location and use it for one-to-many connectivity. A downside is that a given network has no visibility into the network utilization of the other participants. Most networks deploy their network equipment (routers and Dense Wave Division Multiplexing (DWDM) transport equipment) into colocation facilities, where networks establish direct connectivity to each other. This can be via Internet Exchange switches, which are also found in these colocation facilities, or via direct connections, which are fiber-optic cables run between the individual suites or racks where the network gear is located.

Routing Policy

Networks define their routing policy to prefer routes to other networks based upon a variety of criteria. The BGP best-path decision process in a router's operating system dictates how the router prefers one BGP path over another. Network operators write their policy to influence that best-path decision based upon factors such as the cost of delivering traffic to a destination network, in addition to performance. A typical routing policy dictates that internal routes (the network's own) and routes learned from its own customers are preferred over all other paths. After that, most networks prefer peering routes, since peering is typically free and often provides a shorter or more optimal path to a destination. The least preferred route to a destination is over paid transit links. For transit paths, both cost and performance are typically factors in determining how to reach a destination network. Routing policies themselves are defined on routers in a simple text-based policy language that is specific to the router operating system.
Policies contain two types of functions: a match on one or multiple routes, and an action for that match. A match can include a list of actual IP prefixes and subnet lengths, ASN origins, AS paths, or other BGP attributes (communities, next hop, and so on). Actions can include setting BGP attributes such as local preference, Multi-Exit Discriminators (MED), and various other values (communities, origin, and so on). Below is a simplified example of a routing policy applied to routes learned from a transit provider. It has multiple terms that let an operator match specific Internet routes and set a different local preference value for each, controlling which traffic is forwarded through that provider. Additional actions set other BGP attributes that classify the routes so they can be easily identified and acted upon by other routers in the network. The local preference values themselves are not shown in the excerpt.

    TRANSIT 1 IN
      term PREFER OVER PEERING
        match TRANSIT 1 OVERRIDE
        community add TRANSIT
        community add LOCATION
      term PREFER OVER OTHER TRANSIT
        match TRANSIT 1 HIGH PREF
        community add TRANSIT
        community add LOCATION
      term DEPREF OTHER TRANSIT
        match TRANSIT 1 LOW PREF
        community add TRANSIT
        community add LOCATION
      term DEFAULT TERM
        metric 1
        community add TRANSIT
        community add LOCATION

Network operators tune their routing policy to determine how to send traffic to, and how to receive traffic from, adjacent autonomous systems. This practice is generally known as BGP traffic engineering. Outbound traffic changes are by far the easiest to implement: they involve identifying the routes you want to steer and increasing the routing preference so that traffic egresses through a particular adjacency. Operators must examine certain things before and after any policy change to understand the impact of their actions. Inbound traffic engineering is more difficult, as it requires the operator to alter the routing announcements leaving the network in order to influence how other autonomous systems on the Internet prefer to route toward it.
While influencing the directly adjacent networks is fairly straightforward, influencing networks beyond those directly connected can be tricky. This technique relies on features that a transit provider can grant via BGP. BGP has a type of attribute known as communities. Communities are strings that can be passed in a routing update across BGP sessions. Most networks use communities to classify routes, for example as transit vs. peering. The transit customer relationship usually gives the customer certain capabilities to control the further propagation of its routes to the provider's adjacencies. This gives a network the ability to traffic engineer further upstream, toward networks it is not directly connected to.

Traffic engineering is used on the Internet for several reasons today. The first is to reduce bandwidth costs by preferring particular paths (different transit providers). The other is performance: a particular transit provider may have a less congested or lower-latency path to a destination network. Network operators look at a variety of metrics to determine whether there is a problem, then make policy changes and examine the outcome. Of course, on the Internet the scale of the traffic being moved matters. Moving a few Gbps of traffic from one path to another may improve performance, but moving tens of Gbps may cause congestion on the newly selected path.
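As an added illustration of the match/action policy terms and the local-preference step of best-path selection described above (example code written for this page, not taken from it or from any router operating system), the following Python model evaluates a transit import policy with the same term names as the excerpt and then picks the best path for a prefix learned from both a peer and a transit provider. All prefixes, ASNs, community strings and preference values are constructed for illustration.

```python
# Added example, not from the bulletin: a toy model of a transit import policy
# (ordered match/action terms, first match wins) and the local-preference and
# AS-path-length steps of BGP best-path selection. Prefixes, ASNs, community
# strings and preference values are constructed for illustration.
from dataclasses import dataclass, field

@dataclass
class Route:
    prefix: str
    as_path: tuple                    # neighbour ASN first, origin ASN last
    next_hop: str
    local_pref: int = 100
    communities: set = field(default_factory=set)

def tag(route, pref, *comms):
    """Action: set local-preference and add classification communities."""
    route.local_pref = pref
    route.communities.update(comms)

def transit_policy(override, high_pref_origins, low_pref_origins):
    """Terms mirror the TRANSIT 1 IN excerpt; the preference values are made up."""
    return [
        ("PREFER OVER PEERING", lambda r: r.prefix in override,
         lambda r: tag(r, 150, "TRANSIT", "LOCATION")),
        ("PREFER OVER OTHER TRANSIT", lambda r: r.as_path[-1] in high_pref_origins,
         lambda r: tag(r, 90, "TRANSIT", "LOCATION")),
        ("DEPREF OTHER TRANSIT", lambda r: r.as_path[-1] in low_pref_origins,
         lambda r: tag(r, 70, "TRANSIT", "LOCATION")),
        ("DEFAULT TERM", lambda r: True,
         lambda r: tag(r, 80, "TRANSIT", "LOCATION")),
    ]

def apply_policy(policy, route):
    """Evaluate terms in order; the first match fires and its name is returned."""
    for name, match, action in policy:
        if match(route):
            action(route)
            return name

def best_path(routes):
    """Simplified decision: highest local-preference, then shortest AS path."""
    return max(routes, key=lambda r: (r.local_pref, -len(r.as_path)))

def choose(prefix, override=frozenset()):
    """Same prefix learned from a peer (pref 120) and from transit 1 (policy)."""
    peer = Route(prefix, (64496, 64500), "peer", 120, {"PEER"})
    transit = Route(prefix, (64497, 64498, 64500), "transit1")
    term = apply_policy(transit_policy(override, {64511}, {64510}), transit)
    return best_path([peer, transit]).next_hop, term, transit.local_pref

if __name__ == "__main__":
    print(choose("192.0.2.0/24"))                     # peering wins by default
    print(choose("192.0.2.0/24", {"192.0.2.0/24"}))   # override steers to transit
```

Adding the prefix to the override set is the outbound traffic-engineering move the text describes: only that prefix's local preference rises above the peering value, so only its traffic egresses via the transit link.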