Product Bulletin, No. 1806
Cisco IOS Software Release 12.2(8)YJ
Introduction:
This product bulletin describes the new features introduced in Cisco IOS® Software Release 12.2(8)YJ.
New Features
T1/E1 Multiflex Voice/WAN Interface Cards for Cisco 1721
With this release, the following T1/E1 Multiflex voice interface cards (VWICs) are introduced onto the Cisco 1721 modular router platform.
VWIC-1MFT-E1
VWIC-2MFT-E1
VWIC-1MFT-T1
VWIC-2MFT-T1
VWIC-1MFT-G703
VWIC-2MFT-G703
VWIC-2MFT-T1-DI
VWIC-2MFT-E1-DI
These cards are supported on Cisco 1751, Cisco 1760, Cisco 2600, and Cisco 3600 routers running Cisco IOS Software versions earlier than 12.2(8)YJ.
The T1/E1 Multiflex cards provide the following new data services on the Cisco 1721 in the basic IP images:
• Fractional T1/E1 data service
• Support for two channel groups per module
• Local two-port T1/E1 Drop and Insert service
• E1 Structured (G.704) and Unstructured (G.703) service
• Support for 56 Kbps data services
Important Notes
With this release, the services listed above, which are in data-only mode, are supported in Cisco 1700 IOS IP images. These services no longer require Cisco 1700 IOS IP/VOX Plus or above images. However, for channelized voice services on the Cisco 1751 and Cisco 1760 through T1/E1 VWICs, Cisco 1700 IOS IP/VOX Plus and above images are still required.
Cisco Easy VPN Features
Supporting products: Cisco 1710, 1721, 1751, 1760 routers
Description
• Manual Tunnel Control
A new crypto command can be used when manual configuration has been specified in the Easy VPN configuration. This command is useful, for example, when tunnel establishment needs to be manually controlled on ISDN links.
The config commands are as follows:
crypto ipsec client ezvpn <name>
connect {[auto] | manual}
crypto ipsec client connect <name> -
Config commands:
connect {[auto] | manual}
The command has two connect settings: auto and manual. Auto is the default and automatically attempts to establish a tunnel connection when this configuration is attached to an interface. The manual option requires the "crypto ipsec client connect <name>" command to initiate connections.
• Key Garbling for Easy VPN Encrypted Preshared Keys
In the current versions of Cisco IOS Software, the pre-shared keys can be displayed in plain text with the router show config commands. This feature allows a network administrator to encrypt the pre-shared keys.
Example:
Behavior of the show config command in current versions:
group hw-client-groupname key hw-client-password
Behavior of the show config command with this feature:
group hw-client-groupname key alsjdlkasjdlkajl
• Easy VPN Access Lists
Easy VPN currently uses extended access lists to configure NAT for client and split modes. With this feature, it uses special access lists, specific to Easy VPN, that cannot be configured by a user through the command-line interface.
• DHCP Server Enhancements for Prepending Attributes and DNS Proxy Support
When the tunnel is down, the ISP's DNS should be used. When the tunnel is up, the customer's DNS should be used to resolve DNS requests. Initially in Cisco IOS Software, DHCP server enhancements supported prepending and selective deletion of imported attributes so that DNS and WINS attributes could be set up correctly in the DHCP server regardless of whether the tunnel was up or down. This feature now uses the DNS proxy feature.
• The DNS proxy feature:
The router acts as a proxy DNS server. This means that it receives DNS queries on behalf of the real DNS servers and acts as a proxy for users connected to the LAN. This enables the DHCP server to immediately send out the router's own LAN address as the DNS server IP address. The router then forwards the DNS queries from local users to the real DNS servers after the WAN connection is initiated, and it caches the DNS records in the answers.
• NAT Configuration Restoration when Tunnel down
When the Easy VPN tunnel is down, users lose Internet connectivity. Easy VPN then auto-configures NAT to implement Client Mode and Split Tunneling. NAT configuration in Easy VPN is based on some of the information learned from the Mode Config command. With NAT autoconfiguration, the router must be free of any existing NAT configuration. Internet access requires a default NAT configuration, which can result in a conflict and Easy VPN not functioning correctly. When the tunnel goes down, all automatically configured NAT configuration is removed. In addition, some Internet access NAT configuration is removed, which results in users losing Internet access when the tunnel is down. This feature corrects the current behavior by saving any existing Internet access NAT configuration at tunnel creation time and then restoring it when the tunnel goes down, preventing any loss of Internet connectivity.
• ACL Firewall Interoperability with Easy VPN
In current versions of Cisco IOS Software on 1700 platforms configured for Easy VPN, user-entered access lists fail to work. This feature addresses the interoperability issues between ACLs/firewalls and Easy VPN.
• Peer Hostname Enhancements
The peer in an Easy VPN configuration can be specified as a dotted decimal IP address or a hostname. If a hostname is specified, a DNS lookup is done immediately and the IP address is set internally. However, if the DNS entry changes, the current implementation is not flexible enough to support it. This feature modifies the existing behavior by storing the text string of the hostname and using it to perform a DNS lookup at the time of tunnel connection.
• Multiple Inside Interface Support
Easy VPN currently supports just one inside interface, which defaults to Fast Ethernet on Cisco 1700, and to Ethernet on Cisco 800 and Cisco UBR900 platforms. This feature adds support for multiple inside interfaces, which can be configured through the command-line interface as follows:
interface <interface-name>
crypto ipsec client ezvpn <name> [[outside] | inside]
• Configurable Inside Interface Support
The Easy VPN feature assumes that the remote network resides on the Fast Ethernet 0 interface. Because the Cisco 1700 platform has several different WAN interface cards (WICs), this presents a crucial restriction for customers. This feature adds a command that allows network administrators to specify which interfaces will accommodate remote users when they configure the Easy VPN profile.
• Multiple WAN Interface Support
This feature allows the Cisco 1700 router to support multiple WAN interfaces for Easy VPN remote tunnels.
• Support for Cisco Easy VPN Client initiated to co-exist with other VPN Tunnels
This enables network administrators to create and maintain active crypto maps for VPN tunnels that are not created within the Easy VPN configuration. It also enables administrators to define and maintain VPN tunnels with Easy VPN-specific tunnels.
• Support for Simultaneous IPSec Client/Server Operation
This feature enables the router to simultaneously act as a Cisco Easy VPN client and VPN server (VPN remote office extensions, also known as a Cisco Unity™ Server) for Cisco VPN software clients.
• Cisco PIX® Firewall Interoperability
In the existing releases of Easy VPN, customers occasionally cannot connect the Easy VPN to a Cisco PIX Firewall, and IPSec security associations fail to initiate between the Easy VPN client and the firewall. When Easy VPN sends a mode configuration request to the firewall, the firewall does not return the mode configuration reply. This feature addresses this problem.
Cisco IOS DHCP Secured IP Address Assignment
This feature allows Cisco 1700 routers to avoid IP spoofing in the wireless LAN environment. This feature for the Cisco IOS DHCP server keeps its database in sync with the Address Resolution Protocol (ARP) table so that IP spoofing can be avoided.
When allocating an address, the Cisco IOS DHCP server adds an ARP entry for the client to the ARP table. This entry can be deleted only by the Cisco IOS DHCP server, when the binding expires. The ARP entry created by the DHCP server should not be overwritten by any unsolicited ARP requests.
Cisco IOS DHCP Accounting, Accounting Start/Stop Messages
This feature addresses the requirements of clients in a public wireless LAN (PWLAN) access network. It allows a network to send an accounting start message when an address is allocated for a client and an accounting stop message when a DHCP lease is terminated. The server receiving the messages can then act on the notification for accounting purposes. For example, an accounting session can be started when an accounting start/stop message is received, or an accounting session can be cleaned up for a particular DHCP client upon lease termination.
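The following sketch is an added illustration, not Cisco IOS code and not part of the original bulletin: a toy Python model of the two DHCP behaviors described above, a secured ARP entry tied to the lease, and accounting start/stop messages on allocation and lease termination. The class, method names, and sample addresses are hypothetical.

```python
# Added illustration: a toy model, not Cisco IOS code. All names are hypothetical.
from dataclasses import dataclass, field

@dataclass
class SecuredDhcpServer:
    pool: list                                       # free addresses
    arp: dict = field(default_factory=dict)          # ip -> (mac, secured flag)
    bindings: dict = field(default_factory=dict)     # ip -> (mac, lease expiry time)
    accounting: list = field(default_factory=list)   # messages sent to the accounting server

    def allocate(self, mac, now, lease=3600):
        ip = self.pool.pop(0)
        self.bindings[ip] = (mac, now + lease)
        self.arp[ip] = (mac, True)                   # secured entry installed with the binding
        self.accounting.append(("start", ip, mac))
        return ip

    def on_arp(self, ip, mac):
        """Handle an ARP packet seen on the LAN; return True if the table changed."""
        entry = self.arp.get(ip)
        if entry and entry[1]:                       # secured: only the DHCP server may change it
            return False
        self.arp[ip] = (mac, False)                  # ordinary dynamic learning
        return True

    def expire(self, now):
        """Remove bindings whose lease has ended, together with their ARP entries."""
        for ip, (mac, expiry) in list(self.bindings.items()):
            if expiry <= now:
                del self.bindings[ip]
                del self.arp[ip]
                self.pool.append(ip)
                self.accounting.append(("stop", ip, mac))

def demo():
    # Constructed sample addresses (documentation range) and MAC addresses.
    srv = SecuredDhcpServer(pool=["192.0.2.10", "192.0.2.11"])
    ip = srv.allocate("aa:aa:aa:aa:aa:aa", now=0)
    spoof_accepted = srv.on_arp(ip, "ee:ee:ee:ee:ee:ee")  # unsolicited claim on a leased IP
    mac_after_spoof = srv.arp[ip][0]
    srv.expire(now=3600)
    return spoof_accepted, mac_after_spoof, ip in srv.arp, srv.accounting

if __name__ == "__main__":
    print(demo())
```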
Software
Maintenance Support:
Maintenance for these features will be available on future 12.2X special releases until the code is incorporated into the sixth maintenance software release of 12.2T.
Detailed Information:
For more detailed information about the platforms and features of Release 12.2(8)YJ, reference the following document: Release Notes for Cisco 1700 Series Platforms for Cisco IOS Release 12.2(8)YJ:
http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122relnt/1700/rn1700yj.htm
Life Span:
Cisco IOS Release 12.2(8)YJ will be sold until the sixth maintenance release of Cisco IOS Software 12.2T.
Image Product Numbers, descriptions and memory requirements are given below:
