As customary with Cisco IOS releases, the newest one has an extensive range of features tucked into the code, with enhancements that could help users bolster their VOIP and security implementations.
IOS Version 12.4(11)T was made available to user -- less any fanfare -- in late November. Among the 30 new features in the code are expanded and higher availability for some key VOIP protocols -- SIP and H.323 -- as well as support for VoiceXML (VXML). Some fixes and updates on how Cisco routers perform Network Admission Control (NAC) and IPS functions are also part of the extensive features package.
While Cisco has been on a SIP push lately, with the release of its SIP-based CallManager 5.0 IP PBX in February, the vendor is now shoring up support for the protocol in IOS.
"We did have some gaps in SIP" in the IOS feature set, says Jennifer Lin, a Cisco product manager. "Many customers are still using older protocols and have not yet moved to SIP, but we're definitely seeing more mainstream SIP interest."
The software now supports SIP trunking directly to an IP circuit, connecting the router to a SIP-based VOIP network. This could help a company subscribing to an IP Centrex VOIP service by eliminating the need for an extra SIP gateway device at the site. Running SIP trunking and gateway services in IOS on the router also eases the deployment of SIP-based Cisco CallManager IP PBXs across an enterprise by offloading SIP processing from the CallManager, according to Cisco and analysts.
"SIP has its own routing overlay on top of IP," says Robert Whiteley, senior analyst with Forrester Research. "By putting SIP into the router, you're bogging down CallManager server with the heavy lifting of SIP routing."
Cisco is also adding support for videoconference failover in its Survivable Remote Site Telephony (SRST) feature in IOS. SRST allows a branch-office router with a backup ISDN connection to fail over VOIP calls to that link, in case of failure on a primary circuit (such as a T-1 or T-3) that connects the office to a main site.
SRST now covers videoconferencing, using the H.320 and H.323 protocols. In case of a primary link failure, a branch office conducting a videoconference with other sites would be able to continue if the primary links goes down.
Another VOIP-related upgrade to IOS is the ability to load-balance H.323 gateways, which are used to set up VOIP and IP video links over a WAN. In a setup where multiple H.323 gateways handle VOIP traffic, the IOS router can now determine which gateway is least utilized, and send VOIP traffic to that device; VOIP traffic distribution to H.323 gateways was done randomly in the past by Cisco routers.
The introduction of VoiceXML 2.0 is another upgrade to IOS that could help users deploying call center applications that integrate speech recognition. Cisco says that support for this protocol in IOS will allow better integration applications that support VoiceXML -- such as interactive voice response (IVR) systems that communicate with databases via the VoiceXML standard.
Besides these VOIP improvements, security fixes and add-ons around Cisco's NAC and IPS functions in IOS are included in the new code.
IOS now supports the intrusion-prevention system (IPS) signature format supported in Cisco IPS 5.0 devices on Cisco routers, allowing the routers to recognize threats in traffic flows based on this signature format. Past IOS versions could only support Cisco IPS 4.0 signatures. This was a sticking point for Rob Maerz, infrastructure manager for a national IT consulting and integration firm he preferred not to name. While Maerz had deployed IPS 5.0 devices at his company's headquarters, he could not get the Cisco ISR 2800 routers to work with the IDS box to recognize certain attack signatures.
"For people like me who have invested heavily in these routers, believing that I was getting top-of-the-line security defense, I feel like I've been duped," he said, prior to the new IOS upgrade with the IPS 5.0 support.
Maerz say he is currently planning network maintenance time to download the new IOS version and upgrade his routers with the new code.
For other users of Cisco's NAC technology on WAN routers, a new feature in IOS can allow users to set up policies for granting limited access to the network in case a Cisco Authentication Authorization and Accounting (AAA) server fails or becomes unavailable.
While a slightly obscure issue, this could be a stumbling block to users deploying NAC. In the NAC framework, Cisco AAA servers are used to verify the antivirus status of user machines attaching to the network. If the client's antivirus profile fails, the router denies access to the network but the client connection can be sent to a secure VLAN, or quarantine segment, with limited network access and links to antivirus remediation servers.
However, if the AAA server becomes available, the router denies all client access to the network. The new IOS feature -- called Auth Fail Open -- allows users to create various policies for handling client connections besides just denying access. When AAA service resumes, the router would resume NAC functions as before, Cisco says.