There may be a few network engineers out there who jump at
the chance to upgrade Cisco routers to the latest software and drool over IOS release
notes. However, I suspect that for most of you, “investigate and upgrade to the
latest router IOS” is right up there with “reorganize file cabinet” and “clean out
storage room.” As a result, I am willing to bet that most of you haven’t
upgraded your routers to the latest version of Cisco IOS 12.3.

The first release of IOS 12.3 was in 2003. Since then, Cisco
has made a number of minor releases that have included some very useful
features. So, whether you don’t have any idea what version of code you are
running or you ran out and upgraded to 12.3 when it first came out and have
ignored the subsequent releases, you should take a close look at the new
features that are included in this IOS release.

I am going to highlight some of the major features included
in IOS 12.3. I won’t talk about the new IPv6 firewall that next-to-no-one is
going to use. Below is a list of 12 features I found most important, but there
are literally hundreds of other features. You can find out more about the
various features in Cisco’s IOS 12.3 documentation.


Author’s note

The name of
each of the new features is linked to Cisco’s configuration documentation for
that feature.


  1. Network
    Admission Control (NAC)

    Cisco’s NAC runs on Cisco routers (NAC on switches is coming soon). With NAC,
    you also have client software on every PC on your network (the Cisco Trust
    Agent), and a Cisco Secure Access Control Server (ACS) must be on the network.
    Before a PC is given network access, its antivirus definition version is checked
    (NAC can check other software versions as well). If the PC does not have the
    required version, it is not admitted to the production network; instead, it can
    be quarantined to a separate network where it can perform the necessary
    upgrades. Bear in mind that the posture check is only as trustworthy as the
    agent reporting it, so NAC is a control against out-of-date machines rather
    than against a deliberately hostile one. Microsoft has been working on a
    similar product called Network Access Protection (NAP). Fortunately, the two
    companies have gotten together to try to make their competing products
    compatible. For more information on that, read “Cisco and Microsoft Join Forces to
    Help Customers Address Security Threats.”

  2. Intrusion
    Prevention System

    In IOS 12.0(5)T, Cisco introduced an Intrusion Detection System (IDS). That
    version offered only 59 signatures to identify intrusions, and the signatures
    could not be updated, so as new types of attacks appeared, the IOS did not
    detect them.

    As of IOS 12.3(11)T, Cisco offers an Intrusion Prevention System (IPS) with
    118 signatures. The important difference in the new IPS is that it lets
    customers add new signatures as new attacks are developed. It does this by
    using a Signature Definition File (SDF) stored in the router’s flash. Customers
    can sign up for new IPS Alerts and read about existing alerts at Cisco’s
    Intrusion Prevention Alert Center. When a packet that matches a signature
    passes through the router, the router can be configured either to alert the
    network administrator or to drop the packet and send an alert. Cisco claims
    that, due to the new design, this can be done without affecting router
    performance; as with any inline inspection, measure CPU on your own platform
    with your own traffic before trusting that, and decide up front whether the
    router should fail open or fail closed if the SDF cannot be loaded.
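
    As an added example (not taken from the article or from Cisco’s documentation),
    this is the minimum needed to load a Signature Definition File and put IPS
    inline on one interface. The file name attack-drop.sdf in flash, the interface
    FastEthernet0/0, the rule name IOSIPS, and the syslog host 10.1.1.50 are
    assumptions for the example:

```cisco
! Added example, not from the article. Assumes attack-drop.sdf has been copied
! to flash, FastEthernet0/0 faces the untrusted network, and 10.1.1.50 is a
! syslog server.
!
! Point IOS IPS at the loadable Signature Definition File in flash.
ip ips sdf location flash:attack-drop.sdf
!
! If the SDF cannot be loaded, drop traffic instead of silently passing it
! uninspected. Omit this line if you would rather fail open.
ip ips fail closed
!
! Send alarms to syslog ("ip ips notify sdee" is the other option).
ip ips notify log
logging host 10.1.1.50
!
! Define a named IPS rule set and apply it to traffic entering from outside.
ip ips name IOSIPS
!
interface FastEthernet0/0
 ip ips IOSIPS in
!
! Verify after loading:
!   show ip ips configuration
!   show ip ips signatures
```

    The fail-closed line is the one to think about: with it, traffic on that
    interface is dropped if the SDF is missing or corrupt; without it, the router
    passes traffic uninspected and you may not notice. Use show ip ips
    configuration and show ip ips signatures to confirm which signatures are
    loaded and what action each is configured to take.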

  3. Optimized
    Edge Routing (OER)

    OER is a new feature that allows load distribution at the
    WAN edge. At my company, we have two T1 circuits to the Internet running BGP
    best-path routing. (I detailed this in “How to use BGP to achieve Internet redundancy.”)
    While it does give us redundancy, it does a poor job of load balancing. This is
    because one provider is a Tier 1 and the other is a Tier 2. The Tier 1 provider
    almost always offers shorter paths and almost all the traffic goes across that
    circuit. We have tried to load-balance using weight and MED, but it doesn’t
    always work.

    OER should be able to solve this type of load-balancing
    issue. With OER, you define the policy for your latency, throughput, and link
    cost parameters. The router uses this policy to determine how to balance the
    load across your multiple WAN links. Most likely, these are Internet links, but
    they could be other types of WAN links. OER supports both static routing and
    BGP. All this can be configured on the router’s IOS. If you want to have a
    graphical interface to control a more complex OER environment, you can buy an
    add-on OER Linux-based product called OER Master Controller Engine.

  4. Transparent
    Firewall

    Say that you want to add a firewall between two networks.
    Normally, just like a router, each interface of a firewall has to be on a
    different IP subnet. That sounds like a large network change, right? It doesn’t
    have to be so complicated anymore.

    With IOS 12.3(7)T, Cisco introduced the Transparent Firewall. Because it works
    at Layer 2, it can be added to an existing network with minimal configuration
    and no readdressing, and it provides firewall security for that network. In
    fact, you can run a Layer 2 Transparent Firewall on the same router that’s
    running the Layer 3 Firewall feature. In its most basic form, the Transparent
    Firewall works like this: create a bridge group, put your interfaces in it,
    enable “ip inspect” (the firewall) on one of the interfaces, create an access
    list and apply it to the other interface, and voila, your Transparent Firewall
    is done.
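
    As an added, illustrative configuration (not from the article or from Cisco’s
    documentation), here is that basic form with two interfaces in one bridge
    group. The interface names, the management address 192.168.1.254/24 on the
    BVI, the inspected protocols, and the published server 192.168.1.10 are
    assumptions for the example:

```cisco
! Added example, not from the article. Assumes FastEthernet0/0 faces the inside
! hosts, FastEthernet0/1 faces the untrusted side, and 192.168.1.0/24 is the
! existing subnet on both sides of the bridge.
!
! Inspection rule set: track sessions that originate from the inside.
ip inspect name INSIDE-OUT tcp
ip inspect name INSIDE-OUT udp
ip inspect name INSIDE-OUT icmp
!
! Deny-by-default ACL for the untrusted side. Inspection adds temporary entries
! to this ACL for the return traffic of sessions it has seen; anything else
! from outside needs an explicit permit, such as the published server below.
access-list 101 permit tcp any host 192.168.1.10 eq 443
access-list 101 deny ip any any log
!
! One bridge group. IP lives on the BVI only, so the router keeps a management
! address without the physical interfaces needing separate subnets.
bridge irb
bridge 1 protocol ieee
bridge 1 route ip
!
interface FastEthernet0/0
 description inside
 no ip address
 bridge-group 1
 ip inspect INSIDE-OUT in
!
interface FastEthernet0/1
 description outside
 no ip address
 bridge-group 1
 ip access-group 101 in
!
interface BVI1
 ip address 192.168.1.254 255.255.255.0
```

    The deny-everything ACL on the outside interface is what actually blocks
    unsolicited inbound traffic; the inspect statement on the inside interface
    only opens holes in it for the return half of sessions it has watched (list
    them with show ip inspect sessions). The BVI is optional and is there only
    so the router has an address in the bridged segment for management. Only IP
    is inspected: non-IP protocols that the bridge forwards pass untouched, so
    add a bridge-group access list if that matters in your environment.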

  5. Warm Upgrade

    Warm Upgrade allows a running router to read an IOS image,
    decompress it, and immediately boot it. This keeps the router from having to
    shut down, go back to ROMMON, load the image, and decompress the image. Cisco
    says that this feature, which complements the Warm Reload feature introduced in
    IOS 12.3(2)T, will cut down the time for router reboot
    from four minutes to two minutes.

  6. AutoQoS for the Enterprise

    AutoQoS (Quality of Service) is a
    new feature that discovers the types of traffic on your network and the speeds
    of your interfaces, and then configures a QoS policy for that traffic according
    to Cisco’s best practices. It is primarily designed to help voice and video
    quality over the WAN but can be used for a variety of other things. AutoQoS can
    do in a few minutes what could take a network expert a few hours. The downsides
    are that AutoQoS offers few options, it does not react to later changes in the
    network, and once it is configured, you still need a network expert to review
    the generated policy and make sure that it is working properly.

  7. AutoSecure

    AutoSecure analyzes your router’s
    security settings and can make changes for you. I won’t go into detail on AutoSecure because I wrote a full article on it for TechProGuild called “Automate Security Configurations
    with IOS 12.3
    .”

  8. CallManager Express (CME) and Survivable
    Remote Site Telephony (SRST)

    CallManager Express (CME) has
    evolved from allowing a router to be a very limited, stand-alone, Voice-over-IP
    (VoIP) phone system to a nicely featured small to medium
    enterprise (SME) phone system (on a router).

    Concerning SRST, picture a large corporation that has a
    centrally managed CallManager (a Cisco VoIP phone system) with many remote locations. At these
    remote locations, the routers would have SRST configured so that if the WAN
    connection to the central CallManager was lost, the
    SRST-enabled router could provide limited calling features for the remote
    phones.

  9. Dynamic
    Multipoint VPN (DMVPN)

    Okay, you got me: Technically, this feature came out in
    12.2(13)T, but it is so cool that I wanted to point it
    out. DMVPN allows routers to dynamically bring up, as needed, VPN tunnels to
    each other over the Internet. Better yet, these tunnels require only a very
    simple configuration. In the past, to create a fully meshed VPN network, there
    would have to be a fair amount of configuration on every router (or VPN concentrator)
    for every remote site. As the number of remote sites grew, these always-up VPN
    tunnels became very cumbersome to scale and the configurations were
    unmanageable. With DMVPN, a fully meshed VPN network can scale, and VPN tunnels
    are brought up only if needed.

  10. IPSecStatefulFailover

    This feature does exactly what its name says. You have two routers, both
    terminating IPSec tunnels, presented to the LAN as a single virtual gateway
    with the Hot Standby Router Protocol (HSRP). If the active router goes down, in
    either a planned or unplanned situation, the standby router takes over and the
    IPSec tunnels never go down. While this has been available on higher-end VPN
    concentrators, including it free in the router’s IOS is a very nice addition.

  11. Network-Based
    Application Recognition (NBAR)

    Most routers just look at traffic at Layer 3. With NBAR, a
    router can look at Layers 4 through 7. That means that a router can recognize
    applications. Once it can recognize the applications, it can then take some
    action to ensure that that application gets higher priority, drop packets from
    that application, or take some other action. NBAR has been around since IOS
    12.0, but it recognized only a small number of applications. What is new in IOS
    12.3 is that NBAR can now recognize many more applications and new applications
    can be dynamically added using a PDLM (Packet Description Language Module).
    Cisco regularly releases new PDLMs for new
    applications. You can find that list at their PDLM Web page (valid CCO login required).
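
    As an added example (not from the article or from Cisco’s documentation), the
    following shows the pattern the paragraph describes: load a PDLM, discover
    what is on the link, then classify by application and act on it. The interface
    name, the bittorrent.pdlm file in flash, the protocol names, and the voice
    bandwidth figure are assumptions for the example:

```cisco
! Added example, not from the article. Assumes Serial0/0 is the WAN link and
! that a downloaded bittorrent.pdlm has been copied to flash.
!
! Load an add-on PDLM so NBAR can recognize a protocol the base image does not.
ip nbar pdlm flash:bittorrent.pdlm
!
! Step 1: measure before you write policy.
interface Serial0/0
 ip nbar protocol-discovery
! Then inspect the results, e.g.
!   show ip nbar protocol-discovery interface Serial0/0 stats bit-rate top-n 10
!
! Step 2: classify by application rather than by port number.
class-map match-any P2P
 match protocol kazaa2
 match protocol gnutella
 match protocol edonkey
 match protocol bittorrent
class-map match-all VOICE
 match protocol rtp audio
!
! Step 3: act on the classes: give voice a priority queue, drop P2P outright.
policy-map WAN-OUT
 class VOICE
  priority 256
 class P2P
  drop
 class class-default
  fair-queue
!
interface Serial0/0
 service-policy output WAN-OUT
```

    Leave protocol discovery running for a while before committing to the policy;
    the top-n output tells you whether the applications you intend to drop are
    really what is filling the link. NBAR is not free: it examines packet payloads
    on the router CPU, so watch show processes cpu after enabling it. It also
    recognizes applications by their known behaviour, so something that tunnels
    over HTTP or encrypts its traffic may not be classified at all.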

  12. Cisco
    Security Device Manager
    (SDM)

    SDM is a free Java management tool for routers. It requires
    IOS 12.2 or 12.3, depending on your router’s model. I did a full article on SDM
    so I won’t go into what it offers. For more information, check out the TechProGuild article “Use the free Cisco Security Device
    Manager to work with routers
    .”

Final analysis

I hate to sound like those lawyers on TV commercials pitching
their services, but here are some things you need to know:

  • Upgrading your IOS requires
    that you either be covered by a Cisco SmartNet maintenance contract or buy
    the latest IOS from a Cisco reseller.
  • Some of the features mentioned
    here are available only in certain versions of the IOS. That version of
    the IOS may not function on all routers due to CPU, RAM, and flash
    requirements. Visit the Cisco
    IOS Upgrade Planner
    (valid CCO login required) to see the latest
    version of the IOS that your router supports.
  • Once you know the latest IOS
    that your router supports, you can find out if the features you want are
    in that IOS. To do that, browse the release notes for that IOS at Cisco
    IOS New Feature Documentation
    .

Perhaps there are some features in IOS 12.3 that can make
your life easier or make your network more secure. I have ordered additional
flash memory for my core Internet router just to do the upgrade and get the OER
routing. I hope that you find some of the new Cisco IOS features as exciting as
I do. Upgrading your Cisco routers may seem like a pretty mundane chore, but
the new features make it well worth the effort.