Cisco Cisco IOS Software Release 12.4(4)T Données agrégées
Product Bulletin
© 2009 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information.
Page 19 of 299
Table 3.
Detailed Capabilities of DMVPN Per Tunnel QoS Functionality
Feature
Benefit
Dynamic QoS policy allocation for spokes during the
NHRP registration with hub
NHRP registration with hub
Simplifies QoS configuration on the hub router for dynamically
addressed spokes
addressed spokes
Cisco Modular QoS CLI (MQC) support configuration in
every spoke policy
every spoke policy
Allows prioritization to VoIP/delay sensitive data traffic
Protect critical control traffic before and after encryption
Enhances network stability
Dynamic QoS on the hub ensures optimal traffic flow
when a spoke connects to the hub
when a spoke connects to the hub
Simplifies QoS enablement in VPN networks
Protect the crypto engine by supporting full tunnel
queuing hierarchy in hierarchical queuing format; QoS
queuing and shaping happens before encryption
queuing hierarchy in hierarchical queuing format; QoS
queuing and shaping happens before encryption
Avoids anti-replay error reporting with IPSec
Shaping and queuing happens at the physical interface
Centralizes QoS policy in the router and simplifies configuration
Protection for critical control traffic before and after
encryption
encryption
Enhances network stability
Dynamic QoS allocation on the hub router protects the
spoke from traffic bursts
spoke from traffic bursts
Protects small spokes from becoming overwhelmed from large hub
sites
sites
Hardware
Routers
● Cisco 800, 1800, 2800, 3700, 3800, and 7200 Series Routers
Additional Information:
Product Management Contact:
3.1.4) Certificate IP Address Extension Support
This feature enables support for RFC3779, X.509 Extensions for IP addresses. One of the first
protocols to use this feature will be the SEcure Neighbor Discovery Protocol (SEND). IPv6 hosts
run Neighbor Discovery Protocol (NDP) to discover other devices on a link. If this link is not
secured, NDP is vulnerable to various attacks such as neighbor solicitation/advertisement spoofing
and duplicate address detection DoS attacks. SEND is designed to counter the threats to NDP and
can use X.509 IP extensions to provide a stronger control on prefix advertisements.
This feature enables support for RFC3779, X.509 Extensions for IP addresses. One of the first
protocols to use this feature will be the SEcure Neighbor Discovery Protocol (SEND). IPv6 hosts
run Neighbor Discovery Protocol (NDP) to discover other devices on a link. If this link is not
secured, NDP is vulnerable to various attacks such as neighbor solicitation/advertisement spoofing
and duplicate address detection DoS attacks. SEND is designed to counter the threats to NDP and
can use X.509 IP extensions to provide a stronger control on prefix advertisements.
Note that with SEND, RFC3779 (X.509 Extensions for IP addresses) is an optional feature. While
SEND will provide its full capabilities with this version of PKI, it could still be deployed with older
PKI versions that don't support IP extensions.
SEND will provide its full capabilities with this version of PKI, it could still be deployed with older
PKI versions that don't support IP extensions.
Benefits
●
Generates certificates with IP extensions
●
Counters threats to NDP
●
Allows for stronger control on prefix advertisements
Hardware
Routers
● Cisco 87x, 88x, 1800, 2800, 3700, 3800, 7200, and 7301 Series Routers
Additional Information:
Product Management Contact: