Cisco IOS Software Release 12.4(4)T Aggregated Data

 
 
Product Bulletin 
© 2009 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. 
Page 21 of 299
downloaded from the KS take over, governing the GMs' behavior, and the fail-close ACL and 
implicit "permit ip any any" are dropped. GMs keep the policies downloaded from the KS 
even if re-registration fails and the IPsec SA has expired. 
Note: GET VPN previously supported fail-close using an interface ACL. With the above 
feature, an interface ACL may no longer be required. Fail-close with an interface ACL might still be 
useful to customers who want to enforce a policy that certain packets must always be 
encrypted, regardless of the policy downloaded from the key server. 
● Change Key Server Role 
This feature allows you to switch the primary Key Server (KS) by forcing an election. Issuing 
the new clear crypto gdoi ks coop role command on the primary Key Server makes it 
relinquish the primary role and initiate an election. If the priorities have changed, a new 
primary is elected. Note: this command does not clear any policies; it merely 
facilitates switching the primary KS. 
● Co-operative Key Server: Sharing Keys 
This feature optimizes the number of rekeys sent out in the event of a network split, 
allowing the network to stabilize rapidly. When a network split occurs, a secondary 
KS takes over the partition that cannot reach the primary; with this new feature, the new primary 
reuses the existing policies where possible. At the split, a rekey is sent only if there are keys 
due to expire within the lifetime threshold (150 seconds). Unless this threshold is 
met, the current keys and policies are retained on the KS separated from the primary. This 
new ability to share keys created by another KS reduces the number of policies to 
manage, thereby improving cooperation between the KSs. 
● Re-key From Secondary on Merge 
This feature distributes rekeying when a partitioned network merges back. When the merge 
occurs, the newly demoted secondary KS takes responsibility for sending rekeys to the 
group members in its database. The primary KS is freed from having to send out all rekeys 
and can focus on rekeying only the members in its own database. 
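The cooperative key server behavior described in the three features above (forced election, split-time rekey threshold, merge-time rekey distribution), as an added Python model that is not Cisco code. The 150-second threshold is taken from the bulletin; the priority values, KS names, GM names, and key lifetimes are constructed assumptions.

```python
from dataclasses import dataclass, field

# Lifetime threshold stated in the bulletin: at a split, rekey only the keys
# that are due to expire within this many seconds.
SPLIT_REKEY_THRESHOLD_SEC = 150

@dataclass
class Key:
    name: str
    remaining_sec: int  # seconds until this SA expires (constructed values)

@dataclass
class KeyServer:
    name: str
    priority: int                                # COOP election priority (assumed field)
    members: set = field(default_factory=set)    # GMs registered in this KS's database
    keys: list = field(default_factory=list)     # keys/policies this KS currently holds

def elect_primary(servers):
    """The KS with the highest COOP priority becomes primary; the rest are secondaries."""
    return max(servers, key=lambda ks: ks.priority)

def relinquish_primary(servers, primary):
    """Model of 'clear crypto gdoi ks coop role' issued on the primary: it gives up
    the role and an election runs. No policy is cleared; if priorities are
    unchanged, the same KS is simply re-elected."""
    return elect_primary(servers)

def keys_to_rekey_on_split(ks):
    """The KS that becomes primary for its partition keeps the existing keys and
    policies and rekeys only those expiring within the threshold."""
    return [k.name for k in ks.keys if k.remaining_sec <= SPLIT_REKEY_THRESHOLD_SEC]

def rekey_targets_on_merge(demoted_ks):
    """After the merge, the newly demoted secondary rekeys the GMs in its own
    database, so the primary only has to rekey its own members."""
    return sorted(demoted_ks.members)

if __name__ == "__main__":
    shared = [Key("KEK", 7200), Key("TEK-1", 120), Key("TEK-2", 3000)]
    ks_a = KeyServer("KS-A", priority=100, members={"gm1", "gm2"}, keys=list(shared))
    ks_b = KeyServer("KS-B", priority=75, members={"gm3"}, keys=list(shared))
    print("primary after election:", elect_primary([ks_a, ks_b]).name)
    print("KS-B rekeys at split:", keys_to_rekey_on_split(ks_b))
    print("KS-B rekeys on merge:", rekey_targets_on_merge(ks_b))
```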
Benefits 
● Enables controlled deployments in phases 
● Provides the ability to eliminate the flow of unencrypted data packets 
● Allows the primary key server to be changed midstream, e.g., for scheduled maintenance 
● Optimizes cooperative key server communications during split and merge, providing better 
stability 
Hardware 
Routers 
●  Group Member (GM): Cisco 870, 88, 1800, 2800, 3800 and 7200 Series and Cisco 7301 
●  Key Server (KS): Cisco 1840, 2800, 3800 and 7200 Series and Cisco 7301 
 
3.1.7) IOS SSL VPN Internationalization 
Cisco IOS SSL VPN Internationalization lays the framework for supporting multiple languages in the 
login and portal pages. Users can select their language preference for the session from 
a drop-down menu at the time of login.