New Features in Cisco IOS 12.2(4)T

icon New Features in Cisco IOS 12.2(4)T


As I was saying last month, I happened to be skimming the lists of new Cisco IOS features. Skim is the appropriate word here, the 12.2(4)T new feature documentation alone adds up to a mere 2450+ pages.

See also the following links:

At this point, a whole article on the new Mobile Router feature (complete with tested configurations) intervened. In case you missed it, it can be found at Mobile Router.

I propose this month to take a short look at some of the other new features accumulated by Cisco IOS version 12.2(4) T, especially ones that might be of interest. A lot of the features are useful fine features, but incremental, and I'm not going to spend your or my time writing about them. See the above links. Product Bulletin 1363 (the first link) is a particularly useful summary. However there seem to be things in the other two documents that are missing from 1363, for whatever reason.

My objective here is to call to your attention features that I think are neat, features that you may want to be aware of. My assumption is that the new releases creep up on us, and if we don't make time to skim what's now available, we can miss out on all sorts of good things the Cisco engineers have put into the code!


I noticed this one in Packet magazine: Alarm Interface Controller Network Module for the Cisco 2600 and 3600 Series. This card monitors 64 network elements, and remote controls 16. So a 3660 can monitor up to 384 elements and remote control 64. Think controller for fire/smoke/water detectors, temperature, turning on remote cameras, things like that. Remove dedicated phone lines to the monitoring boxes. Remote POP control!

Network Management

Network Management has the usual crop of new MIBs that will let you manage all sorts of things. Very useful stuff, but nobody wants more details (I suspect). 'Nuf said.

There are some other things that caught my eye:

CNS Configuration Agent, CNS Event Agent

These were something I hadn't really heard about before, more on the Service Provider side of Cisco. Cisco Network Services works with the Cisco Intelligence Engine devices to provision services. " engineers require little training to immediately begin automating routine deployment and configuration tasks". The devices supported include a variety of PE and CE classes of routers. If you're a Service Provider or managing customer devices in large quantities (or perhaps a big Enterprise customer), this might be a Very Interesting feature (and device). The one good link for this that a CCO search came up with was .

NetFlow ToS-Based Router Aggregation

With this feature, your router can roll up NetFlow records based on ToS, and greatly reduce export volume. Rolling up on ToS lets you collect bulk QoS utilization data for each Class of Service in your network. By the way, the NetFlow page off CCO has a Performance report discussing measurements of the impact of various NetFlow features on the routers. The good news is, impact is fairly small.

For a previous article I wrote on NetFlow, see NetFlow.

SA Agent Application Performance Monitor, and SA Agent Support for Frame Relay, VoIP, and MPLS VPN Monitoring

A prior article discussed SAA: Service Assurance Agent (SAA) and the Management Engine. I'm a big fan of SAA for network management. If you're considering going out and buying a whole bunch of boxes to monitor application response times in your network, read about SAA first! Seriously! It might save you a whole bunch of money.

SAA APM monitors application transactions round trip response time and frame loss rates across your network, live, by emulating transactions. The emulation sends traffic from one router (the agent) to another (the client or SAA APM responder). Any router can serve in both roles. Downloadable scripts and config files emulate the applications. APM configuration files contain information about which script and scheduler files to run. Script files are written in TCL. Execution of APM operations can be scheduled through the use of scheduler files.

The following emulation scripts are already embedded in the router running SAA:

  • Frame Relay Monitor operations
  • IPTV, NetMeeting, and RealNetworks audio and video file
  • LDAP (Lightweight Directory Access Protocol)
  • Lotus Notes "send email"
  • NNTP (Network News Transfer Protocol) article retrieval
  • ACSII/BINARY/HEX pattern matching for data integrity
  • Path Jitter Monitor operations
  • POP3 "retrieve email"
  • SAP business-to-business database transaction  (SAP authentication processes, SAP invoice generation, SAP login process, and SAP purchase order generation)
  • SMTP (Simple Mail Transfer Protocol) "send email"
  • Round Trip Time measurement over TCP/IP
  • Round Trip Time measurement over UDP


The big new routing feature in 12.2(2) and 12.2(4) T is IPv6 support. But that's a whole article or two in itself, so we won't go into it here. (For those who are doing IPv6, like cell phone folks outside the U.S., be aware there's already a Cisco course available covering the Phase I implementation. This might be helpful to you if you're trying to gear up for IPv6.)

BGP Conditional Route Injection

Route aggregation loses precision. Conditional route injection allows finer traffic engineering control, by advertising a more specific prefix than the one that would normally result from route aggregation.

BGP Link Bandwidth

Load-sharing proportional to link bandwidth for iBGP and eBGP.

BGP Prefix-Based Outbound Route Filter

ORFcapable routers can use an ORF to replace an inbound route filter. The router with the inbound filter communicates what to filter to the ORF router, which then suppresses the filtered information in what it sends to the other router. This saves bandwidth, by not transmitting information to a neighbor that the neighbor is going to filter out anyway. (Sort of like not saying things at breakfast that you know your spouse won't hear anyway!)

BGP: Multipath Load Sharing

Unequal cost load-balancing via CEF. Available for Service Provider iBGP. Also now available for both iBGP and eBGP in an MPLS VPN setting, with some per-VRF controls.

Dialer CEF

Support for CEF on dialer interfaces. (CEF is required for MPLS and a number of other features.)

OSPF ABR Type 3 LSA Filtering

This feature looks like it fixes what I've always felt was lacking in OSPF. You can now apply filters at OSPF ABR's, affecting what Type 3 LSA's go between areas. You can filter inbound or outbound (or both) Type 3 information. "This is an extension of the OSPF protocol." -- non-standard.

OSPF Stub Router Advertisement

You can configure a router to send out Max metric values. This makes is a stub router, one not used for transit traffic. Reasons you might want to do this:
  • Bring up adjacencies and introduce a new router without immediately routing traffic through the new router
  • Wait for BGP convergence before advertising routes in OSPF
  • Graceful router shutdown in a large OSPF network
You can configure the router to advertise max metric on boot or reload. You can also wait for BGP convergence or a time limit to expire (default 600 seconds).

OSPF Update Packet-Pacing Configurable Timers

Tune LSA pacing for rare CPU, buffer, or bandwidth issues associated with large volumes of LSA's.

Using 31-Bit Prefixes on IPv4 Point-to-Point Links

You can now save addressing on point-to-point links by using a /31 mask ( The Cisco routers will permit this abuse of subnetting and work. (Whether HP Openview and other tools will like this trick is another good question!)



Secure Copy is like RCP (TCP-based reliable file/IOS image transfer) but using SSH for security. This provides a secure, reliable, authenticated method for transfer of router configuration or image files!

Secure terminal line access

Instead of using reverse telnet through a terminal server, you can now do it with SSH. This helps avoid compromising remote site enable passwords when managing routers via a terminal server.

DF Bit Override Functionality with IPSec Tunnels

IPsec increases packet size and can cause MTU issues. If client PC's are setting the DF bit and expecting Path-MTU to work, and it is instead failing due to a firewall consuming ICMP MTU exceeded messages, you can configure the IPsec tunnel router to ignore DF and fragment anyway. This is not great but provides a Service Provider workaround that may scale better than educating customers about firewalls stopping all ICMP packets.

Distributed Time-Based Access Lists

Time ACL's can now be distributed to line cards for enhanced performance on 75xx models.

NAT Support of H.323 RAS

Speaks for itself. NAT now supports all H.323 RAS message types, including those with IP addressing in the payload (requiring a "fixup").

NAT—Ability to Use Route Maps with Static Translations

This enables NAT multi-homing with static translation maps. The route map sets the next hop address for the packet depending on which of the two outside addresses is used.

NAT—Static Mapping Support with HSRP for High Availability

Previously, if you set up two HSRP routers with the same static mapping, you had to wait for neighboring ARP caches to age out before failover would complete. Now, NAT responds with the HSRP MAC address in use by the HSRP router. If that router fails, the neighbors may continue using the HSRP MAC address to reach the statically mapped NAT address via the standby router.

NAT—Translation of External IP Addresses Only

This feature disables NAT fixups, and only translates the external packet header, not any IP addresses in the payload. This can facilitate IPsec and some network designs, where the internal packet payload fixup is not desired.


Two-Rate Policer

CBWFQ policing can be used with one or two threshold rates now. With one rate, you specify behaviors for conforming and excess traffic. (Conforming is traffic less than the one rate, excess is anything over the one rate.) With two rates, you have conforming, excess, and violate behaviors (think green, orange, and red light: below the lower threshold, in between the two thresholds in the warning zone, or above the top threshold and violating.)

Low Latency Queueing with Priority Percentage Support

LLQ can be configured with a percentage instead of just a raw policed bandwidth. This form is handier for cut-and-paste rapid QoS deployments (followed by tuning on high and low bandwidth interfaces, one hopes). Thanks to Scott Morris for suggesting this enhancement while sitting in a San Jose class listening to me sounding off about how this would be handy! (Hey, I was impressed!)

RSVP Scalability Enhancements

This allows Service Providers to use RSVP for Admission Control but not QoS classification.The RSVP packets can be forwarded through non-RSVP aware routers! This allows the SP customer to use RSVP for CAC, but without requiring the SP to run RSVP on its core routers, where scaling might be a concern. The SP can still use CBWFQ classification and marking to provide QoS features to the traffic admitted by RSVP.

Control Plane DSCP Support for RSVP

Faster RSVP by setting ToS/IP Precedence/DSCP bits in RSVP messages.

Other recent QoS features that pretty much describe themselves:

  • RSVP Support for ATM/PVCs
  • IP to ATM Class of Service Mapping for SVC Bundles
  • Class-Based Frame-Relay DE-Bit Matching and Marking


Advanced Voice Busyout

This has been around for a while, but is a very nice feature. In case SAA (see above) detects high round trip times for simulated voice traffic, you can busy out the PBX port, causing the PBX to make toll calls (say), instead of poor-quality calls via a VoIP gateway.

Call Admission Control for H.323 VoIP Gateways

Resource-based (smarter) CAC on your H.323 gateways.

Cisco High-Performance Gatekeeper

Clustering, failover, and other reliability enhancing features for H.323 gatekeepers.

Inter-Domain Gatekeeper Security Enhancement

Carrier to carrier gatekeeper security, with authentication and authorization control.

MGCP: Misc Features

Lots of new MGCP features and support.

Voice over ATM with AAL2

ATM AAL2 voice support.


Bisync-to-IP Conversion for Automated Teller Machines

Bank ATM connectivity over IP.

PPP over Ethernet Client

Connect your router via DSL to a Service Provider assuming a PC client running PPPoE.


I'll just list the features. If you're into MPLS, you're probably already aware of most of these. And if not, you don't care!
  • DiffServ Aware MPLS Traffic Engineering
  • MPLS Traffic Engineering—Automatic Bandwidth Adjustment for TE Tunnels
  • MPLS Traffic Engineering (TE)—IP Explicit Address Exclusion
  • BGP Multipath Load Sharing for eBGP and iBGP in an MPLS-VPN
  • SNMP Support over MPLS VPNs


I'm not yet sure what next month's article will be. I've been thinking of doing some articles on voice topics, also on Security topics (we're long overdue to cover the PIX). I can also do CCNA preparation articles. Questions, suggestions for articles, etc. can be sent to This email address is being protected from spambots. You need JavaScript enabled to view it. .


Dr. Peter J. Welcher (CCIE #1773, CCSI #94014) is a Senior Consultant with Chesapeake NetCraftsmen. NetCraftsmen is a high-end consulting firm and Cisco Premier Partner dedicated to quality consulting and knowledge transfer. NetCraftsmen has eleven CCIE's (4 of whom are double-CCIE's, R&S and Security). NetCraftsmen has expertise including large network high-availability routing/switching and design, VoIP, QoS, MPLS, network management, security, IP multicast, and other areas. See for more information about NetCraftsmen. . New articles will be posted under the Articles link. Questions, suggestions for articles, etc. can be sent to This email address is being protected from spambots. You need JavaScript enabled to view it. .

Copyright (C)  2002,  Peter J. Welcher