Cisco Systems Users Magazine



Volume 8 Number 3, Third Quarter 1996

Broadcast Address

By Christine Hemrick, Vice President of Marketing, Cisco Systems Internet Business Unit


As the surge of Internet headlines and hype continues, companies are now getting down to the serious work of building enterprise-scale Internet and intranet applications. Like many technology companies, Cisco is launching new initiatives and introducing innovative technology for this emerging computing frontier. But unlike others, Cisco is already familiar with this expanding terrain. Cisco Systems has been the leading supplier of internetworking hardware and software for more than ten years, providing 80 percent of the routers used on the global Internet.

Now we're expanding our mission to complement and enhance the base of Cisco routers, switches, and internetworking software to help users build end-to-end Internet solutions. Cisco is delivering a unique mix of products that will transform the Internet and intranets into a single, universal communications network. These products solve the challenges associated with scaling Internet/intranet applications, securing Internet transactions, and reducing the complexity and cost of a TCP/IP client/server environment.

Customers and partners are telling us two key things. First, they are increasingly challenged to keep up with the resource demands and costs associated with integrating networking tools from different vendors. They want "plug-and-play" solutions that encompass servers, clients, routers, switches, and all the utilities needed for these to work seamlessly together. Secondly, they want to leverage the comprehensive functionality of the Cisco Internetwork Operating System (Cisco IOS[tm]) software they have deployed in their network routers and switches. By providing more end-system software and other products that leverage the richness of the Cisco IOS feature set, customers get early and maximum returns on their network investments.

Answering these concerns has led us into a new product line of systems and software called CiscoAdvantage[tm]. CiscoAdvantage products extend from the desktop to the server, ensuring that customers have integrated TCP/IP services that fully leverage the value-added functionality of their existing networks. These services include firewall and address translation gateways, Internet traffic distribution systems, and a broad portfolio of TCP/IP and multimedia services and applications for Windows 95, Windows NT, Sun Solaris, and Digital OpenVMS desktop and server platforms.

As an example, features such as IP multicasting and the Resource Reservation Protocol (RSVP) are critical for providing the high quality of service and bandwidth-efficient networking that multimedia applications require. Cisco is now providing the "middleware" and TCP/IP software that allow client and server applications to access these critical network features.

Many network managers wrestle with scalability problems as their Web sites grow in popularity. The CiscoAdvantage LocalDirector and DistributedDirector products leverage the intelligence of the routed internetwork to transparently distribute Internet sessions, track sessions among servers, and balance the load among multiple sites and locations.

By providing end-to-end solutions that have been designed and tested in an integrated fashion, we are reducing integration costs, improving reliability and serviceability, and helping users deploy networks more rapidly to keep them a step ahead of their competitors.

Is this a new business emphasis for Cisco? Most definitely, as evidenced by the newly formed Cisco Internet Business Unit and the company-wide charter to advance Internet technology and applications throughout the entire Cisco product line. But as we continue to work with customers and partners, we discover that many of the technical resources they need to tame the Internet landscape spring from the Cisco products and services they already have in place.


Christine Hemrick,
Vice President of Marketing,
Cisco Systems Internet Business Unit


CiscoAdvantage Products Enhance Key Dimensions of Intranet and Internet Communications

Network managers are challenged to keep pace with the demands and costs of integrating the multiple systems and tools, from different vendors, that are required to build an enterprise intranet or provide connectivity to the worldwide Internet. This complexity is continuously increasing with the explosive growth in new technology and products, prompting network managers to seek highly integrated, end-to-end solutions.

"Cisco Systems customers understand the value to be gained from the Cisco IOS software," says Christine Hemrick, Vice President of Marketing for Cisco's Internet Business Unit. "They now want to extend this functionality from the routers and switches to desktop systems in order to get early and maximum return on their investments in both intranets and Internet access."

Cisco is addressing these customer needs with the new CiscoAdvantage[tm] products, which leverage the proven, high-performance features of the Cisco Internetwork Operating System (Cisco IOS[tm]) software. These products improve network security, manage Internet and World Wide Web traffic, support connectivity from different systems, and enable multimedia applications. In combination with Cisco's routers and switches, the CiscoAdvantage products deliver the industry's only end-to-end solution for building and providing access to an intranet or the Internet.

Improving Security

Cisco's Private Internet Exchange (PIX) Firewall, available now, is a standalone product that acts as a robust firewall, concealing the architecture of an internal network from the outside world. It also allows secure access to the Internet from within an enterprise network.

The PIX Firewall product offers reliable, strong firewall security without the administrative overhead and risks associated with UNIX-based firewall systems. The network administrator receives a complete log of all transactions, including attempted break-ins on the internal network. With only five commands, setup of the PIX Firewall can be completed in less than five minutes.

The PIX Firewall products combine hardware and software in a rack-mounted enclosure, with a choice of configurations that support from 32 to more than 16,000 simultaneous TCP/IP connections. Two Ethernet interfaces provide connectivity to internal and external networks. Currently, the PIX Firewall supports 10- and 100-Mbps Ethernet.

For more information on this product, see "Firewall Security."

Managing Traffic

Cisco's LocalDirector system meets the demands of high-volume TCP/IP traffic by allowing multiple, collocated servers to appear as a single logical server. The session distribution algorithm (SDA) in LocalDirector improves access and service to World Wide Web users by dynamically allocating connections among multiple servers to maximize performance. LocalDirector also allows Web service providers to transparently support multiple domain addresses from a single server. The LocalDirector product is available now.

The Cisco DistributedDirector product transparently distributes Internet sessions and shares the load among multiple, geographically dispersed sites -- all operating under a single Universal Resource Locator (URL). DistributedDirector leverages information obtained from the network infrastructure to determine how services and user access should be distributed among servers, based on the standard Domain Name Service (DNS) and the Hypertext Transfer Protocol (HTTP). DistributedDirector can be configured as a DNS caching name-server or an HTTP session redirector on a per-domain basis. This product improves service availability, reduces the delay that users encounter when accessing services, and lowers access costs for both users and Internet service providers. It encompasses dedicated hardware and software that works in conjunction with Cisco routers. The first three DistributedDirector models will be available during the fourth quarter of 1996.

For more information on LocalDirector and DistributedDirector, see "How to Cost-Effectively Scale Web Servers."

Connecting Users' Desktops

Three series of Cisco products supply users with connections to TCP/IP-based networks from a variety of desktop platforms. These products enable users to take advantage of all services and applications available on an intranet or the Internet, including the ability to browse the Web, exchange electronic mail, access files, and transfer data. All products are available now.

Desktop connectivity products include:

Building and Managing Large TCP/IP Networks

In addition to software for specific platforms, Cisco offers a product for managing names and addresses on large TCP/IP networks. The Cisco DNS/DHCP Manager includes the industry's first graphical DNS management tool, a Dynamic Host Configuration Protocol (DHCP)/BootP server that dynamically updates DNS, and a set of common networking services including a DNS server, Network Time Protocol (NTP), Trivial File Transfer Protocol (TFTP), and a syslog server. Combined, these services enable a network manager to deploy a TCP/IP network efficiently and quickly by seamlessly managing TCP/IP addresses and names for the entire enterprise network.

The Cisco DNS/DHCP Manager solves two significant problems in maintaining basic information about each network node: managing the DNS name space and synchronizing data between DHCP and DNS. Incorrect DNS names and IP address information can lead to security problems and disruptions of services such as Network File System (NFS), File Transfer Protocol (FTP), routing services, and electronic mail. The Cisco DNS/DHCP Manager is available now for Sun Solaris, HP-UX, IBM AIX, and Windows NT platforms.

Enabling Multimedia Networking

Cisco Systems is working closely with Precept Software of Palo Alto, California, to expand uses for enterprise intranets by improving support for multimedia applications.

The Precept FlashWare product offers client/server "middleware" software that enables video and audio transmissions to run on TCP/IP networks. Another Precept product, IP/TV, delivers live or prerecorded video or audio in a bandwidth-efficient, multicast transmission over the internetwork. The combination of Precept FlashWare and IP/TV with Cisco's routing products and Cisco IOS software gives customers a unique multimedia solution for Windows-based TCP/IP clients, regardless of LAN technology. Both Precept products will be available from Cisco during the fourth quarter of 1996.

The Keys to Integration

The CiscoAdvantage products address the challenges that managers face in building intranets and allowing access to the Internet while also adding beneficial applications to these environments. These products also reflect Cisco's commitment to continually enhancing the Internet infrastructure through gains in security, reliability, scalability, and cost-effective access.

With a variety of hardware and software offerings, the CiscoAdvantage product line delivers an integrated, end-to-end solution for building and accessing enterprise intranets and the Internet.



Satellite Links Small and Midsized Businesses to the Internet

Cisco, Hughes Network Systems, and Helius have announced the availability of DirecPC for NetWare, the first direct-to-LAN satellite solution for small and medium-sized businesses that use shared resources in LAN environments. DirecPC for NetWare is an affordable, high-speed, server-based information delivery service for applications such as shared Internet access and file distribution. It is ideal for the small office/home office market, businesses with many locations, and industries that share common information.

DirecPC is a spinoff from DirecTV technology, a one-way, high-speed digital broadcast to a 21-inch satellite dish. A coaxial cable connects the dish to an Industry-Standard Architecture (ISA) adapter card in a networked PC and is capable of receiving traffic at 3 Mbps.

With DirecPC, a desktop client launches an Internet application (for example, Netscape) on an IPX network. Using technology from Cisco, the client connects to a Cisco IPX-to-IP Internet Junction gateway at the Novell server. Server technology from Helius (Orem, Utah) provides traffic management and asymmetric routing. The user sends a request (such as, and DirecPC routes it over a phone connection to Hughes Network Systems' (Germantown, Maryland) control center with the return IP address of the customer's satellite dish. The response is beamed to one of the Hughes satellites, which beams it back to the customer dish.

The dish forwards the response to the Novell server, at which point the Cisco IPX-to-IP gateway sends the response back to the desktop via IPX. All traffic is encrypted using the Data Encryption Standard (DES) and shares a single IP address at the customer premise.

For more information on DirecPC, visit the URL or e-mail

With DirecPC, Cisco expands LAN technology into space.



How to Cost-Effectively Scale Web Servers

The exponentially growing demand for Internet-based marketing, sales, support, and software distribution services is increasingly driving companies to expand the capacities of their World Wide Web (WWW) servers. While the conventional solution to resolving capacity requirements has been simply to replace an existing server with a bigger and faster model, there is a far more cost-effective and beneficial approach.

That solution includes two products -- Cisco's LocalDirector and DistributedDirector. Each of these systems works to protect existing server investments, improve response time for end users, and automatically provide an alternate-path routing capability that is just not possible with the single-server approach. The result: an unprecedented ability to effectively and economically scale Web services.

With the Cisco LocalDirector and DistributedDirector, new servers can be added and removed transparently to end users, because a population of multiple servers can be made to appear as a single virtual server. As a result, only a single IP address -- and a single Universal Resource Locator (URL) -- may be needed for the entire server complex.

For service providers, this capability offers a way to increase Web server capacity in small, low-cost increments. At the same time, incremental server expansion allows service providers and others to add or remove servers from the network without impacting end users. Equally important, the network manager is empowered to provide end users the timely service they expect by matching capacity with demands and always routing requests to the nearest available servers in order to reduce the number of hops -- and potential time delays.

The Cisco LocalDirector, now shipping, transparently and intelligently redirects sessions -- as they are established at a Web site to a single virtual IP address -- to other local servers as necessary. This redirection is accomplished, independently of both the Domain Name Service (DNS) and the application it serves, by rewriting the IP header information in accordance with a dynamic table of mappings between each session and the server to which it has been redirected. In other words, LocalDirector treats a cluster of servers as one virtual IP address; it is this virtual IP address that DNS registers. LocalDirector can effectively deal with client applications that cache DNS entries for extended periods of time.

When establishing a redirection, the Cisco LocalDirector considers the status of all servers and their ability to receive additional sessions on the basis of their existing loads and availability; servers might be marked unavailable if, for example, they are taken out of service for maintenance. The Cisco LocalDirector performs this analysis without incurring any network overhead and with no specialized host or client software.

Unlike the Cisco LocalDirector, the Cisco DistributedDirector -- which will be available in the fourth quarter of 1996 -- can act either as the primary DNS name-server for a specific subdomain or as a Hypertext Transfer Protocol (HTTP) session redirector for a specific URL. In the former mode, the DistributedDirector sorts responses to name service queries by the relative locations of the user and the server.

In the DistributedDirector illustration below, if a DNS query for a named service, such as, is sent from a user in Los Angeles, California, the DistributedDirector would respond with the IP address of the Web site in San Jose, California. But if the query came from a user in Sweden, that user would be directed to the Cisco Web site in Brussels, Belgium.

Operating in "HTTP redirect" mode, the Cisco DistributedDirector masquerades as the Web server defined by the user-specified URL, accepts HTTP connections, determines the best server based on the relative locations of the client and server, and redirects the client to that server.

By directing users to the server nearest to them, DistributedDirector can cut response time dramatically as it minimizes the number of hops. In the near future, DistributedDirector's configurable metrics will be enhanced with an ability to factor in servers' load conditions in addition to geographic proximity.

These parameters can be important performance issues as companies expand their Web presence and the capacity of their Web server platforms. With this growth and the increasing volumes of information and services supported by these platforms, consistency of service, availability, and ease of use are all critical issues that must be addressed. Not to be overlooked is the operational imperative of being able to maintain this high level of service throughout the maintenance process -- whether that maintenance procedure calls for adding servers or removing them for repair.

In short, what companies need is a Web strategy that provides a seamless and cost-effective growth path to tomorrow's burgeoning requirements. Cisco LocalDirector and DistributedDirector products provide that growth path, offering a simple, direct way to protect existing server investments while incrementally scaling server capacities and global connectivity options in such a way that site access and customer service are always optimized.

Using the Web for Business?
Cisco Systems' suite of online services and information is growing rapidly and gaining acclaim from the Cisco user community. For information on Cisco's new Internetworking Product Center and other Web-based tools and resources, see "Open for Business!"

How the Cisco LocalDirector Works

To provide TCP connectivity across multiple servers, Cisco LocalDirector relies on an inverse multiplexing mode (IMM) that presents the appearance of a single server to the outside, while actually using the power of multiple servers. The system supports multiple IMM groups, each consisting of a virtual address multiplexed to many actual servers, and each of these servers having a real IP address. LocalDirector measures the load on the servers specified in the IMM groups and intelligently distributes the load among them using the session distribution algorithm (SDA) developed by Cisco. SDA detects the long response time when a server fails, and redirects pending connections to the most responsive servers. The algorithm then continues to periodically check the failed server, and when it returns, SDA begins to issue connections again.
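A simplified model of the IMM behaviour described above, added here as an example; it is not Cisco's SDA, whose details the article does not give. The 2000 ms failure threshold, the 30 s recheck interval, the smoothing weights, and all names and addresses are assumptions.

```python
from collections import Counter


class ImmGroup:
    """One virtual address multiplexed onto several real servers."""

    def __init__(self, virtual_ip, real_ips, fail_ms=2000.0, recheck_s=30.0):
        self.virtual_ip = virtual_ip
        self.fail_ms = fail_ms        # assumed: a slower response counts as a failure
        self.recheck_s = recheck_s    # assumed: interval between checks of a failed server
        self.rtt = {ip: 0.0 for ip in real_ips}   # smoothed response time per real server
        self.failed = {}              # real IP -> time it was last found unresponsive
        self.sessions = {}            # (client IP, client port) -> real IP

    def most_responsive(self):
        """In-service server with the lowest response time (fewest sessions on a tie)."""
        live = [ip for ip in self.rtt if ip not in self.failed]
        if not live:
            return None
        load = Counter(self.sessions.values())
        return min(live, key=lambda ip: (self.rtt[ip], load[ip]))

    def connect(self, client):
        """Map a new session sent to the virtual address onto a real server."""
        server = self.most_responsive()
        if server is not None:
            self.sessions[client] = server
        return server

    def observe(self, real_ip, rtt_ms, now):
        """Record a measured response time; return the sessions that were moved."""
        if rtt_ms < self.fail_ms:
            self.failed.pop(real_ip, None)        # server answered: back in service
            self.rtt[real_ip] = 0.75 * self.rtt[real_ip] + 0.25 * rtt_ms
            return []
        self.failed[real_ip] = now
        # Simplification: every session mapped to the failed server is treated as pending.
        moved = [c for c, s in self.sessions.items() if s == real_ip]
        for client in moved:
            target = self.most_responsive()
            if target is None:
                del self.sessions[client]
            else:
                self.sessions[client] = target
        return moved

    def due_for_check(self, now):
        """Failed servers whose recheck interval has elapsed."""
        return [ip for ip, t in self.failed.items() if now - t >= self.recheck_s]

    def rewrite_destination(self, client, dst_ip):
        """Real address that a packet from `client` to the virtual address is sent to."""
        if dst_ip != self.virtual_ip:
            return dst_ip
        return self.sessions.get(client)


if __name__ == "__main__":
    group = ImmGroup("192.0.2.80", ["10.1.1.1", "10.1.1.2", "10.1.1.3"])  # constructed
    for ip, ms in (("10.1.1.1", 40), ("10.1.1.2", 20), ("10.1.1.3", 80)):
        group.observe(ip, ms, now=0)
    client = ("203.0.113.5", 40001)
    print("new session ->", group.connect(client))
    print("moved after failure:", group.observe("10.1.1.2", 5000, now=10))
    print("now served by:", group.rewrite_destination(client, "192.0.2.80"))
    print("recheck at t=45:", group.due_for_check(45))
```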

LocalDirector also operates in a forward multiplexing mode (FMM) to eliminate the multiple-domains-from-one-server problem by using multiple TCP ports to allocate multiple virtual addresses mapped to a single server. With FMM, a single server can run multiple Web server processes, each residing on a different TCP port, even while the outside world sees the virtual addresses for three separate servers. LocalDirector also allows administrators to scale this configuration by specifying multiple sets of FMM groups. In addition, administrators using this system can specify the physical addresses in groups to take advantage of load balancing, as described for IMM.

The Cisco LocalDirector tracks local network sessions and server load conditions, directing each session to the most appropriate server at the time. The servers appear as one virtual server with a single IP address.


How the Cisco DistributedDirector Works

In operation, the Cisco DistributedDirector can be configured on a per-domain basis either as a DNS caching name-server or an HTTP session redirector.

DNS Caching Name-Server Mode

DNS caching name-server mode can be used for all IP services. In this mode, the Cisco DistributedDirector acts as the primary DNS caching name-server for a specific subdomain. Using the Director Response Protocol (DRP), the DistributedDirector sorts DNS query responses by the information contained in the router-based networking infrastructure. This information describes the relative topological locations of the user and the server.

For example, when a client sends out a DNS query for a named service, such as, the Cisco DistributedDirector -- the authoritative name-server for the subdomain -- responds by using DRP to query selected routers that support the Web servers in the network infrastructure for user-to-server distance information or other configurable metrics. The DistributedDirector then sorts the DRP responses it receives from the routers and, using standard DNS, returns the IP address of the "best" server (normally defined as the closest) to the user. The client then transparently connects to this returned IP address to obtain the desired service.

HTTP Session Redirector Mode

Network administrators appreciate the ease of use offered by HTTP session redirector mode because, to operate in it, they need only add a few records to their primary domain name-servers. Applicable for HTTP services only, this mode allows network managers to configure the Cisco DistributedDirector so that it redirects HTTP sessions, such as queries sent to, to the "best" distributed Web server. DistributedDirector accepts the initial HTTP connection, and then, using DRP, queries the routers in the network infrastructure in the same way as described for the DNS caching name-server mode. After determining the nearest distributed Web server, the system creates a new URL for that server and sends it to the user along with the HTTP status code, "302 Temporarily Moved." The user is then transparently connected to this new URL.

DistributedDirector assesses the relative topological locations of end users and geographically distributed servers to determine the best server for each session, acting as a primary DNS name-server or as an HTTP session redirector.


Using Cisco LocalDirector and Cisco DistributedDirector Together

The Cisco DistributedDirector can be used to distribute traffic among several geographically dispersed Cisco LocalDirectors. In the configuration below, the Cisco DistributedDirector directs clients to the "closest" Cisco LocalDirector. The Cisco LocalDirectors then perform local, intelligent load-balancing to ensure that connections are allocated to the servers with the highest availability at each distributed server site. This configuration, recommended by Cisco for these complementary technologies, provides both local scalability for redundant clustered servers and global scalability for geographically dispersed Internet service sites.



Firewall Security

A Must-Have for Securing Corporate Information and Web Access

With the Cisco PIX Firewall, security begins with a process that removes the source IP address from outgoing traffic and replaces it with a generic IP address. This process protects the internal network, because no direct route back to the source is provided.


Increasingly, companies with a World Wide Web presence are implementing packet-filtering routers to prevent millions of Internet users from perusing their sensitive information resources. This first-level barrier is necessary -- but as the criticality of Web-based transactions increases, so too does the need for heightened security.

What is needed in this environment is a robust, dedicated firewall appliance that complements the packet filters of routers. This appliance should extend the security of the router's filtering from the network layer all the way to the application layer, while taking no toll on Web site performance or usability for internal Web users.

While some firewall products may provide the required security, only one -- the Cisco Private Internet Exchange (PIX[tm]) Firewall -- also meets the performance and support requirements of today's enterprise-wide, business-critical Web connections. The Cisco PIX Firewall provides strong security while operating at speeds that are dramatically faster than any other firewall on the market. And it comes from a company with over a decade of experience in network security: over 80 percent of the Internet backbone routers come from Cisco Systems.

The Cisco PIX Firewall is far more capable of handling dramatically larger networks than multiple smaller firewall products that consume bandwidth and create operating overhead. A single PIX Firewall device can support over 16,000 multiple sessions, or more than 64,000 users without impacting end-user performance. This capability makes the PIX Firewall well-suited for the high-speed (DS3 and E3) connections that Internet service providers require.

Using "stateful" security, the PIX Firewall keeps track of source and destination ports and addresses, Transmission Control Protocol (TCP) sequences, and additional TCP flags. Like telephone calls, stateful connections provide details that are tracked and recorded. This stateful security provides strong authentication, verification, and auditing capabilities.

With the Cisco PIX Firewall, security begins with stateful dynamic address allocation, a process that removes the source IP address from outgoing traffic and replaces it with a generic IP address. This process protects the internal network from unauthorized access, because all that's revealed is the firewall address, so no direct route back to the source is provided. This feature is comparable to having telephone service with an unlisted telephone number.

Dynamic address allocation, while secure, is not port-specific and relies on a simple configuration table to track removed addresses. As a result, it does not provide absolute security because a spoofer could, theoretically, initiate a packet from outside the network that travels with a signal coming back through the configuration table; thus the spoofer could obtain all addresses.

To remove this potential weakness of dynamic address allocation, Cisco PIX Firewalls also offer an adaptive security capability that captures the TCP sequence numbers and port numbers of originating TCP/IP connections. In order for spoofers to penetrate the firewall to reach an end server, they would need not only the IP address, but the port number and TCP sequence numbers, too.

To minimize the possibility of unauthorized network penetration, the Cisco PIX Firewall also supports sequence number randomization, a process that prevents potential IP address spoofing attacks, as described in a Security Advisory (CA-95:01) from the Computer Emergency Response Team (CERT). Essentially, this advisory proposes to randomize TCP sequence numbers in order to prevent spoofers from deciphering these numbers and then hijacking sessions. By using a randomizing algorithm to generate TCP sequence numbers, the PIX Firewall makes this spoofing process extremely difficult, if not impossible. In fact, the only accesses that can occur through the Cisco PIX Firewall are those made from designated servers, which network administrators configure with a dedicated conduit through the firewall to a specific server -- and that server alone. The PIX Firewall tracks all of these connections using syslog, the standard UNIX logging mechanism, to provide detailed audit trails.

The PIX Firewall is interoperable with any router-based network topology to ensure standards-based interoperability in multivendor environments. In a typical installation, its local port is connected to the private network, while the global port connects the PIX Firewall to the isolation segment where the Internet router resides.

Cisco is currently shipping an Ethernet (10/100 Mbps) version of the product and in September will also offer a Token Ring card, as well as an enhanced-performance version of the Ethernet card. Cisco's PIX Firewall comes in a standard 19-inch rack-mountable package.

Network administrators can configure PIX Firewall in less than five minutes, using five commands. A new, hypertext markup language (HTML) graphical user interface, available during the fourth quarter of 1996, will further simplify the PIX Firewall installation process.

As businesses increasingly rely on the World Wide Web for business-critical transactions, they must protect the integrity of those transactions, as well as their own internal information resources. A robust firewall meets this requirement while leveraging existing security barriers. With Cisco PIX Firewall, router investments are protected; the appliance simply adds a security layer that empowers users to protect valuable information assets.

How the Cisco PIX Firewall Works

In operation, the Cisco PIX Firewall works as follows: an Internet-bound packet sent by a host on the inside network follows default routes to the inside interface of the PIX Firewall. Upon receipt of the outbound packet, the source address is extracted and compared to an internal table of existing translations. If the inside host's address does not appear in the translation table, a new entry is created for that host, assigning a globally unique IP number from the pool of available addresses.

The actual translation is accomplished by changing the source address of the packet to this "legal" address. The differences between the original and translated versions of the packet are known, so the checksums are efficiently updated with a simple adjustment rather than complete recalculation. After a user-configurable timeout period during which there have been no translated packets for a particular address-mapping, PIX Firewall removes the entry, freeing the global address for use by another inside host.

This dynamic address allocation is enabled only for connections initiated from the internal network and is port-specific. The translation for an outbound Hypertext Transfer Protocol (HTTP) connection from a Web client, for example, would forward only packets from the external Web server that were destined for port 80 of the client machine. In the case of File Transfer Protocol (FTP) connections, which use a dynamic port for data connection, PIX Firewall notes the port number passively opened by the client's request and only allows inbound FTP data for sessions that were initiated from inside the private network.

This high level of selectivity is enabled by retaining state information for each TCP connection established through the PIX Firewall. A table containing the destination address, port numbers, sequencing information, byte counts, and internal flags for each TCP connection associated with a particular host address translation is maintained for the life of the translation entry. PIX Firewall then compares inbound packets against entries in the connection table and permits their entry only if an appropriate connection exists to validate their passage.

By operating on packet headers, rather than by copying data between processes (as is done in typical proxy servers that run at the user level on a multiuser operating system), the PIX Firewall provides the stateful security of a proxy server without the associated network and administrative overhead or the need for special host or client software.
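The translation steps in this section, as an added Python example that is not Cisco's code: it models the address pool, the idle timeout, and inbound validation against connections opened from the inside, matching on addresses and ports only (TCP sequence tracking is left out). The article does not say how the checksum adjustment is done, so the method of RFC 1624 is assumed; all names, addresses and the sample header are constructed.

```python
import ipaddress
import struct


def checksum16(data: bytes) -> int:
    """Full Internet checksum (RFC 1071) over an even-length byte string."""
    total = sum(word for (word,) in struct.iter_unpack("!H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def adjust_checksum(old_csum: int, old_field: bytes, new_field: bytes) -> int:
    """Incremental update, RFC 1624 eqn. 3: HC' = ~(~HC + ~m + m')."""
    total = ~old_csum & 0xFFFF
    old_words = struct.iter_unpack("!H", old_field)
    new_words = struct.iter_unpack("!H", new_field)
    for (m,), (m_new,) in zip(old_words, new_words):
        total += (~m & 0xFFFF) + m_new
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def rewrite_source(header: bytes, new_src: str) -> bytes:
    """Replace the IPv4 source (bytes 12-15) and patch the header checksum (bytes 10-11)."""
    new_field = ipaddress.IPv4Address(new_src).packed
    old_csum = struct.unpack("!H", header[10:12])[0]
    new_csum = adjust_checksum(old_csum, header[12:16], new_field)
    return header[:10] + struct.pack("!H", new_csum) + new_field + header[16:]


class Translator:
    """Dynamic address pool plus a table of connections opened from the inside."""

    def __init__(self, pool, idle_timeout):
        self.free = list(pool)          # unassigned global addresses
        self.idle_timeout = idle_timeout
        self.xlate = {}                 # inside address -> [global address, last use]
        self.conns = set()              # (global addr, local port, remote addr, remote port)

    def _expire(self, now):
        for inside, (glob, last) in list(self.xlate.items()):
            if now - last > self.idle_timeout:
                del self.xlate[inside]
                self.free.append(glob)
                # Connection state lives only as long as its translation entry.
                self.conns = {c for c in self.conns if c[0] != glob}

    def outbound(self, src, sport, dst, dport, now):
        """Return the global source address for an inside-initiated packet, or None."""
        self._expire(now)
        entry = self.xlate.get(src)
        if entry is None:
            if not self.free:
                return None             # pool exhausted
            entry = self.xlate[src] = [self.free.pop(0), now]
        entry[1] = now
        self.conns.add((entry[0], sport, dst, dport))
        return entry[0]

    def inbound(self, src, sport, dst, dport, now):
        """Return the inside address if the packet matches a tracked connection, else None."""
        self._expire(now)
        if (dst, dport, src, sport) not in self.conns:
            return None                 # unsolicited: no inside host opened this flow
        for inside, entry in self.xlate.items():
            if entry[0] == dst:
                entry[1] = now
                return inside
        return None


def sample_header(src: str, dst: str) -> bytes:
    """Constructed 20-byte IPv4 header (TCP, TTL 64) with a valid checksum."""
    fields = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0x1C46, 0x4000, 64, 6, 0,
                         ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed)
    return fields[:10] + struct.pack("!H", checksum16(fields)) + fields[12:]


if __name__ == "__main__":
    fw = Translator(pool=["192.0.2.10"], idle_timeout=60)
    glob = fw.outbound("10.0.0.5", 1025, "198.51.100.7", 80, now=0)
    pkt = rewrite_source(sample_header("10.0.0.5", "198.51.100.7"), glob)
    print("translated source:", glob, "checksum valid:", checksum16(pkt) == 0)
    print("reply from server:", fw.inbound("198.51.100.7", 80, glob, 1025, now=1))
    print("unsolicited packet:", fw.inbound("203.0.113.9", 80, glob, 1025, now=2))
    print("after idle timeout:", fw.inbound("198.51.100.7", 80, glob, 1025, now=200))
```

The TCP checksum covers a pseudo-header that includes the source address, so the same adjustment applies to it when the address is rewritten.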

Cisco PIX Firewall and Network Address Translation Solutions

In 1995, Cisco Systems acquired Network Translation, Inc. (NTI), an early pioneer in network address translation (NAT) and stateful adaptive security. NTI introduced the PIX Firewall product in late 1994 -- the first firewall to use stateful NAT, a strong security mechanism. In addition to its security capabilities, users can take advantage of another PIX Firewall benefit: support for larger address classes than those assigned by the Internet Assigned Numbers Authority (IANA). By translating bogus addresses into legal IP addresses, NAT makes it possible to use existing legitimate or illegitimate IP addresses to access the Internet. This capability saves users significant time and money by avoiding the need to reconfigure their networks.

Cisco offers two options for NAT support: the PIX Firewall standalone unit and integrated stateful NAT functionality in the Cisco Internetwork Operating System (Cisco IOS[tm]) software on Cisco routers. Offered as a separately priced option to the Cisco IOS, the integrated router solution allows network managers to introduce NAT functionality without adding a new hardware element to a network topology.


Questions and Answers

How can I build a firewall with my Cisco router?

Complementing the Cisco PIX[tm] Firewall, the Cisco Internetwork Operating System (Cisco IOS[tm]) software, too, can be configured as a potent firewall. You can combine extended IP access lists for packet filtering, several methods of user authentication, and Cisco's Lock and Key security solution to provide a strong, secure perimeter between "trusted" and "untrusted" networks.

The router can be configured to log security violations to a UNIX host's syslog facility. In Release 11.2 of Cisco IOS software, network managers can enable IP network-layer encryption and Network Address Translation (NAT) capability (a separately priced software option) in their router-based firewalls.

For more information on Cisco IOS security solutions, visit the URL warp/public/732/Security/index.html.

What other configuration options should I enable on the router to secure my network?

Some additional options and the commands that will help protect the router from unauthorized access include:


New Hardware Series Connects NetWare Users to the Internet

Cisco IPeXchange server software runs on Cisco 1000 series routers, providing WAN connectivity, firewall security between local and remote networks, and access to TCP/IP services for Novell networks.


The new Cisco IPeXchange 1000 series of Internet gateways provides Novell NetWare users with easy-to-use, cost-effective, and secure connections to the Internet and other TCP/IP-based networks. Available in three models, the products combine Cisco IPeXchange software -- based on Cisco Internetwork Operating System (Cisco IOS[tm]) technologies -- with Cisco 1000 series hardware. The products incorporate Cisco ClickStart[tm] software, a new tool that simplifies router configuration with the help of any Web browser. The standalone Internet gateways provide both IPX-to-IP gateway functionality and firewall capabilities for Novell networks, eliminating the need for separate gateway and bridge/router solutions.

"With the IPeXchange Internet gateways, NetWare users can realize immediate cost savings and reduced installation time for Internet access," explains Christine Hemrick, Vice President of Marketing for Cisco's Internet Business Unit.

All IPeXchange models are available in configurations for 20 or 50 concurrent users and can be stacked to accommodate higher numbers of users. The product supports the Point-to-Point Protocol (PPP), compression, and other features for optimizing WAN bandwidth and reducing usage costs. With support for IPX protocols on the remote LAN and a single IP address for the entire Novell network, there is no requirement to install and configure TCP/IP on every desktop PC.

The Cisco IPeXchange 1000 series products are the latest in a family of IPX-to-IP gateway solutions for NetWare and Windows NT platforms.

Cisco IPeXchange server software runs on Cisco 1000 series routers, providing access to TCP/IP services over IPX networks as well as WAN connectivity and firewall security between local and remote networks. Three IPeXchange Internet gateway models are currently available:

With the combination of routing hardware, Cisco IOS technologies, and Web navigation tools, the Cisco IPeXchange 1000 series of IPX-to-IP gateways offers a simple, secure, and affordable method for running TCP/IP services on NetWare LANs across the Internet or intranets.

ClickStart for Web-Based Configuration

Today, most routers are configured using a command line interface (CLI). With Cisco's new ClickStart[tm] software, users can now take advantage of the simplicity and ubiquity of a hypertext markup language (HTML)-based graphical user interface (GUI) to install their routers.

ClickStart is an HTML-based software solution that enables users to configure a Cisco 1003 or 1004 router in minutes. It is an integral part of the Cisco IPeXchange 1000 series of Internet gateways -- and of the Cisco 1000 series multiprotocol routers -- for which there is no incremental charge. Based on Cisco Internetwork Operating System (Cisco IOS[tm]) technologies, ClickStart makes Cisco 1000 series ISDN routers and Internet gateways accessible through any Web browser on any desktop platform, including Microsoft Windows, Windows 95, NT, UNIX, and MacOS.

The easy-to-use, Web-based interface guides users through the system installation process. By completing an initial setup form, a user can easily configure the system and bring up the network connection. The system is then manageable from a central location, and users can fine-tune and perform upgrades remotely.

Available today, ClickStart software will be extended later in 1996 to provide configuration for all Cisco routers in addition to the Cisco 1000 series.


New ISDN Routers Simplify Networking

The new Cisco 765 and 766 Ethernet LAN routers enable standard phones, fax machines, and modems to share one ISDN BRI line.


The new Cisco 765 and 766 Ethernet LAN routers offer two analog telephone interfaces that permit standard telephones, facsimile machines, and modems to share one Integrated Services Digital Network (ISDN) Basic Rate Interface (BRI) line. These products, with their ability to connect each ISDN B channel to two different sites simultaneously, eliminate the need for multiple telephone lines or additional devices. The Cisco 765 and 766 are the first products in their class to support supplemental telephone services, including call waiting, call hold, and call retrieve.

The Cisco 765 provides an ISDN BRI S/T interface for connecting to an external Network Termination 1 (NT1) device. The Cisco 766 contains a built-in NT1 interface for North American users. Both models are ideal for corporate telecommuters and small office/home office (SOHO) professionals who do not require full-time WAN connectivity for their small LANs, yet who want the high speed of ISDN communication.

Cisco ConnectPro Simplifies Configuration

Users can configure the Cisco 765 and Cisco 766 products by means of a touch-tone telephone or via the included Cisco ConnectPro software, a Microsoft Windows-based application that simplifies installation, configuration, and management. In addition, Cisco's ClickStart[tm] software now enables users to install these routers via a World Wide Web interface. For more information on ClickStart software, see "ClickStart for Web-Based Configuration."

Cisco ConnectPro helps users complete initial configuration with a series of interview dialogs and context-sensitive help screens. Users can enter ISDN-specific parameters such as directory numbers and Service Profile IDs (SPIDs) in the ConnectPro software. Cisco ConnectPro also provides a graphical representation of ISDN B-channel activity and traffic throughput, which is useful for monitoring and managing link utilization.

The Cisco 765 is currently shipping for approved countries. Contact your local Cisco sales office or your authorized distributor for approval status. The Cisco 766 is now available for North American users.


CIP Technology Gets Stronger

TN3270 Server Application Cuts Costs and Preserves Expensive Mainframe Resources

Today's mainframe data centers have arrived at a busy crossroads as established SNA networks converge with multiprotocol client/server networks that are often based on TCP/IP. Cisco Systems continues to simplify the transition, most recently with a variety of enhancements to its Channel Interface Processor (CIP) technology. Among these enhancements is Cisco's new TN3270 server, an application that offloads 100 percent of the TCP/IP and TN3270 cycles from the mainframe to CIP cards on Cisco 7000 series routers.

The CiscoBlue Roadmap
Cisco's TN3270 server capability is a Phase 7 component of the CiscoBlue Roadmap. For more information on CiscoBlue, see Packet, Vol. 8 No. 2, Second Quarter 1996.

"By offloading the TN3270 function from the mainframe, customers can preserve valuable mainframe cycles while adding a highly reliable, multiprotocol network router to the data center," suggests Lisa Lindgren, a product manager for Cisco's InterWorks Business Unit.

The TN3270 mainframe software that resides on many of today's mainframe computers is certainly capable of handling TCP/IP traffic, adds Lindgren. But it is not a very efficient use of mainframe resources; Lindgren compares it to using a luxury ocean liner to move bulk freight. Each SNA packet must be handled by the mainframe twice as it is converted from TCP/IP to SNA and back again, squandering precious mainframe cycles.

With the CIP/TN3270 server solution in place, the router takes responsibility for all aspects of intercepting 3270 terminal requests from IP clients and interfacing client sessions with mainframe access mechanisms such as the virtual telecommunications access method (VTAM). All channel processing is handled by the CIP card -- including 100 percent of TN3270 traffic -- preserving expensive mainframe resources for other tasks such as transaction processing and hosting a data warehouse.

Big Savings

According to Cisco's beta customers for the new CIP product, the benefits can be substantial. "Offloading the TN3270 function will save us a lot of mainframe mips," says a network engineer at a large, New York-based financial services company (who preferred to remain anonymous). His company has 8000 users worldwide running emulated 3270 terminal sessions from a variety of PCs and UNIX workstations. Offloading the TN3270 server function from the company's eight mainframe computers in New York City could save 20 to 25 mips at a cost of US$20,000 each, the engineer notes. "That's 40 percent of the resources the mainframe currently devotes to TCP/IP," he adds.

With offices throughout the USA and Europe as well as in Tokyo, Hong Kong, Singapore, and Melbourne all connected via TCP/IP to the data center in New York, the CIP card with TN3270 server function could be a major breakthrough for this customer. "We currently have hundreds of Cisco routers in place," the engineer adds. "If the CIP works out like we think it will, we plan to use the technology for all eight of our mainframes."

Gaining Ground

The inherent flexibility of Cisco's CIP solution allows companies to allocate front-end processing and routing to the same network device while offering room for expansion into new technologies such as Fast Ethernet and ATM. CIP cards deliver TCP/IP, SNA, and Advanced Peer-to-Peer Networking (APPN) traffic to the mainframe, eliminating the need for expensive intermediary equipment such as IBM 3172 interconnect controllers and 3745 front-end processors (FEPs).

The introduction of CIP technology in late 1995 introduced a new means for Cisco customers to extend the lives of their legacy networks, giving them multiprotocol internetwork access by connecting routers directly to the mainframe channel. Now, with the addition of the TN3270 server, Cisco is ready to take these advances even farther. Each CIP card can support up to 8000 TN3270 sessions. High-speed interfaces within the router provide the highest bandwidth available in the industry for connecting both SNA and TCP/IP networks to IBM and IBM-compatible mainframes.

"As today's data centers incorporate newer routed and switched LAN technologies into their networking architectures, the comprehensive capabilities and unmatched throughput of Cisco 7000 routers become invaluable assets to the organization," Lindgren concludes. "The CIP with TN3270 server answers an important need, fulfilling customer requirements for optimizing mainframe resources within diverse, multiprotocol environments."

With the CIP/TN3270 server solution, the Cisco router takes responsibility for all aspects of intercepting 3270 terminal requests from IP clients and interfacing client sessions. All channel processing is handled by the CIP, preserving expensive mainframe resources for other tasks.



New Modules Extend Wiring Closet Choices for Catalyst Switches

Cisco Systems has introduced new modules for the Catalyst[tm] 5000, Catalyst 3000, and the new Catalyst 3200 switches that give customers additional options for user connections. All modules are available now.

The Catalyst 5000 group switching module and other modules for the Catalyst 5000 family offer users a sophisticated wiring closet solution for migrating from shared-media hubs to switching.


Catalyst 5000 Group Switching Module

The new 10BaseT group switching Ethernet module for the Catalyst 5000 wiring-closet switch provides a method to microsegment users into managed switch groups. Group switching offers a superior alternative to shared-media hubs by combining the cost and management benefits of hubs with the scalability and performance of switching on a single Catalyst 5000 module.

The ability to segment users into groups gives greater bandwidth to each user by limiting contention for network access. Users also gain access to network resources across the 1.2-Gbps switching backplane of the Catalyst 5000 for wire-speed performance and connection to backbones based on Asynchronous Transfer Mode (ATM), Fiber Distributed Data Interface (FDDI), and Fast Ethernet.

Each 48-port group switching module supports four segments or groups of 12 users. Up to four group switching modules can be installed in a single Catalyst 5000 chassis, for a high-density configuration of up to 192 Ethernet ports and two switched Fast Ethernet connections.

The Catalyst 5000 group switching module also incorporates Release 2.1 of the Cisco Internetwork Operating System (Cisco IOS[tm]) software for switching, which provides embedded support for Remote Monitoring (RMON), dynamic configuration, management of virtual LANs (VLANs), enhanced network monitoring, and improved performance across Fast Ethernet trunk ports. For ATM LAN Emulation (LANE) environments, this release supports LAN Emulation Configuration Server (LECS), Broadcast and Unknown Server (BUS), and LAN Emulation Server (LES) functionality. Release 2.1 is available now for the Catalyst 5000 family.

Modules for the Catalyst 3000 Family

New modules for the Cisco Catalyst 3000 stackable switching system, including the new Catalyst 3200, deliver a choice of ATM or 100VG AnyLAN connectivity.

The Catalyst 3000 can function as a highly cost-effective ATM LAN Emulation (LANE) edge device. And because of its modular architecture, customers can install up to 16 ATM modules in each system.

The two-port 100VG expansion module increases the breadth of 100-Mbps interfaces supported by the Catalyst 3000 product family.


The Catalyst 3000 ATM module supports full LAN Emulation Client (LEC) functionality per the LANE standards. Throughput of 65,000 packets per second in each direction and support for 1900 switched virtual circuit (SVC) connections make the new ATM module ideal for low-latency, high-performance applications.

By taking advantage of the ATM Forum-compliant LANE services in the Cisco IOS software, the LEC functions in the Catalyst 3000 ATM module enable smooth operation with standards-compliant ATM switches and ATM-attached devices on the network. The module is fully compatible with ATM Forum User-to-Network Interface (UNI) 3.0 and 3.1 standards. With the new ATM module, network managers can combine the members of the Catalyst 3000 product family with Cisco 7000 or 4700 routers and LightStream 1010 ATM switches to gain a complete LANE solution.

The 100VG modules for the Catalyst 3000 family offer interfaces for 100VG-TX (unshielded twisted pair) or 100VG-FX (fiber) to connect 100VG servers, hubs, and switches, effectively allowing network administrators to aggregate 100VG nodes or provide switched VG connectivity to users' desktops. The 100VG module is now shipping.

With the new ATM module, network managers can combine the Catalyst 3000 family with Cisco 7000 or 4700 routers and LightStream[r] 1010 ATM switches to gain a complete LAN Emulation solution.



New Switch Adds Integrated WAN Support to Catalyst LAN Solutions

Cisco recently introduced the Catalyst[tm] 3200, a powerful new member of the Catalyst 3000 family that provides integrated switched WAN connectivity and integrated Layer 3 routing. This switch minimizes network delays and can easily connect geographically dispersed network users across a WAN.

The chassis of the Catalyst 3200 provides seven expansion slots and a stack port slot, which accommodates any existing Catalyst 3000 expansion module, stack port module, or stack matrix. Modules provide support for Ethernet, Fast Ethernet, 100VG AnyLAN, Asynchronous Transfer Mode (ATM), and switched WAN connectivity. With flexible configuration solutions, the Catalyst 3200 can be expanded to provide up to 224 ports per system.

Network managers can combine existing Catalyst 3000s with Catalyst 3200 switches in stacks of up to eight units. The Catalyst 3200 also supports Inter-Switch Link (ISL) trunking to allow even greater configuration compatibility between the Catalyst 5000 and Catalyst 3000 families.

The Catalyst 3200 protects users' hardware investments by extending their LAN infrastructures out to the wide-area, while interoperating with existing network equipment. To accommodate network growth, the Catalyst 3200's expansion slots will support future expansion modules that will meet the emerging demands of switched networks.


Performance and Growth Needs Fuel Ciba's Migration to Cisco Equipment

Dwight Lubansky manages the Ciba internetwork from headquarters in Summit, New Jersey.


Dwight Lubansky, Network Manager of Ciba's US Pharmaceutical Division (Summit, New Jersey), sets high standards for his company's network: it must grow faster than users' needs; support legacy applications from clinical trial databases to molecular modeling; and supply the bandwidth required for emerging multimedia and video applications including image document databases, online multimedia training, and videoconferencing.

Ciba, a Swiss-based chemical and manufacturing conglomerate with a staff of 80,000 worldwide, has taken a stepping-stone approach to meeting these goals. Cisco 7500 series routers play a pivotal role in the company's strategy.

Currently, Ciba's network core is composed of local bridges and routers that connect departmental Token Ring and Ethernet segments into a Token Ring backbone. The first phase of the network modernization will entail migrating from shared-LAN media to the deployment of dedicated 10-, 16-, and 100-Mbps links between LAN segments, key servers, end stations, and the Token Ring backbone. In the second phase, the company will install 100-Mbps Fast Ethernet on the backbone and campus LAN. During the final phase, the network will migrate to Asynchronous Transfer Mode (ATM).

Cisco 7500 Series Routers Connect Ciba's Backbone

Ciba already has deployed two Cisco 7500s on the campus backbone; all departmental LANs and switches now funnel into these routers. Ciba chose the Cisco 7500 as a backbone hub in part because its concentrated power gives it the ability to handle up to 24 Ethernet, 16 Token Ring, or 8 Fast Ethernet LAN links. In what is becoming a common networking strategy, Ciba removed its existing backbone router -- which lacked the backbone performance and port density of the Cisco 7500 -- and redeployed it to handle WAN traffic.

Based on the magnitude of this network overhaul, Lubansky needed to design a network with a three-year minimum lifespan. That stipulation, in turn, required a network that would scale to growing volumes of traffic. To predict where bottlenecks might occur, Lubansky examined processor utilization of network devices. The lower the utilization, the higher the system performance. "We had a 40 percent processor utilization on our Cisco 7000. I estimate it will drop to under 20 percent with the Cisco 7500s, meaning the network will have room for the high usage we're forecasting," Lubansky says. A key factor in reducing the processors' load will be the Cisco 7500's Versatile Interface Processor (VIP) cards, the first router interface cards to incorporate intelligent, multilayer switching. It is because of the VIPs that the Cisco 7500 can offer aggregate system performance exceeding one million packets per second.

Knowing that reliability was a prerequisite to gaining network acceptance, Lubansky chose Cisco's Hot Standby Routing Protocol (HSRP) to ensure continuous service. HSRP is designed for fault-tolerant networks running mission-critical applications. At Ciba, HSRP ensures that if the Cisco 7500 router fails, a parallel router operating in tandem automatically will restore connectivity within ten seconds.

Ciba's final requirement was for network security. Cisco met this requirement through access lists, router software that allows network administrators to filter packets and control the flow of data. Using access lists, a network administrator can, for example, specify that mail go only to a certain mail server, or that Telnet connections be permitted outbound but not inbound.

In its annual report, Ciba's corporate statement observes, "When markets, demand structures, and technology are constantly changing, a company must move away from old patterns of behavior. We have long since committed ourselves to living and shaping the necessary changes in our own company." For Ciba, the use of the latest Cisco technology is a clear extension of this forward-looking corporate philosophy.

Cisco 7500 routers serve as the backbone hub and concentrator of Ciba's international network. The central network interface eventually will be replaced by ATM.



Cisco to Acquire Telebit's MICA Technologies

As part of its continuing efforts to serve the fast-growing dial market, Cisco Systems has signed a definitive agreement to acquire Telebit Corporation's digital Modem ISDN Channel Aggregation (MICA) technologies.

The MICA development, product management, and customer support team will become the Dial Technology Division within Cisco's Access Business Unit. The division will help Cisco integrate the advanced features of MICA's high-density digital modem technology into current and future Cisco products, including the Cisco 2509, 2510, and 2511 access servers and the AS5200 universal access server.

For customers seeking scalable dial solutions, MICA technology will combine with Cisco Internetwork Operating System (Cisco IOS[tm]) software and WAN switching to provide a scalable, secure network connection using managed modem technology.

By providing higher dial densities, product flexibility, faster time to market, and customer investment protection, MICA technology enables the simultaneous support of remote access users through both analog modems and ISDN devices.

Under the terms of the agreement, Telebit will sell its analog modem business, NetBlazer and MicaBlazer products, and other assets and liabilities to a new entity formed via a Telebit management buyout that will retain the Telebit Corporation name. Simultaneously, Cisco will purchase the remaining Telebit Corp., which will consist of Telebit patents and MICA intellectual property.

The transaction is expected to be completed by the end of October 1996.

Telebit company information is available on the World Wide Web at


Cisco Offers Free Encryption Software Suite

Organizations such as banks, medical institutions, and law offices are increasingly challenged with privacy and security concerns when relaying information between various sites across networks. To meet their demands, Cisco has announced the release of free security software, which represents the only proposed security standard for multiprotocol, multiuser environments to date. This scalable, low-overhead software will enable secure telecommuting and scalable implementation of large, multiplatform, multiprotocol solutions for electronic commerce, remote access, and virtual private networks (VPNs).

Cisco has acquired the rights from Cylink Corporation (Sunnyvale, California) to freely distribute the source code for the Diffie-Hellman key exchange, the Digital Signature Standard (DSS), and the Digital Encryption Standard (DES). The Diffie-Hellman algorithm allows two parties to exchange nonsecret information and then independently calculate a third number for use as a session key to encrypt data passing between the parties. This feature allows the routers to change their session key as often as necessary without having to send that key across the network in any form.
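The exchange and the re-keying property described above, as an added example that is not Cisco's or Cylink's code. The 127-bit modulus (demonstration size only), the base, the SHA-256 key derivation, and the Router class are assumptions of this example, and the exchange shown is unauthenticated.

```python
import hashlib
import secrets

P = 2**127 - 1   # prime modulus, demonstration size only (assumption of this example)
G = 5            # public base (assumption of this example)


class Router:
    def __init__(self, name):
        self.name = name
        self._private = None
        self.session_key = None

    def offer(self):
        """Pick a fresh private exponent; return the nonsecret public value."""
        self._private = secrets.randbelow(P - 3) + 2        # range 2 .. P-2
        return pow(G, self._private, P)

    def accept(self, peer_public):
        """Combine the peer's public value with our private exponent."""
        # Reject 0, 1, P-1 and out-of-range values: they would force the
        # shared number to a value anyone on the path could predict.
        if not 1 < peer_public < P - 1:
            raise ValueError("degenerate public value from peer")
        shared = pow(peer_public, self._private, P)
        self._private = None                                 # one use per exchange
        self.session_key = hashlib.sha256(shared.to_bytes(16, "big")).digest()
        return self.session_key


def rekey(a, b, wire):
    """One exchange; `wire` records everything that crosses the network."""
    pub_a, pub_b = a.offer(), b.offer()
    wire.extend([pub_a, pub_b])          # only public values are transmitted
    a.accept(pub_b)
    b.accept(pub_a)
    return a.session_key


if __name__ == "__main__":
    a, b, wire = Router("A"), Router("B"), []
    first = rekey(a, b, wire)
    second = rekey(a, b, wire)           # new key, again without sending it
    print("keys agree:   ", a.session_key == b.session_key)
    print("key rotated:  ", first != second)
    print("values on wire:", len(wire))
```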

Cisco is making this software available in the USA and Canada on a royalty-free basis for use solely with the Internet Engineering Task Force (IETF) Internet Security Association Key Management Protocol (ISAKMP) reference implementation. Cisco and Cylink have a pre-existing relationship that includes folding Cylink's encryption software technology, the Secure Enterprise Architecture (SEA) Stack, into the Cisco Internetwork Operating System (Cisco IOS[tm]) software.

Several companies are offering industry support for this proposed open industry standard, including RSA, Network Systems Corporation, FTP Software, and NetManage.

For a free reference implementation of ISAKMP software on the World Wide Web, visit


New Cisco Technology Enables Virtual Dial-Up Service

With the explosive growth of the Internet, service providers are looking for alternative methods to support dial-up users. To address this challenge, Cisco Systems recently announced technology that will enhance the ability of service providers to build Virtual Private Dial-Up Networks (VPDNs). Cisco has submitted this new technology -- known as Layer Two Forwarding (L2F) -- to the Internet Engineering Task Force (IETF) for approval as a standard.

An alternative to existing remote access solutions, this enabling technology provides corporations with the benefits of private network dial-in access through a public system. Access is achieved by building a secure "tunnel" across the public infrastructure that connects directly to a user's home gateway. The service requires only local dial-up capability, drastically reducing users' costs and providing the same level of security found in private networks.

This new technology is contained in the Cisco Internetwork Operating System (Cisco IOS[tm]) software -- the foundation for all Cisco products -- which supports the multimedia requirements of both LAN and WAN protocols, optimizing WAN services that control intranetwork access.

Northern Telecom Inc. (Nortel) and Shiva Corporation have announced their support for L2F. "Private access for remote users over public service backbones will become a significant piece of the emerging communications picture," says Virginia Brooks, Senior Analyst at the Aberdeen Group, Boston, Massachusetts. "Cisco, Nortel, and Shiva are paving the way for these Virtual Private Dial-Up Networks by supporting L2F technology."


HP Launches SNAplus2 Family of Products

To provide cost-effective, scalable solutions for legacy computers, Hewlett-Packard (HP) has announced the next generation of interconnect products and integration with the Cisco 7000 family of routers. SNAplus2 is the latest in its family of high-performance Systems Network Architecture (SNA) connectivity solutions.

The SNAplus2 product family enables customers to more rapidly and cost-effectively link HP 9000 commercial computing environments with large production systems from IBM. With benefits that include SNA and TCP/IP networking capabilities, support for IBM parallel channel (bus and tag) and Enterprise System Connection (ESCON) technologies, and elimination of multiple, dedicated, mainframe channel controllers, customers can achieve significant cost savings and better-managed TCP/IP and SNA network traffic.

HP has completed interoperability testing with Cisco Systems' Channel Interface Processor (CIP) card, a high-performance data center product that supports ESCON and bus/tag connectivity as part of the popular Cisco 7000 series router family. The CIP card is the strategic piece of the internetworking puzzle that meets customers' needs to place mainframe data centers onto internetworks. HP is the first computer manufacturer to integrate the CIP card into its data center offerings.

"We are pleased that our customers can incorporate HP connectivity solutions into their Cisco environments -- and vice versa," states Bill Lawler, Business Development Manager for Cisco. "A new building block in the Cisco and HP technology foundation has been added, and we envision that it can deliver only benefits to our customers."

For more information about the SNAplus2 family of products, users can contact their local HP or Cisco offices.


Cisco and Precept to Support Desktop Multimedia Software

Cisco's recent minority equity investment in Precept Software (Palo Alto, California) will help bring multimedia software support to the desktops of Internet users. Precept already offers a client version of the Resource Reservation Protocol (RSVP), which will also be available as part of the Cisco Internetwork Operating System (Cisco IOS[tm]) software. According to the agreement, the companies will collaborate to develop industry-standard protocols and management tools for multicast and multimedia.

Later this year, Cisco plans to resell two of Precept's standards-based multimedia networking software products. The first product, FlashWare, is a client/server "middleware" product. (Middleware provides the connection that links application development tools -- the software "in the middle" of two or more clients.) The FlashWare product allows video and audio to run on existing IP packet-switched networks. The second product, IP/TV, is a client/server application that multicasts live or prerecorded video and audio over IP networks. Both products are based on industry-standard, multimedia-enabling technologies and are compatible with software used on the multicast backbone (MBONE), the portion of the Internet that supports real-time multimedia. The combination of Precept's open-protocol products and Cisco's internetworking software will provide customers with a unique multimedia solution for Windows-based TCP/IP clients, without regard to the LAN technology employed.

For more information on the Precept products, see "CiscoAdvantage Products Enhance Key Dimensions of Intranet and Internet Communications" or connect to the World Wide Web URL:


Xpoint Licenses Cisco's VLAN Technology

Xpoint Technologies (Boca Raton, Florida) has licensed Cisco's Virtual LAN (VLAN) technology and intends to incorporate it into Xpoint's (pronounced crosspoint) Disk-to-LAN acceleration applications for use with Intelligent Fast Ethernet server adapters. Disk-to-LAN applications deliver scalable input/output performance from workgroup servers to gigabit payload enterprise servers. VLAN technology allows network managers to group users and computers into communities of interest or logical workgroups independent of their physical locations. VLANs offer greater scalability, performance, configuration flexibility, and significant network cost savings.

By incorporating Cisco's Inter-Switch Link (ISL) VLAN technology into Xpoint's Disk-to-LAN solutions, Xpoint now provides a way for servers to directly support multiple VLAN workgroups with a single Fast Ethernet connection to ISL segments of VLAN networks. Xpoint's server acceleration solutions are designed to streamline data transfers and avoid logjams caused by traditional file server input/output processing.


Cisco Supports ISDN Standards Development

Cisco Systems recently joined with 12 other networking industry leaders to form the Vendors' ISDN Association, Inc. (VIA), a nonprofit, California-based corporation dedicated to making Integrated Services Digital Network (ISDN) more accessible to businesses and individual users.

VIA will initially focus on automated ISDN configuration capabilities, but the main purpose of the organization is to expand and accelerate the deployment of ISDN products, services, and usage by providing an open forum for the exchange of ideas, user needs, and technical information regarding ISDN.

Membership is open to all companies directly involved with the development, support, or implementation of ISDN equipment or services and those able to contribute to the identification, evaluation, and implementation of ISDN enhancements.

The initial meeting of members is scheduled to be held during Networld+Interop Atlanta in September.

For membership information, e-mail


Routers Direct "Hits" for Nasdaq's Internet Home Page

Cisco's internetworking expertise, combined with its Cisco 7000 series high-speed Internet routers, has helped launch The Nasdaq Stock Market's home page on the World Wide Web. Nasdaq, based in Washington, DC, is the world's second largest stock market as measured by market capitalization, and lists more companies and trades more shares than any other stock market. Cisco is the third largest company listed on Nasdaq.

The Nasdaq Web site allows investors to access free, up-to-date financial information about more than 5300 Nasdaq-listed companies and provides a direct link to home pages for individual companies. The Nasdaq Web site records more than 1 million hits per day.


Gigabit Ethernet Alliance Drives New Open Standards

Cisco Systems is among 11 major networking and computer companies to form the recently announced Gigabit Ethernet Alliance, a multivendor effort to provide customers with open, cost-effective, and interoperable Gigabit (1000-Mbps) Ethernet solutions. The alliance intends to support the extension of existing Ethernet and Fast Ethernet standards in response to industry demand for increased network bandwidth and to address interoperability needs among Ethernet products that span operating speeds of 10 to 1000 Mbps. Migration to Gigabit Ethernet will provide investment protection based on industry plans to use the traditional Ethernet frame format, media access method (Carrier Sense Multiple Access with Collision Detection, or CSMA/CD), and management objects.

In addition to Cisco Systems, founding members include 3Com, Bay Networks, Compaq Computer, Granite Systems, Intel, LSI Logic, Packet Engines, Sun Microsystems, UB Networks, and VLSI Technology. Tony Lee of Sun Microsystems has been named chairman of the alliance, and Cisco Systems' Nathan Walker was elected as vice-chairman by original alliance members.

At press time, over 50 other companies have joined the Gigabit Ethernet Alliance. Alliance members will facilitate convergence and consensus on technical specifications and submit their Gigabit Ethernet technical proposals to the Institute of Electrical and Electronics Engineers (IEEE) 802.3z standards committee. The 802.3z frame format allows easy migration to gigabit speeds using existing applications, network operating systems, protocols, and network management.

The Gigabit Ethernet Alliance expects to bring together the same suppliers and end-user companies that formed the Fast Ethernet Alliance. The alliance plans to continue its activities until formal standardization of Gigabit Ethernet is complete, relevant standards have been published by the IEEE, and interoperability among vendors is established. News of the alliance is available at the URL


Open for Business!

Cisco Launches Internetworking Product Center

As part of its industry-leading World Wide Web site, Cisco Systems has announced the availability of its Internetworking Product Center (IPC), an application that allows customers and industry partners to configure, price, and submit purchase orders for all Cisco products and services via the World Wide Web.

Internetworking Product Center eases the ordering process by breaking down the barriers of time and space between Cisco and its user community. Online access to Cisco's internal pricing and configuration databases enables users to place orders at any time from any location.

This new Web application offers several benefits to users, including access to extensive product information and pricing, online order submission, verification, and order management capabilities, and quick entry features and searching capabilities. All data submitted through the system is encrypted and password-protected to guarantee the secure transmission of information.

Cost Savings for Customers

Internetworking Product Center addresses the need for timely and cost-effective purchase capabilities for customers. It offers users prompt responses to their submitted orders and instant notification of ordering errors, eliminating processing or shipping delays. The system offers one-stop, self-service convenience for all users.

Easy Account Management

Cisco's Commerce Agent application gives users greater control over their accounts by allowing access to order status and verification, quick search capabilities, and the most current pricing, configuration, and ordering information. Using a breakthrough technology for the Internet, a powerful routing feature allows users to create internal requisitions on line and get signature approval from other internal groups. Orders can then be forwarded to Cisco for immediate processing. Customers receive an immediate confirmation upon receipt of the order and can use the Cisco Status Agent to track the progress of their order through the system.

Getting Started

To help customers get acquainted with the system, Cisco is offering "Getting Started," a user guide to ease navigation and answer commonly asked questions.

To begin using Internetworking Product Center or request a "Getting Started" guide, e-mail You can find the Commerce Agents and the Internetworking Product Center as part of the Cisco MarketPlace on the Web at

A Guide to Cisco Connection Online (CCO):
Cisco MarketPlace incorporates Internetworking Product Center and enables users to purchase all Cisco products and services on line.
Technical Assistance offers online resolution of users' service and support inquiries.
Software Image Library houses the latest Cisco software releases, configuration guidelines, early bug notification, and bug-searching utilities.
Customer Services includes Commerce Agents for product configuration, pricing, and order-status tracking.
Product Information is a comprehensive source for data sheets, white papers, and product feature comparisons.
Events and Training offers a detailed schedule of seminars, training classes, and upcoming Cisco events such as Networkers user symposiums.
Documentation represents Cisco's complete documentation set. A series of technology overviews also is available here.
Partner Information provides a regularly updated listing of Cisco Gold and Silver Partners.


Routing Updates

Survey Gives Cisco Direction for Improvements

Cisco Systems' expansion of its SMARTnet[tm] customer support program into Europe is just one result of the company's fifth annual customer satisfaction survey, which covered 33 countries. Survey respondents, including technical users and purchase decision makers, rated their satisfaction with Cisco products, services, support, and field sales for 1996.

Rating 64 product and service attributes, customers indicated an increase in satisfaction to 4.01 (on a 5-point scale), from 3.98 in 1995. Customers were notably more satisfied with product value (including price and performance) and technical support, although they identified software quality and product delivery as focus areas for Cisco. "Customers continue to expect excellence in product and service requirements," says John Chambers, President and CEO of Cisco Systems. "Cisco and Cisco's partners need to deliver products and services that meet or exceed customer expectations."

In response to this survey, Cisco is initiating several improvements:


Datrac Wins Top Customer Satisfaction Award

Datrac AG, one of Cisco's largest partners in Switzerland, recently won Cisco Systems' "Customer Satisfaction Super Team 1995" award as a result of the company's customer survey of Europe, the Middle East, and Africa. One of Cisco's first European partners and a Gold Certified Partner, Datrac has three branch offices (in Bern, Zurich, and Lausanne) staffed with experienced sales, systems, and field engineers, including several Cisco Certified Internetwork Experts (CCIEs).

"Customers chose Datrac because of its demonstrated commitment to Cisco's broad line of internetworking products, and expertise in servicing and supporting these products," says Urs Nussbaumer, Channel Account Manager, Cisco Systems. "Datrac is Cisco's original distributor in Switzerland with a very strong local presence."


New Customer Support Options Available in Europe

To address the growing needs of European customers, Cisco has expanded its suite of customer support and service options in Europe. Cisco's authorized partners in 16 European countries currently provide a complete range of locally delivered core maintenance and value-added services at Cisco quality levels. Now they can also resell two of Cisco's direct support lines: Cisco's flagship SMARTnet[tm] service and Network Supported Account (NSA) service. SMARTnet, Cisco's industry-leading support program, provides subscribers with core technical support. NSA supplements the SMARTnet service contract with the services of Cisco Certified Internetwork Expert (CCIE) engineers, who provide customers with tailored, proactive support services and ongoing consultation.


Newest Wave of Industry Awards for Cisco Products

Product | Award | Awarded By
Cisco 7000 Family | Readers' Choice Award, Backbone Routers category | LAN Times magazine, June 1996
Cisco 4000 Series | Readers' Choice Award, Branch Office Routers category | LAN Times magazine, June 1996
Cisco Catalyst 5000 | Editor's Choice Award, ATM Edge Switch category | Network Computing magazine, July 1996
Cisco 4700 | Tester's Choice Award, DLSw Routers category | Data Communications magazine, July 1996
CiscoWorks for Windows | Users' Choice Award, Network Management category | Communications News magazine, June 1996


New Partner Listings

The following tables include new Gold, Silver, CIP 7000, and TAC-Certified Cisco partners that have achieved certification since the last issue of Packet. For complete partner information, visit the World Wide Web URL:

Cisco's Gold and Silver Partners

Each Gold and Silver Certified Partner maintains a staff of trained sales and support experts, including Cisco Certified Internetwork Experts (CCIEs) to deliver Cisco-defined levels of sales and support. Certification on a country-by-country basis ensures that partners have resources in place to sell and support multinode networks within each of those countries.

Gold Certified
Company | Location
AT&T | Germany
BISS | UK
Convex | Portugal
Cray Communications | UK
Hong Kong Telecom CSL | Hong Kong
Open Systems | Austria
Satec | Spain
Skrivervik Data | Norway
Unisys | Italy

Silver Certified
Company | Location
ICL | Sweden
Microland | India
Optotrans | Hungary
Pacific Bell Network Integration | USA
Santa Monica Software | Finland

Cisco CIP 7000 Partners

For Cisco Systems customers deploying Cisco 7000 routers configured with the Channel Interface Processor (CIP) card, a high level of value-added support is offered by CIP 7000 certified service partners. CIP certified partners have on staff CIP 7000-certified engineers and Cisco Certified Internetwork Experts (CCIEs) to meet the specialized support needs of Cisco customers in IBM networking environments.

CIP 7000 Partners
Company Location

TAC-Certified Partners

Technical Assistance Center (TAC) certification puts Cisco Systems' partners in Europe, the Middle East, and South Africa in partnership with Cisco's networking experts to deliver prompt and effective solutions to Cisco customers.

TAC-Certified Partners
Company | Location
Alcatel | Norway
Alcatel Redes Corporativas | Spain
Cray Communications | UK
ICL Service | Norway
Open Systems | Austria
Philips Communications D'Entreprise | France
Santa Monica Software | Finland
Satec | Spain
Siemens | Denmark
Siemens NV | Belgium
Skandia IT | Sweden
Skrivervik Data | Norway
Unisys | Denmark
Unisys Italy SPA | Italy

Publisher's Box

Packet[tm] magazine is published quarterly and distributed free of charge to users of Cisco Systems products.

Direct address corrections and other correspondence to, or to Packet, in care of: Cisco Systems, Inc. 170 West Tasman Drive San Jose, California, 95134-1706 USA

Phone: 408 526-4000

World Wide Web URL:

Editor-in-Chief: Joanna Holmes
Assistant Editors: Deanna Andreasen, Patrice Snell Steiner
Design and Production: Donna Helliwell
Project Coordinator: Carol Rolin

Cover image by Donna Helliwell and Jeff Brand

Published by the Cisco Systems Press Group

Special thanks to the following contributors: David Baum, Jeff Brand, Andrea Cheek, Barbara Dallenbach, Sam Diamond, Anne McLeod Haynes, Janice King (MarkeTech), Kori Powers, Troy Stein, Jackie Thrasivoulos, Warren Williams (Pacific Bell), and the Cisco Graphics Group.

Catalyst, CiscoAdvantage, CiscoRemote, CiscoSecure, Cisco IOS, the Cisco IOS logo, Cisco Systems, CiscoView, ClickStart, Internet Junction, Packet, PIX, SMARTnet, and The Cell are trademarks; and Cisco, LightStream, MultiNet, and the Cisco logo are registered trademarks of Cisco Systems, Inc.

All other products or services mentioned in this document are the trademarks, service marks, registered trademarks, or registered service marks of their respective owners.

Packet, copyright ©1996 by Cisco Systems, Inc. All rights reserved. Printed in the USA.

No part of this publication may be reproduced in any form, or by any means, without prior written permission from Cisco Systems, Inc.


Copyright 1988-1996 © Cisco Systems Inc.