Wednesday, December 9, 2009

Cisco ACS Express 5.0 - AAA Configuration

Homer SimpsonImage via Wikipedia

Doah!

I recently installed a new Cisco ACS Express appliance on my network. I had been told that this appliance is designed for small and medium sized businesses with a maximum of 350 users and 50 devices.

This ACS appliance is on a segmented, more secure, part of our network. So, these limitations were not a concern.

Then I start adding devices to the appliance. Authentication and accounting functionality worked just fine, with minimal issues. However, authorization capabilities would not work.

After a call to Cisco TAC, I was informed that some features deemed unnecessary for the SMB market are not supported on the ACS Express. This included authorization functionality.

Unfortunately, I was told that I would need to speak to my Cisco account management team to learn what other features have been disabled.

To me, it would seem sufficient to limit the number of devices and accounts, but not remove features. Even SMB's require the features that Cisco has determined are only used in large enterprises.

From a Q&A on the Cisco website, I found this explanation of Cisco ACS Express:
Cisco Secure ACS Express is well suited for deployments that need an access control solution for fewer than 350 users and 50 devices. This product is intended to serve small to medium-sized businesses, retail sites and enterprise branch offices where customers need an easy-to-use GUI yet require a comprehensive but simple feature set and a lower price point to address their specific deployment needs.
Interesting. But, I can't find the list identifying the 'simple feature set'. As soon as I do, I'll post it here.


*** Update ***

Through no configuration changes, or fault of our own, we were able to get authentication working. Do we have a buggy ACS appliance? I don't know. But, I'm scratching my head on why it just started working.

Anyway, I still want to know what features are deactivated, and why.

We'll see.
Reblog this post [with Zemanta]

Friday, September 11, 2009

VMworld 2009 Update

Bored at workImage by Creative_Funk via Flickr

Yes, I did make it to VMworld. It was a pretty good conference. I learned a lot and met a bunch of good folks.

If you would like to learn more about my week at VMworld, check out my other blog.

Monday, August 24, 2009

Cisco EOL/EOS Products

Is there anything at the end of the tunnel?

It can be hard to keep up with the IOS updates on all of our Cisco equipment. But, even more important than making sure we're running the latest code release, is to make sure that we can get Cisco support assistance when we need it. There is nothing worse than having a problem and you can't get help from the guys that can help.

It's a good idea to periodically check the Cisco End-of-Sale and End-of-Life list. You may be surprised to see some of the products on this list, especially some of the 6500 chassis.

Take a look, and start planning your budgets now.
Reblog this post [with Zemanta]

Monday, August 3, 2009

It worked! I'm going to VMWorld.

Fisherman's Wharf signImage via Wikipedia

Well, my groveling worked, I'm going to VMWorld!

I just completed my schedule, and I'm not sure I will have any time for sleep.

Primarily a Cisco engineer, I'm very excited to attend four of the nine Cisco related sessions. I'm on the waiting list for the fifth (VMware vSphere 4 Networking Deep Dive). Hopefully, I will be able to stand in the back.

I'm looking forward to shooting video's with my Flip, and writing about the things I will learn.

In response to the direct Twitter message from VMWareEvents.

Bench MondayImage by Balakov via Flickr

@VMWareEvents - On Friday, you sent a Tweet that said:
@VMwareEvents: The #VMworld party is going to be great-no busses ! For more insider info look for the daily #VMworldInsider on Monday!
I appreciate hash tags, and use them often with TweetDeck, when I'm on my MacBook Pro. However, I have not found an easy way to follow hash tags, when I'm using my Blackberry.

It seems to me it would be easier if you were to obtain the 'VMWorldInsider' Twitter account. Then we (the VMWorld attendees) could follow this account and configure it to send updates to our mobile devices as text messages. I do this to keep up with my favorite baseball team.

This will make it easier to receive the great insider tips, while we attend VMWorld.

I hope I've properly described my suggestion. If not, shoot me an email.

By the way, I'm a Fusion lover. So, with Mac, Windows, and Linux - I've got it all, too. Have you seen the "Mac or PC" rap music video? It's hilarious.

Tuesday, June 30, 2009

No Cisco Live - But, there's always VMWorld!

VMworld 2007Image by mtellin via Flickr

I couldn't make it to Cisco Live this year, because I had to hold the fort down so my co-worker could go. So, now I begin my journey toward attending VMWorld. Would you like to see my initial request to my supervisor? I hope it works. I would really hate to be forced to grovel...

'Boss',

I missed out on Cisco Live this year, so 'co-worker' could go. I hope he has fun, but I’m kind of selfish, and jealous, and “fill in the blank”. Really, I’m abnormally/excessively green with envy. Totally out of character for myself, and I’m really having a difficult time with it. I mean, it’s only once a year that a Cisco guy gets to rub shoulders with 10,000 other pin heads, and socially inept engineers.

I’m considering therapy.

Anyway, while you visualize that, think about this: Cisco will have a large presence at VMWorld. This conference will be held in San Francisco August 31st to September 3rd.

If possible, I would like to make arrangements to attend this training opportunity.

Attending this event would be cheaper than therapy!

Thursday, June 18, 2009

Cisco ASA IPSec VPN Hairpinning

Film poster for Firewall (film) - Copyright 20...Image via Wikipedia

I've been playing around with a Site-to-Site IPSec VPN between a Fortigate and a Cisco ASA. It's been fun getting everything working the way it should. But, my latest challenge was to allow remote access VPN users connecting to the Cisco ASA to connect to resources behind the Fortigate over the site-to-site VPN connection.

The Cisco ASA does not allow a packet to leave the same interface on which it was originally received. This makes sense for a firewall. But, this is exactly what I needed it to do.

That's when we need IPSec Hairpinning to get everything working.

The command to get this working is 'same-security-traffic permit intra-interface'.

When using this command, it's important to remember that the ASA applies firewall rules before sending traffic out to the same interface.

You can get more information about this feature at this Cisco document.

Having another LAN-to-LAN VPN issue? Cisco document id 81824 provides help to troubleshoot the most common L2L issues.
Reblog this post [with Zemanta]

Test AAA Authentication on Cisco ASA


Have you ever been in a situation where you have configured AAA authentication on your Cisco ASA firewall, but you're not sure if it's working?

It can be difficult to determine if there is a problem with the ASA configuration or with the AAA server.

There is an excellent command on the Cisco ASA that allows you to test AAA authentication from the command line. The command is:

test aaa-server {authentication | authorization} server-tag [host server-ip]

An example of this command is included below. The first couple of lines show my AAA authentication configuration. And, the next commands show the 'test aaa authentication' command in action. The first attempt is with properly entered credentials. The second attempt is with improperly entered credentials.


Reblog this post [with Zemanta]

Wednesday, June 3, 2009

Learning a Second Language - JUNOS

I'm about to start an MPLS project that requires the use Juniper routers, but I'm a Cisco guy. I don't know anything about JUNOS.

Well, fortunately, Juniper is making it a little easier to get comfortable with their OS with a nice training class.

If you are new to JUNOS and would like a high-level walk through, check out the "JUNOS as a Second Language" training site.

Thursday, May 21, 2009

Get your VMware vSphere and Nexus 1000V evaluation software

Check out the Cisco data center blog to get details on how to obtain evaluation vSphere and Nexus 1000V software.

Thursday, May 14, 2009

LAN-to-LAN VPN between ASA and Fortinet

I just created a LAN-to-LAN IPSEC VPN tunnel between a Cisco ASA 5505 and a Fortinet Fortigate 100A. This is a first for me. I really shy away from L2L tunnels between desperate equipment vendors. But, it worked like a champ, thanks to some good documentation from both vendors.

From Fortinet, read this article that provides step-by-step instructions, using the web tool or command line.
From Cisco, read this article that provides enough information to set-up the ASA tunnel configuration.

Thanks for the good documentation guys!

Wednesday, May 13, 2009

Create your own mental subnet calculator

Have you seen this video from Fast Lane Consulting? It's posted on Cisco's Learning Network site.

This video will help you to memorize a couple of tables that can be used to quickly obtain subnetting answers for certification exams.

Take a look.

Wednesday, May 6, 2009

Another Internet outage

Renesys posted details about another Internet outage that occurred on Sunday. More unraveling duct tape.

Friday, April 17, 2009

Internet House of Cards

This is a sobering article by Dan Goodin, posted by The Register, that shows, again, how vulnerable the Internet is to a massive, and sustained, interruption.

I liked one of the comments that said that everything is possible – impossible just takes longer. The theoretical difficulties of creating tools that can easily exploit these inherent vulnerabilities is negated when the first tool is released in the wild and reverse engineered.

It is not going to take long, at all, before we start seeing more Internet outages, in both duration and quantity, similar to what was experienced about a month ago when the Yugoslavian ISP engineer accidentally misconfigured BGP on his border router. But, this time, it will be accidentally on purpose.

It's time to brush the dust of off the outage notification policies, because we are going to be using them more - and soon.

Thursday, March 19, 2009

What to make of all the confusing information about Cisco UCS

There is a lot of information, and mis-information, about what Cisco's Unified Computing Solution is. And, to tell you the truth, I'm not so sure I know.

But, one thing is for sure - it has really stirred up the industry, and a wave of competing rebuttals has followed.

As Cisco continues to release more information, in the coming weeks, it will be more clear what UCS and how Cisco is going to change the data center.

Have you seen this Cisco video? Cisco Executives Speak on Unified Computing System

Huh! Yea, that answers everything!

Give it some time. Cisco will make sure that everybody understands what is happening.

What is interesting is that we were given Cisco's 'road map' for their Data Center 3.0 initiative. Unified Computing is step three. And, really, UCS is the piece that begins to pull together Cisco's strategy.As an IT professional, what should you be doing? Get acquainted with the technical aspects of Cisco's initiative. And, help your management understand the big picture of what Cisco is going to do to your data center.

Cisco is leading the charge into this new frontier. Partners like VMware are following. This is a huge shift in the market.

For instance, don't understand Cisco's Nexus 1000V virtual switch? You are not alone. In fact, it requires VMware ESX 4.0, which hasn't been released, yet!

Want to know more about the 1000V? Brad Hedlund has an excellent article on his blog that helps to clear some of the fog.

If that's not enough information, it's time to start asking questions. Start networking with your local VMware User Group. For instance, the VMUG on April 1st in Houston will have a Nexus 1000V demonstration.

If you don't have a VMUG in your area, start one. They are an excellent source of information exchange, education, and social networking.

And remember: It's not important that you always know the answer, but you should know where to get the answer!

Network! Use Twitter and monitor hashes like #unifiedcomputing, #ucs, and #vmware. These are excellent sources of information.

Wednesday, February 25, 2009

Forensic Acquisition Simplified

Check out the Raptor forensic tool.

Tuesday, February 17, 2009

Internet Outage

The company I work for provides virtual server hosting services. So, when the Internet goes down, it's gonna be a bad day at the office.

Yesterday, our provider's Internet connectivity went down, for about 1 1/2 hours. An outage of this duration causes us to lose customers. So, it was a very bad Monday!

Our data center provider has not been very forthcoming with information on the cause of the outage. But, I believe, it was related to the BGP overflow caused by an ISP in the Czech.

The unfortunate consequence is that the arm chairs quarterbacks, like myself, get to determine that the cause of this issue was absolutely avoidable. Isolated to Cisco IOS, two things could have prevented this catastrophic outage for us, and our clients.
  1. Maintain patching levels by running a newer IOS on the routers.
  2. Implement the 'bgp maxas-limit command. http://tinyurl.com/cygzbz
The offending information:

%BGP-6-ASPATH: Long AS path 3549 3257 29113 47868 47868 47868 47868
47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868
47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868
47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868
47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868
47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868
47868 47868 47868 47868 47868 47868 47868 47868 47868 47868 47868
47868 47868 47868 47868 47868 47868 47868 received from xxx.xxx.xxx.xxx:
Has more than 255 AS


This issue was resolved in IOS release 12.1(3a)E1 (http://tinyurl.com/db6v2d)
A Border Gateway Protocol (BGP) UPDATE contains Network Layer Reachability Information (NLRI) and attributes that describe the path to the destination. Each path attribute is a type, length, value (TLV) object.

The type is a two-octet field that includes the attribute flags and the type code. The fourth high-order bit (bit 3) of the attribute flags is the Extended Length bit. It defines whether the attribute length is one octet (if set to 0) or two octets (if set to 1). The extended length bit is used only if the length of the attribute value is greater than 255 octets.

The AS_PATH (type code 2) is represented by a series of TLVs (or path segments). The path segment type indicates whether the content is an AS_SET or AS_SEQUENCE. The path segment length indicates the number of autonomous systems in the segment. The path segment value contains the list of autonomous systems (each autonomous system is represented by two octets).

The total length of the attribute depends on the number of path segments and the number of autonomous systems in them. For example, if the AS_PATH contains only an AS_SEQUENCE, then the maximum number of autonomous systems (without having to use the extended length bit) is 126 [= (255-2)/2]. If the UPDATE is propagated across an autonomous system boundary, then the local Abstract Syntax Notation (ASN) must be appended and the extended length bit used.

This problem was caused by the mishandling of the operation during which the length of the attribute was truncated to only one octet. Because of the internal operation of the code, the receiving border router would not be affected, but its iBGP peers would detect the mismatch and issue a NOTIFICATION message (update malformed) to reset their session.

The average maximum AS_PATH length in the Internet is between 15 and 20 autonomous systems, so there is no need to use the extended length. The failure was discovered because of a malfunction in the BGP implementation of another vendor. There is no workaround. This problem is resolved in Release 12.1(3a)E1. (CSCdr54230)
Source information was obtained from the following locations:
Renesys – Reckless Driving on the Internet - http://tinyurl.com/cd2eq9
Merit Networks – North American Network Operators Group - http://tinyurl.com/dmexp2
Data Center Knowledge – Router Snafu: A ‘Global Internet Meltdown’ - http://tinyurl.com/atmo6h
Slashdot - One Broken Router Takes Out Half the Internet - http://tinyurl.com/bsqhk6

Tuesday, February 3, 2009

ITEXPO Keynote

The keynote session consisted of two presentations. The first was by John Frederiksen, GM of Microsoft Response Point. The second was Danny Windham, CEO of Digium (Asterisk).

John's well prepared presentation centered around Microsoft's Response Point and their software centric philosophy. No offense John, but honestly, my attention was glued to the presentation. So, I didn't manage to write down very many notes. One note of interest was how Microsoft sees the requirements of the current business climate. Identified as business requirements include:
  1. 'Save me money'
  2. 'Save me time'
  3. 'Increase productivity'
  4. 'Help us grow our business'
No debating these requirements. Budgets are tight, and there is no patience for an unstable phone system, when every call counts.

Included in John's presentation was a quote from Bill Gates in 2007. Paraphrasing, he said the power of software will transform communications. With Microsoft's R&D budget, we should see solutions that could very well do that.

Danny's presentation provided some very interesting statistics about OSS (Open Source Software) IPT.

Using a statistic from IDC, OSS is expected to be a $5.8B industry by 2010/2011. There were 10's of millions of downloads of open source software in 2009.

The IP PBX market continues to increase in market share and is expected to reach $7.9B by 2010.

There were a total of 1.75 million downloads of open source IPT software. Of that, 1.5M downloads were for Asterisk software.

It is estimated that there are over 86,000 IP PBX's with an average of 32.8 end points per system.

Another slide presented market share by PBX vendor.
  1. Open Source
  2. Nortel
  3. Cisco
  4. Avaya
  5. Mitel
  6. NEC
The list changes slightly, when looking at total number of end points by vendor.
  1. Nortel
  2. Open Source
  3. Cisco
  4. Avaya
There is no shortage of innovation in the IPT market. It will be exciting to see how products from both Microsoft and the Open Source community mature over the next couple of years.

ITEXPO Service Provider Roundtable

It's been a busy couple of weeks.

Last week I was in Las Vegas for Network Instruments Observer training. This week, I'm in Miami attending the Internet Telephony Conference and Expo.

In between, I've been fighting a cold. Oh well, I guess there has to be a negative for hanging out in the hot spots of the country. No pun intended.

Below are some of the highlights I scribbled down during the 'Service Provider Roundtable'.

The following service providers participated:

8X8, Inc. - Hosted PBX services for the SMB market
Broadvox - Wholesale SIP trunk provider
inPhonex - Consumer Internet phone service provider with strong Latin America presence
MagicJack - Consumer Internet phone service provider
Telefonica - Global corporate communications provider, mainly in Latin America
TW Telecom - Provider of corporate fiber communications infrastructure in 75 US markets


This was a nice discussion about industry issues from a provider perspective.

Mentioned by the panel was the need for the providers to continually innovate. The last major innovation in the industry was 10-15 years ago when DSL was released.

Another issue the SIP providers faced five years ago was their lackluster 99.9% availability. Still not as good as traditional land line solutions, most SIP providers will guarantee 4 nines.

Most enterprises readily adopt NG (Next Generation) products, but not necessarily NG services like SIP. However, budgets will drive NG service adoption because they are more cost effective.

However, like most things, efficiency and reliability depend on proper implementation. This is complicated when these services are delivered over 'plug-and-play' Ethernet connectivity - complicating troubleshooting and blurring the DMARC.

The main take away, regarding SIP services, was to focus on function, instead of features. SIP reliability is very important. Nobody wants to tell their CXO that their phone services are down, again.

Tuesday, January 20, 2009

Cisco's $7 Million Investment in Xobni

Information Week article discussing Cisco's $7 Million investment in Xobni.

It will be interesting to see where this posturing goes.

Read more.

Cisco Plans Big Push Into Server Market

The New York Times published an article yesterday helping to announce Cisco's move into the server market with a virtualized server appliance.

It will be interesting to see how this progresses. Will Cisco buy VMware?

Read more at http://tinyurl.com/8vrhen.

Tuesday, January 6, 2009

Securing the Internet router - Interface ACL

When it comes to securing the perimeter, the Internet gateway routers should be configured to protect the firewall. And, the firewall should protect the DMZ and internal networks.

One of the easiest ways to do this is to block unnecessary Internet noise at the router, using a simple interface access control list.

Here is the ACL template I use on my Internet routers.

interface GigabitEthernet0/0
description To Internet Service Provider
ip address 10.0.0.1 255.255.255.0
ip access-group iACL-external in
!
ip access-list extended iACL-external
deny tcp any 10.0.0.0 0.0.0.255 log fragments
deny udp any 10.0.0.0 0.0.0.255 log fragments
deny icmp any 10.0.0.0 0.0.0.255 log fragments
deny ip any 10.0.0.0 0.0.0.255 log fragments
deny ip 10.0.0.0 0.0.0.255 any
deny ip 0.0.0.0 0.255.255.255 any
deny ip 10.0.0.0 0.255.255.255 any
deny ip 14.0.0.0 0.255.255.255 any
deny ip 24.0.0.0 0.255.255.255 any
deny ip 39.0.0.0 0.255.255.255 any
deny ip 127.0.0.0 0.255.255.255 any
deny ip 128.0.0.0 0.0.255.255 any
deny ip 169.254.0.0 0.0.255.255 any
deny ip 172.16.0.0 0.31.255.255 any
deny ip 192.0.2.0 0.0.0.255 any
deny ip 192.168.0.0 0.0.255.255 any
deny ip any 224.0.0.0 0.0.0.255
deny ip 224.0.0.0 0.0.0.255 any
deny tcp any 10.0.0.0 0.0.0.255 eq telnet
! Limit SMTP to mail gateway only
permit tcp any host 10.0.0.10 eq smtp
permit tcp any 10.0.0.0 0.0.0.255 eq www
permit tcp any 10.0.0.0 0.0.0.255 eq 443
permit tcp any eq ftp-data 10.0.0.0 0.0.0.255 gt 1023
permit tcp any 10.0.0.0 0.0.0.255 eq ftp
permit tcp any 10.0.0.0 0.0.0.255 eq 22
permit udp any eq domain 10.0.0.0 0.0.0.255 gt 1023
permit udp any eq ntp 10.0.0.0 0.0.0.255 log
permit tcp any 10.0.0.0 0.0.0.255 established
permit icmp any 10.0.0.0 0.0.0.255 echo-reply
permit icmp any 10.0.0.0 0.0.0.255 ttl-exceeded
permit icmp any 10.0.0.0 0.0.0.255 port-unreachable
permit icmp any 10.0.0.0 0.0.0.255 protocol-unreachable
permit icmp any 10.0.0.0 0.0.0.255 packet-too-big
permit icmp any host 10.0.0.1 echo-reply
permit icmp any host 10.0.0.1 ttl-exceeded
permit icmp any host 10.0.0.1 port-unreachable
permit icmp any host 10.0.0.1 protocol-unreachable
permit icmp any host 10.0.0.1 packet-too-big
deny ip any any

Now, I've got a reputation for being a stickler for pretty tight router configurations. So, in many cases, I've had to loosen my choke hold on the traffic coming through. So, test these recommendations, before you deploy them at your data center.

Do you have a script you like to use? If you feel like sharing, send me a copy, I may add it to this post.

In an upcoming post, I will share some other things you can do to protect your Internet routers.