Cisco archives - The musings of an IT Consultant


Oct 31 2009   9:00PM GMT

Is your data network ready for VoIP?



Posted by: Raj Perumal
VoIP, data network, engineers, IT, phones, voice network, data, voice, PBX, Cisco, call manager, Catalyst, switches, switching, QOS, POE

Hi folks! One of the greatest things about today’s network is that it seems to be able to handle anything. It doesn’t seem to matter what you want to do on your network, there is always a technology around the corner that can make it happen for you.

Well one of the most common things happening today is the conversion of data networks to voice and data networks. With the coming of VoIP, network engineers have been put under an increasing burden to support the world of the telephone when historically data and voice have been two separate entities.

There are a lot of people that erroneously think that VoIP is all about the phones and the PBX, but in reality if you don’t have a data network that can handle the traffic, none of that is really going to matter. Some of the things network administrators find out in the end is that a switch isn’t always just a switch. What I mean by this is that administrators have been forced to cut and slash budgets and buy cheaper equipment only to find out that their switch is sub-par and cannot support a voice network. They are then faced with redoing their entire data network infrastructure, which makes the cost of going to VoIP prohibitively expensive.

If administrators really look at what is offered to them when they buy network equipment such as switches, they can then plan for future VoIP deployments so when the time comes their data network will be ready. Things such as QOS and POE are two items that are not paid heed to when buying switches if VoIP isn’t in the equation, but then you find out you need it when the company starts going in the VoIP direction.

What I’m trying to say here is that in the future, almost all of us will be using VoIP, so you might as well start planning for getting your data networks ready now.

-RP

Oct 31 2009   8:40PM GMT

Cisco’s SDM, how much do you hate it?



Posted by: Raj Perumal
Cisco, SDM, managing routers, gui, software

Hi folks, so as a Cisco certified individual that works for a Cisco partner, it’s pretty easy to guess that I would like all things Cisco. Well, almost all things. The one thing I hate immensely is the Cisco SDM. This is the GUI software that was used to manage Cisco routers in the past.

Now lately you can use other things to manage the routers, and you can always use the trusty CLI (Command Line Interface) which is my favorite way of managing anything Cisco. But unfortunately I still see many administrators trying to use the SDM. Heck even in my CCNP training they advocate using the SDM. Talk about out of date training material.

So what I’m trying to say here is that I just want the SDM to die and go away. It hasn’t even been updated since 2007 according to the release notes. If you’re an administrator and you’re still using the SDM, please stay away from it. It will cause you more grief than good. There are a ton of bugs in it and there are better ways for you to be managing your routers.

-RP


Oct 31 2009   8:35PM GMT

The Cisco ESW 500 Series Switches for the SMB



Posted by: Raj Perumal
Cisco, ESW 500 series switches, POE, cheap, vlans

Hello again folks! I wanted to talk a little bit about switching again. This time in the SMB! In the SMB space it has been historically hard to find good quality but cheap switching. Especially if you require POE switching for things such as VoIP or POE powered access points in your wireless network.

Well Cisco has a great solution for the SMB with their ESW 500 series line of switches. These switches are also from their Small Business Pro line. There are a variety of models to choose from including POE models. For those clients that just need basic switching with vlans and POE these are great switches to choose from.

Granted, Cisco has the 2960 switches with the LAN Lite images, but they aren’t at the same price point. The ESW 500 series are aggressively priced against competing brands.

-RP


Oct 31 2009   8:26PM GMT

Great small business firewall from Cisco



Posted by: Raj Perumal
Cisco, Cisco SA 500, Small Business Pro, firewall, wireless, SMB, small business

So as a result of Cisco getting more and more into the small business world, they have finally decided to position a small business firewall in the market for the smallest of small businesses. The Cisco SA 500 series of security appliances. This is from the Cisco Small Business Pro line.

The Cisco SA 500 series comes in a variety of models, the SA 520, 520W and 540. The 520W is particularly nice because it provides built-in wireless functionality as well. The 540 is basically the version that supports the most throughput and is the higher end version of the bunch.

From using the SA 520, it is apparent from the start that it is meant to be user friendly. The entire device is configured via the GUI and there is no command line to worry about. If you just need a small appliance to drop into a very small business for basic Internet access and firewalling capability, this is a great solution. On top of all that it has VPN and VLAN support, so you can do some business-like configuration of the device instead of just throwing in a home based router/firewall.

-RP


Aug 31 2009   4:28PM GMT

DHCP security on Cisco switches



Posted by: Raj Perumal
Cisco, DHCP Snooping, DHCP server, rogue DHCP server

Hi folks! So I’m sure you’ve all run into the issue of having a rogue DHCP server on your network. This can happen just as easily by accident or as a determined attack. How do you avoid this? Well, on Cisco switches you can use something called DHCP Snooping!

DHCP Snooping allows the switch to classify its interfaces as trusted or untrusted. Trusted interfaces forward all DHCP traffic; untrusted interfaces still forward client requests but drop DHCP server replies (offers and acknowledgements), so a server behind one can never hand out an address. This allows us to configure the ports that we know have a DHCP server plugged into them (or the uplink towards it) as trusted. All other ports, no matter what, will be untrusted.

Ideally you would leave all the user-facing ports on your access layer switches untrusted (the default once snooping is enabled) and trust only the uplinks. That way, if anyone plugs in a router or something else that has a built-in DHCP server, it won’t compromise your network.

Also, Cisco switches aren’t the only switches that support DHCP snooping. There are many other switch brands that do support it as well. When you are considering buying a new switch, make sure it has this feature, it’s great for security!

You can read more about configuring it here.
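The following is an added example of the configuration described above on a Cisco IOS access switch; it is not taken from the post. The VLAN number, interface names and rate limit are assumptions chosen for illustration: VLAN 10 is the user VLAN, GigabitEthernet0/1 is the uplink towards the real DHCP server, and FastEthernet0/1 - 24 are user ports.

```cisco
! Added example (not from the post): DHCP snooping on an access-layer switch.
! Assumed: user VLAN 10, DHCP server reached via uplink Gi0/1, users on Fa0/1-24.
ip dhcp snooping
ip dhcp snooping vlan 10
! Only insert Option 82 if the upstream relay/server expects it; off is the safer default.
no ip dhcp snooping information option
!
interface GigabitEthernet0/1
 description Uplink towards distribution and the DHCP server - the only trusted port
 switchport mode trunk
 ip dhcp snooping trust
!
interface range FastEthernet0/1 - 24
 description User access ports - untrusted by default, server replies are dropped here
 switchport mode access
 switchport access vlan 10
 ! Cap DHCP messages per second so one port cannot flood the snooping process
 ip dhcp snooping limit rate 15
!
! Verification:
!   show ip dhcp snooping          - trusted ports, enabled VLANs, rate limits
!   show ip dhcp snooping binding  - MAC/IP/lease table built from observed DHCP exchanges
```

Two things worth checking after enabling it: the uplink really is marked trusted (otherwise legitimate offers from the corporate server are dropped and clients stop getting addresses), and the binding table populates, since that same table is what IP Source Guard and Dynamic ARP Inspection build on if you enable them later.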

-RP


Aug 31 2009   4:02PM GMT

Port Security on Cisco Switches



Posted by: Raj Perumal
Cisco, port security, mac addresses

So in a previous blog I mentioned something called port security. What is port security you might ask? Well, in Cisco land port security is the ability to restrict access to certain ports based on MAC address. Granted, there are methods to spoof MAC addresses, but this is just one more way you can put another roadblock in front of a determined attacker.

Port security can be configured so you can specify how many and which MAC addresses can speak on a certain port. This is ideal when you know what servers are plugged into which ports. You will know the MACs that are needed and you can therefore restrict traffic only to them. If someone tries to plug something else into that port, then your switch can be configured to alert you or even shut down the port altogether.

Port security can even be configured with aging in mind. You can set it so it remembers a mac address for X amount of time and then it will age out the mac address and allow it to learn another one on that port. There are certain situations where you might find this valuable.

You can read more about configuring port security here.
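Here is an added Cisco IOS example (not from the post) covering the three behaviours mentioned above: a fixed allowed MAC on a server port, a per-port maximum with a configurable violation action, and inactivity aging on a user port. The interface names, VLAN numbers and the MAC address 0011.2233.4455 are placeholders chosen for illustration.

```cisco
! Added example (not from the post): port security with a hard-coded MAC, a
! learned-MAC limit, and aging. All interface names, VLANs and MACs are placeholders.
!
! Server port: exactly one known MAC, anything else shuts the port (err-disable).
interface GigabitEthernet0/10
 description Server - fixed MAC, hard-coded
 switchport mode access
 switchport access vlan 20
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address 0011.2233.4455
 switchport port-security violation shutdown
!
! User port: learn up to 2 MACs dynamically (PC behind an IP phone), forget them
! after 10 minutes of silence so a moved desk does not need a manual clear.
! 'restrict' drops offending frames and logs/counts the violation without
! taking the port down; use 'shutdown' if you prefer the hard stop.
interface FastEthernet0/5
 description User port - limited and aged
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 110
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 switchport port-security aging time 10
 switchport port-security aging type inactivity
!
! Let a port err-disabled by a violation recover on its own after 5 minutes,
! so an accidental trip does not become a helpdesk ticket.
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
! Verification:
!   show port-security interface FastEthernet0/5
!   show port-security address
!   show interfaces status err-disabled
```

A caveat on aging: dynamically learned addresses age out as shown, but addresses you configure statically (or learn with `switchport port-security mac-address sticky`) are treated as static and are not aged unless you also add `switchport port-security aging static`. Decide which you want before turning sticky on, or the "remember for X minutes, then learn a new one" behaviour described above will not happen.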

-RP


Aug 31 2009   2:43PM GMT

VTP - should you use it?



Posted by: Raj Perumal
Cisco, switches, VTP, Vlan Trunking Protocol

Hi folks! So welcome to the wonderful world of networking! You buy that fancy brand new Cisco switch and you think to yourself, “I have this cool feature called VTP (Vlan Trunking Protocol) and I want to use it to automatically deploy vlans across all of my switches! This will save me tons of configuration time!” Well should you really do this? Here are my thoughts on the matter.

It seems there are two schools of thought on this. VTP is a great protocol for quickly configuring switches; it takes the monotony out of configuring switches with tons of VLANs. On the other side, VTP is easily taken advantage of. If your network is not properly secured, an attacker could easily use VTP to compromise your network!

So this is what I would recommend, don’t use it unless you absolutely have to. Even if you do end up using it then remember to lock down your switch using best practices. Turn off all unnecessary trunk ports, and enable port security where possible. Also even if you use a password with VTP it has been proven that there are methods to retrieve this password.

-RP
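As an added example (not the author's configuration), here is how the lockdown recommended in the post looks on a Cisco IOS switch: VTP taken out of the picture with transparent mode, every access port prevented from negotiating itself into a trunk, the one real uplink configured as an explicit trunk with a pruned VLAN list, and unused ports parked. The domain name, VLAN numbers and interface names are placeholders.

```cisco
! Added example (not from the post): neutralising VTP and hardening trunks.
! Domain name, VLANs and interface names are placeholders.
!
! Transparent mode: this switch keeps its own VLAN database and ignores
! advertised revisions, so a rogue switch with a higher revision number
! cannot rewrite it. (Newer IOS releases also offer 'vtp mode off'.)
vtp mode transparent
vtp domain EXAMPLE-DOMAIN
vtp password REPLACE-WITH-A-STRONG-PASSWORD
!
! Access ports: fixed access mode and no DTP, so nothing plugged in can
! negotiate a trunk and start receiving every VLAN.
interface range FastEthernet0/1 - 24
 switchport mode access
 switchport nonegotiate
!
! The real uplink: explicit trunk, DTP off, unused native VLAN, only the
! VLANs this switch actually needs.
interface GigabitEthernet0/1
 description Uplink to distribution
 switchport mode trunk
 switchport nonegotiate
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,110
!
! Unused ports: shut down and parked in a dead VLAN until someone needs them.
interface range FastEthernet0/25 - 48
 switchport mode access
 switchport access vlan 999
 shutdown
!
! Verification:
!   show vtp status              - mode Transparent, revision not advancing
!   show interfaces trunk        - only Gi0/1 should appear
!   show dtp interface Fa0/1     - should report DTP disabled
```

On platforms that still support ISL, `switchport trunk encapsulation dot1q` must precede `switchport mode trunk` on the uplink. Port security on the user ports is left as shown in the port security post above.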


Aug 31 2009   2:28PM GMT

Preparing for the ISCW



Posted by: Raj Perumal
ccnp, ISCW, 642-825, Bryant's Advantage, Cisco, self-study guide, study guide

Hello again folks! So this time I’m getting ready to write my 3rd exam in the CCNP series of exams. The next exam is called the ISCW (Implementing Secure Converged Wide Area Networks). This is exam # 642-825.

The ISCW exam material seems to be smaller to me. I’ve also heard it is easier than the BSCI and the BCMSN. It covers topics such as

  • Basic configurations for Cisco routers when you’re configuring them in a teleworker scenario such as with DSL or Cable Internet.
  • IPSec VPN
  • MPLS
  • Mitigation of Common Network attacks
  • IOS Firewall
  • IPS
  • Hardening of Cisco Devices

Now that does sound like a lot of material, but it shouldn’t be too bad considering how crazy the BSCI exam was. I figure if I wrote the BSCI successfully the rest should be comparatively easier (not easy, but just in comparison). So since I was so successful with the last two, I’m not going to abandon my strategy. A combination of the learning from my boot camp combined with the Cisco self-study guide, more lab time and the Bryant’s Advantage study guide should allow me to pass the exam.

-RP


Aug 25 2009   7:08PM GMT

Passed the BCMSN!



Posted by: Raj Perumal
passed, BCMSN, Cisco, ccnp, ISCW, Boson, boot camp, The Bryant Advantage, Chris Bryant

Hi folks! As you can probably tell from the title of this post, I passed the BCMSN! Yay! It was a hard exam but not as hard as the BSCI in my opinion. Before I had written either exam, I had heard that the BSCI was 10 times harder than the BCMSN. I don’t think that’s quite correct. It was probably more like 2 times as hard as it.

In any case, they both are difficult exams! The BCMSN had lots of different questions on redundancy, voip, wireless, STP, inter-vlan routing etc. Basically all the stuff they list on the exam guide in the Cisco exam curriculum on their website.

What did I use to study? Well I used what I learned from Bryan Baize at the Boson CCNP bootcamps and I also used the Bryant Advantage study guides again along with the normal Cisco self study guides. Combining all of that together got me the information I needed to pass!

Two more exams left in the CCNP for me. Next exam up will be the ISCW (Implementing Secure Converged Wide Area Networks) 642-825. Wish me luck!

-RP


Aug 25 2009   12:18PM GMT

CCNP - BCMSN Next!



Posted by: Raj Perumal
BCMSN, Cisco, ccnp, ccie, training material, study, certification

Hi folks, so I’m almost done preparing for the BCMSN exam which is part of the CCNP certification. The exam is called Building Cisco Multilayer Switched Networks. I’ve already written the routing one and this is the next one on my list.

These Cisco exams are pretty tough and sure take a lot out of you but with enough practice and preparation you should be able to do them. I find that using simulators and real equipment (real world experience) helps a ton to pass these exams. A combination of both is just great.

After the BCMSN is done I will only have two more exams left to get my CCNP and then it will be on to my CCIE training. Right now I’m just focusing on passing the CCNP, but if anyone has any good suggestions for CCIE training feel free to post and let me know. I know everything is changing this year with the CCIE in October I believe, so there probably won’t be as much study material out there for it as there is for the current CCIE.

-RP