Network technologies and trends


August 15, 2013  7:37 AM

How to configure disclaimer message in Cisco Iron Port Appliance? – Series 3

Yasir Irfan Yasir Irfan Profile: Yasir Irfan

Let’s continue from where we stopped in my previous post

Step 9

Once you are done with all the steps click submit as shown below.

C370-step9

Step 10

Select Mail Policies ——-> Outgoing Mail Policies as show below and click add filter

C370-Step 10

Step 11

Now you could see by default Content filter is diabled, we need to enable it

C370-Step11

Step 12

Enable the Content filter and the policy as shown below and click submit

C370-Step12

By following the above mentioned steps you can enable the disclaimer message in Cisco Iron Port C 370 appliance.

August 15, 2013  7:29 AM

How to configure disclaimer message in Cisco Iron Port Appliance? – Series 2

Yasir Irfan Yasir Irfan Profile: Yasir Irfan

Let’s continue from where we stopped in my previous post

Step 5

Select Mail Policies ——-> Outgoing Content Filters as show below and click add filter

C370-Step5

Step 6

Once you click add filter you will see the following template

Complete the template as show below are replace the name and description column with your our text.

C370-Step7 C370-Step6

Step 7

Click Add action

C370-Step7

Step 8

Once you click add action you will see the following screen

Select Add Disclaimer Text and choose which ever your prefer for disclaimer message  “above message  or below message”  tab.

And then select disclaimer text tab as show in the example.

C370-Step8

We will continue the rest of the steps in the next post.


August 15, 2013  6:03 AM

How to configure disclaimer message in Cisco Iron Port Appliance? – Series 1

Yasir Irfan Yasir Irfan Profile: Yasir Irfan

In one of my previous post , I discussed about the bug Microsoft Exchange Server 2010 is carrying related to disclaimer messages.

The only option we had is to configure disclaimer message in Cisco Iron Port appliance. In this post let’s see how to enable a disclaimer message in Cisco Iron Port C 370 appliance.

Step 1

Login into the Cisco Iron Port C 370 appliance

Step 2

Select Mail Policies ——-> Text Resources as show below

C370 -Step2

Step 3

In Text Resource Click add text resources

C370-Step3

Step 4

Once you click add text resource you will find a the following template

Just give any name you like for the name tab.

In the type select the “Disclaimer Template”

The in the Inset Variables tab enter the disclaimer message you like have and click submit.

C370-Step4

We will continue the rest of the step in the next post.


August 3, 2013  11:42 AM

What is EIGRP Over the Top?

Yasir Irfan Yasir Irfan Profile: Yasir Irfan

In the recently concluded Cisco Live, Cisco made an interesting announcement about EIGRP. Yes Cisco is coming out with “EIGRP Over the Top (OTP)” which enables routers running EIGRP to peer across the service provider infrastructure without their involvement. An interesting feature which may catch up the pace in the real world networking.  With EIGRP OTP the service providers won’t even see the customers at all.  EIGRP OTP acts as a provider-independent overlay that transports customer data between the customer’s routers.

One advantage of EIGRP Over the Top solution is, it simplifies multi provider IP WAN network design. It also simplifies the interface with the WAN providers and facilitates an end-to-end EIGRP network, which makes the troubleshooting easier.

I believe EIGRP Over the Top will definitely makes things much easier for service providers as they can deploy EIGRP OTP as it doesn’t impose any special requirements for them.

Some of the key futures of EIGRP Over the Top are as follows

  • Allow customers to segment their network using an MPLS VPN backbone
  • Impose little requirements or no restrictions on customer networks
  • Work seamlessly with both traditional managed and non-managed internet connections
  • EIGRP routes are NOT distributed to MP-iBGP and never show up in the MPLS-VPN backbone
  • Compliments an L3VPN Any-to-Any architecture (no hair pinning of traffic)


August 2, 2013  9:25 AM

Multiple Cisco Products are affected by OSPF LSA Manipulation Vulnerability

Yasir Irfan Yasir Irfan Profile: Yasir Irfan

The recent security advisory suggests that multiple Cisco products are affected by a vulnerability involving the Open Shortest Path First (OSPF) Routing Protocol Link State Advertisement (LSA) database. With the help of this vulnerability an unauthenticated attacker can take control of the OSPF Autonomous System (AS) domain routing table, backhole traffic and intercept traffic. Which could cause a huge damage to the attacked network.

The attacker could trigger this vulnerability by injecting crafted OSPF packets. Successful exploitation could cause flushing of the routing table on a targeted router, as well as propagation of the crafted OSPF LSA type 1 update throughout the OSPF AS domain.

To exploit this vulnerability, an attacker must accurately determine certain parameters within the LSA database on the target router. This vulnerability can only be triggered by sending crafted unicast or multicast LSA type 1 packets. No other LSA type packets can trigger this vulnerability.

The good news is that the OSPFv3 is not affected by this vulnerability. Fabric Shortest Path First (FSPF) protocol is also not affected by this vulnerability.

All versions of Cisco NX-OS Software are also affected by the vulnerability. There are currently no official fixed releases available on Cisco.com, but interim releases may be available through Cisco Technical Assistance Center (TAC). Customers with service contracts should contact Cisco support organization to get the interim update.

Cisco has released free software updates that address this vulnerability. Workarounds that mitigate this vulnerability are available. This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130801-lsaospf


July 24, 2013  7:37 AM

Windows 8.1 Preview is Incompatible with many Antivirus Software

Yasir Irfan Yasir Irfan Profile: Yasir Irfan

Windows 8.1 preview is an update of Windows 8, it’s not a full blown new version of Windows. When its just an update ,we all end users expect that  most of the applications will run on the updated version of Windows 8.1 preview. But this is not the case. The most important issue rises here is of Anti-Virus Compatibility. Lots of Windows 8.1 preview users are complaining about the incompatibility of Anti Virus with Windows 8.1 preview.

Before upgrading to Windows 8.1 preview I was using Trend Micro Titanium Maximum Security, it was working fine with Windows 8. I had no issues. Once I upgraded to Windows 8.1 preview I noticed my Anti-Virus application was not working. I tried to re-install the AV but it failed all the time with the following error.

Trends AV

I tried to take contact Trend Micro Support team, but still they don’t have a solution for this issue. Even When I tired Kaspersky pure it failed.

Since Windows 8.1 comes with a built-in Windows defender to certain extent the PCs are  protected. I believe since this issue is already known, most of the security firm are most probably working on the fix. Already some security firms are working on either update or beta release. Here are the links


July 23, 2013  12:12 PM

Cisco UCS Outperforms HP and IBM Blade Servers on East-West Latency

Yasir Irfan Yasir Irfan Profile: Yasir Irfan

 

These days the focus is increasing towards lower latency and high performing server-to-server data traffic (East-West). Cisco claims that they specifically designed their UCS unified fabric for this type of traffic. Cisco want to prove the claim made by their competitors that Cisco UCS unified fabric would increase latency and slow blade-to-blade traffic. Cisco ran the tests, and the results were simply amazing.

cisco ucs

According to the recent concluded test Cisco claims that HP and IBM blade architectures rely on placing networking switches (HP Virtual Connect; IBM Flex System Fabric Switches) inside of every 16 or 14 blade chassis. These legacy vendors imply that data can communicate from one blade to another more efficiently because their networking switches reside within the chassis.  They fail to mention two critical points:

  1. All HP and IBM Blade-to-Blade data must still traverse the switch ASICs (HP Virtual Connect; IBM Flex System Fabric) – it does not magically jump across the mid-plane.
  2. Beyond a single enclosure requires data to exit chassis 1, travel through Top-of-Rack (ToR) switches, then down to chassis 2 through a second set of in-chassis networking switches.

Not only does Cisco UCS outperform HP and IBM, but UCS clearly provides lower latency and faster VM timing by a wide margin. Thousands of East-West samples were collected, testing raw blade-to-blade latency (UDP/TCP/RTT TCP) and virtual machine migration times. Testing was performed on a number of different fabric topologies both within a single chassis (best case for HP and IBM) as well as across multiple chassis. Full details can be obtained under NDA from your Cisco representative.

The highlights of the test are as follows

“Cisco UCS demonstrated lower latency than the HP BladeSystem c7000 with Virtual Connect for every test group and every packet size (User Datagram Protocol [UDP], TCP, and round-trip time [RTT] TCP).”

“Cisco UCS delivered better performance than IBM (faster virtual machine migration times) for every group size tested.” “As the virtual machine size and network load increases, the Cisco UCS performance advantage also increases.”

 

You can access the complete report for test carried by Cisco for HP and IBM Blade servers from the below links

Cisco UCS Outperforms HP Blade Servers on East-West Latency
Cisco UCS Outperforms IBM Flex System Blades on East-West Latency


July 21, 2013  7:35 AM

The top 12 spam-relaying countries according to Sophos are

Yasir Irfan Yasir Irfan Profile: Yasir Irfan

According to latest “Dirty Dozen” published by Security specialist Sophos, still US maintains its grip as the top spam-relaying country followed by Belarus. Belarus over took China, as China used to be the  number two spam-relaying country.  The latest “Dirty Dozen” list covers the second quarter of 2013.

This quarter experienced addition of three new countries like Ukraine, Kazakhstan and Argentina in the top 12 spot, whereas countries like France, Peru and South Korea make a signification progress in reducing their spam-relay over the internet. Before these countries were in top 12 list of “Dirty Dozen” report.

According Sophos, US maintains the No1 spot for obvious reasons like its population and its major share of the world’s internet connectivity.

Be it economic growth or anything related to Internet no one can forget the presence of China and India. Yes both India and China are one of the top 12 spam-relaying countries in the world.

The “Dirty Dozen” list tells us how spam gets relayed from the crooks to their potential victims, said Paul Ducklin, Sophos security evangelist.

“Even if you’re the most law-abiding citizen of the most law-abiding country in the world, you might be helping to project your own country into the Dirty Dozen if you don’t take security seriously on your own computer. It may sound corny, but security really does begin at home.”

Ducklin added that a few simple precautions can help enormously, such as “timely security patching, an up-to-date anti-virus and a healthy scepticism about unwanted attachments and ‘too-good-to-be-true’ offers.

“By taking these steps, you’ll not only protect yourself, but also help to protect everyone else at the same time,” Ducklin said.

The top 12 spam-relaying countries by volume for April to June 2013 are as follows

1 U.S. 13.8%
2 Belarus 11.7%
3 China 5.9%
4 Ukraine (new to the list) 5.5%
5 Taiwan 3.6%
6 India 3.6%
7 Spain 3.4%
8 Kazakhstan (new to the list) 3.3%
9 Argentina (new to the list) 3.1%
10 Italy 2.9%
11 Russia 2.6%
12 Germany 2.5%


July 18, 2013  9:30 AM

Exchange 2010 has issues with Disclaimer Messages

Yasir Irfan Yasir Irfan Profile: Yasir Irfan
Recently we enabled Disclaimer message in Exchange 2010 Server. After enabling the disclaimer message we could see the disclaimer message was forwarded as footer with all the outgoing emails from our users. However vast majority of users including me faced issues in the delivery of certain emails. They were never delivered to the intended recipients.
At the same time I was also working on creating certain polices for outgoing emails in our Cisco C370 Iron Port email gateways. Which certainly misguided us to troubleshoot the problem. We thought may be some issues with the Iron Port policies, but upon deep troubleshooting we discovered that Iron Port has no issues and it was working fine.
When we started tracking the messages in Exchange 2010 Server we discovered some of the emails were not delivered and they were on the poison queue. Upon lot of investigation we discovered there is an unknown bug in Update Rollup 1 for Exchange Server 2010 SP3.
exchange error 1
Still Microsoft has no concrete solution to resolve this issue except disabling the disclaimer message. Microsoft support Engineer suggested us to use any third party tools for disclaimer mail. Meanwhile we were asked to use the interim update provided by them but still the issue was not resolved. Which is quite strange for us.  We were forced disabled the disclaimer message in Exchange 2010 for the normal operation and delivery of our important emails.
As our Email Security Policy Clearly defines to have a disclaimer message, thank god Iron Port is such an amazing appliance we could able to configure the disclaimer message in the Iron Port device which I will share in upcoming post.


July 17, 2013  6:59 AM

Upgrading ASA 5500 Series firewall, things to be considered – Series 1

Yasir Irfan Yasir Irfan Profile: Yasir Irfan

When it comes to upgrade an ASA 5500 Series firewall from 8.2 version to 8.3 or so, many things comes into the picture.  Recently we upgraded our ASA 5540 Firewall from the IOS version 8.2.1 to 8.4.6. I would like to share the details about the upgrade.

Stating IOS version 8.3 and later there is pre-requisite related to memory of the ASA. Most of new ASA manufactured after Feb 2010 comes with the upgraded memory. However if your ASA was manufactured before February 2010 you may need to upgrade the memory of the ASA as per the below mentioned table.

ASA Memory

* Note:  The maximum memory supported for the ASA-5520 and ASA-5540 is 2 Gb.  If you install 4 Gb of memory in these units, they will go into a boot loop.

The first thing you need is to determine the existing memory your ASA has , which can be done in two ways first by using a command line interface (CLI) do issue a command show version | include RAM

sec/FW01-MB-IE-001#            show ver | include RAM

Hardware:   ASA5540, 1024 MB RAM, CPU Pentium 4 2000 MHz

sec/FW01-MB-IE-001#

In my case the available memory of 1 GB so I should add more 1 Giga Memory to upgrade the ASA from 8.2.1 to 8.4.6

Those who are prefer ADSM, you can always see the amount of RAM in the ASA from the ADSM home (Device Dashboard) page as shown below

ADSM memory

In upcoming post I will try to share my experience about the upgrade and the thing we need to take care after upgrading the ASA firewall.


Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to: