When it comes to upgrade an ASA 5500 Series firewall from 8.2 version to 8.3 or so, many things comes into the picture. Recently we upgraded our ASA 5540 Firewall from the IOS version 8.2.1 to 8.4.6. I would like to share the details about the upgrade.
Stating IOS version 8.3 and later there is pre-requisite related to memory of the ASA. Most of new ASA manufactured after Feb 2010 comes with the upgraded memory. However if your ASA was manufactured before February 2010 you may need to upgrade the memory of the ASA as per the below mentioned table.
* Note: The maximum memory supported for the ASA-5520 and ASA-5540 is 2 Gb. If you install 4 Gb of memory in these units, they will go into a boot loop.
The first thing you need is to determine the existing memory your ASA has , which can be done in two ways first by using a command line interface (CLI) do issue a command show version | include RAM
sec/FW01-MB-IE-001# show ver | include RAM
Hardware: ASA5540, 1024 MB RAM, CPU Pentium 4 2000 MHz
In my case the available memory of 1 GB so I should add more 1 Giga Memory to upgrade the ASA from 8.2.1 to 8.4.6
Those who are prefer ADSM, you can always see the amount of RAM in the ASA from the ADSM home (Device Dashboard) page as shown below
In upcoming post I will try to share my experience about the upgrade and the thing we need to take care after upgrading the ASA firewall.
When it comes to CCIE Routing and Switching Written Exam you need to study lots of books especially the titles published from Cisco Press. As we all know CCIE Routing and Switching is not an easy task, it needs lots of preparation. Since I am in the process of perusing CCIE Routing and Switching I thought of starting my journey with CCIE Routing and Switching Certification Guide ( 4th Edition) published by Cisco press.
I would like to thanks Jamie Soup from Cisco Press for providing me the copy of CCIE Routing and Switching Certification guide. I thought of sharing my review on this wonderful title.
Since I am coming from CCNA,CCDA, CCNP , CCDP back ground, it was easier for me to understand the concepts and contents of this title. I feel this content is little bit higher not easy to grasp for those, who have little experience or someone who is trying to pass CCIE without reading the CCNA and CCNP Cisco Press titles. The authors are certainly targeting those Certification aspirers who have solid understanding of Routing and Switching concepts.
This title also differs from other Cisco Press titles, as the foundation summary at the end of each chapter does not repeat the information presented in the “foundation topics” section of each chapter. I feel this approach challenges the CCIE aspires which I really like.
The title is divided into nine parts based on topics and then it further dissected into 20 chapters. The introductory part on LAN Switching and IP Addressing really refreshes your knowledge, each chapter begins with “Do I Know this Already? Quiz which certainly gives clear idea to a reader about his/her understanding on that particular topic. I really enjoyed reading the Multicasting part of this title as it’s written in a very engaging way. More or less majority of the topics are covered with sample scenarios and configurations related to that particular concept. I wish the authors would have elaborated more on troubleshooting part like debug commands and most commonly found issues in the real world scenarios.
The title also comes with a CD which comprises of a powerful test Engine from Boson which allows the reader to focus and practice questions on either individual topic or a complete exam. I strongly recommend all CCIE aspirers to go through these practice exams which are also an alternative source of gaining knowledge.
To conclude I would say this title is certainly not for those who just want to pass CCIE written exam by reading this title. Also this titles proves to be little boring and though for those who are not coming with CCNA and CCNP back ground. Certainly there is always room for improvement I would ask the publishers to look at certain typos, and also it would be better if topics are penned in simpler way. I would rate 4 out of 5 for this title as its one of the most important title to be read for CCIE Routing & Switching Exam.
Cisco Live was recently concluded in Orlando, Florida where Cisco announced the new top-end Nexus 7700 switches with new ASICS which is capable of working up to 100 Gb/ sec speed. The new 7700 line will come in two versions: a 10-slot 7710 and an 18-slot 7718. Cisco says the chassis will be available in July
Cisco says it has more than 40,000 Nexus 7000 chassis in the field. Now it has two more switches to add to the 7000 family with the Nexus 7700 line. The 7700 has a maximum throughput of 83 Tbps, and a single system can have up to 384 40-GigE ports or 192 100-GigE ports. As with other switches in the 7000 line, the 7700s will include dual redundant supervisor modules to enable software upgrades without losing packets.
The Cisco Nexus 7700 10-slot switch is scalable up to 42 terabits per second (Tbps), whereas the Cisco Nexus 7700 18-Clot Switch cab scale up to 83 terabits per seconds. Both switches are designed to offer high availability, exceptional performance, and high density 40 and 100 Gigabit Ethernet (GE) and front-to-back air flow. That makes it ideal for high performance data center access, aggregation, core, and Unified Fabric deployments.
Looks like Cisco is trying to refresh its product line in competition with other Switch manufacturing vendors.
In my previous post we saw how to overcome the Cisco NAC restrictions for the Windows Deployment Services Server, as we progressed and started implementing the solution in our production environment we discovered various challenges.
In our production network we are applying various kinds of Layer 2 security at Cisco Access Layer Switches. One of the applied layer 2 security policy is IP Source guard.
IP Source Guard provides source IP address filtering on a Layer 2 port to prevent a malicious host from impersonating a legitimate host by assuming the legitimate host’s IP address. The feature uses dynamic DHCP snooping and static IP source binding to match IP addresses to hosts on untrusted Layer 2 access ports.
Initially, all IP traffic on the protected port is blocked except for DHCP packets. After a client receives an IP address from the DHCP server, or after static IP source binding is configured by the administrator, all traffic with that IP source address is permitted from that client. Traffic from other hosts is denied. This filtering limits a host’s ability to attack the network by claiming a neighbor host’s IP address. IP Source Guard is a port-based feature that automatically creates an implicit port access control list (PACL).
In all our access switches IP Source Guard is enabled by as shown below
When we enable IP source guard, the Windows Deployment Services Server failed to install Windows 7 over the network. Upon troubleshooting we discovered that there is a bug CSCts44728 per which IP Source Guard stops PXE boot, you can find more info about it here
This bug is available in 12.2(55) SE3 IOS version, however its fixed in 12.2(55) SE5 and in 15.0(2)SE IOS versions.
In order to deploy Windows 7 over the PXE using Windows Deployment Services Server we were forced to disable the IP Source Guard feature by using the Cisco IOS command “no ip verify source”.
The only way enable Ip soruce guard is to upgrade the IOS of the switch from 12.2(55) SE3 to 12.2(55)SE5 or later.
How to integrate Windows Deployment Services Server with a typical Cisco Networking devices – Series 3
Let’s continue to with rest of the steps to allow Windows Deployment Services Server through a Cisco NAC.
Click Add Polices
Add the IP address of Windows Deployment Services Server along with the UDP ports required
The Windows Deployment Server needs the following UDP ports to be opened from unauthenticated role (Untrusted -> Trusted role)
The IP address of Windows Deployment Services Server in our case 10.204.27.49
The UDP ports required for any Windows Deployment Services Server is as follows
Then click update policy
Create one more policy for the TCP ports required for Windows Deployment Services Server
The Windows Deployment Server needs the following TCP ports to be opened from unauthenticated role (Untrusted -> Trusted role)
The IP address of Windows Deployment Services Server in our case 10.204.27.49
The TCP ports required for any Windows Deployment Services Server is as follows
Then click update policy.
By following these steps we could deploy Windows 7 using Windows Deployment Services Server even when the workstation is connected in untrusted role in the Cisco NAC
How to integrate Windows Deployment Services Server with a typical Cisco Networking devices – Series 2
In series 1 we discussed how to integrate Windows Deployment Services Server with a typical Cisco Networking devices. We dealt with the configuration at the distribution layer switches, yes by adding ip-helper address the issue was resolved. When we tried the same setup in our live environment which consists of Cisco NAC we faced the problem. Obliviously without NAC client and posture assessment the NAC CAS server won’t allow the client as a trusted client.
The only way is to allow access for a Client PC from untrusted mode to access Windows Deployment Service server. This can be done by creating policy for user management in Cisco CAM device as show below
Login to CAM Device
Click – User management
Select unauthenticated roles
I will continue the reset of the steps in next post.
Couple of days back I received an email from Microsoft with a subject “TechNet Subscriptions retirement” and following are its contents.
“As IT trends and business dynamics have evolved, so has Microsoft’s set of offerings for IT professionals who are looking to learn, evaluate and deploy Microsoft technologies and services. In recent years, we have seen a usage shift from paid to free evaluation experiences and resources. As a result, Microsoft has decided to retire the TechNet Subscriptions service and will discontinue sales on August 31, 2013.”
I was shocked with the decision taken by Microsoft, is it a right decision? The question now arises is how are they going to provide testing environments for small time developers? Usually 90-180 day evaluation won’t give much flexibility. Well time will tell how it’s going to impact the IT professionals. Currently most of the IT professionals are not happy with this move of Microsoft.
Though Microsoft are reassuring the IT professionals with the following message
“Subscribers with active accounts may continue to access program benefits until their current subscription period concludes.
We are committed to helping customers through this transition phase and will remain focused on providing IT professionals with free access to a broad set of TechNet assets that support the needs of IT professionals around the world.
Improved Free Offerings for IT Professionals Include:
- TechNet Evaluation Center: Free evaluation software with no feature limits, available for 30-180 days. Includes rich evaluation resources and TechNet Virtual Labs, which enable you to evaluate software without the need to install bits locally.
- Microsoft Virtual Academy: Free online learning site, with over 200 expert-led technical training courses across more than 15 Microsoft technologies with more added weekly.
- TechNet Forums: Free online forums where IT professionals can ask technical questions and receive rapid responses from members of the community.
Please note, MSDN Subscriptions provide a paid set of offerings that are also available for those who require access to evaluation software beyond what the above free offerings provide.”
I strongly believe that Microsoft could have reduced the type of services they were offering through TechNet subscriptions rather than stopping it completely.
How to integrate Windows Deployment Services Server with a typical Cisco Networking devices – Series 1
Recently we tried to deploy Windows Deployment Services Server in our environment, to enable the deployment of Windows operating systems over the network for our workstations, so that our technical support team do not have to install each operating system directly from a CD or DVD.
Our Windows Deployment Services Server was connected to Cisco Nexus 5000 Series Switch as shown in the below layout. We do have a redundant network devices at each layer but to make things easier I have removed them.
When our Systems Team tried to deploy the service in one of the work station connected to Cisco 3750 E Series Access Switch it failed. Our Cisco 3750 E access switch is connected to Cisco 6506 E Switch through a trunk port and the connectivity between the Distribution Switch and Core Nexus 7010 Switch is a layer three link. All our edge VLANS are created in the distribution switch.
The workstation can ping the Windows Deployment Services Server, but the installation of Windows 7 Operating System failed over the network. Upon troubleshooting we figured out that an IP helper address should be configured in the VLAN in the Cisco 6506 E Distribution switch. Once we configured the IP helper address as shown below the problem was solved.
ITKE01(config)#interface vlan 300
ITKE01 (config-if)#ip helper-address 10.204.27.49
However the same scenario behind the Cisco NAC Servers failed, in the upcoming post I will let you know how to over come this problem.
When it comes to Cisco’s networking products, the default operating system comes into our mind is Cisco IOS, a very popular OS among the networking professionals, however, when it comes to Cisco Email Security Appliance (ESA),better known as Cisco IronPort appliances the OS changes.
The Cisco IronPort Appliances are geared and operated by powerful collections of software’s better known as AsyncOS. The AsyncOS is a collection of base operating system (OS), device drivers, memory management, process scheduling, and all the application and scanning software. Few unique features of AsyncOS are its high performance and security.
The AsyscOS fundamentals are built on FreeBSD, low-level components are written in C programing language. However, most of the application software and the entire management interface is written in Python and use a coroutine-based model called shrapnel.
AsysncOS versions are referred as the Major.Minor.Point-Build number format as shown below.
One interesting fact about the AsyncOS software builds is. It is complete and self-contained. When an AsyncOS is upgraded from, one version to another, the entire build image is upgraded rather than individual upgrade component.