Apr 30 2012 8:03PM GMT
Posted by: Joshua Wood
Cisco,
IOS,
MD5
Hi all, your routers need an IOS upgrade and you have downloaded the bright shiny new IOS version for your router from Cisco. But the download had “issues”. I will let you fill in the “issues” blank there with anything that I am sure you have run across more than 100 times with other downloads. So you want to confirm that the IOS version you have downloaded is intact. What to do …
You would run the verify command on the IOS version. If you issue the command verify followed by flash:IOS_file_name, the router will check the MD5 checksum included in the IOS version and give you something like what is below. In that output the computed and embedded hashes should be identical and the last line should report that the digital signature was verified. And that is how you would quickly and easily verify IOS file integrity for routers.
verify flash:c2900-universalk9-mz.SPA.152-1.T.bin
Starting image verification
Hash Computation: 100% Done!
Computed Hash SHA2: 97CDD1896F637C9C95718A6FF417C095
77259714B640E6DD6D044B689EB89768
B55320FA3B18FFEFF5A80A230D090AF8
35FE520E264A08EEFFF64D859FC211D2
Embedded Hash SHA2: 97CDD1896F637C9C95718A6FF417C095
77259714B640E6DD6D044B689EB89768
B55320FA3B18FFEFF5A80A230D090AF8
35FE520E264A08EEFFF64D859FC211D2
CCO Hash MD5 : FC092A4EC7236022508ECCF8E789084B
Digital signature successfully verified in file flash0:c2900-universalk9-mz.SPA.152-1.T.bin
Cisco IOS Image Verification
http://www.cisco.com/web/about/security/…
Until next time,
TechStop (JW)
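As an added example (not part of the original post and not Cisco tooling), the Python below parses verify output saved from a terminal session, joins the wrapped hash lines, and passes the image only when the computed and embedded hashes agree and the signature line is present. The function names are hypothetical, the sample is the output quoted in the post above, and supplying the MD5 listed on the download page as published_md5 is an assumption about where the reference value comes from.

```python
import re

# Constructed sample: the verify output quoted in the post above.
SAMPLE = """\
Starting image verification
Hash Computation: 100% Done!
Computed Hash SHA2: 97CDD1896F637C9C95718A6FF417C095
77259714B640E6DD6D044B689EB89768
B55320FA3B18FFEFF5A80A230D090AF8
35FE520E264A08EEFFF64D859FC211D2
Embedded Hash SHA2: 97CDD1896F637C9C95718A6FF417C095
77259714B640E6DD6D044B689EB89768
B55320FA3B18FFEFF5A80A230D090AF8
35FE520E264A08EEFFF64D859FC211D2
CCO Hash MD5 : FC092A4EC7236022508ECCF8E789084B
Digital signature successfully verified in file flash0:c2900-universalk9-mz.SPA.152-1.T.bin
"""

LABEL = re.compile(r"^(Computed Hash|Embedded Hash|CCO Hash)\s+(SHA2|MD5)\s*:\s*([0-9A-Fa-f]+)$")
HEXLINE = re.compile(r"^[0-9A-Fa-f]{32}$")

def parse_verify(text):
    """Return the hashes keyed by label, joining wrapped continuation lines."""
    fields, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = LABEL.match(line)
        if m:
            current = m.group(1)
            fields[current] = m.group(3).upper()
        elif current and HEXLINE.match(line):
            fields[current] += line.upper()   # continuation of a wrapped hash
        else:
            current = None
    fields["signature_ok"] = "Digital signature successfully verified" in text
    return fields

def image_ok(text, published_md5=None):
    """True only if computed == embedded hash, the signature line is present,
    and (when supplied) the CCO MD5 equals the published reference value."""
    f = parse_verify(text)
    computed = f.get("Computed Hash", "")
    # Four 32-character lines in the output above = 128 hex digits.
    hashes_match = len(computed) == 128 and computed == f.get("Embedded Hash")
    md5_match = published_md5 is None or f.get("CCO Hash") == published_md5.upper()
    return hashes_match and f["signature_ok"] and md5_match

if __name__ == "__main__":
    print(image_ok(SAMPLE, "FC092A4EC7236022508ECCF8E789084B"))
```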
Apr 30 2012 7:55PM GMT
Posted by: Joshua Wood
Hi all,
If you wanted to have a look at the Cisco Jabber app for the iPhone here is a marketing video that shows off the features of the product.
YouTube video about Jabber for iPhone
http://www.youtube.com/watch?v=11E2DKpTn…
Until next time,
TechStop (JW)
Apr 30 2012 7:54PM GMT
Posted by: Joshua Wood
Cisco,
Jabber,
Lync
Hi all,
MS Lync and Cisco Jabber have started heating up their competitive nature. Cisco has decided to take the fight a step further by making their Jabber product free if you have one of several versions of their phone system software. This is going to escalate the situation. This should greatly increase the quality and pricing of both products for the customer. I am excited to see where the product goes.
Recap of the press release.
http://aragonresearch.com/cisco-makes-ja…
Until next time,
TechStop (JW)
Apr 30 2012 7:35PM GMT
Posted by: Joshua Wood
Syslog
Hi all,
As technology changes so does our expectation of the free software that is out there. WhatsUpGold has a free syslog server that looks pretty good (in the short amount of time that I have used it at least). From the link below I downloaded the free syslog service and installed it on my Windows Server 2008 server. Immediately it started picking up the devices that had their logging directed to it. A solid starting point for sure.
The software has features for sorting through all of the logging as well. Other features include running the syslog server as a service or as an application, and basic alerting. For a small shop that is looking for the basics it is all there for you.
http://www.whatsupgold.com/free-software…
Until next time,
TechStop (JW)
Apr 30 2012 7:28PM GMT
Posted by: Joshua Wood
Cisco,
router,
pings
Hi all,
Pings to a Cisco router are not always consistent. In fact it seems that the busier the router is, the slower the router responds to pings. Does that mean that the router is dropping traffic going through it as well? No, it doesn’t. The router’s primary responsibility is to route traffic (among other possible functions). Responding to pings is waayy down on the list of other things that it has on its to-do list. Check out the link below for more information on this phenomenon.
Understanding the Ping and Traceroute Commands
http://www.cisco.com/en/US/products/sw/i…
Until next time,
TechStop (JW)
Apr 30 2012 7:23PM GMT
Posted by: Joshua Wood
Cisco Live
Hi all,
Cisco Live registration for the US is now available. Check out the link below for registration information. The web version of Cisco Live should be free to all.
http://www.ciscolive.com/us/registration…
Until next time,
TechStop (JW)
Apr 30 2012 1:58PM GMT
Posted by: Joshua Wood
Cisco,
ZFW,
Firewall,
Logging
Hi all, so last post I noted how to create a basic implementation of the Cisco ZFW. The ZFW is Cisco’s newest IOS or router based firewall. It has many benefits over the older CBAC implementation but the biggest one is that Cisco is going to be doing away with their support for CBAC. But what about logging in the ZFW? How would you enable that? Well, it is very straightforward. In the previous post that I wrote titled “Cisco ZFW Config Example” I gave you part of the configuration.
In the previous post all of the lines that had “inspect” on them also had “FW-LOG” on them. Well, that was 50% of the work, and if you already have those in your config then this is going to be really easy. You simply add the lines below to the router in global configuration mode.
parameter-map type inspect FW-LOG
 audit-trail on
Yep, that’s it. Well, you also have to have logging turned on (logging buffered 4096 in case you need to know) and you can view the firewall log by using the command “show log”. There will be more than your firewall events in that log but those can be filtered out.
Until next time,
TechStop (JW)
Apr 30 2012 1:51PM GMT
Posted by: Joshua Wood
Cisco,
ZFW,
Firewall
Hi all, so you want to use Cisco’s new router based firewall known as the zone-based firewall or ZFW. For all of those unaware the ZFW is the next version of the firewall system that Cisco is going to be using for their routers.
You might be using CBAC or perhaps an ACL and you want to switch to the zone-based method that Cisco is moving to with their firewall system but you don’t know where to start. Below I have outlined how to create a very basic implementation of the ZFW firewall. The comments are the lines that start with exclamation marks, as those are excluded when copied and pasted into a running config.
Before the config example though let’s run through a couple of quick points. First, the ZFW needs at least 5 parts. These are the class-map, policy-map, zone definitions, zone pairings and finally applying the zones to the interfaces. You need one zone-pair for each direction that you want traffic to travel in.
! This is the class-map section of the ZFW implementation.
! Here you define the protocols and/or ACLs you want to use.
! Essentially these are the inspect statements of CBAC, if you have used CBAC.
class-map type inspect match-any FW_INSPECT_ACL_CM
 match access-group name FW_INSPECT_ACL
class-map type inspect match-any FW_INSPECT_L7_CM
 match protocol ssh
 match protocol ftp
 match protocol imap
 match protocol https
 match protocol dns
 match protocol http
 match protocol smtp
class-map type inspect match-any FW_INSPECT_L4_CM
 match protocol tcp
 match protocol udp
 match protocol icmp
! Here is where all of the class-maps are brought together.
! Policy-maps are like aggregation points for the class-maps.
policy-map type inspect FW_INSPECT_PM
 class type inspect FW_INSPECT_ACL_CM
  inspect FW-LOG
 class type inspect FW_INSPECT_L4_CM
  inspect FW-LOG
 class type inspect FW_INSPECT_L7_CM
  inspect FW-LOG
 class class-default
  drop log
! These are the security zones. Each zone type has a definition.
! For our purposes there are only two definitions.
zone security INTERNET
zone security LAN
! The zone-pairs match the policy-maps with the zones and define the
! direction that they work in.
zone-pair security INTERNET_TO_LAN source INTERNET destination LAN
 service-policy type inspect FW_INSPECT_PM
zone-pair security LAN_TO_INTERNET source LAN destination INTERNET
 service-policy type inspect FW_INSPECT_PM
! An ACL if you want one.
ip access-list extended FW_INSPECT_ACL
 permit ip any any
! And finally apply the ZFW entries to the correct ports.
interface GigabitEthernet0/1
 zone-member security INTERNET
interface GigabitEthernet0/2
 zone-member security LAN
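And you are done, apart from some testing and tweaking. Note that as written the same policy-map is applied in both directions and the ACL permits ip any any, so traffic from INTERNET to LAN is inspected and passed just like outbound traffic; tightening the INTERNET_TO_LAN pair is part of that tweaking. Next post I will explain how to turn on logging for the ZFW.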
Until next time,
TechStop (JW)
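As an added example (not from the original posts), the Python below checks a saved configuration for the parts listed in this post and for the FW-LOG parameter-map from the logging post: every referenced class-map, policy-map, parameter-map and zone must be defined, every parameter-map needs audit-trail on, and every zone needs an interface member. The function name lint_zfw is hypothetical, and the sample is a constructed, cut-down copy of the config above with two gaps left in on purpose.

```python
import re

# Constructed sample: a cut-down copy of the configuration in the post above,
# indented as "show running-config" prints it, with two deliberate gaps.
CONFIG = """\
class-map type inspect match-any FW_INSPECT_L4_CM
 match protocol tcp
policy-map type inspect FW_INSPECT_PM
 class type inspect FW_INSPECT_L4_CM
  inspect FW-LOG
zone security INTERNET
zone security LAN
zone-pair security INTERNET_TO_LAN source INTERNET destination LAN
 service-policy type inspect FW_INSPECT_PM
zone-pair security LAN_TO_INTERNET source LAN destination INTERNET
 service-policy type inspect FW_INSPECT_PM
interface GigabitEthernet0/1
 zone-member security INTERNET
"""

def lint_zfw(config):
    """Return sorted findings about missing or dangling ZFW references."""
    def grab(pattern):
        return re.findall(pattern, config, re.M)
    zones = set(grab(r"^zone security (\S+)"))
    cmaps = set(grab(r"^class-map type inspect (?:match-\w+ )?(\S+)"))
    pmaps = set(grab(r"^policy-map type inspect (\S+)"))
    params = set(grab(r"^parameter-map type inspect (\S+)"))
    audited = set(grab(r"^parameter-map type inspect (\S+)\n(?:[ \t]+.*\n)*?[ \t]+audit-trail on"))
    members = set(grab(r"^[ \t]+zone-member security (\S+)"))
    refs = (("class-map", r"^[ \t]+class type inspect (\S+)", cmaps),
            ("parameter-map", r"^[ \t]+inspect (\S+)", params),
            ("policy-map", r"^[ \t]+service-policy type inspect (\S+)", pmaps))
    findings = [f"{kind} {name} is not defined"
                for kind, pat, defined in refs
                for name in grab(pat) if name not in defined]
    findings += [f"parameter-map {p} lacks audit-trail on" for p in params - audited]
    for pair, src, dst in grab(r"^zone-pair security (\S+) source (\S+) destination (\S+)"):
        findings += [f"zone-pair {pair} uses undefined zone {z}"
                     for z in (src, dst) if z not in zones]
    findings += [f"zone {z} has no interface member" for z in zones - members]
    return sorted(set(findings))

if __name__ == "__main__":
    for finding in lint_zfw(CONFIG):
        print(finding)
```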
Mar 31 2012 2:26PM GMT
Posted by: Joshua Wood
Lync,
voip,
App,
iphone,
Android
Hi all, Lync is an emerging product. It has made very great strides in the last while in order to replace a traditional phone system. One unexpected benefit of the Lync architecture and specifically the iPhone app is how much money it has saved me personally. The company that I work for has a central office with Lync. They allow most of their employees to use the Lync app on their iPhones or Android devices to its fullest extent.
I love the mobile app. It is easy to use, reliable and above all lets me make calls using the corporate infrastructure from my phone with minimal cost to me. The way the mobile Lync client makes calls is that you launch the app, go to the keypad and type in the number you want to call. The server makes a voice phone call to your cell that is a traditional voice call. When you answer the incoming call from the Lync server it then calls your destination number. The result is that Lync creates a 2 person conference with the server in the middle.
Since the server makes an incoming call the charges to my cell phone bill are much less than they would be if I had to make the long distance calls with my cell alone. It is a great feature that I hope they don’t change anytime soon.
Until next time,
TechStop (JW)