TechStop


September 30, 2011  1:23 PM

Cisco’s New Zone-Based Firewall



Posted by: Joshua Wood
Cisco, Firewall, ZFW, Zone Based Firewall

Hi all, Cisco has not so recently come out with a new firewall solution for their routers. I guess they felt that the IOS firewall feature set was getting a little old and so they needed something fresh. Zone-Based Firewall, or ZFW, is what they have come up with and I must say it is pretty nice.

With routers getting more and more ports these days it makes sense that somewhere along the line you would get tired of putting ports that are essentially in the same security zone on their own little islands just to break out and visit the next-door neighbors that they were supposed to have access to anyway. Enter ZFW to help out. Essentially you create a class of traffic, let's say port 25, then you create a zone, let's say Mail, then you create a zone-pair that defines the direction of traffic, let's say Internet to Mail, and finally you define which ports on your router are in which zones. All interfaces that are tagged with the zone Mail can inherently talk to each other and each interface tagged with Internet can talk to each other, but only the policy defined on a zone-pair allows traffic to cross zones. It is pretty cool, check it out.

Zone-Based Policy Firewall: http://www.cisco.com/en/US/products/ps6441/products_feature_guide09186a008060f6dd.html
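The Internet-to-Mail scenario from the post, written out as an added IOS configuration example (not from the original post or Cisco's guide); interface names, zone names and the policy names are assumptions:

```cisco
! Added example, not from the original post: a minimal ZFW that lets the Internet zone
! reach the Mail zone on SMTP only. Interface, zone and policy names are assumptions.
!
! 1. Class: which traffic the policy acts on (port 25, matched as the SMTP protocol)
class-map type inspect match-any CM-SMTP
 match protocol smtp
!
! 2. Policy: "inspect" opens a stateful session so replies come back without a second
!    rule; everything else crossing this zone-pair is dropped and logged
policy-map type inspect PM-INTERNET-TO-MAIL
 class type inspect CM-SMTP
  inspect
 class class-default
  drop log
!
! 3. Zones
zone security INTERNET
zone security MAIL
!
! 4. Zone-pair: direction matters. Only INTERNET -> MAIL is defined, so the mail
!    servers cannot initiate anything toward INTERNET (outbound delivery included)
!    until a MAIL -> INTERNET zone-pair with its own policy is added.
zone-pair security ZP-INTERNET-TO-MAIL source INTERNET destination MAIL
 service-policy type inspect PM-INTERNET-TO-MAIL
!
! 5. Put interfaces in zones. Members of the same zone talk freely; an interface that
!    is in no zone cannot exchange traffic with any zoned interface at all.
interface GigabitEthernet0/0
 description ISP uplink
 zone-member security INTERNET
!
interface GigabitEthernet0/1
 description Mail servers
 zone-member security MAIL
!
! Caveat: traffic to and from the router itself (the built-in "self" zone) is still
! permitted by default; management traffic needs its own zone-pair involving self
! if you want it policed. Check what the firewall is tracking with:
! show policy-map type inspect zone-pair sessions
```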

Until next time,
TechStop (JW)

September 30, 2011  1:16 PM

Cisco IPS/IDS for the Router



Posted by: Joshua Wood
Cisco, IDS, IPS, ISR G2, router

Hi all, Cisco has several products. In fact most would agree that their product line is too complicated and filled out, but that is a topic for another time. Let's say you have a router and it sits at a point in your network where you want or need an IPS/IDS. You don't want to put in another piece of hardware. Now wouldn't it be nice if that router could also run IPS/IDS? Well, it definitely can. In fact it is a full-featured IPS/IDS with signature updates and the works, and it can run on most ISR G2 routers.

The IPS/IDS solution from Cisco fits right inside IOS and can be applied to any set of interfaces that you want. They provide it as an upgrade SKU or a bundle. The signature updates for the IPS/IDS will keep coming as long as you have a SmartNet contract. Also, it is really REALLY easy to configure and get going. Have a look at the step-by-step guide listed below.

Getting Started with IOS IPS ― A Step-by-Step Guide: http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6634/prod_white_paper0900aecd805c4ea8.html

Until next time,
TechStop (JW)


September 30, 2011  1:11 PM

Managing Macs at Work



Posted by: Joshua Wood
AD, Apple, Centrify, iphone, iPod, Mac

Hi all, managing your mobile workforce is tough, difficult, tricky, always changing and never ever as easy as management thinks it should be. Now add Macs to the mix. With the introduction of the iPhone, iPod and iPad, along with Apple's series of desktops, laptops and netbook-style devices, their popularity keeps growing. Their flashy, trendy cases and eye-candy OS make them tough for execs and other management to stay away from. So how do you manage them with the ease that you manage your PCs now?

One option that I have seen deployed is Centrify Suite for Mac OS X. The feature list is pretty nice and it ties into your current AD/OU strategy like you would expect for a PC. It can even enforce password policies and turn on the firewall. It isn't as fully featured as the support for a standard Windows 7 PC, but it is a darn good start. Check it out.

Centrify Suite for Mac OS X
Active Directory Integration for Mac OS X: http://www.centrify.com/directcontrol/mac_os_x.asp

Until next time,
TechStop (JW)


September 30, 2011  1:05 PM

DMVPN – Not Just for Branch-to-Branch



Posted by: Joshua Wood
branches, Cisco, DMVPN, HO

Hi all, recently I had the opportunity to work with a client that needed a way to get from their branches to their HO securely, but without knowing the IPs of the branches. This was complicated by the fact that the branches were using DHCP addresses for their Internet connections. The HO end-points didn't have a static way of identifying the branches. This is where DMVPN works well.

The DMVPN technology gives you a method of connecting unknown end-points to the HO VPN end-points securely because the branches will "dial home". The HO will create the VPN connection, tunnel the traffic across the now-encrypted link and even exchange packets for a dynamic routing protocol like EIGRP. This allows you to dynamically add and remove branches without manually creating IPSec tunnels AND the routing gets updated automatically. Quite nice.

Until next time,
TechStop (JW)


September 25, 2011  11:07 PM

Cisco IOS 15.x for Switches



Posted by: Joshua Wood
Cisco, IOS 15, ISR G2, Switch

Hi all, by now most if not all people have come across IOS version 15 for routers. The new ISR G2 series, which is quite amazing, runs IOS 15 out of the box. But what about switches? Well, it turns out that for some switch platforms (note: more may follow) Cisco is moving them to the same standard naming strategy as well. The switches aren't yet getting the same licensing model as the routers. If you want the different feature sets then you still need the correct version, and that doesn't bog you down with the online registration, but that is likely to follow as well.

I say that this is about time. Cisco knows that it needs to reduce and simplify its product lines. This is a good step towards that; they just need to pick up the pace.

Until next time,
TechStop (JW)


September 25, 2011  10:51 PM

DMVPN for VoIP – Branch-to-Branch Communication



Posted by: Joshua Wood
Cisco, DMVPN, IPSec

Hi all, VoIP (voice over IP) is hot these days. It isn't as sexy as some of the emerging technologies, but it is still being deployed at an ever-increasing rate. One of the challenges with VoIP is how to allow your branches to make calls between one another without first having to go through the head office. Well, DMVPN is one answer that can really work well for companies that have that sort of need. A national car dealership, where dealerships in the same city or across the country consistently need to talk to each other about parts or availability of stock, would need such a feature.

DMVPN allows you to create a template that allows the inter-branch traffic to be sent across IPSec without having to create a VPN tunnel from each branch to every other branch. In a company of 10 sites that could easily be 100 independently configured IPSec tunnels. Check out the links below to get you started and then check back in a bit for some more info on the topic.

Until next time,
TechStop

General DMVPN Info: http://www.cisco.com/en/US/products/ps6658/index.html
Routing Protocols Across DMVPN: http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008014bcd7.shtml


August 30, 2011  12:46 AM

iPad – Can it replace your laptop



Posted by: Joshua Wood
Apple, ipad, tablet

Hi all, tablets and other portable devices are moving along at an amazing pace. The power and functionality are on the cusp of being able to replace your laptop. But can they do that today? Well, as always in IT, the answer is a definitive maybe.

If all you need from your laptop is office, email, browsing and a little bit of USB connectivity then you are probably in luck. The iPad and other similar devices have enough functionality to fill those needs. However, if your needs stray too far outside of that, the answer is going to be a solid no.

Until next time,
TechStop (JW)


August 30, 2011  12:36 AM

Remote Access ACLs



Posted by: Joshua Wood
ACL, Cisco, ssh, telnet

Hi all, I see it all of the time. An administrator has a solid network. Security isn't bad; in most cases, in fact, it is pretty good. But the network is highly exposed to hackers due to unrestricted access to attempt to log in to routers and switches. In pretty much every network device that I have worked with there is a way to restrict remote users' access to the management logins of routers and switches. Mostly this access is based on an access control list, or ACL, that restricts which network you can manage the devices from.

Implementing them is simple enough. On a Cisco device you create an ACL; a standard one usually suffices. For example, "ip access-list 99". Then you enter line configuration mode with "line vty 0 15". This will allow you to configure all 15 of the available telnet or SSH lines. Then use "access-class 99". If all goes well you haven't locked yourself out of your network device. I recommend tweaking the ACL via testing on a non-production device. The "reload in 10" works well for a remote device.
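The procedure above, as an added IOS configuration example (not from the original post), including the reload safety net and the verification steps; the management subnet 10.10.10.0/24 and the timers are assumptions:

```cisco
! Added example, not from the original post: allow router/switch logins only from the
! management subnet. 10.10.10.0/24 and the timers are assumptions.
!
! Safety net first: if the ACL locks you out, the device reloads its saved config in
! 10 minutes. Cancel with "reload cancel" once you have confirmed access still works.
reload in 10
!
! A standard ACL matches on source address only, which is all a VTY filter needs.
! Rules are tried top-down, first match wins, and an implicit "deny any" ends the list;
! the explicit deny with "log" makes blocked login attempts visible in syslog.
access-list 99 remark VTY-ACCESS-MGMT-ONLY
access-list 99 permit 10.10.10.0 0.0.0.255
access-list 99 deny any log
!
! Apply to every VTY line (0 through 15) in the inbound direction
line vty 0 15
 access-class 99 in
 transport input ssh
 exec-timeout 10 0
!
! Verification (keep your existing session open while you test):
!   1. open a new SSH session from 10.10.10.x   -> must succeed
!   2. try from any other address              -> must be refused
!   3. show access-lists 99                      -> the deny line's counter grows per attempt
!   4. reload cancel
!   5. write memory
```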

Until next time,
TechStop (JW)


August 30, 2011  12:21 AM

Cisco iPhone/iPod Apps



Posted by: Joshua Wood

Hi all, the iPod, iPhone and iPad have been quite prolific. Cisco is no stranger when it comes to Apple. Many of the Cisco reps that I work with prefer the Apple tech to the parallel Microsoft tech. In light of that it isn't surprising that Cisco has several Apple App Store apps for free.

The apps range in quality and purpose from games to learn about binary to partner tools to paid training courses. To see all that Cisco has to offer, search for Cisco on your favorite "i" device.

Until next time,
TechStop (JW)


August 28, 2011  11:22 PM

Cisco Needed to Make Servers



Posted by: Joshua Wood
Cisco, HP, UCS

Hi all, I was debating with a friend recently. His stance was that Cisco should get out of the UCS (or server) business and focus on their core product lines of routers, switches, VoIP, etc. Making sure a company's core product line is solid isn't a bad thing. It rarely could or should be. That said, I think that Cisco had to make their own servers. They likely want to move into a solid partnership with VMware and move several of their appliance-based products onto the VMware hypervisor, but they need to have the hardware stable. They also need the hardware for their products to be flexible ... very flexible.

Cisco could have partnered with HP or IBM or perhaps even Dell to make the servers for their ISR G2 routers (now named UCS Express), but it would have been very, very tough to do that given that almost all of those vendors also make competing switches and products. IBM even has their own phone system. Cisco's server line isn't huge and likely won't ever have the breadth that HP or IBM have, but it will serve them well for what appears to be a long-term goal.

Until next time,
TechStop (JW)
