The link below is connected to the guide which is named the “HP Networking and Cisco CLI Reference Guide”. It is laid out in an easy to understand manner and hits the highlights of the commands that you would normally use in a generic network install. The logical and through nature make the PDF a necessary tool if you transitioning from one of the other two switching/routing platforms.

HP Procurve, HP ComWare, Cisco CLI Guide

http://h17007.www1.hp.com/docs/interoperability/Cisco/HP-Networking-and-Cisco-CLI-Reference-Guide_June_10_WW_Eng_ltr.pdf

Until next time,
TechStop (JW)

You would run the verify command on the IOS version. If you issue the command verify then flash:IOS_file_name then the router will perform an IOS check of the MD5 checksum included in the IOS version and give you something like what is below. And that is how you would quickly and easily verfiy IOS file integrity for routers.

verify flash:c2900-universalk9-mz.SPA.152-1.T.bin
Starting image verification
Hash Computation: 100% Done!
Computed Hash SHA2: 97CDD1896F637C9C95718A6FF417C095
77259714B640E6DD6D044B689EB89768
B55320FA3B18FFEFF5A80A230D090AF8
35FE520E264A08EEFFF64D859FC211D2

Embedded Hash SHA2: 97CDD1896F637C9C95718A6FF417C095
77259714B640E6DD6D044B689EB89768
B55320FA3B18FFEFF5A80A230D090AF8
35FE520E264A08EEFFF64D859FC211D2

CCO Hash MD5 : FC092A4EC7236022508ECCF8E789084B
Digital signature successfully verified in file flash0:c2900-universalk9-mz.SPA.152-1.T.bin

Cisco IOS Image Verification

http://www.cisco.com/web/about/security/intelligence/iosimage.html

Until next time,
TechStop (JW)

MS Lync and Cisco Jabber have started heating up their competitive nature. Cisco has decided to take the fight a step further by making their jabber product free if you one of several versions of their phone system software. This is going to escalate the situation. This should greatly increase the quality and pricing of both products for the customer. I am excited to see where the product goes.

Recap of the press release.

http://aragonresearch.com/cisco-makes-jabber-free-sets-stage-for-ucc-battle-with-microsoft-lync/

Until next time,
TechStop (JW)

Pings to a Cisco router are not always consistent. In fact it seems that the busier the router is the slower the router responds to pings. Does that mean that the router is dropping traffic going through it as well. No it doesn’t. The routers primary responsibility it to route traffic (among other possible functions). Responding to pings is waayy down on the list of other things that it has on its to-do list. Check out the link below for more information on phenomenon.

Understanding the Ping and Traceroute Commands

http://www.cisco.com/en/US/products/sw/iosswrel/ps1831/products_tech_note09186a00800a6057.shtml

Until next time,
TechStop (JW)

In the previous post all of the lines that had “inspect” on them also had the line “FW-LOG” on them. Well that was 50% of the work and if you already have those your config then this is going to be really easy. You simply add the lines below to the router in global configuration mode.

parameter-map type inspect FW-LOG
audit-trail on

Yep that’s it. Well, you also have to have logging turned on (logging buffered 4096 in case you need to know) and you have view the firewall log by using the command “show log”. There will be more than your firewall events in that log but at those can be filtered out.

Until next time,
TechStop (JW)

You might be using CBAC or perhaps and ACL and you want to switch to the zone-based method that Cisco is moving to with their firewall system but you don’t know where to start. Below I have outlined how to create a very basic implementation of the ZFW firewall. The comments are the lines that start with exclamation marks as those are excluded when copied and pasted into a running config.

Before the config example though let’s run through a couple of quick points. First, the ZFW needs at least 5 parts. These are the class-map, policy-map, zone definitions, zone pairings and finally applying the zones to the interfaces. You need one zone-pair for each direction that you want traffic to travel in.

! This is the class-map section of the ZFW implementation.
! Here you define the protocols and/or ACL’s you want to use.
! Essentially this is the inspect statements of CBAC if you have used CBAC
class-map type inspect match-any FW_INSPECT_ACL_CM
match access-group name FW_INSPECT_ACL
class-map type inspect match-any FW_INSPECT_L7_CM
match protocol ssh
match protocol ftp
match protocol imap
match protocol https
match protocol dns
match protocol http
match protocol smtp
class-map type inspect match-any FW_INSPECT_L4_CM
match protocol tcp
match protocol udp
match protocol icmp

! Here is where all of the class-maps are brought together.
! Policy-maps are like an aggregation points for the class-maps.
policy-map type inspect FW_INSPECT_PM
class type inspect FW_INSPECT_ACL_CM
inspect FW-LOG
class type inspect FW_INSPECT_L4_CM
inspect FW-LOG
class type inspect FW_INSPECT_L7_CM
inspect FW-LOG
class class-default
drop log

! This is the security zones. Each zone type has a definition.
! For our purposes there are only two definitions.
zone security INTERNET
zone security LAN

! The zone-pairs match the policy-maps with the zones and define the
! direction that they work in.
zone-pair security INTERNET_TO_LAN source INTERNET destination LAN
service-policy type inspect FW_INSPECT_PM
zone-pair security LAN_TO_INTERNET source LAN destination INTERNET
service-policy type inspect FW_INSPECT_PM

! An ACL if you want one.
ip acce extended FW_INSPECT_ACL
permit ip any any

! And finally apply the ZFW entries to the correct ports.
int gig 0/1
zone-member security INTERNET
int gig 0/2
zone-member security LAN

And you are done outside some testing and tweaking. Next post I will explain how to turn on logging for the ZFW.

Until next time,
TechStop (JW)

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5708/ps5710/ps1018/prod_white_paper0900aecd806f31f9.html

Until next time,
TechStop (JW)

It takes the information about the differences between Cisco wireless and other wireless vendors and breaks it down for you. At the time of this writing you also had the option of entering to win a trip overseas!

https://www.ciscofeedback.vovici.com/se.ashx?s=705E3ECD36B01618

Until next time,
TechStop (JW)

The ASA-X series has come out with a steady stream of new features over the last few months. One thing that is coming out that hasn’t been announced at the time of this writing is the ASA 9.x ASA OS. What are some of the features that will be in the new ASA 9x code? Glad you asked.

It is planned that the ASA 9 OS will bring together the two lines of ASA that are currently diverged. At this time the older standard ASAs and the new higher powered ASA-X series have different code bases. While the look, feel and features should be similar there are some software differences that are minor. The version 9 of the ASA OS will bring these two ASA lines back to the same code base.

Change of Authorization or CoA is one feature that is very key to the implementation of some of the new security technologies that Cisco has recently come out with. This feature should be in the version 9 of the ASA OS. The feature essentially allows an end device that is authenticated to be moved, once authenticated, to another security container such as a different VLAN once they have authenticated to the network with something like 802.1x.

Until next time,
TechStop (JW)

The ASA-X series has many benefits including higher throughput and an IPS that can be installed by simply adding a license key to the ASA-X series. But what about context based security? For example, let’s say that you want to block FaceBook for people that use Mac’s (because you don’t mac users socializing) but allow it for everyone else. Or let’s say that you want to block a tricky application like Skype.

The CX module, which is a hardware module for the ASA-X series, can allow this type of functionality by scanning the traffic and providing context for the traffic not only the application that is running in the traffic.

At the time that this was written the CX module is only available in the high in ASA-X 5585 but it is planned to be moved down into the lower end ASAs over the coming months/years.

Until next time,
TechStop (JW)