Network technologies and trends

August 2, 2013  9:25 AM

Multiple Cisco Products are affected by OSPF LSA Manipulation Vulnerability

Yasir Irfan Yasir Irfan Profile: Yasir Irfan

The recent security advisory suggests that multiple Cisco products are affected by a vulnerability involving the Open Shortest Path First (OSPF) Routing Protocol Link State Advertisement (LSA) database. With the help of this vulnerability an unauthenticated attacker can take control of the OSPF Autonomous System (AS) domain routing table, backhole traffic and intercept traffic. Which could cause a huge damage to the attacked network.

The attacker could trigger this vulnerability by injecting crafted OSPF packets. Successful exploitation could cause flushing of the routing table on a targeted router, as well as propagation of the crafted OSPF LSA type 1 update throughout the OSPF AS domain.

To exploit this vulnerability, an attacker must accurately determine certain parameters within the LSA database on the target router. This vulnerability can only be triggered by sending crafted unicast or multicast LSA type 1 packets. No other LSA type packets can trigger this vulnerability.

The good news is that the OSPFv3 is not affected by this vulnerability. Fabric Shortest Path First (FSPF) protocol is also not affected by this vulnerability.

All versions of Cisco NX-OS Software are also affected by the vulnerability. There are currently no official fixed releases available on, but interim releases may be available through Cisco Technical Assistance Center (TAC). Customers with service contracts should contact Cisco support organization to get the interim update.

Cisco has released free software updates that address this vulnerability. Workarounds that mitigate this vulnerability are available. This advisory is available at the following link:

July 24, 2013  7:37 AM

Windows 8.1 Preview is Incompatible with many Antivirus Software

Yasir Irfan Yasir Irfan Profile: Yasir Irfan

Windows 8.1 preview is an update of Windows 8, it’s not a full blown new version of Windows. When its just an update ,we all end users expect that  most of the applications will run on the updated version of Windows 8.1 preview. But this is not the case. The most important issue rises here is of Anti-Virus Compatibility. Lots of Windows 8.1 preview users are complaining about the incompatibility of Anti Virus with Windows 8.1 preview.

Before upgrading to Windows 8.1 preview I was using Trend Micro Titanium Maximum Security, it was working fine with Windows 8. I had no issues. Once I upgraded to Windows 8.1 preview I noticed my Anti-Virus application was not working. I tried to re-install the AV but it failed all the time with the following error.

Trends AV

I tried to take contact Trend Micro Support team, but still they don’t have a solution for this issue. Even When I tired Kaspersky pure it failed.

Since Windows 8.1 comes with a built-in Windows defender to certain extent the PCs are  protected. I believe since this issue is already known, most of the security firm are most probably working on the fix. Already some security firms are working on either update or beta release. Here are the links

July 23, 2013  12:12 PM

Cisco UCS Outperforms HP and IBM Blade Servers on East-West Latency

Yasir Irfan Yasir Irfan Profile: Yasir Irfan


These days the focus is increasing towards lower latency and high performing server-to-server data traffic (East-West). Cisco claims that they specifically designed their UCS unified fabric for this type of traffic. Cisco want to prove the claim made by their competitors that Cisco UCS unified fabric would increase latency and slow blade-to-blade traffic. Cisco ran the tests, and the results were simply amazing.

cisco ucs

According to the recent concluded test Cisco claims that HP and IBM blade architectures rely on placing networking switches (HP Virtual Connect; IBM Flex System Fabric Switches) inside of every 16 or 14 blade chassis. These legacy vendors imply that data can communicate from one blade to another more efficiently because their networking switches reside within the chassis.  They fail to mention two critical points:

  1. All HP and IBM Blade-to-Blade data must still traverse the switch ASICs (HP Virtual Connect; IBM Flex System Fabric) – it does not magically jump across the mid-plane.
  2. Beyond a single enclosure requires data to exit chassis 1, travel through Top-of-Rack (ToR) switches, then down to chassis 2 through a second set of in-chassis networking switches.

Not only does Cisco UCS outperform HP and IBM, but UCS clearly provides lower latency and faster VM timing by a wide margin. Thousands of East-West samples were collected, testing raw blade-to-blade latency (UDP/TCP/RTT TCP) and virtual machine migration times. Testing was performed on a number of different fabric topologies both within a single chassis (best case for HP and IBM) as well as across multiple chassis. Full details can be obtained under NDA from your Cisco representative.

The highlights of the test are as follows

“Cisco UCS demonstrated lower latency than the HP BladeSystem c7000 with Virtual Connect for every test group and every packet size (User Datagram Protocol [UDP], TCP, and round-trip time [RTT] TCP).”

“Cisco UCS delivered better performance than IBM (faster virtual machine migration times) for every group size tested.” “As the virtual machine size and network load increases, the Cisco UCS performance advantage also increases.”


You can access the complete report for test carried by Cisco for HP and IBM Blade servers from the below links

Cisco UCS Outperforms HP Blade Servers on East-West Latency
Cisco UCS Outperforms IBM Flex System Blades on East-West Latency

July 21, 2013  7:35 AM

The top 12 spam-relaying countries according to Sophos are

Yasir Irfan Yasir Irfan Profile: Yasir Irfan

According to latest “Dirty Dozen” published by Security specialist Sophos, still US maintains its grip as the top spam-relaying country followed by Belarus. Belarus over took China, as China used to be the  number two spam-relaying country.  The latest “Dirty Dozen” list covers the second quarter of 2013.

This quarter experienced addition of three new countries like Ukraine, Kazakhstan and Argentina in the top 12 spot, whereas countries like France, Peru and South Korea make a signification progress in reducing their spam-relay over the internet. Before these countries were in top 12 list of “Dirty Dozen” report.

According Sophos, US maintains the No1 spot for obvious reasons like its population and its major share of the world’s internet connectivity.

Be it economic growth or anything related to Internet no one can forget the presence of China and India. Yes both India and China are one of the top 12 spam-relaying countries in the world.

The “Dirty Dozen” list tells us how spam gets relayed from the crooks to their potential victims, said Paul Ducklin, Sophos security evangelist.

“Even if you’re the most law-abiding citizen of the most law-abiding country in the world, you might be helping to project your own country into the Dirty Dozen if you don’t take security seriously on your own computer. It may sound corny, but security really does begin at home.”

Ducklin added that a few simple precautions can help enormously, such as “timely security patching, an up-to-date anti-virus and a healthy scepticism about unwanted attachments and ‘too-good-to-be-true’ offers.

“By taking these steps, you’ll not only protect yourself, but also help to protect everyone else at the same time,” Ducklin said.

The top 12 spam-relaying countries by volume for April to June 2013 are as follows

1 U.S. 13.8%
2 Belarus 11.7%
3 China 5.9%
4 Ukraine (new to the list) 5.5%
5 Taiwan 3.6%
6 India 3.6%
7 Spain 3.4%
8 Kazakhstan (new to the list) 3.3%
9 Argentina (new to the list) 3.1%
10 Italy 2.9%
11 Russia 2.6%
12 Germany 2.5%

July 18, 2013  9:30 AM

Exchange 2010 has issues with Disclaimer Messages

Yasir Irfan Yasir Irfan Profile: Yasir Irfan
Recently we enabled Disclaimer message in Exchange 2010 Server. After enabling the disclaimer message we could see the disclaimer message was forwarded as footer with all the outgoing emails from our users. However vast majority of users including me faced issues in the delivery of certain emails. They were never delivered to the intended recipients.
At the same time I was also working on creating certain polices for outgoing emails in our Cisco C370 Iron Port email gateways. Which certainly misguided us to troubleshoot the problem. We thought may be some issues with the Iron Port policies, but upon deep troubleshooting we discovered that Iron Port has no issues and it was working fine.
When we started tracking the messages in Exchange 2010 Server we discovered some of the emails were not delivered and they were on the poison queue. Upon lot of investigation we discovered there is an unknown bug in Update Rollup 1 for Exchange Server 2010 SP3.
exchange error 1
Still Microsoft has no concrete solution to resolve this issue except disabling the disclaimer message. Microsoft support Engineer suggested us to use any third party tools for disclaimer mail. Meanwhile we were asked to use the interim update provided by them but still the issue was not resolved. Which is quite strange for us.  We were forced disabled the disclaimer message in Exchange 2010 for the normal operation and delivery of our important emails.
As our Email Security Policy Clearly defines to have a disclaimer message, thank god Iron Port is such an amazing appliance we could able to configure the disclaimer message in the Iron Port device which I will share in upcoming post.

July 17, 2013  6:59 AM

Upgrading ASA 5500 Series firewall, things to be considered – Series 1

Yasir Irfan Yasir Irfan Profile: Yasir Irfan

When it comes to upgrade an ASA 5500 Series firewall from 8.2 version to 8.3 or so, many things comes into the picture.  Recently we upgraded our ASA 5540 Firewall from the IOS version 8.2.1 to 8.4.6. I would like to share the details about the upgrade.

Stating IOS version 8.3 and later there is pre-requisite related to memory of the ASA. Most of new ASA manufactured after Feb 2010 comes with the upgraded memory. However if your ASA was manufactured before February 2010 you may need to upgrade the memory of the ASA as per the below mentioned table.

ASA Memory

* Note:  The maximum memory supported for the ASA-5520 and ASA-5540 is 2 Gb.  If you install 4 Gb of memory in these units, they will go into a boot loop.

The first thing you need is to determine the existing memory your ASA has , which can be done in two ways first by using a command line interface (CLI) do issue a command show version | include RAM

sec/FW01-MB-IE-001#            show ver | include RAM

Hardware:   ASA5540, 1024 MB RAM, CPU Pentium 4 2000 MHz


In my case the available memory of 1 GB so I should add more 1 Giga Memory to upgrade the ASA from 8.2.1 to 8.4.6

Those who are prefer ADSM, you can always see the amount of RAM in the ASA from the ADSM home (Device Dashboard) page as shown below

ADSM memory

In upcoming post I will try to share my experience about the upgrade and the thing we need to take care after upgrading the ASA firewall.

July 15, 2013  6:58 AM

A review for CCIE Routing and Switching Certification Guide (4th Edition)

Yasir Irfan Yasir Irfan Profile: Yasir Irfan

When it comes to CCIE Routing and Switching Written Exam you need to study lots of books especially the titles published from Cisco Press. As we all know CCIE Routing and Switching is not an easy task, it needs lots of preparation. Since I am in the process of perusing CCIE Routing and Switching I thought of starting my journey with CCIE Routing and Switching Certification Guide ( 4th Edition) published by Cisco press.

I would like to thanks Jamie Soup from Cisco Press for providing me the copy of CCIE Routing and Switching Certification guide. I thought of sharing my review on this wonderful title.

Since I am coming from CCNA,CCDA, CCNP , CCDP back ground, it was easier for me to understand the concepts and contents of this title. I feel this content is little bit higher not easy to grasp for those, who have little experience or someone who is trying to pass CCIE without reading the CCNA and CCNP Cisco Press titles. The authors are certainly targeting those Certification aspirers who have solid understanding of Routing and Switching concepts.

This title  also differs from other Cisco Press titles, as the foundation summary at the end of each chapter does not repeat the information presented in the “foundation topics” section of each chapter. I feel this approach challenges the CCIE aspires which I really like.

The title is divided into nine parts based on topics and then it further dissected into 20 chapters. The introductory part on LAN Switching and IP Addressing really refreshes your knowledge, each chapter begins with “Do I Know this Already? Quiz which certainly gives clear idea to a reader about his/her understanding on that particular topic. I really enjoyed reading the Multicasting part of this title as it’s written in a very engaging way. More or less majority of the topics are covered with sample scenarios and configurations related to that particular concept. I wish the authors would have elaborated more on troubleshooting part like debug commands and most commonly found issues in the real world scenarios.

The title also comes with a CD which comprises of a powerful  test Engine from Boson which allows the reader to focus and practice questions on either individual topic or a complete exam.  I strongly recommend all CCIE aspirers to go through these practice exams which are also an alternative source of gaining knowledge.

To conclude I would say this title is certainly not for those who just want to pass CCIE written exam by reading this title. Also this titles proves to be little boring and though for those who are not coming with CCNA and CCNP back ground. Certainly there is always room for improvement I would ask the publishers to look at certain typos, and also it would be better if topics are penned in simpler way. I would rate 4 out of 5 for this title as its one of the most important title to be read for CCIE Routing & Switching Exam.

July 13, 2013  8:38 AM

Cisco announces new Nexus 7700 Series Switches

Yasir Irfan Yasir Irfan Profile: Yasir Irfan

Cisco Live was recently concluded in Orlando, Florida where Cisco announced the new top-end Nexus 7700 switches with new ASICS which is capable of working up to 100 Gb/ sec speed. The new 7700 line will come in two versions: a 10-slot 7710 and an 18-slot 7718. Cisco says the chassis will be available in July


Cisco says it has more than 40,000 Nexus 7000 chassis in the field. Now it has two more switches to add to the 7000 family with the Nexus 7700 line. The 7700 has a maximum throughput of 83 Tbps, and a single system can have up to 384 40-GigE ports or 192 100-GigE ports. As with other switches in the 7000 line, the 7700s will include dual redundant supervisor modules to enable software upgrades without losing packets.

The Cisco Nexus 7700 10-slot switch is scalable up to 42 terabits per second (Tbps), whereas the Cisco Nexus 7700 18-Clot Switch cab scale up to 83 terabits per seconds. Both switches are designed to offer high availability, exceptional performance, and high density 40 and 100 Gigabit Ethernet (GE) and front-to-back air flow. That makes it ideal for high performance data center access, aggregation, core, and Unified Fabric deployments.

Looks like Cisco is trying to refresh its product line in competition with other Switch manufacturing vendors.

July 9, 2013  6:51 AM

Cisco IP Source Guard stops PXE boot, especially when using Windows Deployment Services Server

Yasir Irfan Yasir Irfan Profile: Yasir Irfan

In my previous post we saw how to overcome the Cisco NAC restrictions for the Windows Deployment Services Server, as we progressed and started implementing the solution in our production environment we discovered various challenges.

In our production network we are applying various kinds of Layer 2 security at Cisco Access Layer Switches. One of the applied layer 2 security policy is IP Source guard.

IP Source Guard provides source IP address filtering on a Layer 2 port to prevent a malicious host from impersonating a legitimate host by assuming the legitimate host’s IP address. The feature uses dynamic DHCP snooping and static IP source binding to match IP addresses to hosts on untrusted Layer 2 access ports.

Initially, all IP traffic on the protected port is blocked except for DHCP packets. After a client receives an IP address from the DHCP server, or after static IP source binding is configured by the administrator, all traffic with that IP source address is permitted from that client. Traffic from other hosts is denied. This filtering limits a host’s ability to attack the network by claiming a neighbor host’s IP address. IP Source Guard is a port-based feature that automatically creates an implicit port access control list (PACL).

In all our access switches IP Source Guard is enabled by as shown below

ip verify source

When we enable IP source guard, the Windows Deployment Services Server failed to install Windows 7 over the network. Upon troubleshooting we discovered that there is a bug CSCts44728 per which IP Source Guard stops PXE boot, you can find more info about it here

This bug is available in 12.2(55) SE3 IOS version, however its fixed in 12.2(55) SE5 and in 15.0(2)SE IOS versions.

In order to deploy Windows 7 over the PXE using Windows Deployment Services Server we were forced to disable the IP Source Guard feature by using the Cisco IOS command “no ip verify source”.

The only way enable Ip soruce guard is to upgrade the IOS of the switch from 12.2(55) SE3 to 12.2(55)SE5 or later.

July 4, 2013  8:13 AM

How to integrate Windows Deployment Services Server with a typical Cisco Networking devices – Series 3

Yasir Irfan Yasir Irfan Profile: Yasir Irfan

Let’s continue to with rest of the steps to allow Windows Deployment Services Server through a Cisco NAC.

Step 5

Click Add Polices

Add policy


Step 6

Add the IP address of Windows Deployment Services Server along with the UDP ports required

The Windows Deployment Server needs the following UDP ports to be opened from unauthenticated role (Untrusted -> Trusted role)

The IP address of Windows Deployment Services Server in our case

The UDP ports required for any Windows Deployment Services Server is as follows





Then click update policy

Step 7

Create one more policy for the TCP ports required for Windows Deployment Services Server

The Windows Deployment Server needs the following TCP ports to be opened from unauthenticated role (Untrusted -> Trusted role)

The IP address of Windows Deployment Services Server in our case

The TCP ports required for any Windows Deployment Services Server is as follows

135,137-139, 5040

update policy


Then click update policy.


By following these steps we could deploy Windows 7 using Windows Deployment Services Server even when the workstation is connected in untrusted role in the Cisco NAC

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to: