Network technologies and trends

July 4, 2013  7:50 AM

How to integrate Windows Deployment Services Server with a typical Cisco Networking devices – Series 2

Yasir Irfan Yasir Irfan Profile: Yasir Irfan

In series 1 we discussed how to integrate Windows Deployment Services Server with a typical Cisco Networking devices. We dealt with the configuration at the distribution layer switches, yes by adding ip-helper address the issue was resolved. When we tried the same setup in our live environment which consists of Cisco NAC we faced the problem. Obliviously without NAC client and posture assessment the NAC CAS server won’t allow the client as a trusted client.

The only way is to allow access for a Client PC from untrusted mode to access Windows Deployment Service server.  This can be done by creating policy for user management in Cisco CAM device as show below

Step 1

Login to CAM Device

Step 2

Click – User management

User roles

Step 3

Select  unauthenticated roles

Unauthenticated role

Step 4

Click Polices


I will continue the reset of the steps in next post.

July 3, 2013  4:48 AM

No more Microsoft TechNet Subscriptions for IT professionals

Yasir Irfan Yasir Irfan Profile: Yasir Irfan

Couple of days back I received an email from Microsoft with a subject “TechNet Subscriptions retirement” and following are its contents.


“As IT trends and business dynamics have evolved, so has Microsoft’s set of offerings for IT professionals who are looking to learn, evaluate and deploy Microsoft technologies and services. In recent years, we have seen a usage shift from paid to free evaluation experiences and resources.  As a result, Microsoft has decided to retire the TechNet Subscriptions service and will discontinue sales on August 31, 2013.”

I was shocked with the decision taken by Microsoft, is it a right decision? The question now arises is how are they going to provide testing environments for small time developers? Usually 90-180 day evaluation won’t give much flexibility. Well time will tell how it’s going to impact the IT professionals. Currently most of the IT professionals are not happy with this move of Microsoft.

Though Microsoft are reassuring the IT professionals with the following message

“Subscribers with active accounts may continue to access program benefits until their current subscription period concludes.

We are committed to helping customers through this transition phase and will remain focused on  providing IT professionals with free access to a broad set of TechNet assets that support the needs of IT professionals around the world.

Improved Free Offerings for IT Professionals Include:

  • TechNet Evaluation Center: Free evaluation software with no feature limits, available for 30-180 days.  Includes rich evaluation resources and TechNet Virtual Labs, which enable you to evaluate software without the need to install bits locally.
  • Microsoft Virtual Academy: Free online learning site, with over 200 expert-led technical training courses across more than 15 Microsoft technologies with more added weekly.
  • TechNet Forums: Free online forums where IT professionals can ask technical questions and receive rapid responses from members of the community.

Please note, MSDN Subscriptions  provide a paid set of offerings that are also available for those who require access to evaluation software beyond what the above free offerings provide.”

I strongly believe that  Microsoft could have reduced the type of services they were offering through TechNet subscriptions rather than stopping it completely.

July 1, 2013  7:05 PM

How to integrate Windows Deployment Services Server with a typical Cisco Networking devices – Series 1

Yasir Irfan Yasir Irfan Profile: Yasir Irfan

Recently we tried to deploy Windows Deployment Services Server in our environment, to enable the deployment of Windows operating systems over the network for our workstations, so that our technical support team do not have to install each operating system directly from a CD or DVD.

Our Windows Deployment Services Server was connected to Cisco Nexus 5000 Series Switch as shown in the below layout. We do have a redundant network devices at each layer but to make things easier I have removed them.

Windows Deployment Ser

When our Systems Team tried to deploy the service in one of the work station connected to Cisco 3750 E Series Access Switch it failed. Our Cisco 3750 E access switch is connected to Cisco 6506 E Switch through a trunk port and the connectivity between the Distribution Switch and Core Nexus 7010 Switch is a layer three link. All our edge VLANS  are created in the distribution switch.

The workstation can ping the Windows Deployment Services Server, but the installation of Windows 7 Operating System failed over the network. Upon troubleshooting we figured out that an IP helper address should be configured in the VLAN in the Cisco 6506 E Distribution switch. Once we configured the IP helper address as shown below the problem was solved.

ITKE01(config)#interface vlan 300

ITKE01 (config-if)#ip helper-address

However the same scenario behind the Cisco NAC Servers failed, in the upcoming post I will let you know how to over come this problem.

May 15, 2013  5:28 AM

What is AsyncOS?

Yasir Irfan Yasir Irfan Profile: Yasir Irfan

When it comes to Cisco’s networking products, the default operating system comes into our mind is Cisco IOS, a very popular OS among the networking professionals, however, when it comes to Cisco Email Security Appliance (ESA),better known as Cisco IronPort appliances the OS changes.

The Cisco IronPort Appliances are geared and operated by powerful collections of software’s better known as AsyncOS. The AsyncOS is a collection of base operating system (OS), device drivers, memory management, process scheduling, and all the application and scanning software. Few unique features of AsyncOS are its high performance and security.

The AsyscOS fundamentals are built on FreeBSD, low-level components are written in C programing language. However, most of the application software and the entire management interface is written in Python and use a coroutine-based model called shrapnel.

AsysncOS versions are referred as the Major.Minor.Point-Build number format as shown below.


One interesting fact about the AsyncOS software builds is. It is complete and self-contained. When an AsyncOS is upgraded from, one version to another, the entire build image is upgraded rather than individual upgrade component.

May 14, 2013  12:54 PM

A review for “Email Security with Cisco IronPort”

Yasir Irfan Yasir Irfan Profile: Yasir Irfan

When it comes to Email Security, no other product is as powerful as Cisco IronPort. Therefore, we opted Cisco IronPort C370 as our email security gateway. Since its inception into our network, I am searching for a great reference and study guide for the Cisco IronPort products.


At the beginning, I was depending more or less on Cisco Web Site resources, which are great. However, the moment I discovered that Chris Porter is writing a book with a title “Email Security with Cisco Iron Port” I was excited. Immediately I contacted Jamie Adams at Cisco Press, as usual she arranged a copy of book for me for a review and reference.

The title “Email Security with Cisco IronPort” is tailored made for those professionals who have a good understanding of  basic networking concepts.  The author Chris Porter did an amazing job especially with the Introduction part. I really loved it, be it the overview or history of AsyncOS versions. I think the author is quite smart in addressing his readers, be they are beginners or experts of the subject. He knows how to keep them intact.

The title “Email Security with Cisco IronPort” consists of 15 chapters covering the concepts like ESA products, the WEB user interface, Command Line interface in IronPort, and much more in detail and in simple language.

The main highlight of “Email Security with Cisco IronPort” book is the configurations recommended by Chris Porter.

After reading this title, it really enriched my knowledge and made my quite competent in managing Cisco IronPort devices, I would definitely recommend this title to all those professionals who are keen to know more about Email Security with Cisco IronPort devices.

May 9, 2013  11:23 PM

Being in Gartner Magic quadrant is sufficient to succeed?

Yasir Irfan Yasir Irfan Profile: Yasir Irfan

Currently, we are testing some of the network and application monitoring solutions, so that we can go with a product, which serves our needs. We approached many vendors and got a good response from them, and some even offered to do a proof of concept. Which we opted  happily, and in fact it helped us to take some strategic decisions, which were in the interest of the Organisation.

During this journey what we observed is that some vendors were reluctant to provide a proof of concept, and they tried to convince us they are in the in the magic quadrant of Gartner in that particular field, by doing, so they lost the opportunity with us. My question here is, it right to choose a product or solution just because it is in a magic quadrant of Gartner? Your feedback and comments are helpful.

May 9, 2013  10:47 PM

What is the error “Signature Auto Update Fails with Error HTTP connection failed [1, 110] “ in Cisco IPS sensors?

Yasir Irfan Yasir Irfan Profile: Yasir Irfan


Recently, I configured our Cisco IPS Sensors modules SSM-40 installed in the Cisco ASA 5540 and Cisco IPS 4270 sensor to auto update the signature behind our Blue Coat Proxy SG, upon configuration, I discovered that the auto updates failed. When I tried to know status by using Cisco IOS command.

 “show statistics host” I discovered the auto updates failed, and the command was giving the following errors

IPS#show statistics host

Auto Update Statistics

lastDirectoryReadAttempt = 19:31:09 CST Thu May 9 2013

= Read directory:

= Error: AutoUpdate exception: HTTP connection failed [1,110]   <–

lastDownloadAttempt = 19:08:10 CST Thu May 9 2013

lastInstallAttempt = 19:08:44 CST Thu May 9 2013

nextAttempt = 19:35:00 CST Thu May 9 2013

These errors generally observed in IPS sensors running 7.0(7) and 7.0(8) due to a bug “CSCub08230”. In order to overcome this problem available work around is either to download the signature update package manually from and apply the updates manually to the IPS sensors or to upgrade the Cisco IPS sensors to latest  update of 7.2.

The strange thing is that the IPS Sensors were communicating with the Cisco Servers they could be able to connect bypass the proxy servers as shown in my below capture.

IPS capture

However, they failed to update signature simply because the initial connection to the locator service is performed using the HTTPS connection, and the once sensor is authenticated by the digital certificate provided by the server. The connection is switched over to HTTP for the auto-update process. This changer over from HTTPS to HTTP is failing due to the bug “CSCub08230

Hence, temporarily I was forced to revert my configuration and allow IPS sensors to communicate directly with Cisco servers bypassing our bluecoat proxy server.

May 6, 2013  4:59 AM

How to preserve encapsulation across SPAN?

Yasir Irfan Yasir Irfan Profile: Yasir Irfan

While any one of you are trying to analyze a SPAN or RSPAN traffic you may notice that certain layer 2 frames are missing. Usually SPAN/RSPAN ignores layer 2 traffic like CDP, spanning-tree BPUDs, VTP, DTP and PagP frames.  However, these traffic types can be forwarded along with the normal SPAN traffic if the “encapsulation replicate” Cisco IOS command is configured in a Cisco Catalyst Switch.

The below example shows how to enable this feature

CiscoSwitch(config)# monitor session 1 source interface g0/1

CiscoSwitch(config)# monitor session 1 destination interface g0/2 encapsulation replicate

September 11, 2012  5:01 AM

How To Configure a Cisco ASA 5540 firewall for Video Conferencing for Polycom device?

Yasir Irfan Yasir Irfan Profile: Yasir Irfan

Recently we were asked to configure the Polycom device to have video conferencing with external world. Our Polycom device is behind a Cisco ASA 5540 firewall as shown in the below network layout.

In order to permit H.323 video conferencing you need to follow the following steps

Step 1

Define static NAT rules

In the above example we will create a NAT rule for the external IP address to the internal IP address (assigned to Polycom device) using the following Cisco IOS command in ASA firewall.

static (inside,outside) netmask

Step 2

 Create an access list to allow access to polycom device from external network, we need to allow the following ports tcp/udp to enable to video conferencing and apply the same to outside interface

H323 -udp

1720 – tcp

3230 3285 – tcp

access-list Outside_In remark Allow traffic going to polycom device

access-list Outside_In extended permit udp any host eq 1720

access-list Outside_In extended permit tcp any host eq h323

access-list Outside_In extended permit udp any host range 3230 3285

access-list Outside_In extended permit tcp any host range 3230 3243

access-group Outside_In in interface outside

Step 3

Create the Access list which will allow traffic to traverse the ASA firewall from Internal to External network, repeat the steps above, but ensure the Interface: is set to inside as shown below.

access-list Inside_In remark Allow Traffic form polycom device to outside

access-list Inside_In extended permit udp host any range 3230 3285

access-list Inside_In extended permit tcp any host eq h323

access-list Inside_In extended permit tcp host any range 3230 3242

access-group Inside_In in interface inside

By following the above three steps you can enable video conference to any polycom device behind the ASA firewall.

August 31, 2012  1:27 PM

Data Center Security Policies and Procedures – part5

Yasir Irfan Yasir Irfan Profile: Yasir Irfan

This will be my last series on Data Center Security Policies and Procedures, I will be covering the Exception Reporting and Requesting Access to the Data Center


  1. 1.     Exception Reporting

All infractions of the Data Center Physical Security Policies and Procedures shall been reported to the ITKE*.  If warranted (e.g., emergency, imminent danger, etc.).

When an unauthorized individual is found in the DataCenterit must be reported immediately to the responsible ITKE* member.  If this occurs during the evening hours, IT call center or ITKE* senior staff should be contacted.  The unauthorized individual should be escorted from theDataCenter and a full written report should be immediately submitted to ITKE*.

  1. 2.     Requesting Access to the Data Center

Departments / Projects that have computer equipment in the DataCentermay request access to the DataCenter.  The individuals designated by the requesting department/project will be granted access once ITKE* authorized them.  To initiate authorization for access, the manager of the department/project requesting access should direct a request to the ITKE* .  Upon approval by the Head of ITKE*, the person will fill the Datacenter Access Request Form and be provided with a copy of the ITKE* Data Center Access Policies and Procedures document.  A person’s department must notify the ITKE* as soon as possible so that the person’s access to the Data Center can be removed.  This is extremely important in cases where the employee was terminated for cause.  ITKE* – reserves the right not to allow entrance to the Data Centre if the Data Centre already has too many companies performing works.



  1. It is the responsibility of the ITKE*, End-user Departments, contractors/ vendors/representative to ensure implementation of this IPP.
  2. Respective department heads are responsible for ensuring adherence to the provisions of this IPP.
  3. Audit and Follow-Up Administration will monitor compliance to the provisions stipulated herein.

I hope the policies covered in these series of article will help you out to draft an effective Data Center policy.

*ITKE is used just as reference which can be replaced by your organization or department name

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to: