STP is vital for detecting loops within a switched network. Spanning tree works by designating a common reference point (the root bridge) and systematically building a loop-free tree from the root to all other bridges. All redundant paths remain blocked unless a designated link fails. The following criteria are used by each spanning tree node to select a path to the root bridge:
- Lowest root bridge ID - Determines the root bridge
- Lowest cost to the root bridge - Favors the upstream switch with the least cost to root
- Lowest sender bridge ID - Serves as a tie breaker if multiple upstream switches have equal cost to root
- Lowest sender port ID - Serves as a tie breaker if a switch has multiple (non-Etherchannel) links to a single upstream switch
We can manually configure the priority of a switch and its individual interfaces to influence path selection. The values given below are defaults.
Switch(config)# spanning-tree vlan 1 priority 32768
Switch(config)# interface g0/1
Switch(config-if)# spanning-tree vlan 1 port-priority 128
So where do these configured STP priorities come into play? There is no BPDU field for priority; instead, both bridge and port IDs have their administratively configured priorities embedded in them. Note the Bridge Identifier and Port Identifier fields in this Wireshark capture of a PVST+ BPDU:
Although the bridge ID field has been conveniently split into a bridge priority and MAC address for us by Wireshark's protocol descriptor, it is actually a single eight-byte value. The following field, which contains the port ID unique to each interface, is similarly composed at one-fourth the size.
Because this switch is running PVST+, the VLAN ID (1) is added to the configured bridge priority of 32768 (the default priority) for a sum of 32769. The switch's MAC address, which makes the value unique, is appended to this two-byte value to form the complete eight-byte bridge ID. Similarly, the port ID is formed by prepending the 4-bit port priority (the default value of 128, or 0x80, which occupies the upper nibble of the port ID as 0x8) to the 12-bit interface ID, which happens to be 0x001 because we are connected to the first physical switchport. These two values form the complete port ID of 0x8001.
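As an added example (not code from the original page), the following Python composes the bridge ID and port ID exactly as described above, splits them back into the priority, VLAN and MAC fields that Wireshark displays, and applies the four selection criteria listed at the start of this section to a set of received BPDUs. The MAC addresses and port costs are constructed sample values.

```python
"""Compose, decode and compare the PVST+ bridge ID and port ID fields (added example)."""
import struct
from dataclasses import dataclass


def bridge_id(priority: int, vlan: int, mac: str) -> bytes:
    """8-byte bridge ID: 16-bit (priority + extended system ID, i.e. the VLAN) then the 6-byte MAC.

    The configured priority occupies the upper 4 bits, so it must be a multiple of 4096;
    PVST+ fills the lower 12 bits with the VLAN ID (32768 + 1 = 32769 for VLAN 1).
    """
    if priority % 4096 or not 0 <= priority <= 61440:
        raise ValueError("bridge priority must be a multiple of 4096 between 0 and 61440")
    if not 1 <= vlan <= 4094:
        raise ValueError("VLAN ID must be between 1 and 4094")
    mac_bytes = bytes.fromhex(mac.replace(":", "").replace(".", "").replace("-", ""))
    if len(mac_bytes) != 6:
        raise ValueError("MAC address must be 6 bytes")
    return struct.pack("!H", priority + vlan) + mac_bytes


def split_bridge_id(bid: bytes) -> tuple[int, int, str]:
    """Undo bridge_id(): return (priority, vlan, mac) as Wireshark's decoder shows them."""
    (prio_and_vlan,) = struct.unpack("!H", bid[:2])
    mac = ":".join(f"{b:02x}" for b in bid[2:8])
    return prio_and_vlan & 0xF000, prio_and_vlan & 0x0FFF, mac


def port_id(priority: int, port_number: int) -> bytes:
    """2-byte port ID: 4-bit priority (128 -> 0x8) in the upper nibble, 12-bit port number below."""
    if priority % 16 or not 0 <= priority <= 240:
        raise ValueError("port priority must be a multiple of 16 between 0 and 240")
    if not 1 <= port_number <= 4095:
        raise ValueError("port number must be between 1 and 4095")
    return struct.pack("!H", ((priority // 16) << 12) | port_number)


def split_port_id(pid: bytes) -> tuple[int, int]:
    """Undo port_id(): return (priority, port_number)."""
    (value,) = struct.unpack("!H", pid[:2])
    return (value >> 12) * 16, value & 0x0FFF


@dataclass(frozen=True)
class Bpdu:
    """The fields of a received configuration BPDU that decide root-port selection."""
    root_id: bytes
    root_path_cost: int       # cost to the root advertised by the sender
    sender_bridge_id: bytes
    sender_port_id: bytes
    ingress_port_cost: int    # cost of the local port the BPDU arrived on

    def priority_vector(self) -> tuple:
        # Lower wins at every position. Big-endian bytes compare exactly like the
        # integers they encode, so the four criteria reduce to one tuple comparison.
        return (self.root_id,
                self.root_path_cost + self.ingress_port_cost,
                self.sender_bridge_id,
                self.sender_port_id)


def best_bpdu(received: list[Bpdu]) -> Bpdu:
    """Return the superior BPDU: lowest root ID, then cost, then sender bridge ID, then sender port ID."""
    return min(received, key=Bpdu.priority_vector)


if __name__ == "__main__":
    # Constructed addresses: a root with priority 4096 and two upstream switches at the default 32768.
    root = bridge_id(4096, 1, "00:00:0c:00:00:01")
    sw_a = bridge_id(32768, 1, "00:00:0c:00:00:aa")
    sw_b = bridge_id(32768, 1, "00:00:0c:00:00:bb")
    candidates = [
        Bpdu(root, 0, sw_b, port_id(128, 1), 4),   # equal cost, higher sender bridge ID
        Bpdu(root, 0, sw_a, port_id(128, 2), 4),   # same sender as below, higher port ID
        Bpdu(root, 0, sw_a, port_id(128, 1), 4),   # winner on the sender port ID tie-break
    ]
    chosen = best_bpdu(candidates)
    print("root port BPDU from", split_bridge_id(chosen.sender_bridge_id),
          "port", split_port_id(chosen.sender_port_id))
```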
More Networking Tips:
Several of Cisco and Meraki's wireless and cloud networking market competitors say that Cisco's $1.2 billion acquisition of Meraki validates many of the moves they've already made -- and raises their profile as channel partners that much more.
Many of the wireless segment's alternative vendors told CRN Tuesday that they plan to seize on Cisco and Meraki partners' anxiety and make some channel inroads.
"Cisco paid an awfully big price for an SMB company, and it's clear they bought them for provisioning," said David Callisch, vice president of marketing for Ruckus Wireless. "I guess it makes all of us in this space look good. But if I'm a reseller and I see this, am I better off with the Meraki stuff I bought or do I look at Ruckus, which just went public and did that on the back of the channel?"
Joel Vincent, director of product marketing for Aerohive Networks, said that Cisco's choice to pay nearly three times for Meraki what it did for Airespace -- the acquisition that cemented Cisco as a wireless LAN player in 2005 -- reinforces the idea that cloud networking is on "an exciting path."
"It's Cisco's 'modus operandi' to purchase innovation that leapfrogs its current offerings," Vincent said.
Aerohive gained notices for its controller-less approach to wireless LAN, and it soon moved into cloud management behind the 2011 acquisition of startup Pareto Networks. Often viewed as another IPO candidate, as Meraki was, Aerohive is also frequently mentioned as an acquisition target for a larger vendor like an HP or Dell.
Aerohive represents a better bet for channel partners, Vincent said.
"The challenge for the Meraki team will certainly be adapting to operating as part of a vastly larger organization and the non-technology challenges that poses," Vincent said. "Channel partners should start looking for alternative products immediately because there will be channel integration, many changes in structure, and therefore margin erosion in the near-term."
Shane Buckley, CEO of Xirrus, said that with industry research pointing to 90 percent of connections in enterprises going wireless in the coming years, vendors have to get their go-to-market strategies right immediately.
"Recent Wi-Fi market activity in the IPO market and with the recent announcement by Cisco on the Meraki acquisition further validate the importance and criticality of Wi-Fi to mainstream network buying trends," Buckley said in an email to CRN Tuesday. "There is clearly no doubt that Wi-Fi is a corner stone of the IT budget, and vendors such as Xirrus with clear differentiation are well positioned as enterprises look to deliver a user experience and a wireless network that performs as well as the wired network. While we're seeing consolidation in the wireless space, Xirrus continues to focus on innovation that can help companies deal with the immediate and massive shift from wired to wireless access."
Some analysts don't see a Cisco-Meraki acquisition as particularly threatening to enterprise-focused wireless players like Aruba Networks, though certainly a problem for networking companies playing at the lower end of the market.
"While the Aruba Instant product can be sold to SMBs and K-12 markets, it primarily targets enterprise branch offices," wrote Ehud Gelblum, managing director at Morgan Stanley, in a Tuesday research note. "Yet unlike Meraki's products, Aruba's can be seamlessly upgraded to enterprise-class features, further differentiating the solution and making the Meraki acquisition largely a non-event for Aruba. The deal does appear bad for Adtran, however, in that Meraki targets the same low-end SMB Adtran's NetVanta goes after."
Richard Valera, an analyst with Needham & Company, wrote in a note: "We think Aruba's relatively new Aruba Instant product offers many of the same ease-of-deployment/management advantages of Meraki, overlaps more with Meraki than Aruba's traditional products; however, we see this nascent and quickly growing product as an incremental growth opportunity for Aruba in the midmarket rather than a meaningful piece of Aruba's business that's threatened by the Cisco/Meraki deal."
"This move validates our vision that the market is rapidly moving towards the all-wireless enterprise, and along with this, the hastening decline of wired-based primary access networks," said an Aruba spokesperson in an email to CRN. "The consumer market was the first to go all-wireless. Small businesses were next. Medium to large enterprises will follow this trend, and Aruba is laser-focused on this part of the market."
Aruba's made no secret of targeting smaller and more distributed businesses through Aruba Instant and also its distribution relationships with players like Synnex. But partners don't see Cisco-Meraki as a big threat, especially with Aruba having embraced both controller and controller-less wireless infrastructure models and with its stronghold very much in larger midmarket and enterprise customers.
"I don't think it's a threat to Aruba," said Andy Welsh, director of partner alliances for Accuvant, the Denver-based integrator. "I think Aruba's been going down that [cloud] management path for a while. What it does for Cisco is help them compete better with the Aerohives and Ruckuses. Aruba will still battle hard in those places, too, but I don't know how interested Aruba is in all those smaller deals. My experience with Meraki is that they're happy with a three-AP deal in a K-12 building."
---News resource: http://www.crn.com/news/networking/240142438/cisco-competitors-say-meraki-move-makes-them-more-attractive.htm
STP is used by switches to prevent loops from occurring on a network. It does this by running the spanning tree algorithm, which disables unwanted links and blocks ports that could cause a loop.
Loops and duplicate frames can have severe consequences on a network. Most LANs are designed to provide redundancy so that if a particular link fails, another one can take over the forwarding of frames across the LAN.
Basically, each switch port on a network detects the MAC address of a host (PC A) and then sends messages to other switches on the network to inform them of its knowledge of how to get to PC A. The problem starts when another switch discovers the same PC A's MAC address. In time, every switch on the network starts flooding messages about its discovery and how to get to the same PC A, and a loop has formed.
STP ensures that there is only one logical path between all destinations on the network by intentionally blocking redundant paths that could cause a loop.
When a switch port detects a loop in the network, it blocks one or more redundant paths to prevent a loop from forming. (A port is considered blocked when network traffic is prevented from entering or leaving that port.)
To stop a loop from forming, STP chooses one switch to be the 'Root Bridge' on the network. Each other switch then selects one of its ports as its 'Root Port', a 'Designated Port' is chosen on each segment, and all other ports are closed down.
STP Outline of Process
Cisco switches run STP by default; no configuration is needed.
STP continually monitors the network for failures, be it switchports or changes in the network topology. STP acts quickly in making redundant ports available if there is a failure on a link.
Spanning Tree Protocol
*Used by switches to turn a redundant topology into a spanning tree.
*Disables unwanted links by blocking ports
*Is defined by IEEE 802.1d
*Switches run STP by default - no configuration needed.
*Choose one switch to be Root Bridge
*Choose a Root Port on each other switch
*Choose a Designated Port on each segment
*Intentionally closes down all other ports
More STP Info:
There comes a point in the life of most companies when they realize that no matter what they do it will never be enough to excite investors. This is a reality with which network giant Cisco must deal. Because despite recently logging its seventh consecutive earnings beat, the reaction from Wall Street resembled that of a big yawn. And I’m beginning to wonder if the company will ever be able to overcome the dullness that has become synonymous with mature companies of its stature such as Microsoft, Intel and to a lesser extent Oracle. While investors want to believe in Cisco again, I worry that absent something to reinvigorate its growth prospects, Cisco may soon become yet another has-been fighting just to maintain its tech status.
It’s hard to find fault in what Cisco has been able to do. This is despite Wall Street’s reaction to what has been one of the most consistent performers on the market. But growth has not been something that the company has been able to produce in sufficient quantities. Nevertheless, in a market ravaged by poor enterprise IT spending, beating earnings estimates for seven consecutive quarters is nothing short of remarkable – including getting fiscal 2013 started on the right foot. But is it good enough?
Q1 Growth Continues To Be Decent, But…
For the period ending in October, Cisco reported $2.6 billion in net income, or 48 cents per share on revenues of $11.9 billion – beating analysts’ estimates on both the top and bottom lines. However, aside from exceeding estimates, it was what the numbers represented that spoke to the overall direction of the company, which included 11% profit growth and revenues that climbed 6%. But investors shrugged these off.
Also, it didn’t seem to matter that the company performed well in terms of profitability, including gross margins that improved slightly from the previous quarter, while also arriving better than expectations. Similarly, Cisco’s operating income surged 20% – helped by cost cutting and management attention towards streamlining the company’s operations.
On the other hand, that the company’s core routing and switching business continues to struggle while its services business grew 12% left investors with mixed feelings about what the company has really become – particularly with respect to the competition. Cisco is now seen as “too big” while rivals such as F5 and Juniper are seen as younger and more nimble – except, they’re facing their own set of growth challenges as well.
What’s more, despite Cisco’s perceived lack of dexterity, the company still enjoys 60% of the routing and switching market – this is despite the weak demand that segment continues to face. However, to appease investors, the company must figure out ways to maximize its enterprise dominance while also looking for growth opportunities outside of its core competency. Although the company’s recent string of acquisitions has not panned out too well, I think it is time for the company to open its wallet and give it another go.
Buying Time by Spending
Cisco will be the first to admit that it has not spent its cash particularly well. In fact the company has spent most of the past two years recovering from past shopping sprees that produced little to no returns on the company’s investments. But nevertheless, buying a company such as NetApp or perhaps newcomer Palo Alto Networks makes too much sense for Cisco to ignore – particularly the latter.
For Palo Alto, although it’s a young company, it was able to produce 90% year-over-year revenue growth, which was also good enough to grow 15% sequentially. I will concede that Palo Alto is in the early stages of its business, but Cisco cannot ignore the opportunities that an acquisition might bring, especially in the areas of security. What’s more, unless the company acts quickly Cisco may find itself competing with Palo Alto as it becomes an entity of rivals like Dell, Hewlett-Packard or perhaps even Riverbed.
Cisco’s stock is cheap by many standards. Although the company’s fundamentals are strong, including a cash hoard of almost $50 billion, it seems that it is going to take more than beating estimates each quarter to get investors excited about its prospects. It is time that the company does something radical – it needs to buy something. I think NetApp’s strong storage market as well as Palo Alto’s strong growth spurt might be enough to add a little color to Cisco’s stock chart, which continues to suffer from a significant case of boredom.
---Original Review from http://www.forbes.com/sites/richardsaintvilus/2012/11/20/cisco-is-just-too-boring/
More CISCO NEWS & REVIEWS
Networking giant Cisco announced today that it is acquiring privately held cloud software vendor Cloupia for $125 million.
Cloupia develops infrastructure management software for automating data center infrastructure. The company's core product is the Cloupia Unified Infrastructure Controller (CUIC), which is a vendor neutral management and provisioning tool for both virtual and physical infrastructures.
The Cloupia technology will be combined into Cisco's Data Center Group, which includes the UCS server platform. Cisco already has a management platform for UCS called UCS Central, which was recently improved with a new release that provides for management of up to 10,000 servers.
Cisco's overall data center strategy is about enabling a unified physical and virtual infrastructure.
"This strategy involves the delivery of the industry’s most comprehensive data center networking portfolio, which includes physical and virtual products that support multiple hypervisors and storage stacks," David Yen, senior VP and general manager, Cisco Data Center Business Group, said in a statement. "The addition of Cloupia's automation software enhances the efficiency of such unified data center infrastructures, helping to accelerate the transition from physical to cloud environments more quickly and effectively."
Hilton Romanski, VP and Head of Corporate Business Development at Cisco, added that Cloupia’s products will integrate into the Cisco data center portfolio through UCS Manager, UCS Central, and the Nexus 1000V. The Nexus 1000V is Cisco's virtual switching platform. In Romanski's view the integration of Cloupia will strengthen Cisco's overall ecosystem strategy by providing open APIs for integration with an array of both partners and developers.
ISI analyst Brian Marshall commented that, in his view, the acquisition of Cloupia by Cisco reflects the growing importance of automation/management capabilities as the industry gradually moves to software-defined datacenters.
The acquisition of Cloupia isn't the first such automation acquisition that Cisco has done in recent years. In 2009, Cisco acquired Tidal Software for $105 million. Tidal builds workload automation software that Cisco continues to develop. Cisco also has its own Intelligent Automation for Cloud (IAC) solution that includes technology assets from Tidal as well as other prior acquisitions.
More Related Cisco News:
Nowadays, there is essentially one way of implementing VLANs - port-based VLANs. A port-based VLAN is associated with a port called an access VLAN.
However in the network there are a number of terms for VLANs. Some terms define the type of network traffic they carry and others define a specific function a VLAN performs. The following describes common VLAN terminology:
A data VLAN is a VLAN that is configured to carry only user-generated traffic. A VLAN could carry voice-based traffic or traffic used to manage the switch, but this traffic would not be part of a data VLAN. It is common practice to separate voice and management traffic from data traffic. The importance of separating user data from switch management control data and voice traffic is highlighted by the use of a special term used to identify VLANs that only carry user data - a "data VLAN". A data VLAN is sometimes referred to as a user VLAN.
All switch ports become a member of the default VLAN after the initial boot up of the switch. Having all the switch ports participate in the default VLAN makes them all part of the same broadcast domain. This allows any device connected to any switch port to communicate with other devices on other switch ports. The default VLAN for Cisco switches is VLAN 1.
VLAN 1 has all the features of any VLAN, except that you cannot rename it and you cannot delete it. Layer 2 control traffic, such as CDP and spanning tree protocol traffic, will always be associated with VLAN 1 - this cannot be changed. In the figure, VLAN 1 traffic is forwarded over the VLAN trunks connecting the S1, S2, and S3 switches. It is a security best practice to change the default VLAN to a VLAN other than VLAN 1; this entails configuring all the ports on the switch to be associated with a default VLAN other than VLAN 1. VLAN trunks support the transmission of traffic from more than one VLAN. Although VLAN trunks are mentioned throughout this section, they are explained in the next section on VLAN trunking.
Note: Some network administrators use the term "default VLAN" to mean a VLAN other than VLAN 1 defined by the network administrator as the VLAN that all ports are assigned to when they are not in use. In this case, the only role that VLAN 1 plays is that of handling Layer 2 control traffic for the network.
A native VLAN is assigned to an 802.1Q trunk port. An 802.1Q trunk port supports traffic coming from many VLANs (tagged traffic) as well as traffic that does not come from a VLAN (untagged traffic). The 802.1Q trunk port places untagged traffic on the native VLAN. In the figure, the native VLAN is VLAN 99. Untagged traffic is generated by a computer attached to a switch port that is configured with the native VLAN. Native VLANs are set out in the IEEE 802.1Q specification to maintain backward compatibility with untagged traffic common to legacy LAN scenarios. For our purposes, a native VLAN serves as a common identifier on opposing ends of a trunk link. It is a best practice to use a VLAN other than VLAN 1 as the native VLAN.
A management VLAN is any VLAN you configure to access the management capabilities of a switch. VLAN 1 would serve as the management VLAN if you did not proactively define a unique VLAN to serve as the management VLAN. You assign the management VLAN an IP address and subnet mask. A switch can be managed via HTTP, Telnet, SSH, or SNMP. Since the out-of-the-box configuration of a Cisco switch has VLAN 1 as the default VLAN, you see that VLAN 1 would be a bad choice as the management VLAN; you wouldn't want an arbitrary user connecting to a switch to default to the management VLAN. Recall that you configured the management VLAN as VLAN 99 in the Basic Switch Concepts and Configuration chapter.
It is easy to appreciate why a separate VLAN is needed to support Voice over IP (VoIP). Imagine you are receiving an emergency call and suddenly the quality of the transmission degrades so much that you cannot understand what the caller is saying. VoIP traffic requires:
- Assured bandwidth to ensure voice quality
- Transmission priority over other types of network traffic
- Ability to be routed around congested areas on the network
- Delay of less than 150 milliseconds (ms) across the network
To meet these requirements, the entire network has to be designed to support VoIP. The details of how to configure a network to support VoIP are beyond the scope of the course, but it is useful to summarize how a voice VLAN works between a switch, a Cisco IP phone, and a computer.
In the figure, VLAN 150 is designed to carry voice traffic. The student computer PC5 is attached to the Cisco IP phone, and the phone is attached to switch S3. PC5 is in VLAN 20, which is used for student data. The F0/18 port on S3 is configured to be in voice mode so that it will tell the phone to tag voice frames with VLAN 150. Data frames coming through the Cisco IP phone from PC5 are left untagged. Data destined for PC5 coming from port F0/18 is tagged with VLAN 20 on the way to the phone, which strips the VLAN tag before the data is forwarded to PC5. Tagging refers to the addition of bytes to a field in the data frame which is used by the switch to identify which VLAN the data frame should be sent to.
A Cisco Phone is a Switch
The Cisco IP Phone contains an integrated three-port 10/100 switch as shown in the Figure. The ports provide dedicated connections to these devices:
- Port 1 connects to the switch or other voice-over-IP (VoIP) device.
- Port 2 is an internal 10/100 interface that carries the IP phone traffic.
- Port 3 (access port) connects to a PC or other device.
The figure shows one way to connect an IP Phone.
The voice VLAN feature enables switch ports to carry IP voice traffic from an IP phone. When the switch is connected to an IP Phone, the switch sends messages that instruct the attached IP phone to send voice traffic tagged with the voice VLAN ID 150. The traffic from the PC attached to the IP Phone passes through the IP phone untagged. When the switch port has been configured with a voice VLAN, the link between the switch and the IP phone acts as a trunk to carry both the tagged voice traffic and untagged data traffic.
The figure shows sample output. A discussion of the Cisco IOS commands is beyond the scope of this course, but you can see that the highlighted areas in the sample output show the F0/18 interface configured with a VLAN for data (VLAN 20) and a VLAN for voice (VLAN 150).
--- Reference from http://ccnaanswers-khim.blogspot.com/2011/05/types-of-vlans.html
More Related Networking Tips:
VLAN stands for virtual LAN; technically, a VLAN is a broadcast domain created by a switch. When managing a switch, the management domain is always VLAN 1, the default VLAN. All ports of a switch are assigned to VLAN 1 by default. VLANs increase the performance of a network because they divide the network logically into different parts and limit broadcasts.
Any member of VLAN 2 cannot talk with any member of VLAN 3 without a router, but all the members of VLAN 2 and VLAN 3 can talk with the other members within their own VLANs.
This lab also shows how VLANs can be used to separate traffic and reduce broadcast domains.
To create a VLAN, first enter global configuration mode to run the following commands.
Configuration to create VLAN 2
SwitchA#configure terminal (enter global configuration mode)
SwitchA(config)#vlan 2 (create VLAN 2 and enter VLAN configuration mode)
SwitchA(config-vlan)#name marketing (assign the name marketing to VLAN 2)
SwitchA(config-vlan)#exit (return to global configuration mode)
Configuration to create VLAN 3
SwitchA(config)#vlan 3 (create VLAN 3 and enter VLAN configuration mode)
SwitchA(config-vlan)#name management (assign the name management to VLAN 3)
SwitchA(config-vlan)#exit (return to global configuration mode)
Now assign ports 2 and 3 to VLAN 2; this must be done from interface configuration mode. Enter the following commands to add ports 2 and 3 to VLAN 2.
SwitchA(config)#interface fastethernet 0/2 (select interface FastEthernet 0/2)
SwitchA(config-if)#switchport access vlan 2 (make the port an access member of VLAN 2)
SwitchA(config-if)#exit (return to global configuration mode)
Now add port 3 to VLAN 2
SwitchA(config)#interface fastethernet 0/3 (select interface FastEthernet 0/3)
SwitchA(config-if)#switchport access vlan 2 (make the port an access member of VLAN 2)
SwitchA(config-if)#exit (return to global configuration mode)
Now assign ports 4 and 5 to VLAN 3. Enter the following commands to add ports 4 and 5 to VLAN 3.
SwitchA(config)#interface fastethernet 0/4 (select interface FastEthernet 0/4)
SwitchA(config-if)#switchport access vlan 3 (make the port an access member of VLAN 3)
SwitchA(config-if)#exit (return to global configuration mode)
Now add port 5 to VLAN 3
SwitchA(config)#interface fastethernet 0/5 (select interface FastEthernet 0/5)
SwitchA(config-if)#switchport access vlan 3 (make the port an access member of VLAN 3)
SwitchA(config-if)#exit (return to global configuration mode)
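The lab above builds the VLAN-to-port assignment by hand, and the VLAN types section earlier recommends keeping access ports, the trunk native VLAN and the management VLAN off VLAN 1. The following Python is an added example, not code from the original page: it parses a constructed running-config laid out the way IOS prints one, rebuilds the VLAN-to-port view for the lab's ports, and reports every place VLAN 1 is still in use (the interface names and IP addresses are sample values).

```python
"""Rebuild VLAN membership from a running-config and flag VLAN 1 usage (added example)."""
import re
from collections import defaultdict

# Constructed sample in IOS running-config layout: lab ports 2-3 in VLAN 2 and 4-5 in
# VLAN 3, plus a voice port, two trunks and two SVIs. Not output from a real switch.
SAMPLE_RUNNING_CONFIG = """\
!
interface FastEthernet0/1
 switchport mode access
interface FastEthernet0/2
 switchport access vlan 2
interface FastEthernet0/3
 switchport access vlan 2
interface FastEthernet0/4
 switchport access vlan 3
interface FastEthernet0/5
 switchport access vlan 3
interface FastEthernet0/6
 shutdown
interface FastEthernet0/18
 switchport access vlan 20
 switchport voice vlan 150
interface GigabitEthernet0/1
 switchport mode trunk
interface GigabitEthernet0/2
 switchport trunk native vlan 99
 switchport mode trunk
interface Vlan1
 ip address 192.0.2.10 255.255.255.0
interface Vlan99
 ip address 192.0.2.138 255.255.255.0
!
"""


def parse_interfaces(config: str) -> dict[str, list[str]]:
    """Group the indented commands of each 'interface X' stanza under X."""
    stanzas: dict[str, list[str]] = {}
    current = None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            stanzas[current] = []
        elif line.startswith(" ") and current is not None:
            stanzas[current].append(line.strip())
        else:
            current = None          # '!' or any other top-level line ends the stanza
    return stanzas


def port_summary(stanzas: dict[str, list[str]]) -> dict[str, dict]:
    """Per physical port: mode and VLANs, using the IOS defaults (access mode, VLAN 1)."""
    ports = {}
    for name, cmds in stanzas.items():
        if name.startswith("Vlan"):
            continue                # SVIs are not switchports
        info = {"mode": "access", "access_vlan": 1, "voice_vlan": None,
                "native_vlan": 1, "shutdown": False}
        for cmd in cmds:
            if cmd == "switchport mode trunk":
                info["mode"] = "trunk"
            elif (m := re.fullmatch(r"switchport access vlan (\d+)", cmd)):
                info["access_vlan"] = int(m.group(1))
            elif (m := re.fullmatch(r"switchport voice vlan (\d+)", cmd)):
                info["voice_vlan"] = int(m.group(1))
            elif (m := re.fullmatch(r"switchport trunk native vlan (\d+)", cmd)):
                info["native_vlan"] = int(m.group(1))
            elif cmd == "shutdown":
                info["shutdown"] = True
        ports[name] = info
    return ports


def vlan_membership(ports: dict[str, dict]) -> dict[int, list[str]]:
    """VLAN -> access ports, the table the lab above builds one port at a time."""
    members: dict[int, list[str]] = defaultdict(list)
    for name, info in ports.items():
        if info["mode"] == "access":
            members[info["access_vlan"]].append(name)
    return dict(members)


def audit_vlan1(stanzas: dict[str, list[str]]) -> list[str]:
    """Findings for the three VLAN 1 practices the text warns about."""
    findings = []
    for name, info in port_summary(stanzas).items():
        if info["mode"] == "access" and info["access_vlan"] == 1:
            state = "unused (shutdown)" if info["shutdown"] else "active"
            findings.append(f"{name}: {state} access port left in default VLAN 1")
        if info["mode"] == "trunk" and info["native_vlan"] == 1:
            findings.append(f"{name}: trunk uses VLAN 1 as native VLAN")
    if any(cmd.startswith("ip address ") for cmd in stanzas.get("Vlan1", [])):
        findings.append("Vlan1: management IP address configured on the default VLAN")
    return findings


if __name__ == "__main__":
    stanzas = parse_interfaces(SAMPLE_RUNNING_CONFIG)
    for vlan, names in sorted(vlan_membership(port_summary(stanzas)).items()):
        print(f"VLAN {vlan}: {', '.join(names)}")
    for finding in audit_vlan1(stanzas):
        print("FINDING", finding)
```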
Q. What is Cisco ASA Software Release 9.0?
A. Cisco Adaptive Security Appliance (ASA) Software Release 9.0 is the latest release of the software that powers the Cisco ASA family. The same core ASA code delivers enterprise-class security capabilities for ASA devices in a variety of form factors, including a wide range of standalone appliances, hardware blades that integrate with the organization's existing network infrastructure and software that can secure and protect public and private clouds.
Q. What's new in Cisco ASA Software Release 9.0?
A. ASA Software Release 9.0 provides several enhancements. Major new features in this release include:
• The ability to join up to eight Cisco ASA 5585-X or 5580 Series adaptive security appliances in a single cluster, for a linear, predictable increase in performance while providing high availability for always-on data centers
• Integration with Cisco Cloud Web Security (formerly ScanSafe), which allows enterprises to enforce granular web access and web application policy while providing protection from viruses and malware
• Cisco TrustSec Security Group Tags (SGTs), which integrate security into the network fabric to extend the policy construct on the ASA platform
• Next-Generation Encryption, including the Suite B set of cryptographic algorithms, for much better confidentiality
• IPv6, including critical IPv4-to-IPv6 translation features, enabling ASA to be deployed in a mixed v4/v6 environment
• Dynamic routing and site-to-site VPN on a per-context basis, providing much better segmentation between departments or between customers
Q. What Cisco ASA models are supported by ASA 9.0?
Q. Does ASA 9.0 support clustering?
A. Yes. Cisco ASA Release 9.0 enables up to eight Cisco ASA 5585-X or 5580 Adaptive Security Appliance firewall modules to be joined in a single cluster to deliver up to 128 Gbps of multiprotocol throughput (300 Gbps max) and more than 50 million concurrent connections. Alternatively, slot 1 of each ASA 5585-X can be populated with an integrated Intrusion Protection System (IPS) module, for up to 60 Gbps of IPS throughput.
Q. What are some of the key features of the clustering architecture in Cisco ASA Release 9.0?
A. At the core of the clustering architecture in ASA 9.0 is the patent-pending Cisco Cluster Link Aggregation Control Protocol (cLACP). The protocol enables multiunit ASA clusters to function and be managed as a single entity, identifies the backup unit, and creates the session backup. Policies pushed to the cluster get replicated across all units within the cluster, and the health, performance, and capacity statistics of the entire cluster, as well as individual units within the cluster, can be assessed from the single management console.
Q. What ASA models will support clustering?
A. Initially, Cisco ASA Software Release 9.0 will enable clustering on the ASA 5580 and 5585-X Adaptive Security Appliances.
Q. What ASA modes are supported?
A. Clustered ASA appliances can operate in routed, transparent, or mixed-mode. All members of the cluster must be in the same mode.
Q. Do I have to purchase any license to enable clustering?
A. Yes. A cluster license must be purchased and enabled.
Q. How do feature licenses behave when ASA appliances are clustered?
A. Table 1 provides an explanation of the behavior of key features.
Table 1. Cluster Behavior of Different Cisco ASA Feature License Types
License type: Enable/disable feature license
  Behavior in cluster: Only one unit in the cluster is required to have a license.
  Example: Security+ on the Cisco ASA 5585-X: the license is only required on one unit.
Behavior in cluster: The cluster capacity equals the sum of all licenses installed (subject to the total capacity of each individual appliance).
  Example 1: 4-node cluster; Node 1 = 200 SC; Nodes 2, 3, and 4 = 0; total capacity = 200
  Example 2: 4-node cluster; Node 1 = 200 SC; Node 2 = 100 SC; Nodes 3 and 4 = 0; total capacity = 250 SC
Behavior in cluster: If the feature is installed on one unit, it is automatically enabled on the entire cluster. The total duration of the license equals the sum of all remaining license durations.
  Example: If the botnet traffic filter is installed on one node, it becomes available to the entire cluster. If Node 1 has 9 months remaining and Node 2 has 7 months remaining, the total remaining duration of the botnet traffic filter feature will be 16 months for the entire cluster.
Q. What is meant by "scaling factor"?
A. Scaling factor is a measurement of expected performance and scale in a clustered environment. For example, if a 4-unit cluster is configured using 20-Gbps firewalls with a scaling factor of 0.8, the expected performance of that cluster will be: 0.8 x 4 x 20 Gbps = 64 Gbps.
Q. What is the expected performance and capacity with a 2-, 4-, and 8-unit cluster?
A. Cisco currently offers a scaling factor of between 0.7 and 1.0, depending on the traffic profile. Table 2 shows the expected performance of a 2-unit cluster with a multiprotocol traffic profile (the expected performance of 4- and 8-unit clusters can be calculated by multiplying the 2-unit cluster results by 2 and 4, respectively).
Table 2. Sample Data for a Two-Node Cluster
Q. What is the expected behavior if the cluster uses an integrated IPS module in slot 1 of each unit?
A. All IPS modules in the cluster are configured as independent IPSs, so no configuration sync is required. However, Cisco Security Manager and Cisco IPS Manager Express can be used to simplify configuration management across the IPS modules in the cluster. When the traffic enters the cluster, one specific unit becomes the owner for that specific session. When a policy dictates that traffic be redirected to an IPS for further analysis, the IPS module physically associated with that "owner" unit will be utilized. In other words, traffic from one firewall cannot be redirected to an IPS that is integrated with a different firewall in the cluster.
Q. How is session and configuration information synchronized across the cluster members?
A. Cisco ASA Software Release 9.0 uses Cluster Control Link (CCL) to synchronize all state information across the cluster.
Q. How is the cluster managed?
A. The clustered ASA appliances behave as a single firewall instance, so a single instance of Cisco Application Security Device Manager (ASDM) is capable of managing an 8-unit cluster as a single ASA unit. To simplify the configuration phase, cluster configuration steps have been added to the ASDM High Availability and Scalability wizard (Figure 1).
Figure 1. Cluster Configuration Steps in ASDM High Availability and Scalability Wizard
Once the cluster has been deployed, the ASDM Cluster Dashboard (Figure 2) shows the entire cluster on a single screen. The dashboard displays the following information:
• Device information (IP addresses, version, role, and so on)
• Health status: CPU and memory utilizations
• Average CPU and memory status across the cluster
• Control link usage
• Performance statistics: Connections per second and throughput
• Capacity information (number of connections)
Figure 2. ASDM Cluster Dashboard
Cloud Web Security Integration
Q. What are the advantages of cloud web security being integrated with the firewall?
A. Now that Cisco Cloud Web Security is integrated with Cisco ASA Software Release 9.0, organizations gain a centralized content security solution combined with localized network security. However, in contrast to Unified Threat Management appliances (UTMs), which suffer significant performance degradation when web security services are enabled, there is little to no impact on ASA performance because the content scanning is offloaded to the Cisco web security cloud. Administrators can choose to perform deep content scanning on a subset of traffic, based on network address, Microsoft Active Directory user or group name, or hosts residing inside a specific security context.
Q. How does Cisco ASA redirect traffic to Cisco Cloud Web Security?
A. The Cisco ASA Modular Policy Framework (MPF) allows flexible policies to be created to serve a wide range of needs. The outbound traffic can be classified based on user name, user group, source, or destination. The destination aspect can be further classified into three broad categories:
• Approved traffic: Traffic from known safe websites, that is approved by corporate policy
• VPN traffic: Traffic flowing through a site-to-site VPN tunnel
• Traffic redirected to Cisco Cloud Web Security: Traffic is sent to Cisco Cloud Web Security for granular web policy control, including URL filtering, antivirus scanning, web content scanning (ScanSafe scanlets), and web application visibility and control
The traffic classification criteria can also be mixed and matched (for example, a group of users such as guests, vendors, or interns can be selected for Cisco Cloud Web Security inspection).
Q. How does integrated Cisco Cloud Web Security compare with web security functionalities that are offered on-box from other firewall vendors?
A. The key challenge with all-in-one approaches to security is that all security functionalities (firewall, network access control, web, antivirus, VPN, and so on) compete for fixed computing resources (for example, CPU, Regex, and crypto). As a result, performance can drop significantly as more services are enabled. In contrast, with Cisco Cloud Web Security integrated into ASA 9.0, the antivirus and web security component is executed on the scalable Cisco Cloud Web Security cloud, while the network security component is executed on the Cisco ASA. As a result, both services achieve maximum security efficacy, with little or no performance impact.
Q. My deployment is not yet ready for identity enablement. Can I still use the Cisco Cloud Web Security Connector in Cisco ASA Software Release 9.0?
A. Yes. Traffic can be redirected to Cisco Cloud Web Security based on 5-tuples, or by using a cut-through-proxy and local database users on the Cisco ASA. However, either of these methods will disable user-level and group-level reporting, as well as policy control on both the ASA and Cisco Cloud Web Security.
Q. Is Cisco Cloud Web Security available when the Cisco ASA appliance is in multicontext mode?
A. Yes. When the ASA is configured for multicontext mode, managed security providers can enable Cisco Cloud Web Security on a per-context basis. Note, however, that Cisco Cloud Web Security is not supported when Cisco ASA is in transparent mode.
Q. What are some of the configuration steps required to integrate Cisco Cloud Web Security with Cisco ASA?
A. Cisco ASA configuration has two broad components: Cisco Cloud Web Security information and traffic classification. Traffic classifications are performed using the Cisco ASA Modular Policy Framework (MPF), while Cisco Cloud Web Security classifications require the following information:
• IP address of the Cisco Cloud Web Security tower (primary and backup)
• A valid license
• A designated "retry count" before declaring a tower "dead"
Q. Up to 10 percent of the employees in my organization are remote. How can I extend Cisco Cloud Web Security capabilities to those remote users?
A. Cisco Cloud Web Security capabilities are extended to remote users via the Cisco AnyConnect® Secure Mobility Client. The AnyConnect client performs split-tunneling of web and VPN traffic to eliminate the need to backhaul Internet traffic to company headquarters, thereby enabling complex remote access use cases. For example, if a user is traveling from the United States to Japan, AnyConnect will automatically find the closest Cisco Cloud Web Security tower in Japan, even if the VPN tunnel is terminated to the U.S. headquarters location.
Q. How can I enforce Web 2.0 policies on personal handhelds (iPhones and iPads)?
A. The Cisco AnyConnect Secure Mobility Client launches the tunnel to the Cisco ASA headend. The ASA redirects part of tunnel traffic (port 80 and port 443) to the Cisco web security cloud for Web 2.0 application enforcement. This entire process is transparent to the end user.
Q. Is Cisco Cloud Web Security integration available on all Cisco ASA platforms?
A. Yes. Cisco Cloud Web Security integration is available on all currently shipping Cisco ASA appliance platforms, including the Cisco ASA 5500 Series, the Cisco ASA 5500-X Series, and the Cisco Catalyst 6500 Series ASA Services Module. It is not yet available on the Cisco ASA 1000V Cloud Firewall.
Q. How does this integration achieve high availability?
A. There are two pieces to high availability (HA): Cisco Cloud Web Security Tower HA and Cisco ASA HA. When you configure Cisco Cloud Web Security tower information, you can configure a backup Cisco Cloud Web Security tower, which automatically redirects web traffic to the secondary tower if the primary tower goes down. If you are using Cisco ASA HA, the entire system - including the ASA and the Cisco Cloud Web Security tower - can achieve full redundancy in either active/passive or active/active mode. In exceptional circumstances, if both Cisco Cloud Web Security towers are unavailable (e.g., due to the loss of Internet connectivity), the ASA can be configured to either fail-open or fail-close.
Q. Where do I go for more information on the integrated Cisco Cloud Web Security?
A. More information on Cisco Cloud Web Security web AVC can be found at Application Visibility and Control now available in Cisco Cloud Web Security.
Secure Remote Access
Q. Does ASA support IPv6 remote access connections?
A. Yes. IPv4/IPv6 dual stack has been supported inside SSL tunnels since ASA 8.4. ASA 9.0 expands this support to enable IPv4 and IPv6 on the public interface when used in conjunction with Cisco AnyConnect 3.1 or greater. ASA 9.0 also enables IPv6 clientless support.
Q. Does ASA 9.0 support Suite B cryptographic standards?
A. Yes. ASA 9.0 provides comprehensive next-generation encryption capabilities, which includes the Suite B cryptographic standards for remote access and site-to-site connections using an IPsec tunnel. For more information, see the "AnyConnect VPN - Next Generation Encryption" section of this document.
Q. Is next generation encryption available on all ASA platforms?
A. No. Next Generation Encryption is fully supported on the ASA 5585-X, 5500-X Series, and 5580, as well as on the Catalyst 6500 Series ASA Services Module. It can only be partially supported on the ASA 5505, 5510, 5520, 5540, and 5550 due to hardware limitations. AnyConnect 3.1 or greater and an AnyConnect Premium License are also required to use next generation encryption for remote access connections.
Q. Can we use the Cisco AnyConnect Secure Mobility Client with ASA 9.0?
A. Yes. The Cisco AnyConnect Secure Mobility Client is fully supported in ASA 9.0. Customers are encouraged to migrate to AnyConnect for VPN remote access as soon as possible.
Q. Does ASA 9.0 support Virtual Desktop Infrastructure (VDI)?
A. Yes. ASA native clientless support for Citrix VDI deployments has been updated in ASA 9.0 to include XenApp 6.5 and the latest versions of XenDesktop (up to 5.5) on laptops, desktops, and mobile devices (Citrix Mobile Receiver). Support for VMware VDI deployments is also offered (via SmartTunnels). As in past releases, Cisco AnyConnect supports Citrix and VMware VDI deployments.
More Related Cisco ASA Tips
VLAN Trunking Protocol (VTP) is a Cisco Layer 2 messaging protocol that manages the addition, deletion, and renaming of VLANs on a network-wide basis. Virtual Local Area Network (VLAN) Trunk Protocol (VTP) reduces administration in a switched network. When you configure a new VLAN on one VTP server, the VLAN is distributed through all switches in the domain. This reduces the need to configure the same VLAN everywhere. VTP is a Cisco-proprietary protocol that is available on most of the Cisco Catalyst Family products.
VTP ensures that all switches in the VTP domain are aware of all VLANs. There are occasions, however, when VTP can create unnecessary traffic. All unknown unicasts and broadcasts in a VLAN are flooded over the entire VLAN. All switches in the network receive all broadcasts, even in situations where few users are connected in that VLAN. VTP pruning is a feature used to eliminate (or prune) this unnecessary traffic.
By default, all Cisco Catalyst switches are configured to be VTP servers. This is suitable for small-scale networks where the size of the VLAN information is small and easily stored in all switches (in NVRAM). In a large network, a judgment call must be made at some point when the NVRAM storage needed is wasted, because it is duplicated on every switch. At this point, the network administrator should choose a few well-equipped switches and keep them as VTP servers. Everything else participating in VTP can be turned into a client. The number of VTP servers should be chosen so as to provide the degree of redundancy desired in the network.
There are three versions of VTP so far. VTP Version 2 (V2) is not much different from VTP Version 1 (V1). The major difference is that VTP V2 introduces support for Token Ring VLANs. If you are using Token Ring VLANs, you need to enable VTP V2; otherwise, there is no reason to use VTP V2. VTP version 3 differs from earlier VTP versions in that it does not directly handle VLANs. VTP version 3 is a protocol that is only responsible for distributing a list of opaque databases over an administrative domain. When enabled, VTP version 3 provides the following enhancements over previous VTP versions:
- Support for extended VLANs.
- Support for the creation and advertising of private VLANs.
- Improved server authentication.
- Protection from the "wrong" database accidentally being inserted into a VTP domain.
- Interaction with VTP version 1 and VTP version 2.
- Provides the ability to be configured on a per-port basis.
- Provides the ability to propagate the VLAN database and other databases.
Protocol Structure - VTP: VLAN Trunking Protocol
The format of the VTP header can vary depending on the type of VTP message. However, they all contain the following fields in the header:
- VTP protocol version: 1, 2, or 3
- VTP message type:
  - Summary advertisement
  - Subset advertisement
  - Advertisement request
  - VTP join message
- Management domain length
- Management domain name
When the switch receives a summary advertisement packet, it compares the VTP domain name to its own VTP domain name. If the name is different, the switch simply ignores the packet. If the name is the same, the switch then compares the configuration revision to its own revision. If its own configuration revision is higher or equal, the packet is ignored. If it is lower, an advertisement request is sent.
A summary advertisement also carries the following fields:
- Followers indicates that this packet is followed by a subset advertisement packet.
- The updater identity is the IP address of the switch that was the last to increment the configuration revision.
- The update timestamp is the date and time of the last increment of the configuration revision.
- Message Digest 5 (MD5) carries the VTP password, if one is configured, and is used to authenticate a VTP update.
When you add, delete, or change a VLAN in a switch, the server switch where the changes were made increments the configuration revision and issues a summary advertisement, followed by one or several subset advertisements. A subset advertisement contains a list of VLAN information. If there are several VLANS, more than one subset advertisement may be required in order to advertise them all.
The following formatted example shows that each VLAN information field contains information for a different VLAN (ordered with lower-valued ISL VLAN IDs occurring first):
Most of the fields in this packet are easy to understand. Below are two clarifications:
- Code: this is 0x02 for a subset advertisement.
- Sequence number: this is the sequence of the packet in the stream of packets following a summary advertisement. The sequence starts with 1.
A switch needs a VTP advertisement request in the following situations:
- The switch has been reset.
- The VTP domain name has been changed.
- The switch has received a VTP summary advertisement with a higher configuration revision than its own.
Upon receipt of an advertisement request, a VTP device sends a summary advertisement, followed by one or more subset advertisements. Below is an example.
- Code: this is 0x03 for an advertisement request.
- Start value: this is used in cases where there are several subset advertisements. If the first (N) subset advertisement has been received and the subsequent one (N+1) has not, the Catalyst only requests advertisements from the (N+1)th one onward.
Reading resource: http://www.javvin.com/protocolVTP.html
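The summary advertisement comparison and the advertisement request rules described above, as an added Python example that is not part of the page or its source. The byte widths of the header fields (32-byte domain name, 4-byte revision, 12-byte timestamp, 16-byte digest, 2-byte start value) and the packets built here are assumptions for illustration.

```python
import struct

# VTP v1/v2 layouts assumed here (the page names the fields, not their widths):
#   summary: ver(1) code(1) followers(1) dom_len(1) dom_name(32) revision(4)
#            updater_identity(4) update_timestamp(12) md5_digest(16)
#   request: ver(1) code(1) reserved(1) dom_len(1) dom_name(32) start_value(2)
SUMMARY_FMT = "!BBBB32sI4s12s16s"
REQUEST_FMT = "!BBBB32sH"
CODE_SUMMARY, CODE_SUBSET, CODE_REQUEST = 0x01, 0x02, 0x03

def build_summary(domain, revision, followers=1, updater=b"\x0a\x00\x00\x01"):
    """Constructed summary advertisement (timestamp and MD5 digest zeroed)."""
    name = domain.encode("ascii")
    return struct.pack(SUMMARY_FMT, 2, CODE_SUMMARY, followers, len(name),
                       name.ljust(32, b"\x00"), revision, updater,
                       b"\x00" * 12, b"\x00" * 16)

def parse_summary(pkt):
    """Decode the header fields the receiving switch needs for its comparison."""
    size = struct.calcsize(SUMMARY_FMT)
    if len(pkt) < size:
        raise ValueError("truncated summary advertisement")
    ver, code, followers, dlen, name, rev, upd, _ts, _md5 = struct.unpack(
        SUMMARY_FMT, pkt[:size])
    if code != CODE_SUMMARY:
        raise ValueError("not a summary advertisement: code 0x%02x" % code)
    if dlen > 32:
        raise ValueError("bad domain length %d" % dlen)
    return {"version": ver, "followers": followers, "revision": rev,
            "domain": name[:dlen].decode("ascii"),
            "updater": ".".join(str(b) for b in upd)}

def build_request(domain, start):
    """Advertisement request for subset advertisements from `start` onward."""
    name = domain.encode("ascii")
    return struct.pack(REQUEST_FMT, 2, CODE_REQUEST, 0, len(name),
                       name.ljust(32, b"\x00"), start)

def handle_summary(local_domain, local_revision, pkt, subsets_received=0):
    """Apply the rules above: other domain -> ignore; own revision higher or
    equal -> ignore; lower -> request subsets starting at N+1."""
    adv = parse_summary(pkt)
    if adv["domain"] != local_domain:
        return "ignore", None
    if local_revision >= adv["revision"]:
        return "ignore", None
    # Any higher revision from a matching domain name is accepted, which is
    # why the "wrong database" protection listed for version 3 matters.
    return "request", build_request(local_domain, subsets_received + 1)
```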