Cisco & Cisco Network Hardware News and Technology

Cisco Business Edition 6000 General Qs

November 26, 2013. Written by Cisco & Cisco Router, Network Switch. Published on #Cisco & Cisco Network

Cisco Business Edition 6000 (BE 6000) is a packaged solution optimized for medium-sized business requirements. It is a combination of Cisco Unified Communications applications on the Cisco Unified Computing System (Cisco UCS) that offers midsize customers business agility and reduced TCO through server consolidation, operational efficiency and scalability, improved business continuity, and greater investment leverage.

Cisco BE 6000 consists of the following foundational elements:

• Cisco UCS C220 M3 Rack-Mount Server

• Cisco UC Virtualization Hypervisor

• Cisco Licensing

• Cisco Unified Communications Manager

• Cisco Instant Messaging and Presence with the Cisco Jabber messaging integration platform

• Cisco Unity Connection

• Cisco Prime Collaboration Provisioning

You can optionally install the following applications to the BE 6000 solution:

• Advance Video with Cisco TelePresence conferencing application

• Cisco Unified Contact Center Express

• Cisco Emergency Responder

• Cisco Paging Server

• Cisco Unified Provisioning Manager (older option of management application)

• Cisco Unified Attendant Console (not preloaded; needs to be purchased separately)

In addition, Cisco BE 6000 integrates with cloud-based Cisco WebEx Software-as-a-Service offerings including WebEx Connect IM and Presence, as well as WebEx Web Conferencing.

Cisco BE 6000 comes with two hardware options of Cisco UCS 220 M3 Server:

1. The Medium Density server supports a maximum of five virtual machines (four collaboration applications and one management application) and a maximum of 1200 devices.

2. The High Density server supports a maximum of nine virtual machines (eight collaboration applications and one management application) and a maximum of 2500 devices.

Note: Both options support a maximum of 1000 users.

What is the difference between Cisco Business Edition 6000 and generic unified communications applications on Cisco UCS ("UC on UCS")? The following table shows the differences between Cisco BE 6000 and deployments with Unified Communications applications on Cisco UCS:

[Image: Differences between Cisco BE 6000 and deployments with Unified Communications applications on Cisco UCS]

Maximum Capacities of Cisco BE 6000

Attribute                                               Capacity
------------------------------------------------------  --------------------------------------------------------------
Maximum number of users                                 1000 users
Maximum number of mailboxes and voicemail ports         1000 mailboxes and 24 voicemail ports per server
Message storage                                         Approximately 72,944 G.711 codec minutes
Number of contact center agents                         100 agents and 10 supervisors
Number of presence users                                1000 presence users
Number of devices supported                             Medium Density server: 1200; High Density server: 2500
Maximum number of co-resident applications per server   Medium Density server: five (4 collaboration + 1 management);
                                                        High Density server: nine (8 collaboration + 1 management)
Busy-hour call attempts                                 5000

About Deployment Model-Cisco Business Edition 6000

Cisco BE 6000 supports fully featured redundancy for both LAN and WAN environments. You can deploy a redundant server for Cisco Unified Communications Manager, Cisco Unity Connection, Cisco Unified Presence, and Cisco Unified Contact Center Express applications in a remote location over your WAN.

The Cisco BE 6000 Medium Density server supports up to five co-resident applications. Note that the Cisco Virtualization Hypervisor software with license comes standard with Cisco BE 6000 and is entitled for two CPU sockets and 16 GB of virtual memory to deploy additional applications. The following are example configuration scenarios:

Scenario 1: Fully redundant configuration

• Cisco BE6000 Medium Density server 1: Cisco Unified Communications Manager, Cisco Unity Connection, Cisco Unified Presence, Cisco Unified Contact Center Express, and Cisco Unified Provisioning Manager (primary)

• Cisco BE6000 Medium Density server 2: Cisco Unified Communications Manager, Cisco Unity Connection, Cisco Unified Presence, and Cisco Unified Contact Center Express (secondary)

• Cisco BE6000 Medium Density server 3: Cisco Unified Attendant Console

Scenario 2: Redundancy for Cisco Unified Communications Manager with Cisco Unified Contact Center Express only

• Cisco BE6000 Medium Density server 1: Cisco Unified Communications Manager, Cisco Unity Connection, Cisco Unified Presence, Cisco Unified Contact Center Express, and Cisco Unified Provisioning Manager (primary)

• Cisco BE6000 Medium Density server 2: Cisco Unified Communications Manager, Cisco Unified Attendant Console, and Cisco Unified Contact Center Express (secondary)

Scenario 3: Cloud-based IM and presence

• Cisco BE6000 Medium Density server 1: Cisco Unified Communications Manager, Cisco Unity Connection, Cisco Unified Contact Center Express, Cisco Unified Attendant Console, and Cisco Unified Provisioning Manager (primary)

• Cisco BE6000 Medium Density server 2: Cisco Unified Communications Manager, Cisco Unity Connection, and Cisco Unified Contact Center Express (secondary)

Optional Cisco Virtualization Foundation Edition is entitled for two CPU sockets and 32 GB of virtual memory and enables the VMware vCenter compatibility feature.

Cisco Business Edition 6000 supports more than two nodes in the cluster. You can deploy Cisco BE 6000 with more than three nodes in the cluster as long as the user count does not exceed 1000 users.

Is Cisco Prime Collaboration Provisioning bundled with Business Edition 6000 different from the enterprise version of Cisco Prime Collaboration Provisioning? I have been using Cisco Unified Provisioning Manager Business Edition to manage Business Edition 6000; how do I migrate to the new management application Cisco Prime Collaboration Provisioning? Can I install Cisco Business Edition 6000 on a different specifications-based Cisco UCS server or on a third-party server? Can I install any third-party application server on Cisco Business Edition 6000 hardware? For these and more questions about Cisco BE6000 and its licensing options, read the full Cisco Business Edition 6000 Q&A page.

More Cisco BE6000 REVIEWS:

Cisco BE6000 (Business Edition 6000) Solution


Common Issues with ASA 8.6 Version

November 14, 2013. Written by Cisco & Cisco Router, Network Switch. Published on #Cisco & Cisco Network

This article describes an issue faced by a user on ASA 8.6.

The problem:

The user is running an ASA 5525 with version 8.6 and is trying to ping through different interfaces, but is not able to do so. The test results are as follows:

• Can ping between the outside interface and the next hop (same subnet)

• Cannot ping between the inside interface and the next hop (same subnet)

• Cannot ping between the DMZ interface and the next hop (same subnet)

Please see the firewall configuration below for reference.

interface GigabitEthernet0/0
 speed 100
 duplex full
 nameif outside
 security-level 0
 ip address 16.x.x.x 255.255.255.248
interface GigabitEthernet0/1
 no nameif
 security-level 0
 no ip address
!
interface GigabitEthernet0/1.16
 vlan 16
 nameif inside
 security-level 100
 ip address 17.x.x.x 255.255.255.0
interface GigabitEthernet0/3
 no nameif
 security-level 0
 no ip address
!
interface GigabitEthernet0/3.69
 vlan 69
 nameif dmz
 security-level 50
 ip address 18.x.x.x 255.255.255.0

access-list o_inside extended permit icmp any any
access-list o_inside extended permit icmp any any echo
access-list o_inside extended permit icmp 17.x.x.x (Inside interface) 255.255.0.0 18.x.x.x (DMZ interface) 255.255.255.0
access-list o_inside extended permit icmp 17.x.x.x (Inside interface) 255.255.0.0 18.x.x.x (DMZ interface) 255.255.255.0

access-list o_dmz extended permit icmp any any
access-list outside extended permit icmp any any
access-list outside extended permit icmp any any echo-reply
icmp permit any outside
icmp permit any dmz
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error

route inside 17.x.0.0 (Whole inside interface subnet) 255.255.0.0 17.x.x.x (Internal Network) 1
route dmz 17.x.x.0 (Internal) 255.255.255.0 18.x.x.x (DMZ Network) 1
route outside 18.x.x.0 (DMZ) 255.255.255.0 16.x.x.x (Outside Network) 1

The user wants to know what should be added to achieve the results described above.

 

Solution:

By default, without any ICMP configuration, the ASA accepts ICMP on its interfaces.

Check the output of "show arp" and see if you can see the IP address (and the MAC address) of the host/router you are trying to ping.

 

The four "static" configurations above are fairly basic, but two of them are Static Identity NAT configurations that you probably won't need in the new software.

The two configurations below probably won't need any corresponding configuration in the new ASA software, since the traffic should go through without NAT configuration.

static (dmz,inside) 192.168.1.85 192.168.1.85 netmask 255.255.255.255

static (inside,dmz) 172.16.0.0 172.16.0.0 netmask 255.255.0.0

 

The Static NAT configurations below can easily be converted using Auto NAT / Network Object NAT. Use "object" names that describe the setup better; the generic "object" names below are used only as an example.

static (dmz,outside) 200.190.70.87 192.168.1.56 netmask 255.255.255.255

static (dmz,outside) 200.190.70.85 192.168.1.85 netmask 255.255.255.255

object network STATIC-1

host 192.168.1.56

nat (dmz,outside) static 200.190.70.87

 

object network STATIC-2

host 192.168.1.85

nat (dmz,outside) static 200.190.70.85
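The conversion above can be done mechanically. The following Python script is an added example (not from the original article) that parses pre-8.3 `static (real,mapped) mapped_ip real_ip netmask mask` lines, separates identity NAT from translating NAT, and renders the 8.3+ object NAT form; the sample input is the four lines quoted above and the descriptive object-naming scheme is a hypothetical one.

```python
import re

# Pre-8.3 syntax: static (real_ifc,mapped_ifc) mapped_ip real_ip netmask mask
STATIC_RE = re.compile(
    r"^static \((?P<real_ifc>[\w-]+),(?P<mapped_ifc>[\w-]+)\) "
    r"(?P<mapped>\d+\.\d+\.\d+\.\d+) (?P<real>\d+\.\d+\.\d+\.\d+) "
    r"netmask (?P<mask>\d+\.\d+\.\d+\.\d+)$"
)

# Constructed sample: the four "static" lines quoted in the article.
SAMPLE_CONFIG = """\
static (dmz,inside) 192.168.1.85 192.168.1.85 netmask 255.255.255.255
static (inside,dmz) 172.16.0.0 172.16.0.0 netmask 255.255.0.0
static (dmz,outside) 200.190.70.87 192.168.1.56 netmask 255.255.255.255
static (dmz,outside) 200.190.70.85 192.168.1.85 netmask 255.255.255.255
"""


def parse_statics(config_text):
    """Return one dict per old-style 'static' line; mapped == real marks identity NAT."""
    entries = []
    for line in config_text.splitlines():
        m = STATIC_RE.match(line.strip())
        if m:
            entry = m.groupdict()
            entry["identity"] = entry["mapped"] == entry["real"]
            entries.append(entry)
    return entries


def object_name(entry):
    # Hypothetical naming scheme: real host/subnet plus the interface it is mapped on,
    # so the object describes the setup instead of a generic STATIC-n label.
    kind = "HOST" if entry["mask"] == "255.255.255.255" else "NET"
    return f"{kind}-{entry['real'].replace('.', '-')}-{entry['mapped_ifc'].upper()}"


def object_nat_block(entry):
    """Render one network object with its 8.3+ object (Auto) NAT statement."""
    name = object_name(entry)
    if entry["mask"] == "255.255.255.255":
        member = f" host {entry['real']}"
    else:
        member = f" subnet {entry['real']} {entry['mask']}"
    # Identity NAT references the object itself as the mapped address.
    mapped = name if entry["identity"] else entry["mapped"]
    return (f"object network {name}\n{member}\n"
            f" nat ({entry['real_ifc']},{entry['mapped_ifc']}) static {mapped}")


def convert(entries):
    """Split statics into translating NAT (always needed) and identity NAT (only
    needed when dynamic NAT/PAT on the same interface pair would otherwise catch
    the traffic, as the article explains for the inside-to-dmz PAT)."""
    translating = [object_nat_block(e) for e in entries if not e["identity"]]
    identity = [object_nat_block(e) for e in entries if e["identity"]]
    return translating, identity


if __name__ == "__main__":
    translating, identity = convert(parse_statics(SAMPLE_CONFIG))
    print("! Static NAT converted to object NAT:")
    print("\n".join(translating))
    print("! Identity NAT, keep only if dynamic PAT exists between these interfaces:")
    print("\n".join(identity))
```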

 

The best way to find possible problems with the ASA configuration is to use the "packet-tracer" command. It tells you whether traffic is being blocked by an ACL or is failing because of NAT.

For a connection coming from behind "outside" you can use this format of the command:

packet-tracer input outside tcp <source ip> 12345 <server nat ip> <destination port>

To test anything else you simply switch the "input <interface name>" to the interface the traffic is sourced from. You will also have to check whether you need to use "tcp" or "udp", and select a source/destination IP and port.

Taking the output of the following commands should help you troubleshoot possible problems.

You could take "packet-tracer" output for both of the cases mentioned above: for example, testing connectivity from "outside" to the "dmz" server, and the earlier problem of testing a connection from "inside" to the "dmz" server.

 

If you are doing Dynamic PAT from "inside" to "dmz" and you remove the above "static" commands that refer to "(inside,dmz)", then users would not be able to connect from "dmz" to those "inside" IP addresses (the ones in those static commands). This is the main reason why Dynamic PAT is not encouraged between local interfaces: it adds complexity to the NAT configuration, because the user has to add extra NAT configuration to override the problems caused by the Dynamic PAT.

For the "management" interface you probably do not need any new NAT configuration.

The Dynamic PAT from "inside" to "dmz" means that you would also need the Static Identity NAT configuration mentioned above in the new software; otherwise the ASA would drop the connection attempts.

nat (inside,dmz) after-auto source dynamic inside-pat-source dmz-pat-global

 

More Related Cisco ASA Topics:

Cisco Released Cisco ASA Software 9.0

Cisco ASA 8.4 vs. Typical NAT/PAT Configuration


How to Configure a Cisco Console Router?

November 5, 2013. Written by Cisco & Cisco Router, Network Switch. Published on #Cisco Routers

How do you set up a console server? First we should know what a console server is.

A console server is a device which, via serial ports, has access to the physical console port of several different devices commonly located in the same rack. These are most commonly seen in two different environments: labs, where a number of different pieces of equipment will be located in close proximity and constant access to the console is essential (as the configuration changes often) and the second is in remote environments where companies locate equipment without easy access to remote personnel.

Cisco Console Router Basics

For those looking to set up a reasonably priced lab environment the older Cisco 2509 (8 ports) and 2511 (16 ports) should be considered. While these are certainly a bit dated they still work fine in many environments and operate on little power and in flexible environmental conditions. For those looking to get a more modern equivalent device there are now HWIC modules (HWIC-8A, HWIC-16A) that support the same number of serial ports as the older 2509 and 2511 devices.

In either case, they utilize what is referred to as an octal cable which connects to the device with a single connector and has 8 different serial RJ-45 connectors on the other side which connect directly to the serial port of other Cisco devices. These cables can be found online for a reasonable price.

[Image: 8-port Cisco Octal Cable]

Cisco Console Router Configuration

The configuration of a console router is not overly complex. Since most Cisco (and other) equipment defaults to the same console settings (9600, 8, 1, Hardware) only some minor changes need to be added to ensure a good console experience. The steps to configure the console lines are shown in Table 1:

Table 1 – Console Line Configuration

Step  Action                             Command
----  ---------------------------------  ------------------------------------------
1     Enter privileged EXEC mode         Console>enable
2     Enter device configuration mode    Console#configure terminal
3     Enter line configuration mode      Console(config)#line 1 16
      Note: the numbers used depend on the specific platform; for the 2509 they are 'line 1 8', for the 2511 they are 'line 1 16'.
4     Disable EXEC processing            Console(config-line)#no exec
      Note: this ensures that an EXEC process can't capture the line for incoming connections.
5     Disable EXEC timeout               Console(config-line)#exec-timeout 0 0
      Note: this ensures that the line is kept open until purposefully closed.
6     Enable input telnet transport      Console(config-line)#transport input telnet
      Note: the type of connection used to connect to another device's console port through a console router is referred to as a 'reverse telnet'.

The next part is to configure easy access to those connected devices, but first let’s cover why this is necessary. To create a connection from the console router to another connected device’s console port the user has to initiate a telnet connection to the console router using a port number that maps to the specific line.

For example, on the 2511, if a device’s console was connected to line 5 then a telnet connection would be initiated to console_router_ip_address using port number 2005 (for the 2511 line 1 maps to 2001 and line 16 maps to 2016 with the other lines mapping following this order). The specific mapping that is used depends on the platform. On platforms where the console ports are connected off an add-on module then what slot the add-on module was inserted into would also affect the port number to use. 

Once these numbers have been mapped out, it is certainly not convenient to remember each port number every time access to the lab is needed. To get around this it is common to configure a local hostname list. For example, if Router1 was connected off line 6 and Switch1 off line 12, the user would either have to access the console router and telnet to the specific ports (2006 and 2012, respectively), or a local hostname could be mapped to the console router's IP address and the port. Table 2 shows an example of the configuration needed for this:

Table 2 – IP Hostname List Configuration

Step  Action                               Command
----  -----------------------------------  ------------------------------------------
7     Exit into global configuration mode  Console(config-line)#exit
8     Configure a local host entry         Console(config)#ip host hostname port-number ip-address
      Note: an example of this would be: Console(config)#ip host Router1 2006 console-ip-address

For small lab environments it is common for console routers to only be accessed via a single Ethernet connection. This is fine for lab environments, but if the console server is being used as part of a larger Out-Of-Band management plan for a production network, this single point-of-failure is unacceptable. In these situations, multiple points of access to the console router are often required to meet redundancy requirements.

On newer platforms this can be done through multiple Ethernet connections via diverse switches and/or a backup method such as dial-up. In both cases the IP address used to reach the device differs depending on the access method. This is why loopback IP addresses are typically configured on console routers and then used in the console router's ip host statements: regardless of the access method, the ip host statements still work and connect the user to the correct device. The configuration for this is shown in Table 3:

Table 3 – Loopback Interface Configuration

Step  Action                                    Command
----  ----------------------------------------  ------------------------------------------------
9     Create a loopback interface               Console(config)#interface loopback 0
10    Configure an IP address for the interface Console(config-if)#ip address 10.10.10.10 255.255.255.255
      Note: the IP address used can be local only, or it can be integrated into a wider IP addressing plan.

Assuming the configuration shown in Table 3 was entered, the configuration for Router1 shown above would be ip host Router1 2006 10.10.10.10. To access it via the console router the command telnet Router1 would be used.
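The steps in Tables 1 to 3 can be generated from a lab inventory. The following Python script is an added example (not from the original article): it applies the 2509/2511 port mapping described above (line n is reached on TCP port 2000 + n), rejects line numbers the platform does not have or that two devices both claim, and emits the console-line, loopback and ip host statements. The LAB inventory is constructed, and the mapping covers only the 2509 and 2511; HWIC-based platforms map ports differently, as the article notes.

```python
# Reverse-telnet mapping for the 2509/2511: line n is reached on TCP port 2000 + n
# (line 1 -> 2001, line 16 -> 2016). Other platforms and HWIC modules map differently.
PLATFORM_LINES = {"2509": 8, "2511": 16}   # async lines per platform, from the article

# Constructed lab inventory: hostname -> async line the device console is cabled to
LAB = {"Router1": 6, "Switch1": 12}


def reverse_telnet_port(line):
    """TCP port to telnet to on the console router for a given async line."""
    return 2000 + line


def validate(platform, hosts):
    """Reject line numbers the platform does not have and two devices on one line."""
    max_line = PLATFORM_LINES[platform]
    seen = {}
    for name, line in hosts.items():
        if not 1 <= line <= max_line:
            raise ValueError(f"{name}: line {line} is outside 1-{max_line} on a {platform}")
        if line in seen:
            raise ValueError(f"{name} and {seen[line]} both claim line {line}")
        seen[line] = name
    return max_line


def build_config(platform, loopback_ip, hosts):
    """Emit the console-line, loopback and ip host statements from Tables 1-3
    as a list of CLI lines; ip host entries point at the loopback so any
    access path (Ethernet, dial-up) reaches the same device."""
    max_line = validate(platform, hosts)
    cfg = [
        "configure terminal",
        f"line 1 {max_line}",
        " no exec",                  # no EXEC process may capture the line
        " exec-timeout 0 0",         # keep the line open until closed on purpose
        " transport input telnet",   # reverse telnet, as configured in Table 1
        "exit",
        "interface loopback 0",
        f" ip address {loopback_ip} 255.255.255.255",
        "exit",
    ]
    for name, line in sorted(hosts.items(), key=lambda kv: kv[1]):
        cfg.append(f"ip host {name} {reverse_telnet_port(line)} {loopback_ip}")
    cfg.append("end")
    return cfg


if __name__ == "__main__":
    print("\n".join(build_config("2511", "10.10.10.10", LAB)))
```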

As the cost of used Cisco hardware continues to come down and the interest in Cisco certification continues to rise, it is becoming more common for those getting into the field to invest in a lab. Adding a console router to this environment makes the access to the lab easy and allows the student to play around with a number of different configurations without having to worry about physical access or by inadvertently closing access to the device.

For those looking to deploy console routers into production environments, the question is why have you waited this long? Out-Of-Band options are an important part of any production environment and should be a consideration from the beginning of the planning stages.

Regardless of the environment it is the intention of this article to get the console router up and going as soon as possible.

More about Cisco Router Topics you can visit:

http://blog.router-switch.com/category/reviews/cisco-routers/


Cisco Fixes Serious Security Flaws in Networking, Communications Products

November 1, 2013. Written by Cisco & Cisco Router, Network Switch. Published on #Cisco News

Cisco released software security updates to address denial-of-service and arbitrary command execution vulnerabilities in several products, including a known flaw in the Apache Struts development framework used by some of them.

The company released new versions of Cisco IOS XR Software to fix an issue with handling fragmented packets that can be exploited to trigger a denial-of-service condition on various Cisco CRS Route Processor cards. The affected cards and the patched software versions available for them are listed in a Cisco advisory.

The company also released security updates for Cisco Identity Services Engine (ISE), a security policy management platform for wired, wireless, and VPN connections. The updates fix a vulnerability that could be exploited by authenticated remote attackers to execute arbitrary commands on the underlying operating system and a separate vulnerability that could allow attackers to bypass authentication and download the product’s configuration or other sensitive information, including administrative credentials.

Cisco also released updates that fix a known Apache Struts vulnerability in several of its products, including ISE. Apache Struts is a popular open-source framework for developing Java-based Web applications.

The vulnerability, identified as CVE-2013-2251, is located in Struts’ DefaultActionMapper component and was patched by Apache in Struts version 2.3.15.1 which was released in July.

The new Cisco updates integrate that patch into the Struts version used by Cisco Business Edition 3000, Cisco Identity Services Engine, Cisco Media Experience Engine (MXE) 3500 Series and Cisco Unified SIP Proxy.

“The impact of this vulnerability on Cisco products varies depending on the affected product,” Cisco said in an advisory. “Successful exploitation on Cisco ISE, Cisco Unified SIP Proxy, and Cisco Business Edition 3000 could result in an arbitrary command executed on the affected system.”

No authentication is needed to execute the attack on Cisco ISE and Cisco Unified SIP Proxy, but the flaw’s successful exploitation on Cisco Business Edition 3000 requires the attacker to have valid credentials or trick a user with valid credentials into executing a malicious URL, the company said.

“Successful exploitation on the Cisco MXE 3500 Series could allow the attacker to redirect the user to a different and possibly malicious website, however arbitrary command execution is not possible on this product,” Cisco said.

Security researchers from Trend Micro reported in August that Chinese hackers are attacking servers running Apache Struts applications by using an automated tool that exploits several Apache Struts remote command execution vulnerabilities, including CVE-2013-2251.

The existence of an attack tool in the cybercriminal underground for exploiting Struts vulnerabilities increases the risk for organizations using the affected Cisco products.

In addition, since patching CVE-2013-2251 the Apache Struts developers have further hardened the DefaultActionMapper component in more recent releases.

Struts version 2.3.15.2, which was released in September, made some changes to the DefaultActionMapper “action:” prefix that’s used to attach navigational information to buttons within forms in order to mitigate an issue that could be exploited to circumvent security constraints. The issue has been assigned the CVE-2013-4310 identifier.

Struts 2.3.15.3, released on Oct. 17, turned off support for the “action:” prefix by default and added two new settings called “struts.mapper.action.prefix.enabled” and “struts.mapper.action.prefix.crossNamespaces” that can be used to better control the behavior of DefaultActionMapper.

The Struts developers said that upgrading to Struts 2.3.15.3 is strongly recommended, but held back on releasing more details about CVE-2013-4310 until the patch is widely adopted.

It's not clear when or if Cisco will patch CVE-2013-4310 in its products, given that the fix appears to involve disabling support for the "action:" prefix. If the Struts applications in those products use the "action:" prefix, the company might need to rework some of their code.

Original News refer to http://www.pcworld.com/article/2057660/cisco-fixes-serious-security-flaws-in-networking-communications-products.html

More Related Cisco Network Topics:

Cisco Security Advisory: Multiple Vulnerabilities in Cisco ASA Software

Cisco Patches Flaw in Security Appliances, Switches, Routers

Cisco ASA CX–Next Generation Firewall or Enterprise Firewall?
