Cisco & Cisco Network Hardware News and Technology

Cisco ASA Version 9.0 Was Released

November 6 2012 , Written by Cisco & Cisco Router, Network Switch Published on #Cisco Switches - Cisco Firewall

Q. What is Cisco ASA Software Release 9.0?

A. Cisco Adaptive Security Appliance (ASA) Software Release 9.0 is the latest release of the software that powers the Cisco ASA family. The same core ASA code delivers enterprise-class security capabilities for ASA devices in a variety of form factors, including a wide range of standalone appliances, hardware blades that integrate with the organization's existing network infrastructure and software that can secure and protect public and private clouds.


Q. What's new in Cisco ASA Software Release 9.0?

A. ASA Software Release 9.0 provides several enhancements. Major new features in this release include:

• The ability to join up to eight Cisco ASA 5585-X or 5580 Series adaptive security appliances in a single cluster, for a linear, predictable increase in performance while providing high availability for always-on data centers

• Integration with Cisco Cloud Web Security (formerly ScanSafe), which allows enterprises to enforce granular web access and web application policy while providing protection from viruses and malware

• Cisco TrustSec Security Group Tags (SGTs), which integrate security into the network fabric to extend the policy construct on the ASA platform

• Next-Generation Encryption, including the Suite B set of cryptographic algorithms, for much better confidentiality

• IPv6, including critical IPv4-to-IPv6 translation features, enabling ASA to be deployed in a mixed v4/v6 environment

• Dynamic routing and site-to-site VPN on a per-context basis, providing much better segmentation between departments or between customers


Q. What Cisco ASA models are supported by ASA 9.0?

A. Cisco ASA 9.0 will be supported across the ASA product line, including the Cisco ASA 5500 Series, the ASA 5500-X Series, and the Cisco Catalyst 6500 Series ASA Services Module.



Q. Does ASA 9.0 support clustering?

A. Yes. Cisco ASA Release 9.0 enables up to eight Cisco ASA 5585-X or 5580 Adaptive Security Appliance firewall modules to be joined in a single cluster to deliver up to 128 Gbps of multiprotocol throughput (300 Gbps max) and more than 50 million concurrent connections. Alternatively, slot 1 of each ASA 5585-X can be populated with an integrated Intrusion Protection System (IPS) module, for up to 60 Gbps of IPS throughput.


Q. What are some of the key features of the clustering architecture in Cisco ASA Release 9.0?

A. At the core of the clustering architecture in ASA 9.0 is the patent-pending Cisco Cluster Link Aggregation Control Protocol (cLACP). The protocol enables multiunit ASA clusters to function and be managed as a single entity, identifies the backup unit, and creates the session backup. Policies pushed to the cluster get replicated across all units within the cluster, and the health, performance, and capacity statistics of the entire cluster, as well as individual units within the cluster, can be assessed from the single management console.


Q. What ASA models will support clustering?

A. Initially, Cisco ASA Software Release 9.0 will enable clustering on the ASA 5580 and 5585-X Adaptive Security Appliances.


Q. What ASA modes are supported?

A. Clustered ASA appliances can operate in routed, transparent, or mixed-mode. All members of the cluster must be in the same mode.


Q. Do I have to purchase any license to enable clustering?

A. Yes. A cluster license must be purchased and enabled.


Q. How do feature licenses behave when ASA appliances are clustered?

A. Table 1 provides an explanation of the behavior of key features.


Table 1. Cluster Behavior of Different Cisco ASA Feature License Types

| License Type | Behavior in Cluster |
| --- | --- |
| Enable/disable feature license | Only one unit in the cluster is required to have a license. Security+ on the Cisco ASA 5585-X: License is only required on one unit. |
| Platform-agnostic licenses | The cluster capacity equals the sum of all licenses installed (subject to the total capacity of each individual appliance). Example #1: 4-node cluster; Node 1 = 200 SC; Nodes 2, 3, and 4 = 0; total capacity = 200. Example #2: 4-node cluster; Node 1 = 200 SC; Node 2 = 100 SC; Nodes 3 and 4 = 0; total capacity = 250 SC. |
| Time-based license | If the feature is installed on one unit, it is automatically enabled on the entire cluster. The total duration of the license equals the sum of all remaining license durations. If the botnet traffic filter is installed on one node, it becomes available to the entire cluster. If Node 1 has 9 months remaining and Node 2 has 7 months remaining, the total remaining duration of the botnet traffic filter feature will be 16 months for the entire cluster. |


Q. What is meant by "scaling factor"?

A. Scaling factor is a measurement of expected performance and scale in a clustered environment. For example, if a 4-unit cluster is configured using 20-Gbps firewalls with a scaling factor of 0.8, the expected performance of that cluster will be: 0.8 x 4 x 20 Gbps = 64 Gbps.


Q. What is the expected performance and capacity with a 2-, 4-, and 8-unit cluster?

A. Cisco currently offers a scaling factor of between 0.7 and 1.0, depending on the traffic profile. Table 2 shows the expected performance of a 2-unit cluster with a multiprotocol traffic profile (the expected performance of 4- and 8-unit clusters can be calculated by multiplying the 2-unit cluster results by 2 and 4, respectively).


Table 2. Sample Data for a Two-Node Cluster


| Single-Unit Throughput | 2-Unit Cluster |
| --- | --- |
| 2 G | 3.2 G |
| 5 G | 8 G |
| 10 G | 16 G |
| 20 G | 32 G |


Q. What is the expected behavior if the cluster uses an integrated IPS module in slot 1 of each unit?

A. All IPS modules in the cluster are configured as independent IPSs, so no configuration sync is required. However, Cisco Security Manager and Cisco IPS Manager Express can be used to simplify configuration management across the IPS modules in the cluster. When the traffic enters the cluster, one specific unit becomes the owner for that specific session. When a policy dictates that traffic be redirected to an IPS for further analysis, the IPS module physically associated with that "owner" unit will be utilized. In other words, traffic from one firewall cannot be redirected to an IPS that is integrated with a different firewall in the cluster.


Q. How is session and configuration information synchronized across the cluster members?

A. Cisco ASA Software Release 9.0 uses Cluster Control Link (CCL) to synchronize all state information across the cluster.


Q. How is the cluster managed?

A. The clustered ASA appliances behave as a single firewall instance, so a single instance of Cisco Application Security Device Manager (ASDM) is capable of managing an 8-unit cluster as a single ASA unit. To simplify the configuration phase, cluster configuration steps have been added to the ASDM High Availability and Scalability wizard (Figure 1).


Figure 1. Cluster Configuration Steps in ASDM High Availability and Scalability Wizard


Once the cluster has been deployed, the ASDM Cluster Dashboard (Figure 2) shows the entire cluster on a single screen. The dashboard displays the following information:

• Device information (IP addresses, version, role, and so on)

• Health status: CPU and memory utilizations

• Average CPU and memory status across the cluster

• Control link usage

• Performance statistics: Connections per second and throughput

• Capacity information (number of connections)


Figure 2. ASDM Cluster Dashboard


Cloud Web Security Integration


Q. What are the advantages of cloud web security being integrated with the firewall?

A. Now that Cisco Cloud Web Security is integrated with Cisco ASA Software Release 9.0, organizations gain a centralized content security solution combined with localized network security. However, in contrast to Unified Threat Management appliances (UTMs), which suffer significant performance degradation when web security services are enabled, there is little to no impact on ASA performance because the content scanning is offloaded to the Cisco web security cloud. Administrators can choose to perform deep content scanning on a subset of traffic, based on network address, Microsoft Active Directory user or group name, or hosts residing inside a specific security context.


Q. How does Cisco ASA redirect traffic to Cisco Cloud Web Security?

A. The Cisco ASA Modular Policy Framework (MPF) allows flexible policies to be created to serve a wide range of needs. The outbound traffic can be classified based on user name, user group, source, or destination. The destination aspect can be further classified into three broad categories:

• Approved traffic: Traffic from known safe websites, that is approved by corporate policy

• VPN traffic: Traffic flowing through a site-to-site VPN tunnel

• Traffic redirected to Cisco Cloud Web Security: Traffic is sent to Cisco Cloud Web Security for granular web policy control, including URL filtering, antivirus scanning, web content scanning scansafe-scanlets, and web application visibility and control

The traffic classification criteria can also be mixed and matched (for example, a group of users such as guests, vendors, or interns can be selected for Cisco Cloud Web Security inspection).


Q. How does integrated Cisco Cloud Web Security compare with web security functionalities that are offered on-box from other firewall vendors?

A. The key challenge with all-in-one approaches to security is that all security functionalities (firewall, network access control, web, antivirus, VPN, and so on) compete for fixed computing resources (for example, CPU, Regex, and crypto). As a result, performance can drop significantly as more services are enabled. In contrast, with Cisco Cloud Web Security integrated into ASA 9.0, the antivirus and web security component is executed on the scalable Cisco Cloud Web Security cloud, while the network security component is executed on the Cisco ASA. As a result, both services achieve maximum security efficacy, with little or no performance impact.


Q. My deployment is not yet ready for identity enablement. Can I still use the Cisco Cloud Web Security Connector in Cisco ASA Software Release 9.0?

A. Yes. Traffic can be redirected to Cisco Cloud Web Security based on 5-tuples, or by using a cut-through-proxy and local database users on the Cisco ASA. However, either of these methods will disable user-level and group-level reporting, as well as policy control on both the ASA and Cisco Cloud Web Security.


Q. Is Cisco Cloud Web Security available when the Cisco ASA appliance is in multicontext mode?

A. Yes. When the ASA is configured for multicontext mode, managed security providers can enable Cisco Cloud Web Security on a per-context basis. Note, however, that Cisco Cloud Web Security is not supported when Cisco ASA is in transparent mode.


Q. What are some of the configuration steps required to integrate Cisco Cloud Web Security with Cisco ASA?

A. Cisco ASA configuration has two broad components: Cisco Cloud Web Security information and traffic classification. Traffic classifications are performed using the Cisco ASA Modular Policy Framework (MPF), while Cisco Cloud Web Security classifications require the following information:

• IP address of the Cisco Cloud Web Security tower (primary and backup)

• A valid license

• A designated "retry count" before declaring a tower "dead"


Q. Up to 10 percent of the employees in my organization are remote. How can I extend Cisco Cloud Web Security capabilities to those remote users?

A. Cisco Cloud Web Security capabilities are extended to remote users via the Cisco AnyConnect® Secure Mobility Client. The AnyConnect client performs split-tunneling of web and VPN traffic to eliminate the need to backhaul Internet traffic to company headquarters, thereby enabling complex remote access use cases. For example, if a user is traveling from the United States to Japan, AnyConnect will automatically find the closest Cisco Cloud Web Security tower in Japan, even if the VPN tunnel is terminated to the U.S. headquarters location.


Q. How can I enforce Web 2.0 policies on personal handhelds (iPhone and iPads)?

A. The Cisco AnyConnect Secure Mobility Client launches the tunnel to the Cisco ASA headend. The ASA redirects part of tunnel traffic (port 80 and port 443) to the Cisco web security cloud for Web 2.0 application enforcement. This entire process is transparent to the end user.


Q. Is Cisco Cloud Web Security integration available on all Cisco ASA platforms?

A. Yes. Cisco Cloud Web Security integration is available on all currently shipping Cisco ASA appliance platforms, including the Cisco ASA 5500 Series, the Cisco ASA 5500-X Series, and the Cisco Catalyst 6500 Series ASA Services Module. It is not yet available on the Cisco ASA 1000V Cloud Firewall.


Q. How does this integration achieve high availability?

A. There are two pieces to high availability (HA): Cisco Cloud Web Security Tower HA and Cisco ASA HA. When you configure Cisco Cloud Web Security tower information, you can configure a backup Cisco Cloud Web Security tower, which automatically redirects web traffic to the secondary tower if the primary tower goes down. If you are using Cisco ASA HA, the entire system - including the ASA and the Cisco Cloud Web Security tower - can achieve full redundancy in either active/passive or active/active mode. In exceptional circumstances, if both Cisco Cloud Web Security towers are unavailable (e.g., due to the loss of Internet connectivity), the ASA can be configured to either fail-open or fail-close.


Q. Where do I go for more information on the integrated Cisco Cloud Web Security?

A. More information on Cisco Cloud Web Security web AVC can be found at Application Visibility and Control now available in Cisco Cloud Web Security.

Secure Remote Access


Q. Does ASA support IPv6 remote access connections?

A. Yes. IPv4/IPv6 dual stack has been supported inside SSL tunnels since ASA 8.4. ASA 9.0 expands this support to enable IPv4 and IPv6 on the public interface when used in conjunction with Cisco AnyConnect 3.1 or greater. ASA 9.0 also enables IPv6 clientless support.


Q. Does ASA 9.0 support Suite B cryptographic standards?

A. Yes. ASA 9.0 provides comprehensive next-generation encryption capabilities, which includes the Suite B cryptographic standards for remote access and site-to-site connections using an IPsec tunnel. For more information, see the "AnyConnect VPN - Next Generation Encryption" section of this document.


Q. Is next generation encryption available on all ASA platforms?

A. No. Next Generation Encryption is fully supported on the ASA 5585-X, 5500-X Series, and 5580, as well as on the Catalyst 6500 Series ASA Services Module. It can only be partially supported on the ASA 5505, 5510, 5520, 5540, and 5550 due to hardware limitations. AnyConnect 3.1 or greater and an AnyConnect Premium License are also required to use next generation encryption for remote access connections.


Q. Can we use the Cisco AnyConnect Secure Mobility Client with ASA 9.0?

A. Yes. The Cisco AnyConnect Secure Mobility Client is fully supported in ASA 9.0. Customers are encouraged to migrate to AnyConnect for VPN remote access as soon as possible.


Q. Does ASA 9.0 support Virtual Desktop Infrastructure (VDI)?

A. Yes. ASA native clientless support for Citrix VDI deployments has been updated in ASA 9.0 to include XenApp 6.5 and the latest versions of XenDesktop (up to 5.5) on laptops, desktops, and mobile devices (Citrix Mobile Receiver). Support for VMware VDI deployments is also offered (via SmartTunnels). As in past releases, Cisco AnyConnect supports Citrix and VMware VDI deployments.

More Related Cisco ASA Tips

Cisco ASA Software Release 9.0 Data Sheet

More Cisco ASA Related Tips:

New Cisco ASA Clustering Feature Enables 320 Gbps Firewall

Cisco ASA 8.4 vs. Typical NAT/PAT Configuration

Eight Commands on a Cisco ASA Security Appliance You Should Know


Cisco VTP: VLAN Trunking Protocol---VTP Versions’ Difference

November 1 2012 , Written by Cisco & Cisco Router, Network Switch Published on #Cisco & Cisco Network

VLAN Trunking Protocol (VTP) is a Cisco Layer 2 messaging protocol that manages the addition, deletion, and renaming of VLANs on a network-wide basis. Virtual Local Area Network (VLAN) Trunk Protocol (VTP) reduces administration in a switched network. When you configure a new VLAN on one VTP server, the VLAN is distributed through all switches in the domain. This reduces the need to configure the same VLAN everywhere. VTP is a Cisco-proprietary protocol that is available on most of the Cisco Catalyst Family products.


VTP ensures that all switches in the VTP domain are aware of all VLANs. There are occasions, however, when VTP can create unnecessary traffic. All unknown unicasts and broadcasts in a VLAN are flooded over the entire VLAN. All switches in the network receive all broadcasts, even in situations where few users are connected in that VLAN. VTP pruning is a feature used to eliminate (or prune) this unnecessary traffic.


By default, all Cisco Catalyst switches are configured to be VTP servers. This is suitable for small-scale networks where the size of the VLAN information is small and easily stored in all switches (in NVRAM). In a large network, a judgment call must be made at some point when the NVRAM storage needed is wasted, because it is duplicated on every switch. At this point, the network administrator should choose a few well-equipped switches and keep them as VTP servers. Everything else participating in VTP can be turned into a client. The number of VTP servers should be chosen so as to provide the degree of redundancy desired in the network.


There are three versions of VTP so far. VTP Version 2 (V2) is not much different from VTP Version 1 (V1). The major difference is that VTP V2 introduces support for Token Ring VLANs. If you are using Token Ring VLANs, you need to enable VTP V2. Otherwise, there is no reason to use VTP V2. VTP version 3 differs from earlier VTP versions in that it does not directly handle VLANs. VTP version 3 is a protocol that is only responsible for distributing a list of opaque databases over an administrative domain. When enabled, VTP version 3 provides the following enhancements to previous VTP versions:

  • Support for extended VLANs.
  • Support for the creation and advertising of private VLANs.
  • Improved server authentication.
  • Protection from the "wrong" database accidentally being inserted into a VTP domain.
  • Interaction with VTP version 1 and VTP version 2.
  • Provides the ability to be configured on a per-port basis.
  • Provides the ability to propagate the VLAN database and other databases.


Protocol Structure - VTP: VLAN Trunking Protocol

The format of the VTP header can vary depending on the type of VTP message. However, they all contain the following fields in the header:

  • VTP protocol version: 1 or 2 or 3
  • VTP message types:
    • Summary advertisements
    • Subset advertisement
    • Advertisement requests
    • VTP join messages
  • Management domain length
  • Management domain name


Summary Advertisements

When the switch receives a summary advertisement packet, it compares the VTP domain name to its own VTP domain name. If the name is different, the switch simply ignores the packet. If the name is the same, the switch then compares the configuration revision to its own revision. If its own configuration revision is higher or equal, the packet is ignored. If it is lower, an advertisement request is sent.

  • Followers indicate that this packet is followed by a Subset Advertisement packet.
  • The updater identity is the IP address of the switch that is the last to have incremented the configuration revision.
  • Update timestamps are the date and time of the last increment of the configuration revision.
  • The Message Digest 5 (MD5) field carries the VTP password, if one is configured, and is used to authenticate a VTP update.
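
The receive rule described above, as an added example (not code from the original post or from Cisco): it parses a summary advertisement payload, applies the ignore/request decision, and flags a higher-revision advertisement whose updater identity is not one of the switches the administrator designated as VTP servers. The field widths follow Cisco's published VTP version 1/2 layout and are an assumption not stated on this page, as are all function names, the `designated_servers` set and the sample values.

```python
"""VTP summary advertisement: parse, apply the receive rule, audit the updater.
Added example. Field widths follow Cisco's published VTP v1/v2 layout (assumed)."""
import ipaddress
import struct
from dataclasses import dataclass

SUMMARY = 0x01  # 0x02 = subset advertisement, 0x03 = advertisement request

# version, code, followers, domain length, domain name (zero padded to 32),
# configuration revision, updater identity, update timestamp, MD5 digest
HDR = struct.Struct("!BBBB32sI4s12s16s")  # 72 bytes, network byte order


@dataclass(frozen=True)
class SummaryAdvert:
    version: int
    followers: int
    domain: str
    revision: int
    updater: str
    timestamp: str
    md5: bytes


def parse_summary(payload: bytes) -> SummaryAdvert:
    """Decode the VTP payload (the bytes after the LLC/SNAP header)."""
    if len(payload) < HDR.size:
        raise ValueError(f"truncated: {len(payload)} < {HDR.size} bytes")
    ver, code, followers, dlen, name, rev, upd, ts, md5 = HDR.unpack_from(payload)
    if ver not in (1, 2):
        raise ValueError(f"layout only assumed for VTP v1/v2, got version {ver}")
    if code != SUMMARY:
        raise ValueError(f"not a summary advertisement (code 0x{code:02x})")
    # The length byte must agree with the zero-padded name field.
    if dlen > 32 or any(name[dlen:]):
        raise ValueError("management domain length does not match name field")
    return SummaryAdvert(ver, followers, name[:dlen].decode("ascii", "replace"),
                         rev, str(ipaddress.IPv4Address(upd)),
                         ts.decode("ascii", "replace"), md5)


def receive_decision(local_domain: str, local_revision: int,
                     adv: SummaryAdvert) -> str:
    """The rule from the text: compare the domain name, then the revision."""
    if adv.domain != local_domain:
        return "ignore-domain"        # different domain: packet is ignored
    if local_revision >= adv.revision:
        return "ignore-revision"      # own revision is higher or equal
    return "request"                  # own revision is lower: request the update


def audit(local_domain: str, local_revision: int, adv: SummaryAdvert,
          designated_servers: set) -> tuple:
    """Return (decision, alerts). Alerts fire only for adverts that would be
    acted on and whose updater is not a designated VTP server (hypothetical
    allow-list maintained by the administrator)."""
    decision = receive_decision(local_domain, local_revision, adv)
    alerts = []
    if decision == "request" and adv.updater not in designated_servers:
        alerts.append(f"revision {adv.revision} > local {local_revision} "
                      f"from unexpected updater {adv.updater}")
    return decision, alerts


def build_summary(domain: str, revision: int, updater: str, followers: int = 1,
                  version: int = 2, timestamp: str = "121101093000",
                  md5: bytes = bytes(16)) -> bytes:
    """Build a constructed sample payload for testing the parser.
    The all-zero MD5 value is a placeholder, not a real digest."""
    name = domain.encode("ascii")
    return HDR.pack(version, SUMMARY, followers, len(name), name, revision,
                    ipaddress.IPv4Address(updater).packed,
                    timestamp.encode("ascii"), md5)


if __name__ == "__main__":
    servers = {"10.0.0.1"}            # constructed: the designated VTP server
    samples = [                       # constructed sample advertisements
        build_summary("CAMPUS", 42, "10.0.0.1"),
        build_summary("CAMPUS", 97, "10.0.9.77"),
        build_summary("LAB", 500, "10.0.9.77"),
    ]
    for frame in samples:
        adv = parse_summary(frame)
        print(adv.domain, adv.revision, adv.updater,
              audit("CAMPUS", 42, adv, servers))
```
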


Subset Advertisements

When you add, delete, or change a VLAN in a switch, the server switch where the changes were made increments the configuration revision and issues a summary advertisement, followed by one or several subset advertisements. A subset advertisement contains a list of VLAN information. If there are several VLANS, more than one subset advertisement may be required in order to advertise them all.


The following formatted example shows that each VLAN information field contains information for a different VLAN (ordered with lowered-valued ISL VLAN IDs occurring first):


Most of the fields in this packet are easy to understand. Below are two clarifications:

  • Code- The format for this is 0x02 for subset advertisement.
  • Sequence number- This is the sequence of the packet in the stream of packets following a summary advertisement. The sequence starts with 1. 


Advertisement Requests

A switch needs a VTP advertisement request in the following situations:

  • The switch has been reset.
  • The VTP domain name has been changed.
  • The switch has received a VTP summary advertisement with a higher configuration revision than its own.


Upon receipt of an advertisement request, a VTP device sends a summary advertisement, followed by one or more subset advertisements. Below is an example.


  • Code- The format for this is 0x03 for an advertisement request
  • Start value - This is used in cases where there are several subset advertisements. If the first (N) subset advertisement has been received and the subsequent one (N+1) has not, the Catalyst only requests advertisements from the (N+1)th one.

---Reading Resource from http://www.javvin.com/protocolVTP.html

More Cisco VTP Tips:

Cisco VTP Version 3, Is VTP Making a Comeback?

VLAN Trunking Protocol (VTP) & VTP Modes


Cisco’s Nexus is a Big Big Deal

October 30 2012 , Written by Cisco & Cisco Router, Network Switch Published on #Cisco News

It's hard to overstate how important the Nexus data-center switching platform, set to be unveiled Monday, is to Cisco Systems: for the dominant networking vendor's enterprise business, it's the biggest thing since the Catalyst 6000, which made its debut in 1999, according to the two key executives on the project.


At a dinner with press last week, they compared it to the CRS-1 (Carrier Routing System), a huge switch for the core of carrier networks that Cisco rolled out in 2004. To bring that platform to life, the company developed a new version of its flagship IOS (Internetworking Operating System) software and engineered the hardware to scale up to 92Tbps of throughput. The core of the Internet is Cisco's turf, and it wasn't willing to give any ground to upstarts.


The Nexus brings Cisco into not just a new territory for its business, but a new product category: a unified switch that spans storage and computing in data centers and has security built in. Given the stakes, superlatives are natural.


- A single Nexus chassis will be able to handle more than 15Tbps of traffic ripping through a data center, up from just 2Tbps for a current Catalyst 6500 switch.


- At that rate, the switch could run 5 million concurrent transcontinental conferencing sessions using Cisco's TelePresence Collaboration system. It could also copy the entire searchable Internet in 7.5 minutes.


- One interface module for the Nexus 7000 chassis will come with 32 10Gbps ports, and the platform is designed to support future interfaces including 100Gbps.


- The company spent about $250 million on research and development for the new platform, and at its peak, the Nexus R&D team numbered more than 500 engineers, according to Tom Edsall, senior vice president and chief technology officer of Cisco's Data Center Business Unit.


As with the Catalyst 6000 Series and the CRS-1, Cisco developed the Nexus with an eye to long-term needs. Where the CRS marked the debut of IOS XR, the first modular version of IOS, the Nexus will have Cisco's first OS that can be fully virtualized, called NX-OS. The Nexus will also break new ground with its lossless switching fabric, a departure from traditional Ethernet -- though backward compatible with it, Cisco said.


The system also represents a gamble on FCoE (Fibre Channel over Ethernet), a still-emerging standard for sending traditional Fibre Channel storage network traffic over Ethernet. Though the new standard will probably succeed with the backing of Cisco and other big vendors, the installed base of Fibre Channel is huge, said Yankee Group analyst Zeus Kerravala. There will be a proving period for Ethernet as a reliable, lossless data center transport, he said.


Cisco expects the uptake of the new platform to take time, just as it did with the CRS. The first Nexus product will go on sale in the second quarter of this year, and in the first year Cisco expects to see mostly trials of the new system, said Jayshree Ullal, senior vice president of Cisco's data center group. Deployments will probably start to pick up in the second, third and fourth years after the introduction, she said.


But just as the opportunity was huge for the CRS, as video and other traffic rose fast on carrier networks, the chance to capture next-generation data centers is likely to justify Cisco's efforts on the Nexus line. Web-based services and applications, as well as outsourced computing offerings from Amazon.com and other companies, are powering the growth of massive data centers. Microsoft's MSN division is a test customer of the Nexus, said Ullal. Asked whether the mighty Google would buy in as well, Ullal said, "I would hope so."

--- By Stephen Lawson, IDG News Service at networkworld.com


More Cisco Nexus Switch Tips:

Cisco Nexus Switches: Layer 2 Configuration Strategies

Cisco Nexus 3548 & Arista 7150: Dueling Ultra-low-latency Switches

Cisco Intros Cisco Nexus 3548 for High Performance Data Center Environments


Three Big Reasons to Buy Cisco

October 25 2012 , Written by Cisco & Cisco Router, Network Switch Published on #Cisco News

While Cisco Systems has put up lackluster results thus far this year – down just over 1% on a year-to-date basis as of this writing– there are some significant reasons to buy this stock at current levels. To begin with, even as analysts wrongly try to reclassify Cisco as a value stock, the company is undervalued across various metrics. Additionally, through important strategic partnerships with players like VMware, the company continues to have significant growth potential.  Finally, despite the negative press the company has received over its deal with ZTE, the relationship is not critical to Cisco and the news will continue to fade. Ultimately, Cisco offers real growth while trading at a value multiple and paying a healthy “value-stock” dividend. The stock is a strong buy for your core portfolio.


The Valuation Question

At current levels, Cisco is trading at a trailing P/E of 12.5 and a forward P/E of 9. Competitors are trading at much higher multiples, including Juniper Networks with a trailing P/E of 36.5 and a forward P/E of 15.6. Those figures are without the benefit of the 3% dividend offered by Cisco. The respective PEG ratios for the two companies are 1.21 for Cisco and 1.57 for Juniper, so even with the growth element included, Cisco is more attractive.


It’s not that I wouldn’t prefer to own a smaller company trading at a higher multiple with less growth and no dividend, but the analysts tell me that Juniper is a growth stock and Cisco has become a value stock. Sarcasm aside, on a valuation basis – regardless of whether we choose to call Cisco a growth stock or a value stock – the networking juggernaut is a better value at current levels than its peers. On this consideration alone, Cisco is a buy.


Strategic Alliances

Arguably the most important partnership that Cisco currently has in place to target future growth is the alliance it has forged with VMware. The two companies are collaborating on a variety of projects, but the software-defined data center is amongst the most critical. When the VMware CEO was recently interviewed in conjunction with his company’s acquisition of Nicira, he admitted that as the company looks to transition the network space from hardware-based to software-based, its relationship with Cisco would change. He went on to add, “Does it change our relationship with Cisco? Well, certainly, but we are reviewing this as a positive opportunity to create more partnerships with them.”


Not that one would expect a CEO that has forged a partnership with a 70% market share player like Cisco to come out and say he plans to run them into the ground, but the nature of the relationship itself suggests otherwise. The software-defined data center is being developed by a team that is funded by the two companies, but is being run independently. As the market shifts and acquisitions are made, the relationship will evolve, but Cisco’s close ties with VMware are a second reason to own the stock.


Dying Hype

One drag this year on Cisco shares has been the negative press the company received over the end of its sales relationship with Chinese ZTE Corp. The probe, which dates back to the early part of this year, uncovered that the Chinese affiliate had sold Cisco-made products inside Iran. The fallout has sparked investigations by the FBI and several Congressional committees charged with addressing security concerns. The relationship between the two companies is said to have been tense for some time, so this development may actually give the company a needed out to end the relationship. While Cisco is not reliant on this relationship, having your company name mentioned in the same sentence as “concerns over national security” can cast a pall over the stock. This cloud is dissipating, however, and this should serve as a third reason to buy Cisco.

Overall, Cisco presents investors with a myriad of reasons to own shares at current levels. 




News from msnbc.msn.com


More Cisco News go to http://blog.router-switch.com/category/news/


IP Phone Recommendation: Why Cisco IP Phone 7962?

October 22 2012 , Written by Cisco & Cisco Router, Network Switch Published on #Cisco Routers

Cisco 7962 is a “must buy” IP phone product in the market. Compared to many other IP phone products in the market, Cisco 7962 is still the best, in terms of quality and its affordable price. Cisco 7962 has many great features that definitely will benefit your communication needs.


Excellent features of Cisco Unified IP Phone 7962

Here are some great features you will only find in Cisco 7962 phone:

Cisco 7962 is the latest high-class IP phone product, extending the functionality and features of the existing Cisco Unified IP Phone 7961G.

Cisco 7962 has better quality in its audio feature, which is loved by most people as it has the ability to produce high quality audio using the best speakerphone attached inside this smart phone.

The improved feature also comes with Internet Low-Bitrate-Codec (iLBC) support, which gives you the best internet browsing feature with the freedom to surf any information you need.

This cisco 7962g phone has better service and features compared to other cisco series or even other smart phones, which enables you to have better communication with the best feature for messaging, web browser, and entertainment.

Cisco 7962 has better applications of voice, video, data and mobile applications that will make it easier for you to handle all of your business or the social networking in a simple way by only using this smart phone.

One important application that you will get in this phone is the one that we call as the institutional workspace. In addition to that, the phone will also enable you to quickly access various information, such as weather condition, stock price, or various web-based news, etc.


All right, Cisco Unified IP Phone 7962 has become famous for its many updated features compared to other Cisco series or other types of IP phones, including the extended interface features and the ability to increase the quality of communication. This type of IP phone is one of the technologies that you must have to get the best out of the latest communication technology in this era.



Cisco 7962 Review

Cisco 7962 is basically a full-featured IP phone packed with high-technology audio features and the ability to support your communication. For the best quality of communication, you get a high-quality speaker and headset designed for wideband audio, which most people consider the most preferable feature to have in their mobile phone. The phone has a large, 4-bit grayscale graphical LCD that provides features like time and date, calling party’s name, calling party’s number, dialed digits, and presence information.


Those features give you more than just a smart phone in your hand: a brilliant phone with a complete set of useful features to support your communication, such as the calling image feature. You can also set tones for each person’s number and add images that will appear when he or she is calling your Cisco 7962. As a kind of IP phone, this magical phone also makes browsing the internet easy. You will get the fastest internet browsing.


This Cisco 7962 also gives you the best IP telephone application for internet browsing, with high-speed performance over the connection. You will get a satisfying internet connection with less waiting time than common web browsing on your IP Phone 7962G. As a means of social networking, you also get easy connection to Facebook, Twitter, email, and other social networks. You will have to input your email and password, and then you just click the direct button interface to your account.


In conclusion, there are many benefits that you can get from this 7962G, from the complete applications for communication to the social networking activities that you can do from your hand. Make sure that you get the best quality smart phone, which is the Cisco 7962.


More Info of Cisco Unified IP Phone 7900 Series:

Cisco IP Phone Recommendation: Cisco Unified IP Phone 7942G-Enhanced Sound Quality

Q and A: Cisco Unified IP Phone 7942G and Cisco Unified IP Phone 7962G

Quick Reference Guide: Overview of Cisco 7942/7962 IP Phone

How to Connect Cisco IP Phones?


Quick Q and A to know Cisco SMARTnet Service.

October 17 2012 , Written by Cisco & Cisco Router, Network Switch Published on #Cisco & Cisco Network

What is Cisco SMARTnet Service?

Cisco SMARTnet Service is an award-winning technical support service that can give your IT staff direct, anytime access to Cisco experts and online self-help resources required to resolve issues with most Cisco products. With SMARTnet Service, you can choose from a broad range of service delivery options for Cisco products.


What is included with Cisco SMARTnet Service?

Cisco SMARTnet Service provides the following device-level support:

Direct access 24 hours a day, 365 days a year to specialized experts in the Cisco Technical Assistance Center (TAC).

Extensive self-help support through Cisco’s online knowledge base, communities, resources, and tools.

Smart, proactive diagnostics and immediate alerts on select devices enabled with Cisco Smart Call Home feature.

Operating system (OS) software updates, including both minor and major releases within your licensed feature set.

Advance hardware replacement options, including 2-hour, 4-hour, and next-business-day (NBD) replacement, as well as return for repair (RFR).

Optional onsite service that provides a field engineer who can install replacement parts at your location.

Increase ROI by up to 192 percent having access to Cisco operating system software enhancements

Expedite time to repair with the right parts at the right time to resolve issues quickly

Better manage scarce internal expert resources at all locations when utilizing the proactive diagnostics and real-time alerts available with Smart Call Home, on select devices

Empower your IT staff and improve productivity and revenue per employee with access to tools and technical support documentation that can increase self-sufficiency and technical knowledge


Why should you purchase Cisco SMARTnet Service?

By covering networking devices with a Cisco SMARTnet contract, you can:

Improve network availability, reliability, stability, and security with direct access to networking engineers at Cisco

Reduce the cost of network ownership by using Cisco expertise, knowledge, and availability


Is Cisco SMARTnet Service only limited to break/fix insurance?

No. The Cisco SMARTnet Service offers you help handling complex network operation and management issues such as:

Advance software configuration

Interoperability and upgrade questions

Hardware and software information

In addition, Cisco SMARTnet Service helps you protect your network investments and minimize risks by:

Keeping your networking technology up-to-date with the latest OS software features and system improvements within your licensed feature set

Supplementing your network support organization to help ensure the availability of the knowledge and skills necessary to address rapidly changing technologies

Providing access to knowledgeable resources and tools for rapid resolution of issues

Eliminating the challenges of carrying replacement hardware in inventory and delivering them to remote sites

Providing optional trained field engineering resources to perform replacement services when and where you need them

Troubleshooting Call Home-capable devices in real time and reporting details back to you using a web portal and alerts using Smart Call Home


What additional features are available under the Cisco SMARTnet onsite option?

Cisco SMARTnet onsite includes the same capabilities as Cisco SMARTnet, with the addition of an onsite technician for parts replacement and installation. It is available with all SMARTnet advance hardware replacement service levels.


How should you choose between Cisco SMARTnet and Cisco SMARTnet onsite?

Cisco SMARTnet onsite support is the appropriate choice when:

You do not have the appropriate expert resources at a given site, such as a remote site.

Trained personnel are not readily available to react quickly to a network issue. The Cisco SMARTnet onsite service option provides rapid replacement of hardware.


Features and Benefits: Service Capabilities

What are service capabilities for SMARTnet?

Table 1 illustrates SMARTnet’s five main service capabilities.

Table 1. Cisco SMARTnet Service Capabilities


1. Return for repair on select video products only.

Expert assistance: To complement your in-house resources, the Cisco TAC employs a highly skilled staff that offers you years of networking experience, including many customer support engineers with networking and CCIE certifications as well as research and development engineers. Cisco engineers hold more than 800 U.S.-issued patents and have authored numerous industry white papers and books.

Faster resolution: The Cisco TAC provides constant measurement of customer satisfaction and time-to-resolution tracking, including an automated escalation sequence beginning one hour after submittal of severity 1 and severity 2 issues, resulting in CEO intervention by John Chambers after 48 hours for any severity 1 problem.

For more information, view the Cisco Severity and Escalation Guidelines.


Visibility into issue resolution status: You are kept up-to-date on all changes to your case through email notifications and personalized handoffs between you and Cisco engineers if your case warrants a move to a new specialization due to the nature of the issue, or a change occurs in work shift.

Networking expertise: The Cisco TAC offers depth and breadth of knowledge and experience with Cisco devices and operating system software, as well as a broad range of networking environments and technologies. Cisco TAC engineers have a minimum of five years of industry experience, and Cisco provides continuous training to help ensure our technical staff stays current with the latest technologies.

Support 24 hours a day, 365 days a year in multiple languages: By telephone, web, or email, the Cisco TAC is there when you need it.

Tested and proven resolution methods: Cisco uses a powerful virtual lab as an invaluable engineering resource and knowledge base for testing of network problems and recommended resolutions.


Can I get support from the Cisco TAC if I do not have a service contract?

Yes. The Cisco TAC will help you if you do not have a Cisco service contract, but you will be requested to pay a “per-incident fee” or to purchase a service contract.


How does the Cisco TAC prioritize service requests?

Cisco processes allow for you to designate the severity of every service request reported. Problems are reported in a standard format using the following problem severity definitions:

Severity 1: When an existing network or environment is down or there is a critical impact on the end user’s business operations. Cisco and the end user will commit full-time resources to resolve the situation.

Severity 2: When the operation of an existing network or environment is severely degraded or significant aspects of the end user’s business operation are being negatively affected by unacceptable network performance. Cisco and the end user will commit full-time resources during standard business hours to resolve the situation.

Severity 3: When the operational performance of the network or environment is impaired while most business operations remain functional. Cisco and the end user are willing to commit resources during standard business hours to restore service to satisfactory levels.

Severity 4: When information is required on Cisco product capabilities, installation, or configuration and there is little or no effect on the end user’s business operation. Cisco and the customer are willing to provide resources during standard business hours to provide information or assistance as requested.


More Related Cisco SMARTnet Service you can read at



Cisco Smart Care Service



Cisco Said to Cut Ties with China's ZTE

October 16 2012 , Written by Cisco & Cisco Router, Network Switch Published on #Cisco News

Follows investigation into sales to Iran

Cisco has reportedly cut ties with Chinese telecom vendor ZTE after allegations that ZTE sold Cisco gear to Iran.


In June, a Reuters story revealed that Cisco, HP and Oracle gear was being sold to an Iranian mobile operator despite U.S. government sanctions on such sales. Cisco conducted an internal investigation into ZTE's practices and, as a result, recently ended a longstanding relationship with the Chinese company, according to a Reuters story published this week.


The Cisco/ZTE situation comes amid a report due today from the U.S. House Intelligence Committee that states that equipment from ZTE and fellow Chinese telecom company Huawei poses a security threat to the U.S. The report, which follows a year-long investigation, recommends the U.S. block any attempts by ZTE and Huawei to make acquisitions or mergers in America, and encourages U.S. firms to procure equipment from other sources.


A ZTE spokesperson said of the Cisco action that the company is "highly concerned" and "communicating" with Cisco, according to Reuters. The spokesperson also said ZTE is cooperating with the U.S. government on its investigation into sales to Iran.


Cisco did not comment by the time this story was posted. But in June, Cisco said it "... complies with all U.S. export laws and requires our business partners to expressly acknowledge that they too must abide by these laws. Products such as these, which are not subject to individual export licenses, can be purchased from distributors and resold without Cisco's knowledge or control. We continue to investigate this matter, as any violation of U.S. export controls is a very serious matter."


According to this week's Reuters story, ZTE's general counsel at its Texas-based subsidiary alleged that the parent company plotted a cover-up of the sale of Cisco gear to Iran, including possibly shredding documents. The FBI has launched a criminal probe into the allegations, the news service reports.


ZTE has continued to do business in Iran while American-made technology has been subject to U.S. sanctions. A parts list dated July 2011 for an equipment contract between ZTE and an Iranian telecommunications company included several Cisco switches, Reuters reports. ZTE later agreed to sell five Cisco switches to another Iranian firm, according to the news service.


Cisco and ZTE partnered for the past seven years. Cisco viewed ZTE as a means to combat Huawei, which had been beating out Cisco in emerging markets by offering significantly cheaper products, according to Reuters.


But ZTE wanted to expand into the U.S. and Cisco did not want that, according to the Reuters report, which quoted "a former Cisco executive with knowledge of the matter."

Reference reading from---http://www.networkworld.com/news/2012/100812-cisco-zte-263143.html

More Cisco News you can visit: http://blog.router-switch.com/category/news/


Cisco and NetApp Waggle Shrunken ExpressPod at Hitachi and Friends

October 12 2012 , Written by Cisco & Cisco Router, Network Switch Published on #Cisco News

Get a load of our converged convergement

VMworld It looks like the vendors are sizing each other up for battle in the converged systems world at VMworld: NetApp and Cisco have announced ExpressPod, a pre-packed and tested and downsized FlexPod. Storage clustering has been added into the FlexPod mix and Oracle has announced an RAC/VMware FlexPod.


Just one day after Hitachi's converged UCP platform was announced, NetApp and Cisco have upped the converged systems' ante and moved downmarket with their ExpressPod as well as boosting existing FlexPods.


The ExpressPod is for small and medium business (SMB) and includes:


NetApp ExpressPod at VMWorld Barcelona

The data centre-class FlexPod converged systems now support vSphere on ONTAP 8 cluster mode, meaning customers can simply add more NetApp storage to a FlexPod configuration to grow the storage pool size. The storage pool supports multi-tenancy and dynamic allocation, good for cloud service providers.


Clustering also supports non-disruptive migration of data from old to new arrays, data that could be hundreds of running virtual machines. This aids load-balancing, system maintenance and upgrades.


Oracle RAC databases can now run on VMware FlexPods, inheriting all the existing FlexPod goodness.


NetApp says that there are now in excess of 1,300 customers after just under two years of availability, plus more than 600 certified FlexPod partners who have access to a Cisco/NetApp help desk for system planning, design and implementation.


By moving down into the small and medium biz (SMB) space, NetApp and Cisco are encroaching into the existing SMB businesses of Dell, HP and IBM. We might expect that Hitachi and EMC will respond to NetApp with low-end branded converged system offerings of their own.


EMC's Eric Herzog, SVP for product management and marketing, says EMC is already present in the SMB converged system space with VSPEX, since it comes in a VNXe version.


One thought: by having converged systems dedicated to specific applications, such as the RAC FlexPod and HDS's UCP Select application-specific offerings we are seeing the introduction of converged system app execution stack silo systems. Whether this is a bad thing or not depends upon future needs for general purpose systems.


ExpressPods will be available from NetApp and Cisco partners in November.

---Original reading from http://www.theregister.co.uk/2012/10/11/netapp_expresspod/

More Cisco news and info you can read at http://blog.router-switch.com/category/news/


What Hardware Vendor IPv6 Support

October 11 2012 , Written by Cisco & Cisco Router, Network Switch Published on #Networking

There are many tested IPv6 networks deployed across the world. For actual deployment, however, every company needs to ensure that the vendors supporting its network have the requisite IPv6 enhancements.


There are two categories of IPv6 enhancements. The first is the set that supports the packet forwarding (more commonly referred to as routing) process and the other set comprises enhancements that support the computing or host infrastructure.


IPv6 enhancements of the first category include larger address formats (the ones that affect the routing table size and structure), better routing protocols such as Open Shortest Path First (OSPF) and Routing Information Protocol (RIP), and good support for optional extension headers (which streamline the packet forwarding process) such as the Routing Header. The second category comprises enhancements to the Domain Name System (DNS), the Stateless Auto-configuration (plug and play) process, upgraded security, and updates to the Application Programming Interfaces (APIs).


Keeping these requisite enhancements in mind, let us now discuss what kind of support ten of the premier networking vendors are equipped to provide:


Apple Computer

The open source, UNIX-based OS X operating system from Apple Computer allows for advanced BSD networking and has a TCP/IP stack and advanced sockets. Versions 10.2 and later of this operating system provide good support for IPv6.


Cisco Systems

As this vendor has been actively involved in the development of IPv6, it provides very good support for IPv6. In fact, the vendor's support for IPv6 can be observed in all its products. Further, the IOS 12 documentation has extensive details of the IPv6 features supported on each platform, such as Automatic and Configured tunneling, BGP extensions for IPv6, MTU Path Discovery, Neighbor Discovery, updated routing protocols, and Stateless Auto-configuration.



Hewlett-Packard

The new HP-UX11i provides support for several IPv6 features such as automatic and configured tunnels, advanced and basic sockets application programming interfaces (APIs), IPv4/IPv6 dual stack protocols, Path Maximum Transmission Unit (PMTU) Discovery, and Stateless Auto-configuration. The new HP-UX11i runs over Infiniband, FDDI, and Ethernet links.



Hitachi

The GR2000 carrier-class gigabit routers from Hitachi provide IPv6 at forwarding rates of a maximum of 26 Mpps and maximum line rates of 2.4 Gbps. The custom Application Specific Integrated Circuits (ASICs) of this system have a dual stack IPv4/IPv6 architecture and support packet filtering, IPv6 over IPv4 and IPv4 over IPv6 tunneling, and Stateless Auto-configuration among other IPv6 features.



IBM

Since the release of the IPv6-enabled AIX system in 1997, IBM has shown support for IPv6 and has continually added IPv6 support to its products, such as DB2 for Windows v9.1, Unix, and Linux.



Linux

The IPv6 protocols for Linux are developed by a volunteer-run collaborative effort referred to as the Universal Playground for IPv6 (USAGI). This project was undertaken to remove the bugs in Linux implementations that made it difficult for a Linux-based system to conform to the IPv6 specifications.



Microsoft

Naturally, when all vendors are providing support for IPv6, Microsoft cannot be far behind. Most of the new versions of the Windows operating system, including Windows Vista, Windows Server Code, Windows Server 2003, and Windows CE .NET have built-in IPv6 enhancements and facilitate an orderly transition from IPv4 to IPv6.


Nortel Networks

Nortel Networks has been working towards providing IPv6 support since the 1990s. The most recent generation of Nortel's Ethernet Routing Switch 8600 offers wire speed and terabit performance. Nortel products also provide other IPv6 enhancements such as IPv6 Multicast, IPv4 to IPv6 Tunneling, Neighbor Discovery, and Stateless Auto-configuration.



Novell

The IP on NetWare that comes with NetWare 6.5 uses IPv6 as the native transport protocol on its server platform. The IPv6 features supported by Novell include Automatic and Configured tunneling, Basic Socket Interface Extensions, Neighbor Discovery, Stateless Address Auto-configuration, and Transmission Mechanisms for hosts and routers. Please note that with Novell, IPv6 works as an add-on component to the existing TCP/IP protocol stack.


Sun Microsystems

The Solaris 10 operating system by Sun Microsystems offers support for important IPv6 programming interfaces and specifications. It offers the advantage of Internet Key Exchange (IKE), which lets systems connect by using authentication and encryption, and integrated IP Security (IPsec). This vendor also facilitates dual stack tunneling, such as IPv6 over IPv4 and vice versa.

For more details on the IPv6 support provided by a specific vendor, visit the IPv6 section on the vendor website or refer to system documentation specific to the vendor.


More Networking Tips:

Main Feature of IPv6

IPv6 vs IPv4 – What Are They, Exactly?


Cisco Takes Next Steps to Blend Wired, Wireless Networks

October 8 2012 , Written by Cisco & Cisco Router, Network Switch Published on #Cisco Routers

Centralizing access control, security, management

Cisco revealed new WLAN access points and controllers, along with its latest steps to blend wireless and wired enterprise networks together.


The networking vendor announced upgraded server applications for access control, network management, and application management across both types of networks. Also new: virtualization options for these infrastructure products; two new lower-priced 802.11n access points for business networks; a new high-end WLAN controller, with a new high-availability feature for Wi-Fi clients.


The changes are part of a strategy that the vendor labels "Cisco Unified Access," now being formally announced though it has been featured on the company Website, and talked about with customers, for over a year. The basic idea, according to Cisco marketers, is to centralize and automate policy enforcement, security and authentication, and network management, regardless of how business end users connect to the company network, or with what kind of client device.


For access control functions, Cisco offers the Identity Services Engine (ISE), unveiled in 2011 as a central point to create and enforce a range of network policies based on the user's identity, role, and devices.


A new update to the ISE software adds two features:

+ a Web-based portal, called "My Devices," which lets end users register their personally owned devices with ISE, which in turn can enforce for these devices whatever bring-your-own-device (BYOD) policies have been set by the IT group


+ Secure Group Access, which lets a network administrator assign users to groups that have a set of pre-defined policies associated with them. New users automatically have these policies applied to them and their devices


For security and management across wired and wireless networks, Cisco offers Cisco Prime Infrastructure, also announced last year. It integrates several previously separate tools into one application with a single user interface, spanning both wired and wireless LANs.


That software, too, is being updated, adding what Cisco calls application visibility and control. Essentially, Prime can collect data from various sources and tools to create a visual picture of how specific applications are behaving, and of the end user's "network experience" in terms of delays or other quality standards.


Cisco also announced, for small and midsized WLANs, that several of these infrastructure products are now available as software that can be hosted on virtual servers: Cisco Prime Infrastructure and Cisco Identity Services Engine, along with Cisco Mobility Services Engine, and a WLAN controller that supports up to 200 access points.


The new WLAN hardware products are:

+ Cisco Aironet 2600 and 1600 Series access points, to complement the high-end 3600 Series: the two new products support 802.11n, but each in turn has fewer of the advanced features found in the flagship product. And unlike, the 2600, neither will be able to receive the 802.11ac plug-in module that Cisco recently announced it will ship in early 2013


+ Two new high-end WLAN controllers: the 8500 Series is aimed at service providers deploying Wi-Fi networks as adjuncts to wired or cellular network access, or at very large enterprise WLANs. The one-rack unit can manage up to 6,000 access points and 64,000 clients.


+ The new controller firmware release now supports what Cisco calls sub-second stateful switchover to improve WLAN availability. In effect, it's a way to shift Wi-Fi clients so quickly to a backup controller that they maintain their application sessions even if their original controller blows up.

---Written by John Cox at networkworld.com


More Cisco Info and News Related to Wireless:

Wireless Network: How to Configure Wireless Security?

Cisco’s New Aironet Wireless Access Points Make Networks Faster and Steadier
