Cisco & Cisco Network Hardware News and Technology


Discussion: Management of ASA with Firepower Services

March 3 2016 , Written by Cisco & Cisco Router, Network Switch Published on #Cisco Switches - Cisco Firewall, #Cisco & Cisco Network

Cisco ASA with FirePOWER Services-Key Security Features



We have talked about Cisco ASA with FirePOWER Services a lot before. With Cisco ASA with FirePOWER Services, you consolidate multiple security layers in a single platform, eliminating the cost of buying and managing multiple solutions.

The Cisco Firepower Next-Generation Firewall is the industry’s first fully integrated, threat-focused next-gen firewall with unified management. It includes Application Visibility and Control (AVC), optional Firepower next-gen IPS (NGIPS), Cisco Advanced Malware Protection (AMP), and URL Filtering. Cisco Firepower NGFW provides advanced threat protection before, during, and after attacks.

Cisco ASA with FirePOWER Services, Stop more threats with a threat-focused NGFW

Beat sophisticated cyber attacks with superior security. We offer the industry’s first threat-focused next-generation firewall (NGFW). You get the confidence of the most-deployed stateful firewall combined with application control, next-generation intrusion prevention system (NGIPS), and advanced malware protection (AMP).

Discussion: Management of ASA with Firepower Services

There are a few questions about the management of ASA with Firepower Services. Let’s look at the discussion from Cisco Communities.

1. An ASA with Firepower Services requires a Firesight management device (physical or virtual) - Correct?

Yes, that’s correct.

2. Is there a High Availability option for a physical Firesight management?

Read about this in the bottom of Table 2 on this page:

http://www.cisco.com/c/en/us/products/collateral/security/firesight-management-center/datasheet-c78-732251.html

3. Does the Firesight management also manage the ASA's firewall rules?

--Not yet. Cisco is developing Firepower Threat Defence that does exactly that.

4. I ask because I believe there was mention that a rule could have a specific IPS policy assigned to it. This is correct in terms of Firepower Access Control Rules. Not ASA firewall rules.

5. If this is true I would believe that the use of CLI or ASDM on the ASA would no longer be usable - Correct?

The new Threat Defence system will be managed from Firepower Management Center. Not CLI nor ASDM.

6. When changes are made on the Firesight management station are they applied immediately to the ASA, like managing via CLI, or is there another step to applying the changes?

No. You will have to deploy the new policy to the Firepower sensor first.

7. When changes are applied, what if anything happens to existing connections?

- I actually am not sure about this. I have never seen any connections being dropped when applying policy. Cisco has made a note about this in their manual: Firepower Management Center Configuration Guide, Version 6.0 - Policy Management [Cisco FireSIGHT Management Center] -…

  • When you enable Inspect traffic during policy apply:
    • Certain configurations can require the Snort process to restart.
    • When the configurations you deploy do not require a Snort restart, the system initially uses the currently deployed access control policy to inspect traffic, and switches during deployment to the access control policy you are deploying.
  • When you disable Inspect traffic during policy apply, the Snort process always restarts when you deploy.
  • How a Snort restart affects traffic depends on the interface configuration and the platform.

Original Discussion from https://communities.cisco.com/thread/59509


Configuring the ASA as CA Server

January 18 2016 , Written by Cisco & Cisco Router, Network Switch Published on #Cisco Switches - Cisco Firewall, #Cisco & Cisco Network

ASDM -> Configuration -> Remote Access VPN -> Certificate Management - Local Certificate Authority


Do you know how to configure the ASA as a CA server? The Cisco ASA can act as a Certificate Authority server and issue certificates to VPN clients or other network devices.

The Cisco ASA only provides browser-based certificate enrollment.

Before proceeding with the configuration, make sure the time on your ASA is correct (show clock) or use an NTP server to synchronize the time across your network devices.

We cannot specify the CA server name, because only one instance of the Local CA server can run at a time.

Under the crypto ca server mode, we have multiple options, explained as follows:

CA Server configuration commands:

  • CDP-URL: Specifies the certificate revocation list distribution point to be included in the certificates issued by the CA.
  • Database: Specifies a path or location for the local CA database. The default location is flash memory.
  • Enrollment-retrieval: Specifies the time in hours that an enrolled user can retrieve a PKCS12 enrollment file.
  • Issuer-name: Indicates that rule entry is applied to the issuer DN of the IPSec peer certificate.
  • Keysize: Configure the size of keypair to generate for certificate enrollments for the local CA server.
  • Lifetime CA-certificate: Specify the lifetime for the CA certificate.
  • Lifetime certificate: Specify the lifetime for the user certificate.
  • Lifetime CRL: Specify the lifetime for the CRL.
  • OTP expiration: Specify the lifetime for the OTP expiration.
  • Publish-CRL: Make the CRL available for download via HTTP on the specified interface.
  • Renewal-reminder: Specify the time prior to the CA certificate expiration at which the ASA will notify the users via email.
  • SMTP from address: Specify the email from which the notification will be sent to deliver the OTP password and enrollment invitations.
  • SMTP subject: Customize the email subject.
  • Subject-name-default: Specify an optional SUBJECT-NAME DN.

Basic ASA configuration as CA server

ASDM -> Configuration -> Remote Access VPN -> Certificate Management - Local Certificate Authority

...

Equivalent CLI configuration:

ASA(config)# Crypto ca server
ASA(config-ca-server)# lifetime ca-certificate 100
ASA(config-ca-server)# lifetime certificate 30
ASA(config-ca-server)# smtp from-address admin@cisco.com
ASA(config-ca-server)# smtp subject Certificate enrollment
ASA(config-ca-server)# keysize 2048
ASA(config-ca-server)# cdp-url http://cisco/+CSCOCA+/asa_ca.crl
ASA(config-ca-server)# subject-name-default CN=BoB , O=Cisco, C= US
ASA(config-ca-server)# no shutdown

Once the CA server has been enabled, we cannot make any modification to the configuration unless we shut down the server.

Show and debug commands:

  • Debug crypto ca server
  • Show crypto ca server
  • Show crypto ca server cert-db

More information http://www.cisco.com/c/en/us/td/docs/security/asa/asa81/config/guide/config/cert_cfg.html

Original Guide From https://supportforums.cisco.com/document/12597006/how-configure-asa-ca-server


Cisco Mobility Express Solution for K-12

November 18 2015 , Written by Cisco & Cisco Router, Network Switch Published on #Cisco & Cisco Network

Deploy and Manage Your School’s Wi-Fi Network in a Snap


What can the Cisco Mobility Express Solution do for you? The good news is that the Cisco Mobility Express Solution can easily help you deploy a wireless network with all of Cisco’s advanced wireless innovations, using a simple, over-the-air configuration interface.

Nowadays, at your school, students might be using digital textbooks. And you might be required to provide a tablet or laptop for every student. Network connections will probably be wireless for the flexibility to use devices from anywhere on campus. Faculty and administrative personnel, too, rely on wireless networking for internal communications that are part of their jobs.

If your IT staff is tiny or nonexistent, how can you deploy and manage the wireless network? Especially if there are multiple schools scattered throughout the district to cover?

Cisco Mobility Express Solution targets just such situations. Mobility Express is built into Cisco Aironet 1850 and 1830 Series Access Points, which support 802.11ac Wave 2. Wave 2 is the very latest Wi-Fi standard, supporting gigabit speeds and protecting your Wi-Fi access point investment into the future.

Benefits

  • Ideal for schools needing up to 25 Wi-Fi access points
  • Supports Cisco’s industry-leading features with no price premium
  • Non-IT personnel can set up the wireless network in less than 10 minutes
  • Three-step, wizard-based setup means no command lines to learn
  • Delivers 802.11ac Wave 2, the latest and fastest wireless LAN technology on the market
  • Bundles virtual WLAN controller management capabilities into the AP at no extra cost
  • Cisco Connected Mobile Experience (CMX) can be added to boost customer engagement and give you presence-based analytics

Be Prepared for Wave 2 Client Devices--New 802.11ac Wave 2 client devices will soon appear on your network as students, faculty, and staff upgrade their smartphones and tablets.

Installing a Wave 2 Wi-Fi access point prepares you to deliver the most robust performance possible to them from day one. Turn to Cisco, a leader in helping advance the 802.11ac specifications, to help you stay ahead of the growing Wi-Fi traffic volumes that the new devices will generate.

1, 2, 3, and You’re Up

Supported on the Cisco Aironet 1850 and 1830 Series Access Points, the Mobility Express Solution lets you deploy your wireless LAN in less than 10 minutes. You can simultaneously configure multiple Aironet access points with industry best-practice settings already enabled by default. Follow just three steps to configure your network:

  1. Connect to an 1850 or 1830 access point using any wireless device
  2. Use the Cisco WLAN Express Setup Wizard to configure multiple access points simultaneously. Your wireless network can contain a mix of Cisco Aironet 1850, 1830, 1600, 2600, 3600, 1700, 2700 and 3700 Series Access Points. You just need an 1850 or 1830 for the control function.
  3. Access the management dashboard – available via a browser or a mobile app – to operate, monitor, and troubleshoot your network.

When you want to access your Mobility Express dashboard from your mobile device, use the Cisco Wireless app, available at the Google Play Store and Apple App Store.

Built-In Management

Using a virtual wireless LAN controller built right into the Cisco Aironet 1850 and 1830 access points, you can manage all your access points from a central console. You can easily manage up to 25 APs and 500 clients for each Mobility Express virtual controller you deploy. That means if you are a smaller venue, you can now deliver the same quality user experiences as large enterprises. There’s no price premium, and you don’t have to understand command-line interfaces.

There’s no longer the burden of having to manage autonomous APs one at a time, and no need to invest in a separate WLAN controller appliance for management.

To learn more about Cisco Mobility Express Solution, Cisco Aironet 1850 and 1830 Series Access Points, and 802.11ac Wave 2, visit: http://www.cisco.com/go/mobilityexpress.

Original from http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise-networks/mobility-express/at-a-glance-c45-734261.pdf


How to Verify Cisco Switch Network Status and Operational State?

October 30 2015 , Written by Cisco & Cisco Router, Network Switch Published on #Cisco & Cisco Network

In the last article we talked about the “Nine Switch Commands Every Cisco Network Engineer Needs to Know”. For Cisco, as for many other vendors, new commands are introduced at each progressive level of system verification. Do you know what commands you should use to verify a network switch’s status and operation? In this article we will look at five essential commands that are used to verify a network switch’s status and operation. They are:

  • ping
  • traceroute
  • telnet
  • ssh
  • show cdp neighbors

ping

Available on almost all operating system platforms, including Cisco IOS, the ping command is used to verify the reachability of a targeted device. It does this by sending an Internet Control Message Protocol (ICMP) echo message to the target; if the target receives the message (and is not configured to drop it), it responds to the initial sender with an ICMP echo-reply message. In a perfect world, with no firewalls, and all devices configured to respond to these messages, the ping command would work perfectly. However, many devices (or devices en route, like firewalls) are purposely configured to ignore ICMP echo messages automatically, in order to hide their existence and avoid being targeted by attackers. In these cases, engineers must decide whether the unsuccessful ping is a real problem or a purposeful part of a network’s design.

TIP: As a general rule, don’t worry about devices that are outside your organization’s control.

Cisco IOS also has an extended version of the ping command that allows for more complex command configurations. For example, an engineer has the ability to control the source IP used (which makes sense when being run from a router configured with multiple IP addresses), the size of the messages being sent, and the content of the messages, among other options.

traceroute

The traceroute command is typically used along with the ping command to further determine the reachability of a destination. traceroute works a bit differently from ping; instead of simply sending a message to the destination directly, it aims to find the path from the source to the target destination. It does this by using either ICMP echo messages on Windows or the User Datagram Protocol (UDP) probe messages on Linux and Cisco IOS. It figures out the path by taking advantage of the IP Time to Live (TTL) field.

It’s important to understand what the TTL field does. In normal circumstances, the TTL is used as a loop-prevention mechanism; it works by being set to a number which is then decremented at every respective IP “hop.” If the TTL reaches a device and is decremented to 0, the packet is dropped and an ICMP “destination unreachable” message is sent back to the source device. When used by the traceroute command, the TTL finds each of the hops in the path between the source and the destination:

  1. Initially the source sends an ICMP or UDP message to the destination with a TTL of 1.
  2. When the packet reaches the first hop, the TTL is decremented to 0; the device drops the packet and sends back an ICMP “destination unreachable” message.
  3. To find the second hop, the TTL is set to 2, for the third hop it’s set to 3, and so on; typically three packets are sent for each step toward the destination (three with a TTL set to 1, three with a TTL set to 2, and so on).
  4. These ICMP “destination unreachable” messages are received by the running traceroute command and interpreted into a readable output showing the path toward the destination.

As with the ping command, many organizations block the ICMP echo messages and some of the UDP messages; and the output should be read with this fact in mind.

The traceroute command on Cisco IOS is extended in the same way as the ping command variant that allows for extended command configurations. The options offered by traceroute mirror most of the options available in an extended ping.

telnet

The telnet command has been around for a long time, allowing users to manage devices via a command-line interface. Its very simple operation provides an unsecured Transmission Control Protocol (TCP) session between the source and destination. Characters entered on the source are immediately relayed to the destination, providing an experience on Cisco IOS (and Linux) that is the same as if the user were directly connected into the device locally.

CAUTION

A key term to take from this description is unsecured, the username and login information are sent between the source and destination in clear text.

The telnet command uses TCP port 23.

ssh

The ssh (secure shell) command works similarly to the telnet command but creates a secure communications channel between source and destination. This means that the username and password are not sent in clear text and are protected (at least to some level) from anyone listening in on the conversation.

The ssh command uses TCP port 22.

show cdp neighbors

The show cdp neighbors command is used on a Cisco IOS device to view neighboring devices discovered by the Cisco Discovery Protocol (CDP). CDP is a Cisco proprietary protocol used for Layer 2 discovery; it has the ability to discover all other supporting CDP devices on a shared segment. (It doesn’t work across Layer 3 devices.) The following example shows some typical output of this command:

R1#show cdp neighbors
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone,
                  D - Remote, C - CVTA, M - Two-port Mac Relay

Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
R2               Fas 0/0            172              R    7206VXR   Fas 0/0
R1#

In this example, we learn that the remote device (R2) is connected via R1’s FastEthernet0/0 interface and is connected to R2’s FastEthernet0/0 interface, and R2 is a Cisco 7206VXR router. This information is very helpful when mapping out unfamiliar networks. It can also be used to help ensure that a device is connected to the correct remote device(s) on the correct interface; as engineers often must configure devices remotely, this command is useful when installing new equipment, to ensure that physical interfaces are connected to the appropriate networks.

Keep in mind that CDP is a proprietary protocol and will not work to discover most other non-Cisco devices; this command is enabled by default on Cisco devices. A standards-based alternative to CDP is the Link Layer Discovery Protocol (LLDP)—IEEE 802.1AB, which is supported by many other vendors, but is not enabled by default on Cisco devices.
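As an added example (not from the article or from Cisco), here is a small Python parser for the show cdp neighbors table above, plus a check of the discovered links against an expected cabling plan, the "is this box cabled to the right neighbor on the right port" question the article raises. The sample output is constructed after the R1/R2 output shown above, and the plan deliberately contains one wrong port and one missing link so both discrepancies surface.

```python
"""Parse 'show cdp neighbors' output and compare it to an expected cabling plan.
Added example, not from the article; the sample output is constructed after
the R1/R2 output shown above."""
import re

# Constructed sample output: the R2 row matches the article, SW1 is added.
SAMPLE_OUTPUT = """\
R1#show cdp neighbors
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone,
                  D - Remote, C - CVTA, M - Two-port Mac Relay

Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
R2               Fas 0/0            172              R    7206VXR   Fas 0/0
SW1              Fas 0/1            145            S I    WS-C2960  Gig 0/1
R1#
"""

# Interface names may be split ("Fas 0/0") or joined ("Gig0/1") depending on
# the IOS version, so the local and remote port fields allow an optional
# second token; capability codes are single letters separated by one space.
ROW_RE = re.compile(
    r"^(?P<device>\S+)\s+"
    r"(?P<local>\S+(?:\s\S+)?)\s+"
    r"(?P<hold>\d+)\s+"
    r"(?P<cap>[A-Za-z](?:\s[A-Za-z])*)\s+"
    r"(?P<platform>\S+)\s+"
    r"(?P<port>\S+(?:\s\S+)?)\s*$"
)


def parse_cdp_neighbors(output):
    """Return one dict per neighbor row found after the 'Device ID' header."""
    neighbors = []
    in_table = False
    for line in output.splitlines():
        if line.startswith("Device ID"):
            in_table = True
            continue
        # Skip everything before the header, blank lines and the trailing prompt.
        if not in_table or not line.strip() or line.rstrip().endswith("#"):
            continue
        m = ROW_RE.match(line)
        if not m:
            raise ValueError(f"unparsed CDP row: {line!r}")
        row = m.groupdict()
        row["hold"] = int(row["hold"])
        row["cap"] = row["cap"].split()
        neighbors.append(row)
    return neighbors


# Expected cabling plan for R1: local interface -> (remote device, remote port).
# Fas 0/1 deliberately expects the wrong remote port and Fas 0/2 is not cabled,
# so both kinds of discrepancy are reported.
EXPECTED_LINKS = {
    "Fas 0/0": ("R2", "Fas 0/0"),
    "Fas 0/1": ("SW1", "Gig 0/2"),
    "Fas 0/2": ("R3", "Fas 0/1"),
}


def verify_topology(neighbors, expected):
    """Return a list of discrepancies between discovered neighbors and the plan."""
    problems = []
    seen = set()
    for n in neighbors:
        seen.add(n["local"])
        want = expected.get(n["local"])
        if want is None:
            problems.append(f"{n['local']}: unexpected neighbor {n['device']} {n['port']}")
        elif (n["device"], n["port"]) != want:
            problems.append(
                f"{n['local']}: connected to {n['device']} {n['port']}, "
                f"expected {want[0]} {want[1]}"
            )
    for local, (dev, port) in expected.items():
        if local not in seen:
            problems.append(f"{local}: expected neighbor {dev} {port} not seen")
    return problems
```

CDP advertisements are unauthenticated, so treat the parsed values as claims made by whatever is on the other end of the cable, not as proof of identity.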

Reference Article from http://www.ciscopress.com/articles/article.asp?p=2420613


Nine Switch Commands Every Cisco Network Engineer Needs to Know

October 30 2015 , Written by Cisco & Cisco Router, Network Switch Published on #Cisco & Cisco Network

There is no doubt that a Cisco network engineer needs experience with a wide variety of commands used with network technology. And at the Cisco Certified Network Associate (CCNA) level, Cisco has indicated a number of commands that should be known initially for Cisco network switches.

This article covers these commands, explaining what they do and how they alter the behavior and/or use of a Cisco switch.

Some terms you need to know, with examples

#1: hostname hostname

One of the most basic network commands, hostname configures the hostname used for a device. This hostname identifies the device to other locally connected devices for protocols such as the Cisco Discovery Protocol (CDP), which helps in the identification of devices attached directly to the network. Although it is not case-sensitive, the hostname must follow certain rules: It must begin with a letter and end in a letter or digit, and interior characters must be letters, digits, or hyphens (-).

#2: ip default-gateway gateway

The ip default-gateway command configures the default gateway for a switch when IP routing is not enabled (with the ip routing global configuration command), which is typical when lower-level Layer 2 switches are being configured. The easiest way to determine whether IP routing has been enabled is to run the show ip route command. When IP routing has not been enabled, the output will look similar to the following example:

SW1#show ip route
Default gateway is 10.10.10.1

Host               Gateway           Last Use    Total Uses  Interface
ICMP redirect cache is empty
SW1#

When IP routing is enabled, the output looks similar to the output displayed on a router:

SW1#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override

Gateway of last resort is not set

      10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        10.10.10.0/24 is directly connected, Vlan1
L        10.10.10.10/32 is directly connected, Vlan1
SW1#

NOTE: The configuration entered with the ip default-gateway command has no effect when IP routing is enabled.

#3: username username {password | secret} password

The username command configures a username and associates a password with it. Using the password or secret version of this command is a matter of security:

  • The password version of this command will do one of two things with the configured password:
    • Place the password into the configuration in plaintext (if the service password-encryption command is not enabled).
    • Put the password through a Cisco-proprietary encryption algorithm before placing it into the configuration. (Note that this encryption is easily reversed.)
  • The secret version of this command will create an MD5 hash with the configured password and then place it into the configuration. This reconfigured password is much harder to crack than the encrypted version created with the password version of this command.

This username/password can be used for a number of different features, including Telnet and SSH.

#4: enable {password | secret} password

The enable command configures the password that will be used to access a switch's privileged configuration mode. Because all configuration of a Cisco IOS switch requires privileged configuration mode, keeping this password private is very important. As with the username command, this command has two options: password and secret. The differences between these two options are the same as those for the username command in the preceding section. The enable secret version of the command should be used in all production environments.

Console and Terminal Login Commands

Five commands are used to configure login via the console and virtual terminal (VTY) lines of a switch:

  • password
  • login
  • exec-timeout
  • service password-encryption
  • copy running-config startup-config

The following sections describe these individual commands.

Password password

When entered in line-configuration mode (console or terminal), the password command is used to configure the password that will be used to access a switch from that specific line, depending on the line mode (console or terminal). However, the password configured with this command is used only if the login command is used (which is the default).

Login [local]

The login command is used to enable password checking on an interface. If this command is used without any parameters, the system will check the password entered with the login against the one entered with the password command discussed in the preceding section. If used with the local parameter, both username and password will be prompted, and the entries will then be checked against the local username database that was created with the username command discussed previously.

Exec-timeout minutes [seconds]

The exec-timeout command is used to configure the amount of time that can pass before a device considers the connection idle and disconnects. By default, timeout is set to 10 minutes. This timeout can be disabled with the no exec-timeout command. (This command is a shortcut and actually enters the exec-timeout 0 0 command into the configuration.)

Service password-encryption

The service password-encryption command is used to enable the encryption of configured passwords on a device. The passwords referenced with this command are the ones configured with a command's password parameter, such as username password and enable password. The passwords encrypted with this command are not highly encrypted and can be broken relatively easily. By and large this command is deprecated, as most network engineers will use the secret version of the appropriate commands; however, even weak protection is better than nothing.

Copy running-config startup-config

The copy running-config startup-config command (popularly shortened to copy run start) is one of the most fundamental commands learned by new Cisco network engineers. It copies the active configuration (running-config) on a device to non-volatile memory (NVRAM) (startup-config), which maintains a configuration across a reload. Without this command, a configuration can be lost when a device is reloaded or powered off. The copy command can also be extended to save configuration and IOS images to and from a local device, as well as to and from different locations on the local device.

Network engineers must learn many Cisco OS commands in the process of becoming a CCNA (and beyond), and understanding these basic management commands is where the process starts. Without the knowledge of how to access devices, the complex commands are useless. You must understand when learning these concepts that they are intended to be stacked on top of each other. Lack of knowledge of a few base concepts undermines learning other, more advanced concepts that build on top of those basics.
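The commands above map directly onto things a reviewer looks for in a running-config: enable password instead of enable secret, username ... password (type 0 or the reversible type 7) instead of username ... secret, lines that rely on a shared line password rather than login local, a disabled exec-timeout, and VTY lines not restricted to SSH. As an added example (not from the article or from Cisco Press), the Python audit below checks a constructed running-config for exactly those settings; AAA-based login methods are outside its scope.

```python
"""Audit a Cisco IOS running-config for the weak login settings described above.
Added example, not from the article; the sample config is constructed."""
import re

# Constructed sample running-config (not taken from any real device).
SAMPLE_CONFIG = """\
hostname SW1
!
enable password cisco123
username admin password 7 0822455D0A16
username ops secret 5 $1$abcd$constructedhashvalue
!
line con 0
 password console123
 login
!
line vty 0 4
 password vtypass
 login
 exec-timeout 0 0
!
line vty 5 15
 login local
 transport input ssh
!
"""


def split_line_stanzas(config):
    """Return [(stanza_name, [indented sub-commands])] for every 'line ...' stanza."""
    stanzas = []
    current = None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = (raw.strip(), [])
            stanzas.append(current)
        elif raw.startswith(" ") and current is not None:
            current[1].append(raw.strip())
        else:
            current = None  # '!' or any other top-level command ends the stanza
    return stanzas


def audit_config(config):
    """Return a list of (severity, finding) tuples; an empty list means no issues."""
    findings = []
    lines = config.splitlines()

    # Global settings: enable secret beats enable password, and
    # service password-encryption at least hides type-0 passwords.
    if not any(l.startswith("service password-encryption") for l in lines):
        findings.append(("low", "service password-encryption not enabled"))
    for l in lines:
        if l.startswith("enable password"):
            findings.append(("high", "enable password in use; use enable secret"))
        m = re.match(r"username (\S+) password( 7)? ", l)
        if m:
            kind = "type 7 (reversible)" if m.group(2) else "plaintext"
            findings.append(("high", f"username {m.group(1)} uses a {kind} password; use secret"))

    # Per-line settings: login, login local, exec-timeout, transport input.
    for name, body in split_line_stanzas(config):
        login_cmds = [b for b in body if b == "login" or b.startswith("login ")]
        if not login_cmds:
            findings.append(("high", f"{name}: no login command, so no password check"))
        elif "login local" not in login_cmds:
            if any(b.startswith("password") for b in body):
                findings.append(("medium", f"{name}: line password in use rather than login local"))
            else:
                # IOS refuses the session with 'Password required, but none set'.
                findings.append(("medium", f"{name}: login set but no line password"))
        if "exec-timeout 0 0" in body or "no exec-timeout" in body:
            findings.append(("medium", f"{name}: exec-timeout disabled"))
        if name.startswith("line vty") and "transport input ssh" not in body:
            findings.append(("medium", f"{name}: transport input not restricted to ssh"))
    return findings
```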

The Reference Article from http://www.ciscopress.com/articles/article.asp?p=2420612


Cisco’s IoT Part-Cisco Mobile IP Gateway 2450

September 25 2015 , Written by Cisco & Cisco Router, Network Switch Published on #Cisco & Cisco Network, #Cisco Technology - IT News

The MIG-2450 is a gateway specifically designed for transportation solutions in environments such as buses, trains and planes.


Now, Cisco is focusing on the Internet of Things and delivering more than a dozen new IoT-focused products and a handful of services for channel partners. IoT can do many things for industries.

The IoT is transforming the mass transportation industry. With smart, connected devices, transit companies can monitor hundreds of details about vehicles, tracks, environmental conditions, and much more. IoT technology can also help businesses deliver the value-add services passengers are beginning to expect, such as onboard Wi-Fi.

The challenge for today’s transportation companies is to find secure, efficient ways to put this IoT technology to work. Connecting devices and endpoints across a complex, wide-ranging transportation network can take a lot of time and resources.

Cisco designed the Cisco Mobile IP Gateway 2450 to help simplify these tasks.

The MIG-2450 is a mobile connectivity gateway that delivers high availability communications between central offices, trackside operators, and transit vehicles by integrating GPS, Ethernet, Wi-Fi, and mobile broadband modems.

The MIG-2450 helps you comply with safety and interoperability regulations. It also gives you a way to collect and analyze data without the need for yet another piece of hardware to fit onboard a vehicle. And its modular design provides powerful connectivity for the services and applications that enhance the transportation experience for passengers and workers alike.

Benefits

• Automate and improve communication between the back office and transit vehicles.

• Boost efficiency and simplify decision making with visibility into vehicles, workers, and security system statuses.

• Enhance the user experience with new, value-added Wi-Fi services for passengers.

• Improve safety for passengers and employees with telematics, driver performance monitoring, and systems analytics applications.

• Reduce operational costs by automating systems management and streamlining PTC compliance for safety and speed enforcement.

Built for a Wide Range of Use Cases

The Cisco Mobile IP Gateway 2450 helps make your transportation operations more efficient, cleaner, and safer. And less costly to run.

With this critical component in your network infrastructure, you can:

• Provide high-performance passenger Wi-Fi

• Implement and manage onboard information systems

• Make transportation safer with wireless surveillance

• Comply more easily with safety and speed regulations

• Remotely monitor and manage mobile assets

• Monitor driver and vehicle performance in real time

• Run systems analytics applications

Offering Options for the Way You Do Business

The MIG-2450 delivers the following features:

• Hardened, scalable industrial system with a compact form factor, wide operating temperature range, fanless operation, and compliance with AAR Standard S-9401 and EN-50155

• Centralized management to allow operators to remotely monitor, control, and perform diagnostics

• Support for up to 4 Type-1 or 10 Type-2 interface cards for extensible connectivity

• Robust connectivity with support for quality of service (QoS), dynamic roaming, multilink load balancing and failover, and link monitoring

• Durable security through Internet Protocol Security (IPsec), Secure Shell (SSH), AES encryption, and datagram transport layer security (DTLS)

Info from http://www.cisco.com/c/dam/en/us/products/collateral/se/internet-of-things/at-a-glance-c45-735028.pdf

More new IoT-related products announced from Cisco (15 in total) include:

  • IE5000 purpose-built switch designed for manufacturing and cities.
  • IW3702 wireless access point for mass transit systems and city-wide wi-fi deployments.
  • IR 809 and IR 829 series of industrial routers with wi-fi and 4G/LTE connectivity for transportation organizations.
  • 4G/LTE modules for CGR 1000 for utility companies, 5921 Embedded Services Routers for industrial networking in remote locations.
  • 360° 5MP & 720p IP cameras for situational awareness. They're also outfitted with audio and digital sensors.
  • Physical security analytics applications that connect to the IP cameras.
  • Fog computing data services for the creation of policies that can monitor and then take action on data that flows through an IoT environment.
  • IoT Field Network Director for monitoring and customizing IoT network infrastructure.
  • Fog Director for centrally managing apps that run at the network's edge.

More Related

Cisco’s IoT Part-The Cisco 829 Industrial Integrated Services Routers

What Can the New Cisco IoT System Do for You?


GRE tunnel vs. IPsec tunnel

August 14 2015 , Written by Cisco & Cisco Router, Network Switch Published on #Cisco & Cisco Network

In the article “How to Configure a GRE Tunnel?” we talked about what tunneling is and how to configure a GRE tunnel. In this article we continue with the GRE tunnel and the IPsec tunnel: what are the differences?

Encapsulating a packet for secure transportation on the network can be done using either GRE or IPsec protocols. This tip explains under what circumstances each protocol works best.

Generic Routing Encapsulation (GRE), defined by RFC 2784, is a simple IP packet encapsulation protocol. GRE is used when IP packets need to be sent from one network to another, without being parsed or treated like IP packets by any intervening routers.

For example, in Mobile IP, a mobile node registers with a Home Agent. When the mobile node roams to a new network, it registers with a Foreign Agent there. Whenever IP packets addressed to the mobile node are received by the Home Agent, they can be relayed over a GRE tunnel to the Foreign Agent for delivery. It does not matter how the Home Agent and Foreign Agent communicate with each other -- hops in between just pass along the GRE packet. Only the GRE tunnel endpoints -- the two Agents -- actually route the encapsulated IP packet.

The IP Security (IPsec) Encapsulating Security Payload (ESP), originally defined by RFC 2406 and now specified by RFC 4303, also encapsulates IP packets. However, it does so for a different reason: to secure the encapsulated payload using encryption and integrity protection. IPsec ESP is used when IP packets need to be exchanged between two systems while being protected against eavesdropping or modification along the way.

For example, in a site-to-site VPN, a source host in network "A" transmits an IP packet. When that packet reaches the edge of network "A" it hits a VPN gateway. VPN gateway "A" encrypts the private IP packet and relays it over an ESP tunnel to a peer VPN gateway at the edge of network "B". VPN gateway "B" then decrypts the packet and delivers it to the destination host. As with GRE, it does not matter how the two VPN gateways reach each other; hops in between just pass along the ESP packet. But unlike GRE, someone at those hops cannot read or alter the encapsulated IP packet: the payload is encrypted, an integrity check value lets the receiver detect any modification, and the ESP sequence number lets it detect replay. Two caveats a practitioner should keep in mind: this holds only if the security association actually negotiates both an encryption algorithm and an integrity algorithm (ESP can be configured with NULL encryption, which gives integrity but no privacy, and anti-replay checking must be enabled on the receiver), and the outer IP header and the ESP SPI remain visible, so an observer still learns which gateways are talking and how much.

Use GRE where IP tunneling without privacy is required; it is simpler and thus faster. Use IPsec ESP where tunneling and data privacy are required; it provides security features that GRE does not attempt. In practice the two are often combined as GRE over IPsec: GRE carries the routing protocols, multicast and non-IP traffic that IPsec alone cannot, and ESP protects the resulting GRE packets between the gateways.

So,

  • IPsec stands for Internet Protocol Security while GRE stands for Generic Routing Encapsulation.
  • IPsec is an IETF security protocol suite (IKE for key exchange, ESP and AH for protecting packets); GRE is a plain encapsulation header with no key exchange and no cryptography.
  • GRE can carry other routed protocols, multicast and routing-protocol traffic as well as IP packets over an IP network; IPsec in tunnel mode carries unicast IP only, which is why GRE over IPsec is so common.
  • IPsec offers authentication, integrity protection and confidentiality; GRE offers none of these (the optional GRE key field is a tunnel identifier, not an authentication secret).
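The contrast above, as an added example that is not part of the original article: a Cisco IOS configuration of a plain GRE tunnel, which carries the inner packets in cleartext, beside the same tunnel protected by an IPsec profile (GRE over IPsec) using IKEv2 and ESP with AES-256 and SHA-256. The interface names, addresses, object names and the pre-shared key placeholder are assumptions; site B needs the mirror-image configuration.

```cisco
! --- Weak: plain GRE. Every hop on the path can read and alter the inner IP packets. ---
interface Tunnel0
 description GRE to site B (no protection)
 ip address 10.255.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.2
 tunnel mode gre ip

! --- Hardened: the same GRE tunnel wrapped in IPsec (GRE over IPsec). ---
! IKEv2 authenticates the peer and negotiates keys; ESP then encrypts and
! integrity-protects every GRE packet, including the routing protocol inside it.
crypto ikev2 proposal PROP-AES256-SHA256
 encryption aes-cbc-256
 integrity sha256
 group 14
crypto ikev2 policy POL-SITE-B
 proposal PROP-AES256-SHA256
crypto ikev2 keyring KR-SITE-B
 peer SITE-B
  address 203.0.113.2
  pre-shared-key REPLACE-WITH-A-LONG-RANDOM-SECRET
crypto ikev2 profile PROF-SITE-B
 match identity remote address 203.0.113.2 255.255.255.255
 authentication remote pre-share
 authentication local pre-share
 keyring local KR-SITE-B
! Both an encryption and an integrity algorithm: ESP with NULL encryption would
! authenticate the tunnel but leave the payload readable.
crypto ipsec transform-set TS-AES256-SHA256 esp-aes 256 esp-sha256-hmac
 mode transport
crypto ipsec profile IPSEC-SITE-B
 set transform-set TS-AES256-SHA256
 set ikev2-profile PROF-SITE-B

interface Tunnel0
 description GRE over IPsec to site B
 ip address 10.255.0.1 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.2
 tunnel mode gre ip
 tunnel protection ipsec profile IPSEC-SITE-B

! Routing and multicast ride inside GRE, which IPsec alone could not carry.
router ospf 1
 network 10.255.0.0 0.0.0.3 area 0
```

To confirm the protection is actually in place, check that `show crypto ikev2 sa` lists the peer and that the encaps/decaps counters in `show crypto ipsec sa` increase as traffic crosses the tunnel; a GRE tunnel that comes up while the IPsec SA is absent is exactly the cleartext case shown first. The lowered `ip mtu` and `adjust-mss` values account for the GRE plus ESP overhead so that large packets are not fragmented after encryption.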

More Related Topics

Tips & Examples: Configuring a GRE Tunnel


Cisco TrustSec Software-Security Solution

July 13 2015 , Written by Cisco & Cisco Router, Network Switch Published on #Cisco & Cisco Network

Cisco TrustSec Support


Simplify Access Control without Network Redesign

What is Cisco TrustSec software, and what do you get from this security solution? Business demand for cloud services, mobility, and the Internet of Things (IoT) has created exponential network growth and complexity, and it has introduced risk, too. Each new user, device, and data connection is a potential attack entry point, so your attack surface is expanding. Cisco TrustSec is built to deal with this. Embedded in your existing Cisco network infrastructure, the TrustSec security solution simplifies the provisioning and management of network access control. It uses software-defined segmentation to classify network traffic and enforce policies for more flexible access controls. Traffic classification is based on endpoint identity, not IP address, enabling policy change without network redesign.

TrustSec is powered by the Cisco Identity Services Engine (ISE). This centralized policy management platform gathers contextual data about who and what is accessing your network. It then uses Security Group Tags (SGTs) to define roles and access rights and pushes the associated policy to your TrustSec-enabled network devices, such as switches, routers, and security equipment.

You get better visibility through richer contextual information, are better able to detect threats, and accelerate remediation. So you can reduce the impact and costs associated with a potential breach.

What are the Main Benefits You can Get?

Quickly isolate and contain threats using technology already in your network.

Limit the impact of data breaches by dynamically segmenting your network.

Centrally apply and enforce granular and consistent policies across wired, wireless, and remote-access users and devices.

Reduce operational expenses by defining firewall and access control rules based on asset or application context.

Easily provide dynamic campus segmentation to enforce security policies in quickly changing environments without provisioning and maintaining access control lists.

Cater to changing workforces and business relationships by defining security groups based on business roles, not IP addresses.

How It Works

Traditional network segmentation approaches use IP-address-based access control lists (ACLs), VLAN segmentation, and firewall policies that require extensive manual maintenance. Cisco TrustSec simplifies the effort by dynamically grouping machines into objects, called security groups, and provisioning security policies between those objects.

The interaction of systems is determined by the security-group-based policies, eliminating the need for VLAN or address-based policy provisioning. TrustSec is available in virtual and physical switches and treats virtual and physical workloads across the campus and data center consistently.
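What a security-group-based policy looks like on the device, as an added illustration that is not part of the original post or of Cisco's documentation: an IOS configuration of SGT-based enforcement on a Catalyst switch. The group numbers and names, the subnets and the policy itself are assumptions, and the static IP-to-SGT mappings stand in for the tags that ISE would normally assign at authentication time so that the example is self-contained.

```cisco
! Assumed security groups: 20 = Employees, 30 = Web_Servers, 40 = Guests.
! Static mappings stand in for ISE-assigned SGTs (assumption for this example).
cts role-based sgt-map 10.10.20.0/24 sgt 20
cts role-based sgt-map 10.10.30.0/24 sgt 30
cts role-based sgt-map 10.10.40.0/24 sgt 40

! Role-based ACLs name only protocols and ports, never IP addresses: the
! source and destination are supplied by the SGT pair the RBACL is bound to.
ip access-list role-based EMPLOYEES_TO_WEB
 permit tcp dst eq 443
 permit icmp
 deny ip
ip access-list role-based DENY_ALL
 deny ip

! Policy matrix: source SGT -> destination SGT -> RBACL.
cts role-based permissions from 20 to 30 EMPLOYEES_TO_WEB
cts role-based permissions from 40 to 30 DENY_ALL

! Everything not listed falls to the default. Set it explicitly so that a
! missing or unknown tag does not silently become "permit".
cts role-based permissions default DENY_ALL

! Nothing above is enforced until enforcement is switched on.
cts role-based enforcement
cts role-based enforcement vlan-list 20,30,40
```

Check the result with `show cts role-based permissions` and watch `show cts role-based counters` while sending test traffic: hits against DENY_ALL from SGT 40 to SGT 30 confirm that the guest subnet is blocked without any address-based ACL. The practical caveat is that an SGT only reaches the enforcement point if it is propagated there, either inline on TrustSec-capable links or through SXP to the enforcing device; a path that strips or never carries the tag is evaluated against the default permission, which is why that default is set to deny.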

“Effective network segmentation... reduces the extent to which an adversary can move across the network.”

US Department of Homeland Security

United States Computer Emergency Readiness Team

More: http://www.cisco.com/c/en/us/solutions/enterprise-networks/trustsec/index.html


Cisco Catalyst 6500 Series VSS 1440

September 9 2014 , Written by Cisco & Cisco Router, Network Switch Published on #Cisco & Cisco Network

VSS is a network system virtualization technology that pools two Cisco Catalyst 6500 Series Switches into one virtual switch, increasing operational efficiency, boosting nonstop communications, and scaling system bandwidth capacity to 1.4 Tbps. The two switches operate as a single logical virtual switch called the Virtual Switching System 1440 (VSS 1440), formed by two Cisco Catalyst 6500 Series Switches each fitted with the Virtual Switching Supervisor 720-10GE.

In a VSS, the data plane and switch fabric of the supervisor engine in each chassis, with 720 Gbps of capacity apiece, are active at the same time on both chassis, combining for 1400 Gbps of active switching capacity per VSS. Only one of the virtual switch members has the active control plane. Both chassis are kept in sync with the inter-chassis Stateful Switchover (SSO) mechanism along with Nonstop Forwarding (NSF), providing nonstop communication even if one member supervisor engine or chassis fails.


The Cisco Catalyst 6500 Series Virtual Switching System (VSS) 1440 allows for the merging of two physical Cisco Catalyst 6500 Series Switches together into a single, logically managed entity. The following figure graphically represents this concept where you can manage two Cisco Catalyst 6509 chassis as a single, 18-slot chassis after enabling Cisco Virtual Switching System.

[Figure: Virtual Switching System 1440]

The Cisco Catalyst 6500 Virtual Switching System (VSS) 1440 takes the flagship Catalyst 6500 platform to the next level with network system virtualization.

Virtual Switching System 1440 Redundancy State

[Figure: Virtual Switching System 1440 redundancy state]

Creating a VSS 1440

The key enabler of a VSS 1440 is the Virtual Switching Supervisor 720-10G. Any two Cisco Catalyst 6500 Series Switches with this supervisor engine can be pooled together into a VSS 1440. The two switches are connected with 10 GbE links called Virtual Switch Links (VSLs). Once a VSS 1440 is created it acts as a single virtual Catalyst switch, delivering the following benefits:

Operational Manageability

  • Two Catalyst 6500s share a single point of management, single gateway IP address, and single routing instance
  • Eliminates the dependence on First Hop Redundancy Protocols (FHRP) and Spanning Tree Protocol


Non-Stop Communications

  • Delivers deterministic, sub-200 millisecond layer 2 link recovery through inter-chassis stateful failovers and the predictable resilience of Etherchannel


Scales to 1.4 Tbps

  • Scales system bandwidth capacity to 1.4 Tbps by activating all available bandwidth across redundant Catalyst 6500 switches
  • Up to 132 ports of 10 GbE per system


What are the benefits of using VSS?

VSS offers clear benefits over a traditional Layer 2/Layer 3 network design. It increases operational efficiency by simplifying the network, cutting switch management overhead by at least 50 percent: there is a single point of management, a single IP address, a single routing instance, and a single configuration file and node to manage, so you no longer configure two switches with identical policies. It also eliminates the requirement for HSRP, VRRP, or GLBP; you use one IP address instead of the three needed with any FHRP.

Multichassis EtherChannel (MEC) is a Layer 2 multipathing technology that creates simplified loop-free topologies, removing the dependency on Spanning Tree Protocol (which can still be left enabled strictly as protection against user misconfiguration). With X2-10GB-ER 10 Gigabit Ethernet optics, the two chassis can be located up to 40 km apart.

Inter-chassis stateful failover results in no disruption to applications that rely on network state information (for example, forwarding table info, NetFlow, Network Address Translation [NAT], authentication, and authorization). VSS eliminates L2/L3 protocol reconvergence if a virtual switch member fails, resulting in deterministic subsecond virtual switch recovery.

VSS activates all available Layer 2 bandwidth across the redundant Cisco Catalyst 6500 Series Switches with automatic, even load sharing. Link load sharing is optimized because it is based on more granular information, such as L2/L3/L4 parameters, unlike the VLAN-based load balancing of a Spanning Tree Protocol design.
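The VSS 1440 setup described under "Creating a VSS 1440", as an added example rather than configuration from the original post: the virtual switch domain on both chassis, the VSL port channels, the conversion command, and the dual-active detection that the failover discussion above depends on. The domain number, slot and port numbers and priorities are assumptions; the VSL ports are the two 10 GbE ports of a Supervisor 720-10G in slot 5.

```cisco
! ---- Switch 1 (becomes chassis 1 of the VSS) ----
switch virtual domain 100
 switch 1
 switch 1 priority 110
 switch 2 priority 100
 dual-active detection fast-hello
interface Port-channel1
 description Virtual Switch Link to switch 2
 no switchport
 no ip address
 switch virtual link 1
interface range TenGigabitEthernet5/4 - 5
 channel-group 1 mode on

! ---- Switch 2 (becomes chassis 2; same domain, its own VSL number) ----
switch virtual domain 100
 switch 2
 switch 1 priority 110
 switch 2 priority 100
 dual-active detection fast-hello
interface Port-channel2
 description Virtual Switch Link to switch 1
 no switchport
 no ip address
 switch virtual link 2
interface range TenGigabitEthernet5/4 - 5
 channel-group 2 mode on

! Run on each chassis in exec mode; both reload and come up as one switch.
! Afterwards interfaces are named <switch>/<slot>/<port>, e.g. Te1/5/4.
switch convert mode virtual

! After conversion: a dedicated, directly connected link per chassis for
! dual-active fast hello. If the VSL is lost, the standby would otherwise
! also become active, and two control planes would answer for the same
! IP addresses and MACs; fast hello detects this and puts the old active
! chassis into recovery mode with its ports shut.
interface GigabitEthernet1/5/1
 dual-active fast-hello
interface GigabitEthernet2/5/1
 dual-active fast-hello
```

Verify with `show switch virtual` (both chassis listed, one active, one standby), `show switch virtual link` (VSL up on the port channel), and `show switch virtual dual-active summary`, which should report the fast-hello interfaces as up. The security-relevant check is that last one: a VSS without working dual-active detection turns a single VSL failure into a split-brain event.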


More video about VSS

https://www.youtube.com/watch?v=RVwnXMVeKNs 

VSS on the 4500

https://www.youtube.com/watch?v=KUecqX1OIww


More Related

A Sample VSS Configuration for 2x Cisco Cat6500 with Supervisor 720

VSS on Cisco 4500/4500X Switches

Cisco 4500 VSS Requirement-Software, Hardware and Licensing

VSS Configuration on Cisco 6500


Cisco UCS 6324 Fabric Interconnect Review

August 11 2014 , Written by Cisco & Cisco Router, Network Switch Published on #Cisco & Cisco Network

At the end of July, Cisco quietly announced a new addition to the UCS family: a mini Fabric Interconnect, the UCS 6324 Fabric Interconnect, which unlike its predecessors plugs directly into the UCS 5108 chassis. With connectivity for up to 15 servers (8 blade servers and up to 7 direct-connect rack servers), the Cisco 6324 is geared toward small environments.

“The 6324 FI is out! What amazing hardware! This is a whole UCS in a 5108 Chassis. Now what I wonder is if this is just code? Being able to take a single chassis and install proper code and have a stand-alone UCS would be GREAT. This will be “Cool” if it is a special chassis, but a GAME CHANGER if any chassis will do with code only (and maybe certain models of IOM’s that might be on hand anyhow).” That was one reaction from Cisco fans.

It appears a new IOM is needed to make this work in a 5108 chassis.

[Figure: Cisco UCS 6324 Fabric Interconnect]

Cisco introduces the Cisco UCS 6324 Fabric Interconnect as follows.

The Cisco UCS 6324 Fabric Interconnect is a 10 Gigabit Ethernet, FCoE, and Fibre Channel switch offering up to 500-Gbps throughput and up to four unified ports and one scalability port.

The Cisco UCS 6324 Fabric Interconnect extends the Cisco UCS architecture into environments with requirements for smaller domains. Providing the same unified server and networking capabilities as in the full-scale Cisco UCS solution, the Cisco UCS 6324 Fabric Interconnect embeds the connectivity within the Cisco UCS 5108 Blade Server Chassis to provide a smaller domain of up to 15 servers (8 blade servers and up to 7 direct-connect rack servers).


Cisco 6324 FI Overview

[Figure: Cisco UCS 6324 FI module]

Each 6324 FI module contains:

  • 16 x 10GbE internal ports (2 per half-width slot)
  • 4 x 10Gb SFP+ external uplink ports
  • 1 x 40Gb QSFP+ scalability port
  • 1 x 10/100/1000 Mbps Management port for out-of-band management

The 4 external uplink ports can be configured as 1/10 Gigabit Ethernet or 2/4/8-Gbps Fibre Channel ports.  The scalability port is designed to allow for connectivity to up to 4 x UCS rack servers with a post-release feature of also allowing a 2nd UCS 5108 chassis to interconnect.

The 6324 FI provides Layer 2 forwarding with support for:

  • VLAN trunks
  • IEEE 802.1Q VLAN encapsulation
  • Support for up to 512 VLANs and 32 virtual SANs (VSANs) per interconnect
  • Jumbo frames on all ports (up to 9216 bytes)
  • Link Aggregation Control Protocol (LACP): IEEE 802.3ad
  • Internet Group Management Protocol (IGMP) Versions 1, 2, and 3 snooping
  • Advanced EtherChannel hashing based on Layer 2, 3, and 4 information
  • Pause frames (IEEE 802.3x)
  • Layer 2 IEEE 802.1p (class of service [CoS])


Based on information from UCSGuru, it is also rumored that an updated UCS 5108 blade chassis will be coming out soon, allowing heartbeat and cluster connectivity between the two UCS 6324 FI modules inside a chassis as well as support for dual-voltage power supplies. Is that real? We are looking forward to it.

More Related

Cisco Quietly Unveiled UCS 6324 for Small Businesses

Cisco UCS E-Series Blade Servers for Cisco 2900&3900 Series

Cisco Buying Tips: Cisco UCS Server

10 Tips You Should Know about Cisco UCS

Cisco Unified Computing System: UCS Components

Basic Tech Tips for Configuring UCS with VMware vSphere
