Cisco & Cisco Network Hardware News and Technology


Nine Switch Commands Every Cisco Network Engineer Needs to Know

October 30 2015 , Written by Cisco & Cisco Router, Network Switch Published on #Cisco & Cisco Network

There is no doubt that a Cisco network engineer needs experience with a wide variety of commands used with network technology. At the Cisco Certified Network Associate (CCNA) level, Cisco has indicated a number of commands that should be known from the start for Cisco network switches.

This article covers those commands, explaining what each one does and how it alters the behavior and/or use of a Cisco switch.

Some commands you need to know, with examples

#1: hostname hostname

One of the most basic network commands, hostname configures the hostname used for a device. This hostname identifies the device to other locally connected devices for protocols such as the Cisco Discovery Protocol (CDP), which helps in the identification of devices attached directly to the network. Although it is not case-sensitive, the hostname must follow certain rules: It must begin with a letter and end in a letter or digit, and interior characters must be letters, digits, or hyphens (-).

#2: ip default-gateway gateway

The ip default-gateway command configures the default gateway for a switch when IP routing is not enabled (with the ip routing global configuration command), which is typical when lower-level Layer 2 switches are being configured. The easiest way to determine whether IP routing has been enabled is to run the show ip route command. When IP routing has not been enabled, the output will look similar to the following example:

SW1#show ip route

Default gateway is 10.10.10.1

Host               Gateway           Last Use    Total Uses  Interface

ICMP redirect cache is empty

SW1#

When IP routing is enabled, the output looks similar to the output displayed on a router:

SW1#show ip route

Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP

       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

       E1 - OSPF external type 1, E2 - OSPF external type 2

       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2

       ia - IS-IS inter area, * - candidate default, U - per-user static route

       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP

       + - replicated route, % - next hop override

Gateway of last resort is not set

      10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks

C        10.10.10.0/24 is directly connected, Vlan1

L        10.10.10.10/32 is directly connected, Vlan1

SW1#

NOTE: The configuration entered with the ip default-gateway command has no effect when IP routing is enabled.

#3: username username {password | secret} password

The username command configures a username and associates a password with it. Using the password or secret version of this command is a matter of security:

  • The password version of this command will do one of two things with the configured password:
    • Place the password into the configuration in plaintext (if the service password-encryption command is not enabled).
    • Put the password through a Cisco-proprietary encryption algorithm before placing it into the configuration. (Note that this encryption is easily reversed.)
  • The secret version of this command will create an MD5 hash of the configured password and then place that hash into the configuration. This hashed password is much harder to crack than the encrypted version created with the password version of this command.

This username/password can be used for a number of different features, including Telnet and SSH.

#4: enable {password | secret} password

The enable command configures the password that will be used to access a switch's privileged configuration mode. Because all configuration of a Cisco IOS switch requires privileged configuration mode, keeping this password private is very important. As with the username command, this command has two options: password and secret. The differences between these two options are the same as those for the username command in the preceding section. The enable secret version of the command should be used in all production environments.

Console and Terminal Login Commands

Five commands are used to configure login via the console and virtual terminal (VTY) lines of a switch:

  • password
  • login
  • exec-timeout
  • service password-encryption
  • copy running-config startup-config

The following sections describe these individual commands.

Password password

When entered in line-configuration mode (console or terminal), the password command is used to configure the password that will be used to access a switch from that specific line, depending on the line mode (console or terminal). However, the password configured with this command is used only if the login command is used (which is the default).

Login [local]

The login command is used to enable password checking on a line. If this command is used without any parameters, the system will check the password entered at login against the one entered with the password command discussed in the preceding section. If used with the local parameter, both a username and a password will be prompted for, and the entries will then be checked against the local username database that was created with the username command discussed previously.

Exec-timeout minutes [seconds]

The exec-timeout command is used to configure the amount of time that can pass before a device considers the connection idle and disconnects. By default, timeout is set to 10 minutes. This timeout can be disabled with the no exec-timeout command. (This command is a shortcut and actually enters the exec-timeout 0 0 command into the configuration.)

Service password-encryption

The service password-encryption command is used to enable the encryption of configured passwords on a device. The passwords referenced with this command are the ones configured with a command's password parameter, such as username password and enable password. The passwords encrypted with this command are not highly encrypted and can be broken relatively easily. By and large this command is deprecated, as most network engineers will use the secret version of the appropriate commands; however, even weak protection is better than nothing.

Copy running-config startup-config

The copy running-config startup-config command (popularly shortened to copy run start) is one of the most fundamental commands learned by new Cisco network engineers. It copies the active configuration (running-config) on a device to non-volatile memory (NVRAM) as the startup-config, which preserves the configuration across a reload. Without this command, a configuration can be lost when a device is reloaded or powered off. The copy command can also be extended to save configurations and IOS images to and from a remote location, as well as between different locations on the local device.
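As an added example (not code from the Cisco Press article or from this blog), the following Python audit parses a constructed running-config excerpt and flags the weak forms of the commands covered above: "username ... password", "enable password", "no login", "exec-timeout 0 0" and a missing "service password-encryption". The hostnames, passwords and the "$1$PLACEHOLDER..." hash strings are placeholders, not values from a real device.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample running-config excerpt (not captured from a real device).
# The type 5 hash strings are placeholders, not real MD5 digests.
SAMPLE_CONFIG = """\
hostname SW1
no service password-encryption
username admin password 0 Cisco123
username ops secret 5 $1$PLACEHOLDER$placeholderhashvalue0000000
enable password Cisco123
!
line con 0
 exec-timeout 0 0
 password letmein
 login
line vty 0 4
 password letmein
 login local
 exec-timeout 5 0
line vty 5 15
 no login
"""

# The same excerpt after applying the article's recommendations.
HARDENED_CONFIG = """\
hostname SW1
service password-encryption
username ops secret 5 $1$PLACEHOLDER$placeholderhashvalue0000000
enable secret 5 $1$PLACEHOLDER$placeholderhashvalue0000000
!
line con 0
 exec-timeout 5 0
 login local
line vty 0 15
 exec-timeout 5 0
 login local
 transport input ssh
"""

USERNAME_PASSWORD = re.compile(r"^username\s+(\S+)\s+password\b")
ENABLE_PASSWORD = re.compile(r"^enable\s+password\b")
ENABLE_SECRET = re.compile(r"^enable\s+secret\b")


def parse_config(config: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split a config into global commands and the commands under each 'line' section."""
    global_cmds: List[str] = []
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line == "!":
            continue
        if line.startswith("line "):            # 'line con 0', 'line vty 0 4', ...
            current = line
            sections[current] = []
        elif line.startswith(" ") and current:  # indented: belongs to the open section
            sections[current].append(line.strip())
        else:                                   # any other top-level command closes it
            current = None
            global_cmds.append(line)
    return global_cmds, sections


def audit_config(config: str) -> List[str]:
    """Return one finding per weak setting; an empty list means nothing was flagged."""
    glb, sections = parse_config(config)
    findings: List[str] = []

    if "service password-encryption" not in glb:
        findings.append("global: service password-encryption is off; line and "
                        "'password'-style credentials are stored in plaintext")
    for cmd in glb:
        m = USERNAME_PASSWORD.match(cmd)
        if m:
            findings.append(f"global: user '{m.group(1)}' uses 'password' (reversible "
                            "type 7 at best); recreate it with 'username ... secret'")
    if any(ENABLE_PASSWORD.match(c) for c in glb):
        findings.append("global: 'enable password' is set; replace it with 'enable secret'")
    if not any(ENABLE_SECRET.match(c) for c in glb):
        findings.append("global: no 'enable secret' configured")

    for section, cmds in sections.items():
        if "no login" in cmds:
            findings.append(f"{section}: 'no login' disables password checking entirely")
        elif "login" in cmds:
            findings.append(f"{section}: 'login' checks only the shared line password; "
                            "prefer 'login local' with per-user secrets")
        if "exec-timeout 0 0" in cmds or "no exec-timeout" in cmds:
            findings.append(f"{section}: idle sessions never time out (exec-timeout 0 0)")
    return findings
```

Running audit_config over a real "show running-config" capture works the same way, since the parser only relies on the one-space indentation IOS uses under line sections.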

Network engineers must learn many Cisco OS commands in the process of becoming a CCNA (and beyond), and understanding these basic management commands is where the process starts. Without the knowledge of how to access devices, the complex commands are useless. You must understand when learning these concepts that they are intended to be stacked on top of each other. Lack of knowledge of a few base concepts undermines learning other, more advanced concepts that build on top of those basics.

The Reference Article from http://www.ciscopress.com/articles/article.asp?p=2420612


Cisco’s IoT Part-Cisco Mobile IP Gateway 2450

September 25 2015 , Written by Cisco & Cisco Router, Network Switch Published on #Cisco & Cisco Network, #Cisco Technology - IT News

The MIG-2450 is a gateway specifically designed for transportation solutions in environments such as buses, trains and planes.


Now, Cisco is focusing on the Internet of Things and delivering more than a dozen new IoT-focused products and a handful of services for channel partners. IoT can do many things for industries.

The IoT is transforming the mass transportation industry. With smart, connected devices, transit companies can monitor hundreds of details about vehicles, tracks, environmental conditions, and much more. IoT technology can also help businesses deliver the value-add services passengers are beginning to expect, such as onboard Wi-Fi.

The challenge for today’s transportation companies is to find secure, efficient ways to put this IoT technology to work. Connecting devices and endpoints across a complex, wide-ranging transportation network can take a lot of time and resources.

Cisco designed the Cisco Mobile IP Gateway 2450 to help simplify these tasks.

The MIG-2450 is a mobile connectivity gateway that delivers high availability communications between central offices, trackside operators, and transit vehicles by integrating GPS, Ethernet, Wi-Fi, and mobile broadband modems.

The MIG-2450 helps you comply with safety and interoperability regulations. It also gives you a way to collect and analyze data without the need for yet another piece of hardware to fit onboard a vehicle. And its modular design provides powerful connectivity for the services and applications that enhance the transportation experience for passengers and workers alike.

Benefits

• Automate and improve communication between the back office and transit vehicles.

• Boost efficiency and simplify decision making with visibility into vehicles, workers, and security system statuses.

• Enhance the user experience with new, value-added Wi-Fi services for passengers.

• Improve safety for passengers and employees with telematics, driver performance monitoring, and systems analytics applications.

• Reduce operational costs by automating systems management and streamlining PTC compliance for safety and speed enforcement.

Built for a Wide Range of Use Cases

The Cisco Mobile IP Gateway 2450 helps make your transportation operations more efficient, cleaner, and safer. And less costly to run.

With this critical component in your network infrastructure, you can:

• Provide high-performance passenger Wi-Fi

• Implement and manage onboard information systems

• Make transportation safer with wireless surveillance

• Comply more easily with safety and speed regulations

• Remotely monitor and manage mobile assets

• Monitor driver and vehicle performance in real time

• Run systems analytics applications

Offering Options for the Way You Do Business

The MIG-2450 delivers the following features:

• Hardened, scalable industrial system with a compact form factor, wide operating temperature range, fanless operation, and compliance with AAR Standard S-9401 and EN-50155

• Centralized management to allow operators to remotely monitor, control, and perform diagnostics

• Support for up to 4 Type-1 or 10 Type-2 interface cards for extensible connectivity

• Robust connectivity with support for quality of service (QoS), dynamic roaming, multilink load balancing and failover, and link monitoring

• Durable security through Internet Protocol Security (IPsec), Secure Shell (SSH), AES encryption, and datagram transport layer security (DTLS)

Info from http://www.cisco.com/c/dam/en/us/products/collateral/se/internet-of-things/at-a-glance-c45-735028.pdf

More new IoT-related products announced from Cisco (15 in total) include:

  • IE5000 purpose-built switch designed for manufacturing and cities.
  • IW3702 wireless access point for mass transit systems and city-wide wi-fi deployments.
  • IR 809 and IR 829 series of industrial routers with wi-fi and 4G/LTE connectivity for transportation organizations.
  • 4G/LTE modules for CGR 1000 for utility companies, 5921 Embedded Services Routers for industrial networking in remote locations.
  • 360° 5MP & 720p IP cameras for situational awareness. They're also outfitted with audio and digital sensors.
  • Physical security analytics applications that connect to the IP cameras.
  • Fog computing data services for the creation of policies that can monitor and then take action on data that flows through an IoT environment.
  • IoT Field Network Director for monitoring and customizing IoT network infrastructure.
  • Fog Director for centrally managing apps that run at the network's edge.

More Related

Cisco’s IoT Part-The Cisco 829 Industrial Integrated Services Routers

What Does the New Cisco IoT System Can Do for You?


GRE tunnel vs. IPsec tunnel

August 14 2015 , Written by Cisco & Cisco Router, Network Switch Published on #Cisco & Cisco Network

In the article "How to Configure a GRE Tunnel?" we talked about what tunneling is and how to configure a GRE tunnel. In this article we continue with the GRE tunnel and the IPsec tunnel: what are the differences?

Encapsulating a packet for secure transportation on the network can be done using either GRE or IPsec protocols. This tip explains under what circumstances each protocol works best.

Generic Routing Encapsulation (GRE), defined by RFC 2784, is a simple IP packet encapsulation protocol. GRE is used when IP packets need to be sent from one network to another, without being parsed or treated like IP packets by any intervening routers.

For example, in Mobile IP, a mobile node registers with a Home Agent. When the mobile node roams to a new network, it registers with a Foreign Agent there. Whenever IP packets addressed to the mobile node are received by the Home Agent, they can be relayed over a GRE tunnel to the Foreign Agent for delivery. It does not matter how the Home Agent and Foreign Agent communicate with each other -- hops in between just pass along the GRE packet. Only the GRE tunnel endpoints -- the two Agents -- actually route the encapsulated IP packet.

The IP Security (IPsec) Encapsulating Security Payload (ESP), defined by RFC 2406, also encapsulates IP packets. However, it does so for a different reason: To secure the encapsulated payload using encryption. IPsec ESP is used when IP packets need to be exchanged between two systems while being protected against eavesdropping or modification along the way.

For example, in a site-to-site VPN, a source host in network "A" transmits an IP packet. When that packet reaches the edge of network "A" it hits a VPN gateway. VPN gateway "A" encrypts the private IP packet and relays it over an ESP tunnel to a peer VPN gateway at the edge of network "B." VPN gateway "B" then decrypts the packet and delivers it to the destination host. Like GRE, it doesn't really matter how the two VPN gateways communicate with each other -- hops in between just pass along the ESP packet. But unlike GRE, someone at those hops could not possibly look at or change the encapsulated IP packet, even if they wanted to. That's because cryptographic algorithms have been applied to scramble the IP packet and detect any modification or replay.

Use GRE where IP tunneling without privacy is required -- it's simpler and thus faster. But, use IPsec ESP where IP tunneling and data privacy are required -- it provides security features that are not even attempted by GRE.

So,

  • IPsec stands for Internet Protocol Security while GRE stands for Generic Routing Encapsulation.
  • IPsec is the primary protocol of the Internet while GRE is not.
  • GRE can carry other routed protocols as well as IP packets in an IP network while IPsec cannot.
  • IPsec offers more security than GRE does because of its authentication feature.
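As an added illustration (not code from the original post), the following Python builds one constructed private packet, wraps it once in a GRE header (RFC 2784) and once in an ESP header (RFC 2406), and shows what a transit hop between the tunnel endpoints can read from each: the GRE case exposes the inner addresses and payload, the ESP case only the SPI and sequence number. The addresses and the ESP "ciphertext" bytes are constructed stand-ins; no real encryption is performed.

```python
import struct
from dataclasses import dataclass

IPPROTO_ICMP, IPPROTO_GRE, IPPROTO_ESP = 1, 47, 50
ETHERTYPE_IPV4 = 0x0800


def ipv4_checksum(hdr: bytes) -> int:
    """RFC 791 one's-complement checksum over an even-length header."""
    total = sum((hdr[i] << 8) | hdr[i + 1] for i in range(0, len(hdr), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def dotted(addr: bytes) -> str:
    return ".".join(str(b) for b in addr)


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal IPv4 header (no options) with a valid checksum, for constructed samples."""
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0x4000,
                      64, proto, 0, src_b, dst_b)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


@dataclass
class Ipv4:
    src: str
    dst: str
    proto: int
    payload: bytes


def parse_ipv4(pkt: bytes) -> Ipv4:
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    if ihl < 20 or total_len < ihl or len(pkt) < total_len:
        raise ValueError("truncated or malformed IPv4 packet")
    if ipv4_checksum(pkt[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    return Ipv4(dotted(pkt[12:16]), dotted(pkt[16:20]), pkt[9], pkt[ihl:total_len])


def parse_gre(data: bytes) -> dict:
    """RFC 2784 GRE header: C flag, reserved0, version, protocol type, optional checksum."""
    if len(data) < 4:
        raise ValueError("truncated GRE header")
    flags, ptype = struct.unpack("!HH", data[:4])
    if flags & 0x0007:
        raise ValueError("only GRE version 0 is handled")
    hlen = 8 if flags & 0x8000 else 4  # checksum + reserved1 follow when C is set
    if len(data) < hlen:
        raise ValueError("truncated GRE header")
    return {"protocol_type": ptype, "header_len": hlen}


def parse_esp(data: bytes) -> dict:
    """RFC 2406 ESP header: SPI and sequence number; everything after them is ciphertext."""
    if len(data) < 8:
        raise ValueError("truncated ESP header")
    spi, seq = struct.unpack("!II", data[:8])
    return {"spi": spi, "seq": seq, "ciphertext_len": len(data) - 8}


def transit_hop_view(pkt: bytes) -> dict:
    """What a router between the tunnel endpoints can learn from one tunnelled packet."""
    outer = parse_ipv4(pkt)
    view = {"outer_src": outer.src, "outer_dst": outer.dst, "tunnel": None, "inner": None}
    if outer.proto == IPPROTO_GRE:
        gre = parse_gre(outer.payload)
        view["tunnel"] = "GRE"
        if gre["protocol_type"] == ETHERTYPE_IPV4:  # inner IP packet is readable as-is
            inner = parse_ipv4(outer.payload[gre["header_len"]:])
            view["inner"] = {"src": inner.src, "dst": inner.dst,
                             "proto": inner.proto, "payload": inner.payload}
    elif outer.proto == IPPROTO_ESP:
        esp = parse_esp(outer.payload)  # only SPI/seq are visible; payload stays opaque
        view["tunnel"] = "ESP"
        view["spi"], view["seq"] = esp["spi"], esp["seq"]
    return view


# Constructed samples: the same private packet carried over GRE and over ESP.
INNER = build_ipv4("10.1.1.10", "10.2.2.20", IPPROTO_ICMP, b"ping")
GRE_PACKET = build_ipv4("192.0.2.1", "198.51.100.1", IPPROTO_GRE,
                        struct.pack("!HH", 0, ETHERTYPE_IPV4) + INNER)
# bytes(range(32)) stands in for ESP ciphertext; it is not real encryption output.
ESP_PACKET = build_ipv4("192.0.2.1", "198.51.100.1", IPPROTO_ESP,
                        struct.pack("!II", 0x01020304, 1) + bytes(range(32)))
```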

More Related Topics

Tips & Examples: Configuring a GRE Tunnel


Cisco TrustSec Software-Security Solution

July 13 2015 , Written by Cisco & Cisco Router, Network Switch Published on #Cisco & Cisco Network

Cisco TrustSec Support


Simplify Access Control without Network Redesign

What is Cisco TrustSec software? What benefits will you get from this security solution? You should read some tips about this. Nowadays, we know that business demand for cloud services, mobility, and the Internet of Things (IoT) has created exponential network growth and complexity. It has introduced risk, too. Each new user, device, and data connection represents a potential attack entry point. So your attack surface is expanding. How do you deal with this? Now you can control the situation with Cisco TrustSec. Embedded in your existing Cisco network infrastructure, the TrustSec security solution simplifies the provisioning and management of network access control. It uses software-defined segmentation to classify network traffic and enforce policies for more flexible access controls. Traffic classification is based on endpoint identity, not IP address, enabling policy change without network redesign.

TrustSec is powered by the Cisco Identity Services Engine. The centralized policy management platform gathers advanced contextual data about who and what is accessing your network. It then uses security group tags to define roles and access rights and pushes the associated policy to your TrustSec-enabled network devices, such as switches, routers, and security equipment.

You get better visibility through richer contextual information, are better able to detect threats, and accelerate remediation. So you can reduce the impact and costs associated with a potential breach.

What are the Main Benefits You can Get?

Quickly isolate and contain threats using technology already in your network.

Limit the impact of data breaches by dynamically segmenting your network.

Centrally apply and enforce granular and consistent policies across wired, wireless, and remote-access users and devices.

Reduce operational expenses by defining firewall and access control rules based on asset or application context.

Easily provide dynamic campus segmentation to enforce security policies in quickly changing environments without provisioning and maintaining access control lists.

Cater to changing workforces and business relationships by defining security groups based on business roles, not IP addresses.

How It Works

Traditional network segmentation approaches use IP-address-based access control lists (ACLs), VLAN segmentation, and firewall policies that require extensive manual maintenance. Cisco TrustSec simplifies the effort by dynamically grouping machines into objects, called security groups, and provisioning security policies between those objects.

The interaction of systems is determined by the security-group-based policies, eliminating the need for VLAN or address-based policy provisioning. TrustSec is available in virtual and physical switches and treats virtual and physical workloads across the campus and data center consistently.

“Effective network segmentation... reduces the extent to which an adversary can move across the network.”

US Department of Homeland Security

United States Computer Emergency Readiness Team

More: http://www.cisco.com/c/en/us/solutions/enterprise-networks/trustsec/index.html


Cisco Catalyst 6500 Series VSS 1440

September 9 2014 , Written by Cisco & Cisco Router, Network Switch Published on #Cisco & Cisco Network

VSS is a network system virtualization technology that pools multiple Cisco Catalyst 6500 Series Switches into one virtual switch, increasing operational efficiency, boosting nonstop communications, and scaling system bandwidth capacity to 1.4 Tbps. The switches operate as a single logical virtual switch called a Virtual Switching System 1440 (VSS1440). A VSS is formed by two Cisco Catalyst 6500 Series Switches with the Virtual Switching Supervisor 720-10GE.

In a VSS, the data plane and switch fabric of the supervisor engine in each chassis, each with a capacity of 720 Gbps, are active at the same time on both chassis, combining for an active 1400-Gbps switching capacity per VSS. Only one of the virtual switch members has the active control plane. Both chassis are kept in sync with the inter-chassis Stateful Switchover (SSO) mechanism along with Nonstop Forwarding (NSF) to provide nonstop communication even in the event of failure of one of the member supervisor engines or chassis.

 

The Cisco Catalyst 6500 Series Virtual Switching System (VSS) 1440 allows for the merging of two physical Cisco Catalyst 6500 Series Switches together into a single, logically managed entity. The following figure graphically represents this concept where you can manage two Cisco Catalyst 6509 chassis as a single, 18-slot chassis after enabling Cisco Virtual Switching System.

[Figure: Virtual Switching System 1440 (Virtual-Switching-System-1440.jpg)]

The Cisco Catalyst 6500 Virtual Switching System (VSS) 1440 takes the flagship Catalyst 6500 platform to the next level with network system virtualization.

Virtual Switching System 1440 Redundancy State

[Figure: Virtual Switching System 1440 Redundancy State (Virtual-Switching-System-1440-Redundancy-State.jpg)]

Creating a VSS 1440

The key enabler of a VSS 1440 is the Virtual Switching Supervisor 720-10G. Any two Cisco Catalyst 6500 Series Switches with this supervisor engine can be pooled together into a VSS 1440*. The two switches are connected with 10 GbE links called Virtual Switch Links (VSLs). Once a VSS 1440 is created it acts as a single virtual Catalyst switch delivering the following benefits:

Operational Manageability

  • Two Catalyst 6500s share a single point of management, single gateway IP address, and single routing instance
  • Eliminates the dependence on First Hop Redundancy Protocols (FHRP) and Spanning Tree Protocol

 

Non-Stop Communications

  • Delivers deterministic, sub-200 millisecond layer 2 link recovery through inter-chassis stateful failovers and the predictable resilience of Etherchannel

 

Scales to 1.4 Tbps

  • Scales system bandwidth capacity to 1.4 Tbps by activating all available bandwidth across redundant Catalyst 6500 switches
  • Up to 132 ports of 10 GbE per system

 

What are the benefits of using VSS?

VSS offers superior benefits compared to traditional Layer 2/Layer 3 network design. VSS increases operational efficiency by simplifying the network, reducing switch management overhead by at least 50 percent. There is a single point of management, a single IP address, a single routing instance, and a single configuration file and node to manage, so you do not have to configure two switches with identical policies and other configuration. It eliminates the requirement for HSRP, VRRP or GLBP, and you use just one IP address instead of the three used with any FHRP.

Multichassis EtherChannel (MEC) is a Layer 2 multipathing technology that creates simplified loop-free topologies, eliminating the dependency on Spanning Tree Protocol (which can still be left active strictly to protect against user misconfiguration). With X2-10GB-ER 10 Gigabit Ethernet optics, the switches can be located up to 40 km apart.

Inter-chassis stateful failover results in no disruption to applications that rely on network state information (for example, forwarding table info, NetFlow, Network Address Translation [NAT], authentication, and authorization). VSS eliminates L2/L3 protocol reconvergence if a virtual switch member fails, resulting in deterministic subsecond virtual switch recovery.

VSS activates all available Layer 2 bandwidth across redundant Cisco Catalyst 6500 Series Switches with automatic, even load sharing. Link load sharing is optimized because it is based on more granular information, such as L2/L3/L4 parameters, unlike the virtual LAN (VLAN)-based load balancing of a Spanning Tree Protocol configuration.

 

More videos about VSS

https://www.youtube.com/watch?v=RVwnXMVeKNs 

VSS on the 4500

https://www.youtube.com/watch?v=KUecqX1OIww

 

More Related

A Sample VSS Configuration for 2x Cisco Cat6500 with Supervisor 720

VSS on Cisco 4500/4500X Switches

Cisco 4500 VSS Requirement-Software, Hardware and Licensing

VSS Configuration on Cisco 6500


Cisco UCS 6324 Fabric Interconnect Review

August 11 2014 , Written by Cisco & Cisco Router, Network Switch Published on #Cisco & Cisco Network

At the end of July, Cisco quietly announced a new addition to the UCS family: a mini Fabric Interconnect, called the UCS 6324 Fabric Interconnect, which, unlike the ones before it, plugs directly into the UCS 5108 chassis. With connectivity for up to 15 servers (8 blade servers and up to 7 direct-connect rack servers), the Cisco 6324 is geared toward small environments.

“The 6324 FI is out! What amazing hardware! This is a whole UCS in a 5108 Chassis. Now what I wonder is if this is just code? Being able to take a single chassis and install proper code and have a stand-alone UCS would be GREAT. This will be “Cool” if it is a special chassis, but a GAME CHANGER if any chassis will do with code only (and maybe certain models of IOMs that might be on hand anyhow).” Some Cisco fans said things like that.

It appears a new IOM is needed to make this work in a 5108 chassis.

[Figure: Cisco Fabric Interconnect 6324 (Cisco-Fabric-Interconnect-6324.jpg)]

Cisco introduces the Cisco UCS 6324 Fabric Interconnect as follows.

The Cisco UCS 6324 Fabric Interconnect is a 10 Gigabit Ethernet, FCoE, and Fibre Channel switch offering up to 500-Gbps throughput and up to four unified ports and one scalability port.

The Cisco UCS 6324 Fabric Interconnect extends the Cisco UCS architecture into environments with requirements for smaller domains. Providing the same unified server and networking capabilities as in the full-scale Cisco UCS solution, the Cisco UCS 6324 Fabric Interconnect embeds the connectivity within the Cisco UCS 5108 Blade Server Chassis to provide a smaller domain of up to 15 servers (8 blade servers and up to 7 direct-connect rack servers).

 

CISCO 6324 FI Overview

[Figure: Cisco UCS 6324 FI (Cisco-UCS-6324FI.jpg)]

Each 6324 FI module contains:

  • 16 x 10GbE internal ports (2 per 1/2 width slot)
  • 4 x 10Gb SFP+ external uplink ports
  • 1 x 40Gb QSFP+ scalability port
  • 1 x 10/100/1000 Mbps Management port for out-of-band management

The 4 external uplink ports can be configured as 1/10 Gigabit Ethernet or 2/4/8-Gbps Fibre Channel ports.  The scalability port is designed to allow for connectivity to up to 4 x UCS rack servers with a post-release feature of also allowing a 2nd UCS 5108 chassis to interconnect.

The 6324 FI provides Layer 2 forwarding with support for:

  • VLAN trunks
  • IEEE 802.1Q VLAN encapsulation
  • Support for up to 512 VLANs and 32 virtual SANs (VSANs) per interconnect
  • Jumbo frames on all ports (up to 9216 bytes)
  • Link Aggregation Control Protocol (LACP): IEEE 802.3ad
  • Internet Group Management Protocol (IGMP) Versions 1, 2, and 3 snooping
  • Advanced EtherChannel hashing based on Layer 2, 3, and 4 information
  • Pause frames (IEEE 802.3x)
  • Layer 2 IEEE 802.1p (class of service [CoS])

 

UPDATED: based on the information from UCSGuru (below), it is also rumored that a new, updated UCS 5108 blade chassis will be coming out soon, which will allow for heartbeat and cluster connectivity between the UCS 6324 FI modules inside a chassis as well as support for “dual voltage” power supplies. Is that real? We are looking forward to it.

More Related

Cisco Quietly Unveiled UCS 6324 for Small Businesses

Cisco UCS E-Series Blade Servers for Cisco 2900&3900 Series

Cisco Buying Tips: Cisco UCS Server

10 Tips You Should Know about Cisco UCS

Cisco Unified Computing System: UCS Components

Basic Tech Tips for Configuring UCS with VMware vSphere


Cisco Universal PoE, Unleash the Power of Your Network

March 26 2014 , Written by Cisco & Cisco Router, Network Switch Published on #Cisco & Cisco Network

The IEEE 802.3 Power over Ethernet (PoE) standard sets the maximum power that can be sourced by data terminal equipment (DTE) at 30W. This power is sourced over two pairs out of the four twisted pairs of conductors in a Class D, or better, cabling as specified in ISO/IEC 11801:1995.

[Figure: Cisco Universal PoE (Cisco-Universal-PoE.jpg)]

Cisco Universal Power over Ethernet (UPOE) is a Cisco proprietary technology that extends the IEEE 802.3 PoE standard to provide the capability to source up to 60W of power over standard Ethernet cabling infrastructure (Class D or better).

[Figure: Cisco UPOE (Cisco-UPOE.jpg)]

Why Should I Care About Cisco UPOE?

Power over Ethernet has long been hailed as the single most critical innovation that has revolutionized and expedited the adoption of IP telephony in the enterprise market segment. The power rating for electronic products is trending down through advances in semiconductor technology, and the cost of power itself is trending up. UPOE extends the benefits offered by PoE technology to a much wider range of devices due to the higher power envelope.

Some of the key primary benefits of UPOE are:

Cisco UPOE offers high availability for power and guarantees uninterrupted services, a requirement for critical applications (e911).

Cisco UPOE lowers OpEx by providing network resiliency at lower cost by consolidating backup power into the wiring closet.

Cisco UPOE enables faster deployment of new campus access networking infrastructures by eliminating the need for a power outlet for every endpoint.

Cisco UPOE, in combination with Cisco EnergyWise, helps meet corporate sustainability mandates while lowering energy costs.

What Applications and End Devices Does Cisco UPOE Enable?

Cisco UPOE simplifies network infrastructures, extends high availability for power (PoE resiliency), and delivers lower total cost of ownership for connected environments such as virtual desktop infrastructure (VDI), financial trading floor, enterprise workspace, conference rooms, hospitality guest suites, and retail. Partnerships with industry leaders and in-house development together have resulted in a variety of end devices that are compatible with Cisco UPOE. A few notable end devices are:

Samsung integrated display VDI zero clients

LG Electronic Monitor using UPOE Power Splitter

BT, IPC and SpeakerBus IP Turrets

Cisco Catalyst compact switches

Personal Cisco TelePresence systems

Building management and physical security device

 

What Primary Verticals Does UPOE Address?

UPOE and the associated partner ecosystem (Cisco Developer Network) provide solutions for the following verticals:

Enterprise workspace

Financial trading floor

Hospitality

Retail

Enterprise facilities management

 

What Is the Effect of Cisco UPOE on Heat Dissipated Within the Cabling Infrastructure?

Cisco UPOE is an efficient mechanism for power delivery since it uses all four twisted pairs of conductors within the Ethernet cabling to deliver power (as opposed to the two twisted pairs used by PoE+). This effectively halves the channel losses for the same power delivered over UPOE vs. PoE+. Moreover, the recommendation published by the cabling standards bodies — ISO/IEC and TIA/TR-42, as part of a formal liaison communiqué with IEEE 802.3 — indicates that UPOE can be supported over the same standard cabling infrastructures that conform to PoE+ requirements.

 

On Which Switching Platform Is Cisco UPOE Being Introduced?

Cisco UPOE is being introduced on the Cisco Catalyst 4500E Series Switches, the most widely deployed modular access switching platform in the industry. The platform has time and again demonstrated leadership in this space, specifically with PoE+, where the Cisco Catalyst 4500 was the first enterprise-class switch to deliver PoE+ compliant switches, two years before the introduction of the IEEE PoE+ standard. UPOE is being introduced on the Cisco Catalyst 4500E platform in the form of a new E-Series line card, WS-X4748-UPOE+E, that is compatible with Supervisor Engine 8-E, 7-E, 7L-E and beyond. Cisco UPOE is backward compatible with both PoE (IEEE 802.3af) and PoE+ (IEEE 802.3at).

 

What Is the UPOE Scalability on a Cisco Catalyst 4500E System?

Each WS-X4748-UPOE+E line card has a total available power budget of 1440W that can be allocated to the 48 front panel ports with a maximum of 60W per port. This provides the capability to power a maximum of 24 ports simultaneously at 60W. With five such line cards on a single system, the maximum number of ports that can simultaneously source 60W is 116. Moreover, each port also supports LLDP-based dynamic power negotiation capability that permits the end device to communicate the exact power requirement to the switch, which in turn enables smart budgeting of power to maximize the total number of UPOE devices that can be powered on a single line card.

How Is Power Budgeted to Individual Ports?

In addition to extending the power envelope defined by the IEEE 802.3 standard, UPOE also extends the LLDP-PoE dynamic power negotiation protocol defined by IEEE 802.3 to facilitate mutual identification and dynamic budgeting of power to individual ports. Additionally, UPOE also provides the users the capability to statically configure port power budget to enable devices that do not support the LLDP-PoE extensions for UPOE support.
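As an added illustration (not part of the original Q&A), here is how the two budgeting modes described above look on a Catalyst 4500E running IOS XE: one port left to LLDP negotiation and one port given a static 60 W reservation for a device that cannot negotiate. Interface names and the 60 W figure are assumptions; "power inline four-pair forced" is the knob Cisco documents for UPOE devices without LLDP support, and the exact keywords and wattage ranges should be checked against the configuration guide for your release.

```text
! Added example, not from the original Q&A. Interfaces and wattage are assumed.
lldp run
!
! A device that speaks LLDP-PoE (LLDP-MED power TLVs) tells the switch its exact
! requirement, and the switch budgets only that amount from the slot's 1440 W.
interface GigabitEthernet1/1
 power inline auto
!
! A device with no LLDP support cannot negotiate, so reserve the full 60 W budget
! for the port statically and force four-pair delivery (verify on your release).
interface GigabitEthernet1/2
 power inline static max 60000
 power inline four-pair forced
!
! Check what was budgeted versus what the device actually draws, and how much of
! the slot's budget remains for further UPOE ports.
show power inline GigabitEthernet1/2 detail
show power inline module 1
```

The static reservation is charged against the line card's budget whether or not the device draws it, so use it only for devices that really cannot negotiate; every statically reserved 60 W port removes one slot from the 24 that the card can power at full UPOE simultaneously.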

How Does UPOE Tie in with Cisco’s Overall Enterprise Campus Access Strategy?

With the introduction of the Supervisor Engine 8-E, 7-E and 7L-E, the Cisco Catalyst 4500E has become Cisco's leading modular campus access platform. The platform not only offers unprecedented switching bandwidth, with line-rate switching to all user access ports and 10G uplinks, but has also been the first platform to deliver next-generation services such as sub-second ISSU, Flexible NetFlow, Cisco TrustSec security, Wireshark as a hosted application, and medianet innovations. High availability and lower TCO continue to be the underlying goals for the platform. Cisco UPOE extends high availability to power delivery while minimizing both the CapEx and OpEx involved.

 More Cisco Network Topics:

Cisco Catalyst 4500 Series Line Cards Overview

Need Cisco Inline Power, POE or the New POE+?

FAQ: Power over Ethernet (PoE) Power Requirements


Cisco Access Control Lists (ACLs)

February 13 2014 , Written by Cisco & Cisco Router, Network Switch Published on #Cisco & Cisco Network

Access control lists (ACLs) can be used for two purposes on Cisco devices: to filter traffic and to identify traffic.

Cisco provides basic traffic filtering capabilities with access control lists (also referred to as access lists). Access lists can be configured for all routed network protocols (IP, AppleTalk, and so on) to filter the packets of those protocols as the packets pass through a router.

You can configure access lists at your router to control access to a network: access lists can prevent certain traffic from entering or exiting a network.

Access lists filter network traffic by controlling whether routed packets are forwarded or blocked at the router's interfaces. Your router examines each packet to determine whether to forward or drop the packet, on the basis of the criteria you specified within the access lists.

Access list criteria could be the source address of the traffic, the destination address of the traffic, the upper-layer protocol, or other information.

Note that sophisticated users can sometimes successfully evade or fool basic access lists because no authentication is required.

Why do you need to configure Cisco ACLs? For example, you can use access lists to restrict contents of routing updates or to provide traffic flow control. One of the most important reasons to configure access lists is to provide security for your network.

You should use access lists to provide a basic level of security for accessing your network. If you do not configure access lists on your router, all packets passing through the router could be allowed onto all parts of your network.

Access lists can allow one host to access a part of your network and prevent another host from accessing the same area. In the following figure, host A is allowed to access the Human Resources network, and host B is prevented from accessing the Human Resources network.

[Figure: Using traffic filters to prevent traffic from being routed to a network]

You can also use access lists to decide which types of traffic are forwarded or blocked at the router interfaces. For example, you can permit e-mail traffic to be routed, but at the same time block all Telnet traffic.

Access lists should be used in "firewall" routers, which are often positioned between your internal network and an external network such as the Internet. You can also use access lists on a router positioned between two parts of your network, to control traffic entering or exiting a specific part of your internal network.

To provide the security benefits of access lists, you should at a minimum configure access lists on border routers—routers situated at the edges of your networks. This provides a basic buffer from the outside network, or from a less controlled area of your own network into a more sensitive area of your network.

On these routers, you should configure access lists for each network protocol configured on the router interfaces. You can configure access lists so that inbound traffic or outbound traffic or both are filtered on an interface.

Access lists must be defined on a per-protocol basis. In other words, you should define access lists for every protocol enabled on an interface if you want to control traffic flow for that protocol.

Full guide to Cisco access lists: http://www.cisco.com/en/US/docs/ios/12_2/security/configuration/guide/scfacls.html
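The following is an added example, not from the article or the linked Cisco guide: an IOS named extended ACL that implements the two scenarios described above (host A permitted to the Human Resources network while host B is denied, and e-mail permitted while Telnet is blocked), applied inbound on the interface facing the hosts. All addresses, the mail server and the interface name are assumed.

```text
! Added example, not from the original article. Assumed addressing:
!   host A 10.1.1.10, host B 10.1.1.20, HR network 10.2.0.0/24, mail server 10.2.0.25
!   hosts A and B sit behind GigabitEthernet0/1, so the list is applied inbound there.
ip access-list extended FILTER-TO-HR
 remark host A may reach HR, host B may not (wildcard 0.0.0.255 = a /24)
 permit ip host 10.1.1.10 10.2.0.0 0.0.0.255
 deny   ip host 10.1.1.20 10.2.0.0 0.0.0.255 log
 remark e-mail (SMTP) to the mail server is routed, Telnet is blocked everywhere
 permit tcp any host 10.2.0.25 eq smtp
 deny   tcp any any eq telnet log
 remark entries are matched top-down and unmatched packets hit the implicit deny,
 remark so the remaining traffic must be permitted explicitly if this router is
 remark not meant to be a "firewall" router
 permit ip any any
!
interface GigabitEthernet0/1
 ip access-group FILTER-TO-HR in
!
! Verification: hit counters show which entries are matching, and the "log"
! keyword on the deny entries records the sources that were blocked.
show access-lists FILTER-TO-HR
show ip interface GigabitEthernet0/1 | include access list
```

Two points the example is meant to show: order matters (host B is denied before the SMTP permit, so host B cannot even send mail into HR), and the trailing "permit ip any any" is a deliberate choice, not a default. Leave it out on a border router, where the implicit deny is the buffer the article describes, and keep the "log" keyword on the deny lines so that blocked attempts are visible in syslog.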

More Related Cisco ACLs Topics:

Cisco ACL In and Out Questions


Cisco Business Edition 6000 General Qs

November 26 2013 , Written by Cisco & Cisco Router, Network Switch Published on #Cisco & Cisco Network

Cisco Business Edition 6000 (BE 6000) is a packaged solution optimized for medium-sized business requirements. It combines Cisco Unified Communications applications with the Cisco Unified Computing System (Cisco UCS) and offers midsize customers business agility and reduced TCO through server consolidation, operational efficiency and scalability, improved business continuity, and greater investment leverage.

Cisco BE 6000 consists of the following foundational elements:

• Cisco UCS C220 M3 Rack-Mount Server

• Cisco UC Virtualization Hypervisor

• Cisco Licensing

• Cisco Unified Communications Manager

• Cisco Instant Messaging and Presence with the Cisco Jabber messaging integration platform

• Cisco Unity Connection

• Cisco Prime Collaboration Provisioning

You can optionally install the following applications to the BE 6000 solution:

• Advance Video with Cisco TelePresence conferencing application

• Cisco Unified Contact Center Express

• Cisco Emergency Responder

• Cisco Paging Server

• Cisco Unified Provisioning Manager (older option of management application)

• Cisco Unified Attendant Console (not preloaded; needs to be purchased separately)

In addition, Cisco BE 6000 integrates with cloud-based Cisco WebEx Software-as-a-Service offerings including WebEx Connect IM and Presence, as well as WebEx Web Conferencing.

Cisco BE 6000 comes with two hardware options of the Cisco UCS C220 M3 Server:

1. The Medium Density server supports a maximum of five virtual machines (four collaboration applications and one management application) - support for a maximum of 1200 devices.

2. The High Density server supports a maximum of nine virtual machines (eight collaboration applications and one management application) - support for a maximum of 2500 devices.

Note: Both options support a maximum of 1000 users.

What is the difference between Cisco Business Edition 6000 and generic unified communications applications on Cisco UCS ("UC on UCS")? The following table shows the differences between Cisco BE 6000 and deployments with Unified Communications applications on Cisco UCS.

[Figure: Differences Between Cisco BE 6000 and Deployments with Unified Communications Applications on Cisco UCS]

Maximum Capacities of Cisco BE 6000

Attribute                                            Capacity
Maximum number of users                              1000 users
Maximum number of mailboxes and voicemail ports      1000 mailboxes and 24 voicemail ports per server
Message storage                                      Approximately 72,944 G.711 codec minutes
Number of contact center agents                      100 agents and 10 supervisors
Number of presence users                             1000 presence users
Number of devices supported                          Medium Density server: 1200; High Density server: 2500
Maximum number of co-resident applications           Medium Density server: five (4 collaboration + 1 management);
  per server                                         High Density server: nine (8 collaboration + 1 management)
Busy-hour call attempts                              5000

About Deployment Model-Cisco Business Edition 6000

Cisco BE 6000 supports fully featured redundancy for both LAN and WAN environments. You can deploy a redundant server for Cisco Unified Communications Manager, Cisco Unity Connection, Cisco Unified Presence, and Cisco Unified Contact Center Express applications in a remote location over your WAN.

The Cisco BE 6000 Medium Density server supports up to five co-resident applications. In addition, the Cisco Virtualization Hypervisor software and license come standard with Cisco BE 6000 and are entitled for two CPU sockets and 16 GB of virtual memory for deploying additional applications. The following are example configuration scenarios:

Scenario 1: Fully redundant configuration

• Cisco BE6000 Medium Density server 1: Cisco Unified Communications Manager, Cisco Unity Connection, Cisco Unified Presence, Cisco Unified Contact Center Express, and Cisco Unified Provisioning Manager (primary)

• Cisco BE6000 Medium Density server 2: Cisco Unified Communications Manager, Cisco Unity Connection, Cisco Unified Presence, and Cisco Unified Contact Center Express (secondary)

• Cisco BE6000 Medium Density server 3: Cisco Unified Attendant Console

Scenario 2: Redundancy for Cisco Unified Communications Manager with Cisco Unified Contact Center Express only

• Cisco BE6000 Medium Density server 1: Cisco Unified Communications Manager, Cisco Unity Connection, Cisco Unified Presence, Cisco Unified Contact Center Express, and Cisco Unified Provisioning Manager (primary)

• Cisco BE6000 Medium Density server 2: Cisco Unified Communications Manager, Cisco Unified Attendant Console, and Cisco Unified Contact Center Express (secondary)

Scenario 3: Cloud-based IM and presence

• Cisco BE6000 Medium Density server 1: Cisco Unified Communications Manager, Cisco Unity Connection, Cisco Unified Contact Center Express, Cisco Unified Attendant Console, and Cisco Unified Provisioning Manager (primary)

• Cisco BE6000 Medium Density server 2: Cisco Unified Communications Manager, Cisco Unity Connection, and Cisco Unified Contact Center Express (secondary)

Optional Cisco Virtualization Foundation Edition is entitled for two CPU sockets and 32 GB of virtual memory and enables the VMware vCenter compatibility feature.

Cisco Business Edition 6000 supports more than two nodes in the cluster. You can deploy Cisco BE 6000 with more than three nodes in the cluster as long as the user count does not exceed 1000 users.

Other common questions: Is the Cisco Prime Collaboration Provisioning bundled with Business Edition 6000 different from the enterprise version of Cisco Prime Collaboration Provisioning? I have been using Cisco Unified Provisioning Manager Business Edition to manage Business Edition 6000; how do I migrate to the new management application, Cisco Prime Collaboration Provisioning? Can I install Cisco Business Edition 6000 on a different specifications-based Cisco UCS server or on a third-party server? Can I install a third-party application server on Cisco Business Edition 6000 hardware? For these and more questions about Cisco BE6000 and its licensing options, read the full Cisco Business Edition 6000 Q&A.

More Cisco BE6000 REVIEWS:

Cisco BE6000 (Business Edition 6000) Solution


Common Issues with ASA 8.6 Version

November 14 2013 , Written by Cisco & Cisco Router, Network Switch Published on #Cisco & Cisco Network

This article describes an issue a user ran into on ASA software version 8.6.

The problem:

The user is running an ASA 5525-X with software version 8.6 and is trying to ping the next hop from each of the firewall's interfaces, but only one of the three works. The test results are:

     Can PING between the outside interface and the next hop (same subnet)

     Cannot PING between the inside interface and the next hop (same subnet)

     Cannot PING between the DMZ interface and the next hop (same subnet)

Please see below configuration for firewall for reference.

interface GigabitEthernet0/0
 speed 100
 duplex full
 nameif outside
 security-level 0
 ip address 16.x.x.x 255.255.255.248
!
interface GigabitEthernet0/1
 no nameif
 security-level 0
 no ip address
!
interface GigabitEthernet0/1.16
 vlan 16
 nameif inside
 security-level 100
 ip address 17.x.x.x 255.255.255.0
!
interface GigabitEthernet0/3
 no nameif
 security-level 0
 no ip address
!
interface GigabitEthernet0/3.69
 vlan 69
 nameif dmz
 security-level 50
 ip address 18.x.x.x 255.255.255.0
!
access-list o_inside extended permit icmp any any
access-list o_inside extended permit icmp any any echo
access-list o_inside extended permit icmp 17.x.x.x (Inside interface) 255.255.0.0 18.x.x.x (DMZ interface) 255.255.255.0
!
access-list o_dmz extended permit icmp any any
access-list outside extended permit icmp any any
access-list outside extended permit icmp any any echo-reply
!
icmp permit any outside
icmp permit any dmz
!
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
!
route inside 17.x.0.0 (Whole inside interface subnet) 255.255.0.0 17.x.x.x (Internal Network) 1
route dmz 17.x.x.0 (Internal) 255.255.255.0 18.x.x.x (DMZ Network) 1
route outside 18.x.x.0 (DMZ) 255.255.255.0 16.x.x.x (Outside Network) 1

The user wants to know what should be added to achieve the result described above.

 

Solution:

By default, with no icmp commands configured for an interface, the ASA accepts ICMP directed at that interface, so pinging the next hop from the ASA itself should work without any extra configuration. The icmp command only governs ICMP that terminates on the ASA's own interfaces; traffic passing through the ASA is governed by the interface access lists instead.

Check the output of "show arp" and see whether the IP address (and the MAC address) of the host/router you are trying to ping appears on the interface in question. If the ARP entry is missing, the problem is at Layer 2 rather than in the ASA's ICMP or NAT configuration: note that the two interfaces that fail are both 802.1Q subinterfaces (VLAN 16 and VLAN 69) while the one that works is a plain physical interface, so confirm that the neighbouring switch ports are trunks carrying exactly those VLANs. Also check "show route": the static routes in the posted configuration send a 17.x.x.0/24 network out the dmz interface and the 18.x.x.0/24 network out the outside interface, although those networks appear to be directly connected on inside and dmz. The ASA prefers connected routes, but entries like these should be removed so that the routing table matches the topology.

 

The four pre-8.3 "static" commands below are fairly basic, but two of them are static identity NAT configurations that you probably won't need in the new software. The following two probably need no corresponding configuration in the new ASA software, since inside-to-dmz traffic should pass without any NAT configuration:

static (dmz,inside) 192.168.1.85 192.168.1.85 netmask 255.255.255.255
static (inside,dmz) 172.16.0.0 172.16.0.0 netmask 255.255.0.0

The static NAT configurations below can easily be converted to Auto NAT (network object NAT). Use object names that describe the setup rather than generic ones like the STATIC-1 and STATIC-2 used here:

static (dmz,outside) 200.190.70.87 192.168.1.56 netmask 255.255.255.255
static (dmz,outside) 200.190.70.85 192.168.1.85 netmask 255.255.255.255

object network STATIC-1
 host 192.168.1.56
 nat (dmz,outside) static 200.190.70.87
!
object network STATIC-2
 host 192.168.1.85
 nat (dmz,outside) static 200.190.70.85

 

The best way to find problems with the ASA configuration is the "packet-tracer" command. It tells you whether traffic is being blocked by an ACL or is failing because of NAT.

For a connection coming from behind the "outside" interface you can use this form of the command:

packet-tracer input outside tcp <source ip> 12345 <server nat ip> <destination port>

To test anything else, change "input <interface name>" to the interface where the traffic is sourced. You will also have to choose between "tcp", "udp" and "icmp" as appropriate and select the source/destination IP addresses and ports.

 

Collecting the following output should help in troubleshooting: "packet-tracer" output for both of the cases mentioned above, for example a connection from "outside" to the "dmz" server, and the earlier problem of a connection from "inside" to the "dmz" server.

 

If you are doing Dynamic PAT from "inside" to "dmz" and you remove the "static" commands above that refer to "(inside,dmz)", users would no longer be able to connect from "dmz" to those "inside" IP addresses. This is the main reason Dynamic PAT is not encouraged between local interfaces: it complicates the NAT configuration, because extra NAT rules have to be added to override the problems the Dynamic PAT causes.

 

For the "management" interface you probably don't need any new NAT configuration.

 

Dynamic PAT from "inside" to "dmz" means that you would also need the Static Identity NAT configuration mentioned above in the new software; otherwise the ASA would drop the connection attempts. The Dynamic PAT rule itself looks like the following, assuming the network objects inside-pat-source and dmz-pat-global have been defined:

nat (inside,dmz) after-auto source dynamic inside-pat-source dmz-pat-global
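As an added, worked example (not from the original post or the user's configuration), here is the verification sequence the solution describes, plus the 8.3-and-later twice NAT identity rule that takes the place of the old "static (inside,dmz)" identity entries when Dynamic PAT between inside and dmz is in use. Addresses follow the masked 17.x.x.x/18.x.x.x scheme of the posted configuration; INSIDE-NET, DMZ-NET and the host addresses are assumptions.

```text
! Added example, not from the original post. Addresses and object names are assumed.
!
! 1. Is the next hop reachable at Layer 2 from the failing interface at all?
!    A missing ARP entry points at VLAN tagging/trunking, not at ASA policy.
ciscoasa# ping inside 17.x.x.1
ciscoasa# show arp | include inside
ciscoasa# show interface GigabitEthernet0/1.16
ciscoasa# show route
!
! 2. ICMP to the ASA's own interfaces. icmp rules are per interface: inside has
!    none, so all ICMP to it is already allowed. The explicit permit only matters
!    once any other icmp rule (e.g. a deny) is added for that interface.
ciscoasa(config)# icmp permit any inside
!
! 3. Trace an inside host pinging a dmz host through the ASA
!    (icmp type 8 = echo request, code 0). The output names the phase that drops it.
ciscoasa# packet-tracer input inside icmp 17.x.x.10 8 0 18.x.x.85 detailed
!
! 4. Twice NAT identity rule (section 1, so it is matched before the after-auto
!    Dynamic PAT): inside<->dmz traffic keeps its real addresses in both directions,
!    which is what the old "static (inside,dmz) x x" and "static (dmz,inside) y y" did.
ciscoasa(config)# object network INSIDE-NET
ciscoasa(config-network-object)# subnet 17.x.x.0 255.255.255.0
ciscoasa(config)# object network DMZ-NET
ciscoasa(config-network-object)# subnet 18.x.x.0 255.255.255.0
ciscoasa(config)# nat (inside,dmz) source static INSIDE-NET INSIDE-NET destination static DMZ-NET DMZ-NET
!
! 5. Verify the rule order and that a TCP flow from inside to dmz is no longer
!    translated by the Dynamic PAT.
ciscoasa# show nat detail
ciscoasa# packet-tracer input inside tcp 17.x.x.10 12345 18.x.x.85 80
```

The order in step 4 is the whole point: "show nat detail" should list the identity rule in section 1, ahead of the "after-auto" Dynamic PAT in section 3, and the final packet-tracer should show the NAT phase matching the identity rule with the source address unchanged. If it instead shows a PAT translation, the identity rule is either missing or placed after the dynamic one.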

 

More Related Cisco ASA Topics:

Cisco Released Cisco ASA Software 9.0

Cisco ASA 8.4 vs. Typical NAT/PAT Configuration
