Cisco & Cisco Network Hardware News and Technology


Cisco Club: Cisco Catalyst & Cisco Catalyst Switches

December 6 2011 , Written by Cisco & Cisco Router, Network Switch Published on #Cisco Switches - Cisco Firewall

Catalyst is the brand name for a variety of network switches sold by Cisco Systems. While commonly associated with Ethernet switches, a number of different interfaces have been available throughout the history of the brand. Cisco acquired several companies and rebranded their products as different versions of the Catalyst line: the original Catalyst 5000 and 6000 series were based on products developed by Crescendo Communications, the 1700, 1900 and 2800 series came from Grand Junction Networks, and the Catalyst 3000 came from Kalpana in 1994.

In addition, Cisco increasingly offers routers with switching capabilities; Cisco's 7600 router line and 6500 switch line even have interchangeable parts. Cisco's smaller routers, including the newer "ISR" series, can take switch modules, so a branch router and its access switch become one integrated device.

Operating Systems

In most cases, the technology for the Catalyst switches was developed separately from Cisco's router technology. The Catalyst switches originally ran software called CatOS rather than the more widely known Cisco IOS used by routers. This has changed as the product lines have converged. In some cases, particularly on the modular chassis switches, a configuration called 'Hybrid' emerged, where the layer 2 functions are configured in CatOS and the layer 3 functions are configured in IOS. 'Native IOS' is found on newer software versions that have eliminated CatOS entirely in favour of IOS, even on hardware that originally required CatOS.

As of this writing, the latest IOS release for the Catalyst 6500 series is 12.2(33)SXI, which supports In-Service Software Upgrade (ISSU) through IOS Software Modularity.

Some newer Catalyst models (with recent IOS versions) can also be configured through a web-based graphical interface served by an HTTP server running on the switch itself. The IOS global configuration command 'ip http server' enables it, and on 12.x images it is enabled by default, so check the running configuration and disable it ('no ip http server'), or replace it with 'ip http secure-server', if the web GUI is not needed. The Catalyst 3750 series is one example of a Catalyst that can be configured this way.

Some newer models of Catalyst switches (called Catalyst Express) no longer allow access to IOS or CatOS at all - these switches can only be configured by using a Graphical User Interface (GUI).

 

CatOS

CatOS (Catalyst Operating System) is the discontinued operating system for many of the Catalyst brand of legacy network switches. It was originally called "XDI" by the switching company Crescendo Communications, Inc. Cisco renamed it to CatOS when they acquired Crescendo in late 1993.

 

CatOS ran on switches such as the 1200, 4000, 4500, 5000, 5500, 6000 and 6500 series. CatOS can still run on some of Cisco's modular switches in "hybrid" mode, where the NMP (switch processor) runs CatOS and the route processor runs Cisco IOS.

Interfaces

As Catalyst devices are primarily Ethernet switches, all modern Catalyst models have Ethernet interfaces, ranging from 10 Mbit/s to 10 Gbit/s depending on the model. Some models can accommodate Asynchronous Transfer Mode interfaces which can be used to bridge Ethernet traffic across wide area networks. Other models can support T1, E1, and ISDN PRI interfaces to provide connections to the PSTN. Legacy models supported a variety of interfaces, such as token ring, FDDI, and 100BaseVG, but are no longer sold by Cisco Systems.

 

Most models have basic layer 2 functions and are capable of switching Ethernet frames between ports. Commonly found additional features are VLANs, trunking (Cisco proprietary ISL or IEEE 802.1Q) and QoS or CoS. The switches, whether IOS or CatOS, are fully manageable.

 

Many Catalysts that run IOS are also capable of functioning as a router, making them layer 3 devices; when coupled with TCP and UDP filtering, these switches are capable of layer 2-4 operation. Depending on the exact software image, a Catalyst that runs IOS may be able to tackle large-scale enterprise routing tasks, using router technologies like OSPF or BGP.

 

Most chassis-based Catalyst models have the concept of field-replaceable "supervisor" cards. These work by separating the line cards, chassis, and processing engine (mirroring most Cisco router designs). The chassis provides power and a high-speed backplane, the line cards provide interfaces to the network, and the processing engine moves packets, participates in routing protocols, etc. This gives several advantages:

  • If a failure occurs, only the failed component needs to be replaced (typically a line card or supervisor). This means faster turnaround than having to uncable, unbolt, pull out, replace, re-bolt, and re-cable an entire switch, which may be as large as a quarter-rack, weigh over 150 pounds, and service over 500 cables.
  • A redundant supervisor engine may be installed to rapidly recover from supervisor failures. This is subject to restrictions (as some switches don't support redundant supervisors), but typically results in restoration times under 90 seconds.
  • A supervisor engine may be upgraded after purchase, increasing performance and adding features without losing any investment in the rest of the switch.

 

Additionally, most high-end switches off-load processing away from the supervisors, allowing line cards to switch traffic directly between ports on the same card without using any processing power or even touching the backplane. Naturally, this can't be done for all traffic, but basic layer-2 switching can usually be handled exclusively by the line card, and in many cases also more complex operations can be handled as well.

 

Management

Cisco switches are very popular for a number of reasons, including advanced customization and manageability. The switches can be configured over a serial console, a telnet session, or SSH (which requires a cryptographic IOS image and an RSA key pair generated on the switch with 'crypto key generate rsa'). Telnet carries the login and everything after it in clear text, so SSH is preferred wherever the image supports it. SNMP allows monitoring of many states and measurement of traffic flows; note that a read-write community string is equivalent to configuration access, so keep community strings non-default and restrict them with an access list. Many devices can also run an HTTP server, but this is often disabled because of the security problems it creates - either because it is not encrypted, or because of the relatively frequent security vulnerabilities in the Cisco HTTP daemon itself. Some Cisco switches aimed at smaller organizations forgo a command line interface and offer ONLY a web interface for configuration and management.

Configuration of the switch is plain text and is therefore easy to audit - no special tools are required to generate or review a useful configuration. For sites with more than a few devices it is useful to set up a TFTP server for storing configuration files and the IOS images used for upgrades. Complex configurations are best created in a text editor from a site-standard template, placed on the TFTP server and copied to the device. Note that TFTP has no authentication or encryption: anyone who can reach the server can read the stored configurations (including type 7 passwords and SNMP community strings) or replace an image, so keep it on a management network that only the devices and administrators can reach, or use SCP/SFTP where the IOS image supports it.
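Because the configuration is plain text, the management-plane checks discussed in this section and in the Operating Systems section (the HTTP server, telnet versus SSH, SNMP community strings, password storage) are easy to automate. The script below is an added example, not code from this post or from Cisco. It parses a running-config the way IOS lays it out (sub-commands indented one space under their parent line) and reports the weak settings discussed above. The configuration it audits is a constructed sample, not taken from a real device, and the severity labels are the example's own.

```python
"""Audit a Cisco IOS switch configuration for weak management-plane settings.

Added example, not code from the original post or from Cisco. SAMPLE_CONFIG is a
constructed running-config excerpt, not taken from a real device.
"""
import re

SAMPLE_CONFIG = """\
!
hostname access-sw1
!
no service password-encryption
!
enable password cisco123
!
username admin password 0 letmein
!
ip http server
no ip http secure-server
!
snmp-server community public RO
snmp-server community private RW
!
line vty 0 4
 transport input telnet ssh
 login local
line vty 5 15
 transport input all
!
end
"""


def parse_config(text):
    """Split IOS config text into top-level lines and indented sub-command blocks.

    IOS indents sub-commands one space under their parent (e.g. 'line vty 0 4'),
    so a block ends at the next non-indented line. Comment lines ('!') are dropped.
    """
    top_level, blocks, parent = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and parent is not None:
            blocks[parent].append(raw.strip())
        else:
            parent = raw.rstrip()
            top_level.append(parent)
            blocks[parent] = []
    return top_level, blocks


def audit_config(text):
    """Return (severity, message) findings for management-plane weaknesses."""
    top_level, blocks = parse_config(text)
    present = set(top_level)
    findings = []

    # Web management over plain HTTP: 'ip http server' is the real command
    # (no hyphen) and is on by default on many Catalyst images.
    if "ip http server" in present and "ip http secure-server" not in present:
        findings.append(("high", "HTTP management without HTTPS: "
                         "use 'no ip http server' and 'ip http secure-server'"))

    # Telnet on the vty lines sends the login in the clear; 'all' includes it.
    for parent, subs in blocks.items():
        if not parent.startswith("line vty"):
            continue
        for sub in subs:
            m = re.match(r"transport input (.+)", sub)
            if m and {"telnet", "all"} & set(m.group(1).split()):
                findings.append(("high", f"{parent}: '{sub}' permits telnet; "
                                 "use 'transport input ssh'"))

    # SNMP: RW communities allow remote reconfiguration; public/private are guessable.
    for line in top_level:
        m = re.match(r"snmp-server community (\S+)(?:\s+(RO|RW))?", line)
        if not m:
            continue
        name, mode = m.group(1), m.group(2) or "RO"
        if mode == "RW":
            findings.append(("high", f"read-write SNMP community '{name}'"))
        if name.lower() in ("public", "private"):
            findings.append(("medium", f"default SNMP community name '{name}'"))

    # Credential storage: the 'password' keyword stores type 0/7 (reversible) strings.
    if "no service password-encryption" in present:
        findings.append(("medium", "service password-encryption is disabled"))
    for line in top_level:
        if line.startswith("enable password "):
            findings.append(("high", "'enable password' used; use 'enable secret'"))
        elif re.match(r"username \S+ password ", line):
            findings.append(("medium", f"'{line.split()[1]}' has a type 0/7 "
                             "password; use 'username ... secret'"))
    return findings


if __name__ == "__main__":
    for severity, message in audit_config(SAMPLE_CONFIG):
        print(f"[{severity}] {message}")
```

Run it against a `show running-config` capture pulled over the console or SSH; on the constructed sample it reports nine findings. The parser is deliberately simple (one level of nesting), which is enough for the line, interface and router blocks an audit usually cares about.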

 

Stackwise

Cisco StackWise is a technology offered by Cisco Systems that allows up to nine Catalyst 3750 series switches to operate as though they were one 32-Gbit/s switch. This allows for greater resiliency and performance.

One switch from the stack will act as the master switch. The master switch will maintain the stack and allow you to configure and monitor the whole stack as though one via a single console.

 

If one switch fails the remaining switches will continue to operate by looping back any information that would normally traverse the failed switch, effectively bypassing it. If the master switch fails, the next switch in the stack will automatically take over as master. This feature means greater redundancy, as one switch's failure will not bring about a failure of the entire stack.

As each switch contains the entire configuration for the stack, one of the benefits of this technology is the ability to replace a failed switch (any member, including the master) with a new, unprogrammed switch. The stack configures the new switch on the fly, keeping downtime to a minimum.

 

StackWise effectively replaced the GigaStack found on lower-price models such as Catalyst 35xx and 29xx series.

 

A newer variation of the technology, Cisco StackWise Plus, offers a 64-Gbit/s nonblocking switching fabric.

Master Selection

The master switch of a stack is determined in the following order; a later criterion is only consulted when all earlier ones tie.

  1. User specified (a switch priority set by the administrator; the highest value wins).
  2. The switch with the most advanced IOS feature set, i.e. Advanced IP Services IPv6 (AIPv6), then Enhanced Multilayer Software Image (EMI), then Standard Multilayer Software Image (SMI).
  3. Programmed switch. A switch with a saved, non-default configuration takes precedence over one with only factory defaults.
  4. Uptime. The switch that has been running the longest.
  5. MAC address. The switch with the lowest MAC address.
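The ordering above is a lexicographic comparison: a later criterion only decides when every earlier one ties. Here it is as an added example, not Cisco's code: the user-specified choice is modelled as an integer priority (assumed here: higher wins, 1 when not set), the feature-set ranking follows the list above, and the three-member stack is constructed for the example.

```python
"""Stack master election in the order the post lists.

Added example, not Cisco's code. The election is modelled as a sort key so that
a later criterion only decides when every earlier one ties. 'priority' stands
in for the user-specified choice (assumed: an integer, higher wins, 1 when
unset); the feature-set ranking and the sample stack are constructed.
"""
from dataclasses import dataclass

# More capable image ranks higher, in the order given in the post.
FEATURE_RANK = {"SMI": 0, "EMI": 1, "AIPv6": 2}


@dataclass(frozen=True)
class StackMember:
    name: str
    mac: str            # "00:1a:2b:3c:4d:5e", "001a.2b3c.4d5e" or dash form
    image: str          # "SMI", "EMI" or "AIPv6"
    configured: bool    # False when still at factory defaults
    uptime_s: int       # seconds since boot
    priority: int = 1   # user-specified; higher wins


def mac_to_int(mac):
    """Normalise the common MAC spellings to an integer for comparison."""
    digits = "".join(ch for ch in mac if ch not in ":-.")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return int(digits, 16)


def election_key(member):
    """Higher tuple wins. MAC is negated because the *lowest* MAC wins that tie."""
    if member.image not in FEATURE_RANK:
        raise ValueError(f"unknown image {member.image!r}")
    return (
        member.priority,
        FEATURE_RANK[member.image],
        member.configured,
        member.uptime_s,
        -mac_to_int(member.mac),
    )


def elect_master(members):
    """Return the member that wins the election among 'members'."""
    if not members:
        raise ValueError("empty stack")
    return max(members, key=election_key)


def ranked(members):
    """Names in election order, master first: who takes over if the master fails."""
    return [m.name for m in sorted(members, key=election_key, reverse=True)]


# Constructed three-member stack: sw1 and sw3 differ only in MAC address,
# sw2 runs the richest image but is still unconfigured.
SAMPLE_STACK = [
    StackMember("sw1", "00:1a:2b:00:00:01", "EMI", True, 90_000),
    StackMember("sw2", "001a.2b00.0002", "AIPv6", False, 120),
    StackMember("sw3", "00-1a-2b-00-00-03", "EMI", True, 90_000),
]

if __name__ == "__main__":
    print("master:", elect_master(SAMPLE_STACK).name, "order:", ranked(SAMPLE_STACK))
```

On the sample stack the unconfigured sw2 still wins because the image criterion is checked before configuration state; removing sw2 leaves sw1 and sw3 tied all the way down to the MAC address, where the lower one (sw1) wins. Setting a priority on any member overrides all of that, which is why a production stack should have the intended master's priority set explicitly rather than left to the tie-breakers.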

 

Models/Types of Cisco Catalyst Switches

Like most Cisco product lines, the Catalyst Switch series evolves fairly rapidly. There are two general types of Catalyst switches: fixed-configuration switches, usually one or two rack units in size with 12 to 80 ports, and modular (chassis-based) switches in which virtually every component, from the CPU card to the power supplies to the switch cards, is installed individually in a chassis.

  • As of 2011, the most popular fixed-configuration switches are the WS-C2960, WS-C3560 and WS-C3750 series at the high end; an entry-level managed "Express" series, with model numbers beginning WS-CE (configurable by web interface only, no command line interface); the "ME" Metro Ethernet series; and a "Small Business" series that came from Cisco's acquisition of Linksys. In addition, there are many capable legacy switches, suitable for most business and service provider needs, that Cisco no longer sells directly (the WS-C2950 and WS-C3550, for example). Cisco fixed-configuration switches come with a bewildering assortment of features (10/100 versus 10/100/1000 ports, Power over Ethernet on some, varying types of Gigabit and 10-Gigabit uplink ports, standard or enhanced software, different power supplies), and it is difficult to tell from a visual inspection what features a switch has beyond the number of ports; similar-looking switches can have dramatically different features.

 

Cisco Model Names & Switch Features

In general, switch names start with WS-C, followed by the model line (2960). A letter at the end of this number signifies a special feature, followed by the number of ports (usually 24 or 48) and additional nomenclature indicating other features.

 

Cisco modular switches are much larger and are entirely configurable, beginning with a chassis, power supplies, the choice of supervisory engines (CPU mainboards), and switch modules. Among Cisco's modular series are:

  • The Cisco Catalyst 6500 Series is a chassis-based switch family. This series can support interfaces up to 10 Gigabit Ethernet in speed and redundant Supervisor modules.
  • The Cisco Catalyst 5500 Series and Cisco Catalyst 5000 Series form a chassis-based switch family; the Catalyst 5000 came from the Crescendo acquisition mentioned above. The entire series has now reached end-of-sale.
  • The Cisco Catalyst 4900 series is a fixed-configuration switch. Uplink interfaces are either SFP ports or 10 gigabit Ethernet, with 48 copper ports of 10/100/1000 Ethernet.
  • The Cisco Catalyst 4500 Series is a mid-range modular chassis based Switch manufactured by Cisco System.
  • The Cisco Catalyst 3000 and 3100 series switches are switches for use in blade-enclosures: the Catalyst 3032 is a Layer2 switch and the Catalyst 3130x and 3130G are blade-switches for the Dell M1000e enclosure.
  • The 1000 switch family is considered an edge device; because it is very modular, much of its functionality can be added as the device is built out.

To sum up, the Cisco Catalyst range is designed to meet the needs of a wide range of customers—from small to medium businesses, right up to large enterprise networks and service providers. Cisco Catalyst switches provide high performance, scalability, manageability, and many other intelligent features that ensure their success to date.


Firewall, Overview and Features You Should Know

November 29 2011 , Written by Cisco & Cisco Router, Network Switch Published on #Cisco Switches - Cisco Firewall

Generally, a firewall protects your computer from intrusion (scanning or attack) by hackers or script kiddies while it is connected to the Internet. A firewall examines data coming in to, or going out of, a computer (or a network: computers joined together by wires or a wireless connection) and compares it to the rules it has been given. If the data matches a rule that says it is OK, the firewall lets it pass; if it matches no such rule, the firewall blocks it, which is why a sound firewall policy ends in a default deny rather than a default allow. Put simply, think of a firewall as a piece of software (or, for those with more computers, hardware) that keeps the bad guys out and lets the good ones in. It stops hackers and script kiddies from gaining access to your computer and the information on it.

 

There are many people who still use the internet without thinking twice about protecting themselves when online. Most of these people are home or small business users who never give it a second thought, or just don't understand enough about the risks to worry. Using the internet without a firewall can be explained quite easily - You wouldn't leave your house or office unlocked, or with the windows and doors wide open so that anyone can walk in and look around, or even steal your items, but using the internet isn't much different than that. If you are online without a firewall you are leaving it wide open to attack, and intruders and thieves could view or steal your information.

 

So for anyone who uses the internet, whether at home or in an enterprise, a firewall is essential hardware or software that helps protect your privacy and the data on your computer by stopping hackers from gaining control of your system.

 

A firewall also prevents confidential information on your system from being sent without your permission. This could be your passwords, bank details and other personal information.

 

About Personal Firewall & Hardware Firewall

A personal firewall (also known as a desktop firewall or software firewall) is installed on each computer that is connected to the internet and monitors (and blocks, where necessary) internet traffic. It is used to help protect a single Internet-connected computer from intruders. Personal firewall protection is useful for any user, and especially for those with "always-on" connections such as DSL or cable modem, though dial-up users benefit too.

 

Hardware firewalls can be purchased as stand-alone products, but more recently they are typically found in broadband routers, and should be considered an important part of your system and network set-up, especially for anyone on a broadband connection. Hardware firewalls can be effective with little or no configuration, and they can protect every machine on a local network. Most hardware firewalls have a minimum of four network ports to connect other computers; for larger networks, business networking firewall solutions are available.

 

Software and Hardware Firewall

The differences between a software and hardware firewall are vast, and the best protection for your computer and network is to use both, as each offers different but much-needed security features and benefits. Updating your firewall and your operating system is essential to maintaining optimal protection, as is testing your firewall to ensure it is connected and working correctly.

 

Notes

Intro of Most Popular CISCO Firewall Hardware: About Cisco ASA 5500 Series

Designed as a core component of the Cisco Self-Defending Network, the Cisco ASA 5500 Series provides proactive threat defense that stops attacks before they spread through the network, controls network activity and application traffic, and delivers flexible VPN connectivity. The result is a multifunction network security appliance family that provides the security breadth and depth for protecting home office, branch office, small and medium-sized business, and enterprise networks, while reducing the deployment and operational cost and complexity of providing this level of security.

Cisco and the Consumerization of IT

November 23 2011 , Written by Cisco & Cisco Router, Network Switch Published on #Cisco Switches - Cisco Firewall

Cisco is at the forefront of embracing the consumerization of IT - here's how.

Cisco and the Consumerization of IT

 

It’s painfully obvious that the consumerization of IT isn’t going away. You hear it in the news, from manufacturers, and the loudest voice of all – your end-users.

 

Most likely, helpdesk requests about configuring, updating or using consumer devices have eked their way into your top 10 most common calls list. (A personal favorite, though not a top 10: "How do I get that bird game on here?")

 

Beyond the onslaught of "How do I set up my work email account on my iPhone?" requests, there are major implications to the consumerization of IT in the workplace - above all, security. Do you have a plan in place for when a senior executive's iPad gets stolen, along with confidential company information? Or when a sales rep connects their tablet to the network and unknowingly introduces malware that reaches the CRM?

 

Back in 2009, Chris Christiansen of IDC was interviewed for Cisco’s Fact or Fiction video series. Christiansen said that while consumer devices aren’t specifically designed for use in the workplace, most IT operations would eventually have to accommodate them. He went so far as to say that it could be a career limiting move to forbid consumer devices in the workplace completely – particularly if you’re dealing with a senior level executive.

 

In 2010, Cisco began pushing borderless security to enable enterprise IT to deal with the onslaught of consumer devices in the workplace and the security concerns that came with them.

 

That same year, Cisco also introduced the Cius tablet – which meant enterprise IT could not only have the security measures in place for dealing with consumer devices, but could also provide the devices themselves. (The verdict is still out on how well the Cius will satisfy both end-users and IT.)

 

And just a month ago, Cisco general manager Tom Gillis named virtualization as the solution to security issues brought on by the consumerization of IT.

 

Cisco appears to be one of the players at the forefront of dealing with the implications of consumer devices in the workplace. All along, Cisco has made a point to pronounce this shift as not only unavoidable, but something to embrace. (Perhaps Cisco realizes that like social media in the workplace, you’re better off creating a policy to accommodate consumer devices rather than deny their use completely.) How are they extending the digital olive branch?

 

They are starting on their own shores. Cisco has been pioneering consumerization in its own network for years, so it can speak from experience and bring solutions to market that make sense. Introducing AnyConnect into its security offering is one such solution. Having a client that can run on Symbian OS-based Nokia dual-mode phones, Windows Mobile devices, Apple iPhones, Android phones, Apple iPads, Cisco Cius tablets, and Windows, Mac and Linux desktops and laptops was vital to allowing a BYOD (bring your own device) policy at Cisco. So what is the solution?

 

Cisco's AnyConnect allows its users to connect from anywhere, on any device. It is also always on, meaning that you do not have to log in again if you are disconnected; the session is automatically re-established. AnyConnect will also establish a tunnel in the best way based on how and from where you are connecting. Trying to web-conference in from a high latency location? The client can use Datagram Transport Layer Security (DTLS), which runs over UDP and so avoids the TCP-over-TCP retransmission stalls that hurt voice and video on a high latency link. What about under the hood?

 

The AnyConnect client establishes a secure tunnel into the network through Cisco ASA 5500’s that work in tandem with Cisco IOS to handle authentication and access to Cisco’s network. In addition to authentication, the client checks that the device is registered and conforms to security standards. What if a device doesn’t measure up? It’s not allowed on the network. What about lost or stolen devices? Cisco IT can remotely terminate the VPN sessions and no longer allow the device on the network.

 

The only question now is; will other organizations follow suit, or continue to keep their heads buried in the sand?


Discussion From Cisco Fans: Does Cisco Have a Real Competitor?

November 8 2011 , Written by Cisco & Cisco Router, Network Switch Published on #Cisco Switches - Cisco Firewall

I know cisco is a pioneer in networking products. Do all enterprises use cisco products? Does Cisco have a real Competitor? Who are they? And how far?    ---Q FROM Cisco learning home


 

As we know, Cisco is the worldwide leader in networking that transforms how people connect, communicate and collaborate, and is a common choice for headquarters and for all kinds of offices, industries and enterprises. Although Cisco does not get much applause in the consumer market, it still holds a large share of the networking solutions and network hardware market. As the Chinese saying goes, "a starved camel is still bigger than a horse". So, does Cisco have a real competitor? Here are some points from Cisco fans and Cisco users:

 

“Define competitor. Yes, there are other companies who offer network equipment. Juniper, Extreme Networks, HP even has some gear out there as does Dell. However, when it comes down to full spectrum solutions, it's tough to beat Cisco. Juniper is working on building more market base though, and they have some features in JunOS that are arguably nicer than IOS. However, their slice of the market isn't as large as Cisco's is.”                               ---Travis

 

"However, when it comes down to full spectrum solutions, it's tough to beat Cisco. Juniper is working on building more market base though, and they have some features in JunOS that are arguably nicer than IOS. However, their slice of the market isn't as large as Cisco's is. Would it be easy work with devices from other vendors? Being a cisco professional do we have to learn the corresponding OS? Also, because we learnt cisco IOS, of-course we will recommend cisco devices. Which is a plus for cisco?”                                 ---KARTHICK KUMARAGURU

 

“I am certified in Cisco products and practices. Through various jobs I have worked on Cisco, F5, Packeteer, Citrix, Riverbed, Juniper and Avaya equipment. Most enterprise networks will find a network appliance from another vendor on it in some form or fashion, if not several. The larger the scale of the deployment, I've noticed, the more specialized equipment you deploy, due to economy of scale.”                  ---Daniel

 

“The competitors that come to win my business are usually Allied Telesyn, HP & Foundry, who just recently got bought out by someone... I don't remember who. Dell used to, but they have just become a Cisco reseller themselves so that will be interesting. I looked at Dell switches a few years ago and they stunk!

We were a HP shop at one point in time and decided to move to cisco, just for sheer performance. One thing I really like about Cisco switches is the switching in hardware, not in software approach. There is a noticeable performance difference. I also have some networks that have HP gear and I am trunking vlans across a mixed HP and Cisco environment.

The thing that keeps me using Cisco gear is.... Features! Every time a vendor gives their spiel, I ask if they have certain features that I am currently using. If the answer is no, then they have just answered their own question.”                                            ---Jared  

 

“Quick question, my company just deployed Riverbed....in your experience, how does Riverbed match up to Cisco's WAN acceleration products? Jared, we also used to have Dell switches....they were indeed horrible.....not to say that ports don't go bad on Cisco switches, because obviously they do, BUT they always used to go bad on the Dell ones.” ---SKeemz

 

“Skeemz- I haven't used Cisco's WAN acceleration products much - but I am really impressed with Riverbed and their RiOS. It's a locked down Linux shell and it really gives you a lot of control and visibility within the device, especially with logging. They have some bright folks working over there and with their new partnership with HP - I think they are going to really have some interesting gear coming out soon. Riverbed has very granular control policies, their GUI is intuitive and quick, and their boxes are fairly stout, especially the bigger ones. I think their RAID rebuild function when a drive dies is a little questionable but overall I like their product. I've worked on more or less their entire enterprise product line and can't think of a box I wouldn't recommend to someone.”                         ---Micheal

 

Right: what these Cisco fans say tells us that Cisco has earned a good reputation, trusted for its networking solutions and powerful network equipment. Have you felt it?

 

Notes: If you need information on Cisco's main hardware types, such as Cisco routers, switches, firewalls, modules and cards, you can visit the Cisco supplier router-switch.com to see more.

Cisco ASA Firewall, Protect your Server with a Dedicated Cisco firewall

November 7 2011 , Written by Cisco & Cisco Router, Network Switch Published on #Cisco Switches - Cisco Firewall

Gigenet utilizes Cisco's firewall services module (FWSM) to provide instant firewall activation and simple management through a secure web interface.


 

High Performance, High Scalability, Low Latency

  • Gbps throughput per module
  • 100,000 connections per second
  • 1,000,000 concurrent connections
  • Single port or VLAN spanning

Best-In-Class Features

  • Time-tested Cisco PIX operating system
  • PIX Device Manager GUI
  • Transparent Layer 2 firewalls
  • Rich stateful inspection for web, VoIP and multimedia

 

The Cisco firewall services module is designed to recognize and filter the following types of traffic:

  • Core services: HTTP, FTP, ESMTP, DNS, ICMP, TCP, UDP
  • Voice over IP (VoIP) / Unified Communication services: SIP, SCCP, H.323, RTSP, TAPI/JTAPI, GTP
  • Application/operating system services: LDAP/ILS, SunRPC, XDMCP, TFTP

 

More about Cisco ASA 5500 Series Adaptive Security Appliances

ASA Models

There are six main models in the ASA range, from the basic 5505 branch office model up to the 5580 datacenter versions; a full comparison is available on the Cisco website here: Cisco ASA 5500 Series Adaptive Security Appliances

 

Although this article will concentrate on the 5505 and 5510 models the basic feature set is in fact fairly consistent across the range, the main differences being in the maximum traffic throughput handled by each model and the number/type of interfaces.

 

At the most basic level the ASA is a transparent or routed firewall/NAT device, this means it is designed to sit between your LAN and the Internet; one interface (normally known as "outside") will be connected to your Internet access device and one or more interfaces (e.g. "inside" and "DMZ") will connect to your internal networks. This enables the ASA to inspect and control all traffic passing between your network and the Internet, exactly what it does with that traffic is the clever bit.

 

ASA 5510

The ASA 5510 is intended to be a single-device solution to your Internet security requirements and, with its 300 Mbps throughput and 9,000 firewall connections per second capacity, will be suitable for most office deployments. The key features are covered in more detail later, but in brief they are: firewall/NAT, SSL/IPsec VPN, content security and intrusion prevention. It has five 10/100 Mbps ports; by default these provide one outside (Internet) interface, one management interface and three internal network interfaces, but they are fully reconfigurable and also support 802.1Q VLAN subinterfaces for further network subdivision if required. Functionality can be upgraded via a Security Services Module slot which provides support for additional Content Security and Intrusion Prevention features.

 

ASA 5505

The ASA 5505 is intended for small or branch office and teleworker deployments, often in conjunction with a 5510 or higher model at the head office to which it establishes a site-to-site VPN, whilst providing full security for other Internet traffic. The device has eight 10/100 Mbps Ethernet ports, including two with Power over Ethernet support suitable for PoE devices such as IP phones or cameras, so it can be used as a single-unit solution for the smaller office. Key differences compared to the 5510 are the reduced support for VPN peers (only 10, upgradeable to 25 with the Security Plus license), only 3 VLANs (20 with the Security Plus license) and only a slot for the optional Security Services Card, so there is no option for the advanced Content Security services.

 

Key Features

Firewall

All ASA models include a fully featured policy-based firewall and routing engine which gives you complete control of which traffic you allow in and out of your network. Layer 2/3 firewalling allows you to specify which hosts are allowed access through the ASA and also to perform Network Address Translation to map internal hosts to public IP addresses. Layer 7 firewalling goes several steps further and also allows you to define access policies based on application and protocol type, providing extremely granular control over Internet access and protection against more advanced network attacks. Unlike many competitors' firewalls, the ASA's policy- and interface-based approach to access control gives you complete control over traffic leaving your network as well as incoming, for example allowing you to restrict Instant Messaging use to only your approved client application. Deep packet inspection goes beyond the protocol and port of the attempted connection to identify the application behind it, making it much harder for users to circumvent company IT policies.
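The rule matching described in the firewall overview earlier on this page (compare traffic to the rules, pass what matches, block the rest) and the interface-based policy described here can be shown together in a small model. The code below is an added example, not Cisco's code and not the ASA's actual implementation. It captures two ASA behaviours: without an access list, traffic is allowed from a higher-security interface to a lower one and denied the other way; and an access list applied inbound on an interface replaces that default with first-match-wins evaluation ending in an implicit deny. The interface names and security levels, the rules and the test packets are all constructed for the example.

```python
"""Interface-based access control of the kind the post describes for the ASA.

Added example, not Cisco's code and not how the ASA is implemented. Two
behaviours are modelled: the default that traffic may flow from a higher-
security interface to a lower one but not the reverse, and an access list
applied inbound on an interface (first match wins, implicit deny at the end)
that replaces that default. Interfaces, rules and packets are constructed.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "tcp", "udp" or "icmp"
    dport: int   # 0 when the protocol has no port


@dataclass(frozen=True)
class Rule:
    action: str     # "permit" or "deny"
    proto: str      # "ip" matches any protocol
    src: str        # CIDR
    dst: str        # CIDR
    dport: int = 0  # 0 matches any port

    def matches(self, pkt):
        return (
            self.proto in ("ip", pkt.proto)
            and ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src)
            and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst)
            and self.dport in (0, pkt.dport)
        )


class Firewall:
    def __init__(self):
        self.interfaces = {}   # name -> (security level, connected network)
        self.acls = {}         # name -> [Rule] applied to traffic entering it

    def add_interface(self, name, level, network):
        self.interfaces[name] = (level, ipaddress.ip_network(network))

    def apply_acl(self, name, rules):
        self.acls[name] = list(rules)

    def interface_for(self, ip):
        """Interface whose connected network holds ip; anything else is 'outside'."""
        addr = ipaddress.ip_address(ip)
        for name, (_, net) in self.interfaces.items():
            if addr in net:
                return name
        return "outside"

    def decide(self, pkt):
        """Return (action, reason) for a new connection described by pkt."""
        ingress, egress = self.interface_for(pkt.src), self.interface_for(pkt.dst)
        if ingress == egress:
            return "deny", f"{ingress}: not forwarded back out the same interface"
        rules = self.acls.get(ingress)
        if rules is not None:
            for rule in rules:
                if rule.matches(pkt):
                    return rule.action, f"{ingress} ACL matched {rule}"
            return "deny", f"{ingress} ACL: implicit deny at end of list"
        in_lvl, out_lvl = self.interfaces[ingress][0], self.interfaces[egress][0]
        if in_lvl > out_lvl:
            return "permit", f"{ingress}({in_lvl}) to {egress}({out_lvl}): higher to lower, no ACL"
        return "deny", f"{ingress}({in_lvl}) to {egress}({out_lvl}): lower to higher, no ACL"


def build_sample():
    """Three-interface firewall: inside/DMZ/outside with the usual security levels."""
    fw = Firewall()
    fw.add_interface("inside", 100, "10.0.0.0/24")
    fw.add_interface("dmz", 50, "192.168.100.0/24")
    fw.add_interface("outside", 0, "203.0.113.0/30")
    # Internet to DMZ: only HTTPS to the web server; everything else hits the implicit deny.
    fw.apply_acl("outside", [Rule("permit", "tcp", "0.0.0.0/0", "192.168.100.10/32", 443)])
    # LAN egress control: block one chat protocol (XMPP, tcp/5222) and allow the rest.
    fw.apply_acl("inside", [
        Rule("deny", "tcp", "10.0.0.0/24", "0.0.0.0/0", 5222),
        Rule("permit", "ip", "10.0.0.0/24", "0.0.0.0/0"),
    ])
    return fw


if __name__ == "__main__":
    fw = build_sample()
    for pkt in (Packet("198.51.100.7", "192.168.100.10", "tcp", 443),
                Packet("198.51.100.7", "192.168.100.10", "tcp", 22),
                Packet("10.0.0.5", "198.51.100.7", "tcp", 5222),
                Packet("192.168.100.10", "10.0.0.5", "tcp", 445),
                Packet("192.168.100.10", "198.51.100.7", "udp", 53)):
        print(pkt, "->", fw.decide(pkt))
```

Two points the model makes visible: the DMZ can reach the Internet with no ACL at all because 50 is higher than 0, which is exactly why a compromised DMZ host can phone home unless you add an outbound ACL there; and the moment an ACL is applied to an interface, the security-level default no longer applies on that interface, so every permitted flow has to be listed explicitly. The model evaluates the first packet of a connection only; a real ASA then tracks the connection statefully and allows the return traffic.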

 

SSL & IPsec VPN

Even the ASA 5505 includes full support for IPsec and SSL VPN endpoints, providing encrypted tunnels for office-to-office and remote-user-to-office connections. The basic license for all ASAs allows IPsec VPN connections up to the maximum supported on each model but only includes two SSL VPN licenses, to allow for testing before deployment. The 5505 will support up to 25 simultaneous VPN connections, whilst the 5510 supports a maximum of 250; these can be any combination of IPsec or SSL, and site-to-site or remote client types.

 

IPsec VPNs are commonly deployed between Cisco VPN devices for site-to-site connections, or initiated by client software on the remote worker's computer. Included with all ASA license bundles is the Cisco AnyConnect VPN client, with versions available for all major operating systems: Windows 2000 up to Windows 7, Mac OS X (10.4/10.5), Linux (Intel, kernel 2.6.x) and even Windows Mobile 5.0/6.0/6.1. Cisco AnyConnect provides several improvements over the basic IPsec functionality built into those operating systems; key features are:

  • DTLS protocol support to help minimize latency for applications such as VoIP
  • Support for SSL tunneling to ensure connectivity even through restrictive proxies and firewalls (if web browsing is possible then so is a VPN connection)
  • Advanced encryption and wide range of authentication protocols, including two factor smartcard/token based
  • Flexible IP tunneling for consistent user experience with features such as connection retention, ensuring the mobile user retains connectivity through disconnections, reboots and standby/hibernation.

 

Tips:

Cisco ASA Firewalls: 5505, 5510, 5520, 5540, 5580, the full Cisco PIX Firewall family, FWSM, CSM, Cisco VPN Routers etc.

Cisco VPN: VPN 3000 Series Concentrators, VPN blades, Site-to-Site VPN, Remote Access VPN, Cisco SSL VPN etc.

Cisco IPS: 4200 series, IDSM-2 blade, Cisco IOS IPS, Shunning, IPS Manager, IDM, AIP-SSM, HIPS (CSA) etc.

Cisco MARS: MARS 20, MARS 50, MARS 100, integration with IPS and CSA, reports, queries, local / global set ups etc.

Identity Management: Cisco ACS, RADIUS, TACACS+, 802.1x, LDAP, OTP, RSA, certificates, biometrics etc.

Router & Switch Security: Access-Lists, VLAN maps, TCP Intercept, Lock-and-Key, Anti Spoofing, CBAC, IOS Firewall etc.

Network Admission Control (NAC): In-band, out-of-band, Clean Access client, ACS integration, third-party integration etc.

 

 


How to Configure a Cisco Switch?

November 2 2011 , Written by Cisco & Cisco Router, Network Switch Published on #Cisco Switches - Cisco Firewall

Generally speaking, Cisco switches are the best on the market. Versatile, reliable, flexible and powerful, the Cisco switch product line (such as the 2960, Cisco 3560, Cisco 3750, 4500, 6500, etc.) offers unparalleled performance and features.

 

Although a Cisco switch is a much simpler network device than, for example, a router or a firewall, many people have difficulties configuring a Cisco Catalyst Switch. Unlike lower-end switches from other vendors (which are plug-and-play), a Cisco switch needs some initial basic configuration in order to enable management, security and other important features.

 

How do you configure a Cisco switch from scratch? The following basic steps take you through the initial Cisco switch configuration.

 

STEP1: Connect to the device via console

Use terminal emulation software such as PuTTY and connect to the console of the switch. You will get the initial command prompt “Switch>”.

Type “enable” and hit Enter. You will get into privileged mode (“Switch#”).

Now, get into Global Configuration Mode:

Switch# configure terminal
Switch(config)#

 

STEP2: Set up a hostname for the particular switch to distinguish it in the network

Switch(config)# hostname access-switch1
access-switch1(config)#

 

STEP3: Configure an administration password (enable secret password)

access-switch1(config)# enable secret somestrongpass

 

STEP4: Configure a password for Telnet access

access-switch1(config)# line vty 0 15
access-switch1(config-line)# password strongtelnetpass
access-switch1(config-line)# login
access-switch1(config-line)# exit
access-switch1(config)#

 

STEP5: Define which IP addresses are allowed to access the switch via Telnet

access-switch1(config)# ip access-list standard TELNET-ACCESS
access-switch1(config-std-nacl)# permit 10.1.1.100
access-switch1(config-std-nacl)# permit 10.1.1.101
access-switch1(config-std-nacl)# exit

 

!Apply the access list to Telnet VTY Lines
access-switch1(config)# line vty 0 15
access-switch1(config-line)# access-class TELNET-ACCESS in
access-switch1(config-line)# exit
access-switch1(config)#

 

STEP6: Assign IP address to the switch for management

!Management IP is assigned to Vlan 1 by default
access-switch1(config)# interface vlan 1
access-switch1(config-if)# ip address 10.1.1.200 255.255.255.0
access-switch1(config-if)# exit
access-switch1(config)#

 

STEP7: Assign default gateway to the switch

access-switch1(config)# ip default-gateway 10.1.1.254

 

STEP8: Disable unneeded ports on the switch

! This step is optional but enhances security
! Assume that we have a 48-port switch and we don’t need ports 25 to 48

access-switch1(config)# interface range fastEthernet 0/25 - 48
access-switch1(config-if-range)# shutdown
access-switch1(config-if-range)# exit
access-switch1(config)#

 

STEP9: Save the configuration

access-switch1(config)# wr

 

The above are the basic steps for the initial set-up of a Cisco switch. Of course there are more things you can configure (such as SNMP servers, NTP, AAA, etc.), but those depend on the requirements of each particular network.


Guide: Cisco Memory Helps You Stretch IT Budget

November 1 2011 , Written by Cisco & Cisco Router, Network Switch Published on #Cisco Switches - Cisco Firewall

Planning for future growth is always difficult for a company. Whether yours is a small or medium-sized business or a large global enterprise, many growth challenges remain the same. When it comes to your computer network, for example, you may feel like you need a crystal ball to determine how to prepare for your company’s future needs without spending money needlessly. Often, the question boils down to whether to buy new Cisco hardware or to upgrade your existing equipment with, say, additional Cisco memory.

 

Although no single solution fits every enterprise, more often than not it makes financial sense to maximize the efficiency of your current network through upgrades, rather than to purchase completely new systems. Buying a new system is not only a huge financial commitment, but it also typically results in system downtime, debugging, and retraining. Generally speaking, you can accomplish your goals through upgrading your existing network while minimizing downtime and stretching your IT budget.

 

Even the best in-house IT departments aren’t always on the leading edge when it comes to system upgrades. That’s why it’s a good idea – and a sound investment – to consult with experts who can assist you in determining the current capacity of your equipment. If they have a thorough understanding of memory compatibility and knowledge of Cisco hardware topography, they can then look at your growth targets and make recommendations to achieve network goals in a way that is both cost-efficient and time-efficient.

 

There are a number of ways to increase network efficiency without purchasing new equipment. For example, a gigabit interface converter (GBIC) is a cornerstone of high-speed networking. GBIC modules are both economical and easy to install, and can quickly upgrade a network. Essentially, installing GBICs means that you don’t have to replace entire boards, and can give you the option of upgrading one, several, or all system modules.

 

Similarly, a small form-factor pluggable (SFP) module is a type of transceiver that can be easily upgraded without having to turn off the network. With speeds of up to five gigabits per second, GLC SFPs are a robust network growth solution.

 

When it comes to selecting a partner to help you analyze your network needs, make sure to choose a company that is both experienced and reliable. For example, the company should be a leading provider of Cisco-approved memory and third-party memory, and should have a client roster that includes Fortune 500 companies, educational institutions, and governmental departments and agencies.

 

You should also look for a company that has Cisco memory in stock and whose memory is application tested, shipped quickly, and accompanied by a lifetime warranty. For example, router-switch.com, hadware.com and usedcisco.com are all leading Cisco suppliers with very professional teams to solve your Cisco problems. Moreover, the company should have an advance replacement policy, so you can be assured that your network will never be down due to problems with memory.

 

Remember that, when it comes to your company’s growth, spending money on new equipment isn’t necessarily the wisest choice. Maximizing your existing system just may free up the resources you need to overtake your competition.

 


How to Set Port Security on a Cisco Catalyst Switch?

October 28 2011 , Written by Cisco & Cisco Router, Network Switch Published on #Cisco Switches - Cisco Firewall

If you want to ensure that only a certain device—for example, a server—is plugged into a particular switch port, you can configure the MAC address of the server as a static entry associated with the switch port.

 

Configure port security

Configuring the Port Security feature is relatively easy. In its simplest form, port security requires going to an already enabled switch port and entering the port-security Interface Mode command. Here’s an example:

Switch# config t
Switch(config)# int fa0/22
Switch(config-if)# switchport port-security ?
  aging        Port-security aging commands
  mac-address  Secure mac address
  maximum      Max secure addresses
  violation    Security violation mode
Switch(config-if)# switchport port-security
Switch(config-if)# ^Z

 

By entering the most basic command to configure port security, we accepted the default settings of only allowing one MAC address, determining that MAC address from the first device that communicates on this switch port, and shutting down that switch port if another MAC address attempts to communicate via the port. But you don’t have to accept the defaults.

 

You can also configure port security on a range of ports. Here’s an example:

Switch# config t
Switch(config)# int range fastEthernet 0/1 - 12
Switch(config-if-range)# switchport port-security

 

However, you need to be very careful with this option if you enter this command on an uplink port that goes to more than one device. As soon as the second device sends a packet, the entire port will shut down.

 

View the status of port security

Once you’ve configured port security and the Ethernet device on that port has sent traffic, the switch will record the MAC address and secure the port using that address. To view the status of port security on the switch, use:

Switch# show port-security address

 

Disabling Port Security in Cisco Switch/Cisco Catalyst Switch

 

Now we will see an example of how to disable port security on a Cisco switch. We have configured fa0/22 for port security; to disable it, follow these steps:

Switch# config t
Switch(config)# int fa0/22
Switch(config-if)# no switchport port-security
Switch(config-if)# end
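As an added example (not part of the original posts), the following Python script parses a constructed running-config excerpt and flags the deviations the two posts above warn about: a Telnet VTY with no inbound access-class, an active access port without port-security, and port-security applied to a trunk/uplink where the second MAC address seen would shut the port. The config text, interface names and the enable-secret hash are constructed placeholders, not captured from a real device.

```python
# Constructed running-config excerpt (not captured from a real device);
# the enable-secret hash is a placeholder.
SAMPLE_CONFIG = """\
hostname access-switch1
enable secret 5 $1$PLACEHOLDER
interface FastEthernet0/1
 switchport mode access
 switchport port-security
interface FastEthernet0/2
 switchport mode access
interface FastEthernet0/24
 description uplink to core
 switchport mode trunk
 switchport port-security
interface FastEthernet0/25
 shutdown
line vty 0 15
 password strongtelnetpass
 login
"""

def parse_blocks(config):
    """Group an IOS config into {top-level line: [its indented sub-commands]}."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue  # skip blank lines and IOS '!' comment separators
        if raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = raw.strip()
            blocks.setdefault(current, [])
    return blocks

def audit(config):
    """Return one finding per deviation from the hardening steps in the posts."""
    blocks = parse_blocks(config)
    findings = []
    if not any(h.startswith("enable secret") for h in blocks):
        findings.append("global: no enable secret configured (STEP3)")
    for hdr, body in blocks.items():
        if hdr.startswith("line vty"):
            if not any(c.startswith("access-class") and c.endswith(" in") for c in body):
                findings.append(f"{hdr}: no inbound access-class, Telnet reachable from any source (STEP5)")
        elif hdr.startswith("interface ") and not hdr.lower().startswith("interface vlan"):
            name = hdr.split(" ", 1)[1]
            trunk = "switchport mode trunk" in body
            psec = "switchport port-security" in body
            if trunk and psec:
                # The post's warning: a second MAC address on an uplink shuts the port.
                findings.append(f"{name}: port-security on a trunk/uplink; the second MAC seen will shut the port")
            elif not trunk and not psec and "shutdown" not in body:
                findings.append(f"{name}: active access port with neither port-security nor shutdown (STEP8)")
    return findings
```

Running `audit(SAMPLE_CONFIG)` on the constructed excerpt returns three findings: the VTY lines, FastEthernet0/2 and FastEthernet0/24; FastEthernet0/1 (secured) and FastEthernet0/25 (shut down) pass.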


Guide to Set an IP through a Console Connection on a Cisco 2960 Switch

October 25 2011 , Written by Cisco & Cisco Router, Network Switch Published on #Cisco Switches - Cisco Firewall

Cisco Catalyst 2960 switch supports the assignment of IP addresses on all network interfaces. Adding an IP address to the Cisco Catalyst 2960 configuration is a necessary step to enable remote administration of the switch from any location on the network (which is preferred over the alternative administration method that requires physical connection to the serial console port on the switch). Configuring an IP address on the Cisco Catalyst 2960 using a serial console connection is a straightforward process that is the same for all interfaces on the switch.

 

Things you’ll need:

a. Cisco Catalyst serial console cable

b. Windows XP computer with 9 pin serial port

c. Privileged exec password for the Cisco Catalyst 2960 switch

d. IP address and subnet mask for the switch

 

How to Set an IP through a Console Connection on a Cisco 2960 Switch

1. Run a Cisco serial console cable from the Cisco Catalyst 2960 serial console port to the serial port on a Windows XP computer.

 

2. Open the "HyperTerminal" program by clicking the "Start" button, clicking "Run", typing "hypertrm" in the "Run" box that appears, and then pressing the "Enter" key.

 

3. Type "Cisco 2960" in the "Name:" field of the "HyperTerminal" window that appears and press the "Enter" key.

 

4. Select the "Connect using:" drop-down box, then in the menu that appears click the COM port that connects the Windows XP computer to the Cisco 2960 and press the "Enter" key.

 

5. Click the "Bits per second:" drop-down option and select the "9600" setting in the menu. Then click the "Flow Control" drop-down option and select "None" in the menu and press the "Enter" key.

 

6. Press the "Enter" key a few times and the Cisco command prompt will appear. Type "enable" and press the "Enter" key, then type the password and press "Enter" again if requested.

 

7. Type "config terminal" and tap the "Enter" key. Then type "interface Vlan1" and tap the "Enter" key and the command prompt will move into "Interface Configuration Mode".

 

8. Enter "ip address x.x.x.x y.y.y.y", substituting the "x.x.x.x y.y.y.y" with the assigned IP address and subnet mask for the switch and tap the "Enter" key. Then type "exit" and tap the "Enter" key to leave "Interface Configuration Mode" then type "ip default-gateway g.g.g.g", substituting "g.g.g.g" with the gateway IP address for the network and tap the "Enter" key.

 

9. Type "end" and tap the "Enter" key and then type "copy running-config startup-config" and tap the "Enter" key. Type "exit" and tap the "Enter" key.


Guide to Set an IP through a Console Connection on a Cisco 2960 Switch

October 21 2011 , Written by Cisco & Cisco Router, Network Switch Published on #Cisco Switches - Cisco Firewall
