Thursday, December 31, 2009

Cisco VSS configuration

I just finished standing up a Cisco VSS 1440 configuration for a client and thought I would put down a few notes about getting the system up and configured (with a script) plus some basic commands that are useful to know. There are also some quick notes on how to set up dual-active detection.

A basic configuration requires that both 6500 series chassis have the Sup720-10G, and currently VSS only supports X67xx series line cards plus some additional service modules like the FWSM, ACE and NAM. VSS also seems to really prefer line cards with the PFC 3C.

You have to prep the two chassis so they are able to connect and function as a VSS pair. To do this they must be running SSO and NSF prior to pairing, plus have the port-channel built out for the Virtual Switch Link (VSL).

So, the bit of script to do that on each chassis is:
!
redundancy
mode sso
exit
!
router ospf {process id}
nsf
exit
!

Next, build out the virtual switch domain; the domain number should be unique to the VSS pair:
!
switch virtual domain {domain # between 1-255}
switch {1 or 2 - designated switch number for that chassis}
exit
!

The VSL should run across a port-channel of ten gig:
! - switch 1
interface port-channel 1
switch virtual link 1
no shut
!
! - switch 2
interface port-channel 2
switch virtual link 2
no shut
!
! - next set up the ten gig ports - putting in the ten gig port on the sup720-10G in slot 5 plus a port from a x6708-10G in slot 6
! - switch 1
interface ten5/4
channel-group 1 mode on
no shut
! - add a second port
interface ten6/1
channel-group 1 mode on
no shut
!
! - switch 2
interface ten5/4
channel-group 2 mode on
no shut
! - add a second port
interface ten6/1
channel-group 2 mode on
no shut
!

Cisco recommends you set the Policy Feature Card (PFC) operating mode to 3C - this is assuming all your linecards have 3C PFC's in them - not always the case but here is how to do it:
!
platform hardware vsl pfc mode pfc3c
!

Now you finally get to issue the command that converts the existing chassis to a VSS-ready configuration. Basically, the next command uses the information you gave it (which switch number this chassis is) plus knowledge of the existing port configuration to generate a new configuration file that will work when paired with the other unit. It effectively prepends the switch number to the slot/port numbers. For example, in switch 1 the ten gig port in slot 5, port 4 is referred to in the current configuration as simply tengigabitethernet5/4, but in the new configuration it will be tengigabitethernet1/5/4. After it does this a reload is required for the configuration and pairing to work as expected. The command is:
!
switch convert mode virtual
!
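
To make the renaming concrete, here is an added Python example (not from this post, and not Cisco's code) that applies the same switch-number prefix to a text copy of a 6500 config, so you can compare what you expect against what the chassis produces after the reload. The set of interface-name forms it recognizes is an assumption about the common cases, not a statement of everything IOS handles.

```python
import re

# Added example, not from the post: a text-only model of the interface renaming
# that "switch convert mode virtual" performs. IOS does the real conversion on the
# chassis; this only rewrites "interface <type><slot>/<port>" lines for the
# interface types commonly seen on a 6500 (an assumption), so a saved copy of the
# config can be checked side by side with the converted one.
IFACE_RE = re.compile(
    r"^(?P<indent>\s*)(?P<kw>interface\s+)"
    r"(?P<type>(?:TenGigabitEthernet|GigabitEthernet|FastEthernet|Ten|Te|Gi|Fa)\s*)"
    r"(?P<slot>\d+)/(?P<port>\d+)(?P<rest>(?:\.\d+)?\s*)$",
    re.IGNORECASE,
)


def vss_interface_name(line, switch_number):
    """Return the VSS form of an 'interface <type>slot/port' line, or the line unchanged.

    Names that already carry three numbers (switch/slot/port) do not match the
    pattern, so running the conversion twice leaves the config as it is.
    """
    if switch_number not in (1, 2):
        raise ValueError("VSS switch number must be 1 or 2")
    m = IFACE_RE.match(line)
    if not m:
        return line
    return "{indent}{kw}{type}{sw}/{slot}/{port}{rest}".format(
        sw=switch_number, **m.groupdict())


def convert_config(config_text, switch_number):
    """Rewrite every interface name in a config text for the given VSS switch number."""
    return "".join(vss_interface_name(line, switch_number)
                   for line in config_text.splitlines(keepends=True))


# Constructed sample: the VSL ports from the post on switch 1, before conversion,
# plus a subinterface to show the ".n" suffix is preserved
SAMPLE_SWITCH1 = """\
interface port-channel 1
 switch virtual link 1
!
interface ten5/4
 channel-group 1 mode on
!
interface ten6/1
 channel-group 1 mode on
!
interface GigabitEthernet1/1.100
 description - sample subinterface
"""

if __name__ == "__main__":
    print(convert_config(SAMPLE_SWITCH1, 1))
```

The port-channel line is left alone on purpose: the VSL port-channel keeps its number, only the member ports gain the switch prefix.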

The first time the VSL comes up and pairs you need to put in a command telling the primary switch to pull configuration information over from the secondary. You do that with the following command:
!
switch accept mode virtual
!

That should be it; you should have a working configuration. The first time I did this it was very confusing because the traditional command sets for checking port-channels, modules or power status still worked - they just didn't display what I thought they would. There are specific commands for a VSS, and once you figure them out the whole configuration makes a lot more sense.

Some specific VSS common commands to use are:
!
show switch virtual link
show switch virtual link port-channel
show switch virtual link port
!
show switch role
!
! - commands that are modified for VSS so you can see information per switch chassis:
show mod switch 1
show mod switch 2
show power switch 1
show power switch 2
!

Of special note, if you look at the port-channel configuration for the VSL using traditional commands it will show as down/down. At first this was very confusing for me until I realized that the port-channel had effectively been virtualized and was controlled by the VSS process, and that you have to look at the status of the virtual link to determine what is happening. It also makes sense: you would never set up a port-channel to and from the same switch, so the switch should NOT bring the link up in that logical context, and having it only visible via the virtual link commands is the right behavior.

I think they should add some special reserved or locking commands for the port-channels you set up for the virtual link, because someone who is NOT familiar with VSS could easily think there are unused port-channels and potentially try to clean them out of the configuration, which could be bad. Hey, sometimes people don't read the descriptions on interfaces as much as you would like them to!

The next item to set up is Dual-Active Detection, which is how the switches detect that both chassis think they are the active system, and how to avoid that situation by detecting it quickly and telling one of the switches to stop acting as the active system. I think the quickest way to set this up is with Fast Hello using a Layer 2 Ethernet link between the two chassis, but you also have PAgP and BFD options. You can optionally use all of the methods together to help detect a Dual-Active condition.

To set up Fast Hello Dual-Active Detection simply pick two Ethernet ports on each chassis and do:
!
switch virtual domain {domain ID}
dual-active detection
exit
interface {type}{switch id/module/port}
switchport
dual-active hello
no shut
!

- Correction (01/18/10) - thanks Jay:
The correct syntax should be:
!
interface {type}{switch id/module/port}
no switchport
no ip address
dual-active fast-hello
!

To see if it is working do:
show switch virtual dual-active summary
show switch virtual dual-active fast-hello

That should get you started on the Cisco VSS bandwagon quickly. Send me a note if you see problems; this was based on 12.2(33)SXH code, so earlier code might have different commands.

- Correction (01/18/10) - thanks Jay:
The code release should be 12.2(33)SXI - I am running s72033-advipservicesk9_wan-mz.122-33.SXI3.bin and the configuration works.
- Ed

Monday, December 28, 2009

So, what advantages are there to having a Cisco VSS configuration?

I've been in several discussions with clients who are trying to understand the benefit of Cisco VSS vs a Nexus 7k approach for new data center deployments. Cisco has some excellent information out there on differences between the two platforms but if you haven't been on the lookout to upgrade your network infrastructure you might have missed the discussion.

I think both the Cisco VSS and Nexus solutions address many of the frustrations of people who are building larger data centers with virtualization. Specifically, they want a way to get redundancy and high availability plus very large bandwidth into their server farms without building out a massive layer 3 network, which can cause limitations for virtualization solutions. One of the advantages for companies that are not doing virtualization (perhaps their applications require all the CPU and memory of the host server) is that the architecture works equally well for them.

Cisco has built some specific solutions around virtualization plus data center; their recent announcement of the UCS products is one of them. I am not going to bother discussing that in this post, and if you want to know more about it I suggest reading Colin McNamara's blog - he covers it really well, so there is no reason to repeat it here.

So why would you pick a Cisco VSS solution vs a Cisco Nexus solution? There isn't an obvious answer at first blush.

Here is the short list of reasons to pick VSS first:
1. Having staff who understand and are familiar with the Cisco 6500 series and already support a lot of them.
2. The requirement for having service modules in the solution, something VSS supports but Nexus does not.
3. Moving from an existing investment in 6500's with Sup720-10G's to a highly available, redundant solution split across multiple chassis - gear reuse.
4. Wanting tight fault tolerance solutions with other Catalyst switching platforms.
5. Being able to provide Multichassis EtherChannel (MEC) to downstream or upstream devices.

Here is the short list of reasons to pick Nexus first:
1. Running into throughput and performance problems with a 6500 solution at the core or distribution layer, especially due to service modules impacting performance.
2. Wanting to move to independent point devices for services like firewalling, load balancing, network analysis and wireless. Perhaps you like a different vendor's load balancer or firewall products that run at much higher throughputs.
3. Moving to very high density 1 and 10G server solutions that can grow and scale for investment protection.
4. Moving to the next generation platform, where Cisco will be investing its research and dollars.
5. Being able to provide Multichassis EtherChannel (MEC) to downstream or upstream devices.

So, if you are building out a data center soon that will require a 5-7 year lifespan then I really suggest moving to the Nexus platform now. Cisco is making the pricing just as attractive as the 6500 series but you gain all the advantages of moving to the next generation of platform.

If your time horizon is shorter for changing out your data center network equipment then the Cisco 6500 VSS solution is a great transition product which allows the re-use of your 6500 chassis and investment in supervisors (if you have Sup720-10G's already) and service modules.

The reality is that you will likely have both within your data center if you are reusing service modules. You can then run those service modules in 6500 series with 10Gig to a core Nexus platform, with the 6500's running VSS MEC to the Nexus 7000's running vPC MEC.

Both solutions will work for MEC to your downstream server farms, and VSS has been upgraded to support 512 Port-Channels in a single chassis, more than enough considering many servers are getting 4 x 1Gig ports or more channeled together to the network.
- Ed

Tuesday, December 22, 2009

Cisco IP SLA

There was an interesting request on the Silicon Valley Cisco User Group mailing list the other day regarding how to get a Cisco switch to do a continuous ping, similar to how you do ping -t via the Windows command line.

The idea I mentioned was using Cisco IP SLAs to do the same thing and simply watching the statistics of the SLA to determine if things are working as expected. I had just set this up to keep an IPsec tunnel up and tested for a client, so it seemed timely.

In addition, you can use this to watch IPsec tunnels or other links and change routing behavior based on the tunnel status using the track command.

A bit of code to get you started:
! - define an SLA
ip sla 1
icmp-echo {IP to ping} source-ip {IP to source traffic from}
timeout 1000
!
! - set up a schedule for the SLA to run - this will run forever
ip sla schedule 1 life forever start-time now
!
! - set up a track and make its status dependent on the SLA
track 1 ip sla 1
!

To see the statistics simply do:
show ip sla statistics 1

That is it, simple but effective. It is a great tool if you are doing site-to-site tunnels with a firewall that is not participating in routing: it allows you to route around tunnels being down so you can have a semi-dynamic failover.
- Ed

Monday, December 21, 2009

Remote network console hardware options

There are a lot of good options available today in remote network console management devices. The following are some pretty common manufacturers out there with some brief thoughts on each; the opinions are my own, so do your own homework!
On the high end is Uplogix who has tailored solutions for remote Cisco automated management and recovery plus remote console management. They have an excellent solution that is great for enterprise customers who need the sort of features and support that their product provides. As a result they have a tendency to be a more expensive solution but you get what you pay for in this case.

On the flexible and cool side is Opengear, who have some of the most cost effective remote console management devices out there, and they are also running open source code. They allow you to script and do lots of other nice things due to their openness. A great option for labs, or if you have time to invest in writing the scripts to automate things. So you can do much of what Uplogix is doing, but you have to create it on your own. Their advanced console unit even includes storage space to store IOS images and configuration files.

There is also APC which has nice integration with their PDU solutions. They have been around a long time but their console management is only a portion of a much bigger solution so I don't think it gets as much attention as the likes of Opengear or others.

Avocent purchased Cyclades several years ago, and Cyclades has been in use in data centers for years and years. Avocent has kept the Cyclades product line and has done a good job maintaining it. It is getting a bit long in the tooth now, but it is still an excellent console management device.

To round it out, Raritan: to be honest I haven't used them much and don't see them deployed very often for console management; I see them a lot for remote KVM. I am sure their solution is a workable one, I just don't have any experience with it.
- Ed

Saturday, December 19, 2009

Henry M. Gunn High School makes US News top 100 school list

Seems my HS is still making the US News and World Report top 100 school list. Proud to see they are still keeping high standards even in the face of all the recent suicide issues, state cutbacks, etc. I hope it can weather through and continue to do well.
Go Titans!
- Ed

Friday, December 18, 2009

Cisco DMVPN - useful commands

Once you have a Cisco dmvpn deployment up and running there are some useful commands you should know to figure out what is going on. Primarily these are no different than the routing and vpn command sets you already know and use. Commands like:
show ip interface brief
show ip eigrp neighbor
show crypto isakmp sa
show crypto ipsec sa
show ip route

The dmvpn specific commands would be:
show dmvpn {detail}
sh ip nhrp {brief}

If you have multiple dmvpn tunnel configurations on the router (the spoke is connected to two different dmvpn hubs) then:
show dmvpn interface tunnel {number}
is a useful command to know what peers and routes are coming from which dynamic tunnel.

I think one of the toughest things with dmvpn compared to a static ipsec/gre/eigrp configuration is that you don't have a specific logical tunnel for each remote router that is connecting. This causes two problems: it is tough to know which sites are having issues, and it is hard to get specific bw numbers out of the router without watching crypto maps. With a static ipsec/gre/eigrp configuration you can graph the tunnel interface and know how much traffic that tunnel is consuming at any given moment. With dmvpn this is much tougher, as the spoke-to-spoke tunnels are transient and only up when they are needed between spoke locations. The only constant is the tunnel between the spoke and the hub/hubs.

To be honest, the thing I love the most about dmvpn is the fact that from a routing perspective it behaves very much like a fullmesh mpls deployment, which is very common today. So a dmvpn solution is an excellent mpls backup solution that leverages local Internet access connections while not requiring odd routing tricks to make the sites behave correctly. For voice deployments with remote offices or soho sites it is an excellent solution, and it gives the remote site all the characteristics and advantages of a fullmesh site but with the cost effective bw of the high speed Internet access available today.
- Ed

Thursday, December 17, 2009

Cisco DMVPN sample spoke script

Now that you have the hub script, let's set up a spoke. This configuration will get the remote site up and connected to the hub via ipsec/gre/eigrp so you can actually see your routing neighbor peers with commands like:
show ip eigrp neighbor

!#####
! - DMVPN Spoke script - sample 2811 router running 12.2.x ios code
!
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
!
hostname {router hostname}
!
logging count
logging message-counter syslog
logging buffered 4096
!
no aaa new-model
clock timezone PST -8
clock summer-time PDT recurring
!
no ip source-route
!
ip cef
!
no ip domain lookup
ip domain name {example.com}
no ipv6 cef
!
username {name} privilege 15 secret {some super secret password}
!
crypto isakmp policy 1
encr aes
authentication pre-share
group 2
crypto isakmp key {some long preshared key} address 0.0.0.0 0.0.0.0
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 10
!
crypto ipsec transform-set {some string like companyname-tset} esp-aes esp-sha-hmac
!
crypto ipsec profile {some string like companyname-prof}
set transform-set {same string like companyname-tset}
!
interface Loopback0
ip address {loopback IP} 255.255.255.255
no shut
!
interface Tunnel0
description - DMVPN Tunnel Interface - Spoke configuration
bandwidth {set to the same as the internet bw - like 1544}
ip address 10.100.100.2 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication {some string - has to match on the spokes}
ip nhrp map multicast {Public IP of Hub}
ip nhrp map 10.100.100.1 {Public IP of Hub}
ip nhrp network-id {some id - match it to the eigrp AS}
ip nhrp holdtime 300
ip nhrp nhs 10.100.100.1
ip virtual-reassembly
ip tcp adjust-mss 1360
no ip mroute-cache
load-interval 60
delay 400
keepalive 5 4
tunnel source FastEthernet0/1
tunnel mode gre multipoint
tunnel key {some number - needs to match the hub}
tunnel protection ipsec profile {same string like companyname-prof}
no shut
!
interface FastEthernet0/0
description ***Internal LAN connection to switching core***
ip address {LAN IP} 255.255.255.0
no ip redirects
ip virtual-reassembly
duplex auto
speed auto
no shut
!
interface FastEthernet0/1
description ***External Internet connection to outside switch***
ip address {Public IP of Spoke} {Subnet of Public IP}
ip access-group inet in
no ip redirects
ip virtual-reassembly
duplex auto
speed auto
no shut
!
router eigrp {eigrp AS number}
redistribute connected route-map redistribute-connected-rm
network 10.100.100.0 0.0.0.255
network {LAN IP} 0.0.0.255
no auto-summary
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 {DG of Public IP}
no ip http server
no ip http secure-server
!
ip access-list standard redistribute-connected
permit {Loopback IP}
!
ip access-list standard vty_access
! - permit remote IP's
permit {public ip} {inverse public subnet} log
! - permit internal IP's
permit 10.0.0.0 0.255.255.255 log
!
ip access-list extended inet
remark Access list for Internet interface - permits DMVPN
permit udp any host {public IP of spoke} eq non500-isakmp
permit udp any host {public IP of spoke} eq isakmp
permit esp any host {public IP of spoke}
permit ahp any host {public IP of spoke}
permit gre any host {public IP of spoke}
! allow ssh to the public interface
permit tcp {remote public ip} {inverse public subnet} host {public IP of spoke} eq 22
! allow icmp if you want
permit icmp any any echo
permit icmp any any echo-reply
permit icmp any any time-exceeded
permit icmp any any unreachable
deny ip any any
!
snmp-server community {some string} RO
snmp-server location {some location}
snmp-server contact {some contact and number}
!
route-map redistribute-connected-rm permit 10
match ip address redistribute-connected
!
banner login ^

--------------------------------------------------------------------------


{Some Company Name}

{some threatening statement telling people to go away}

{some statement claiming everything is being logged}


----------------------------------------------------------------------------
^
!
alias exec st sh ip int brief
!
line con 0
login local
line aux 0
login local
line vty 0 4
access-class vty_access in
exec-timeout 10 0
login local
transport input ssh
line vty 5 15
access-class vty_access in
exec-timeout 10 0
login local
transport input ssh
!
ntp server {public NTP server IP}
end
!
!#####

As with the previous hub script, this doesn't have any CBAC or Zone Based firewalling in it, for the same rationale. This is also using preshared keys; the router has to go through an enrollment process to use certificates, which I will cover in a later post. As before, this is provided as is; it isn't perfect but should get you started in getting something up and running with minimal effort.
- Ed

Wednesday, December 16, 2009

Cisco DMVPN sample hub script

I've done enough dmvpn turn ups now that having some scripts is really useful. The first one is for the hub configuration. I have left it with an eigrp routing protocol configuration but it isn't that different to use ospf and it will give you something to look up and figure out. I'll post a separate entry for the spoke configuration next.

!#####
! - DMVPN Hub script - sample 2821/51 or 3825/45 routers running 12.2.x ios code
!
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
!
hostname {router hostname}
!
logging count
logging message-counter syslog
logging buffered 4096
!
no aaa new-model
clock timezone PST -8
clock summer-time PDT recurring
!
no ip source-route
!
ip cef
!
no ip domain lookup
ip domain name {example.com}
no ipv6 cef
!
username {name} privilege 15 secret {some super secret password}
!
crypto isakmp policy 1
encr aes
authentication pre-share
group 2
crypto isakmp key {some long preshared key} address 0.0.0.0 0.0.0.0
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 10
!
crypto ipsec transform-set {some string like companyname-tset} esp-aes esp-sha-hmac
!
crypto ipsec profile {some string like companyname-prof}
set transform-set {same string like companyname-tset}
!
interface Loopback0
ip address {loopback IP} 255.255.255.255
no shut
!
interface Tunnel0
description - DMVPN Tunnel Interface - Hub configuration
bandwidth {set to the same as the internet bw - like 1544}
ip address 10.100.100.1 255.255.255.0
no ip redirects
ip mtu 1400
ip nhrp authentication {some string - has to match on the spokes}
ip nhrp map multicast dynamic
ip nhrp network-id {some id - match it to the eigrp AS}
ip nhrp holdtime 300
ip virtual-reassembly
ip tcp adjust-mss 1360
no ip split-horizon eigrp {eigrp AS number}
no ip mroute-cache
load-interval 60
delay 400
keepalive 5 4
tunnel source GigabitEthernet0/1
tunnel mode gre multipoint
tunnel key {some number - needs to match the spokes}
tunnel protection ipsec profile {same string like companyname-prof}
no shut
!
interface GigabitEthernet0/0
description ***Internal LAN connection to switching core***
ip address {LAN IP} 255.255.255.0
no ip redirects
! - sample summary route statement
! ip summary-address eigrp 10.10.0.0 255.255.0.0 5
duplex auto
speed auto
no shut
!
interface GigabitEthernet0/1
description ***External Internet connection to outside switch***
ip address {Public IP of Hub} {Subnet of Public IP}
ip access-group inet in
no ip redirects
duplex auto
speed auto
no shut
!
router eigrp {eigrp AS number}
redistribute connected route-map redistribute-connected-rm
network 10.100.100.0 0.0.0.255
network {LAN IP} 0.0.0.255
no auto-summary
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 {DG of Public IP}
no ip http server
no ip http secure-server
!
ip access-list standard redistribute-connected
permit {Loopback IP}
!
ip access-list standard vty_access
! - permit remote IP's
permit {public ip} {inverse public subnet} log
! - permit internal IP's
permit 10.0.0.0 0.255.255.255 log
!
ip access-list extended inet
remark Access list for Internet interface - permits DMVPN
permit udp any host {public IP of hub} eq non500-isakmp
permit udp any host {public IP of hub} eq isakmp
permit esp any host {public IP of hub}
permit ahp any host {public IP of hub}
permit gre any host {public IP of hub}
! allow ssh to the public interface
permit tcp {remote public ip} {inverse public subnet} host {public IP of hub} eq 22
! allow icmp if you want
permit icmp any any echo
permit icmp any any echo-reply
permit icmp any any time-exceeded
permit icmp any any unreachable
deny ip any any
!
snmp-server community {some string} RO
snmp-server location {some location}
snmp-server contact {some contact and number}
!
route-map redistribute-connected-rm permit 10
match ip address redistribute-connected
!
banner login ^

--------------------------------------------------------------------------


{Some Company Name}

{some threatening statement telling people to go away}

{some statement claiming everything is being logged}


----------------------------------------------------------------------------
^
!
alias exec st sh ip int brief
!
line con 0
login local
line aux 0
login local
line vty 0 4
access-class vty_access in
exec-timeout 10 0
login local
transport input ssh
line vty 5 15
access-class vty_access in
exec-timeout 10 0
login local
transport input ssh
!
ntp server {public NTP server IP}
end
!
!#####
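
The inet access list used in this hub script and in the spoke script above is the only control on what the Internet interface accepts, so it is worth checking exactly what it permits. The following Python is an added example, not from this post and not Cisco's code: it parses the ACL lines as written here and evaluates constructed sample packets against them; the addresses are made-up stand-ins for the post's placeholders, and only the ACL forms that appear in the post are handled.

```python
import ipaddress

# Added example, not from the post: a first-match evaluator for the "inet" ACL that
# both the spoke and hub scripts apply inbound on the Internet interface. It parses
# the ACL lines as written in the post and runs constructed sample packets through
# them, so the policy the ACL actually enforces can be reviewed before it is pushed.
# Assumptions: no source ports, no "range", contiguous wildcard masks, "log" ignored.

PORT_NAMES = {"isakmp": 500, "non500-isakmp": 4500, "ssh": 22}

# Constructed stand-ins for the post's placeholders
ROUTER_PUBLIC_IP = "198.51.100.10"     # {public IP of hub} / {public IP of spoke}
MGMT_NET = "203.0.113.0 0.0.0.255"     # {remote public ip} {inverse public subnet}

INET_ACL = f"""\
ip access-list extended inet
 remark Access list for Internet interface - permits DMVPN
 permit udp any host {ROUTER_PUBLIC_IP} eq non500-isakmp
 permit udp any host {ROUTER_PUBLIC_IP} eq isakmp
 permit esp any host {ROUTER_PUBLIC_IP}
 permit ahp any host {ROUTER_PUBLIC_IP}
 permit gre any host {ROUTER_PUBLIC_IP}
 ! allow ssh to the public interface
 permit tcp {MGMT_NET} host {ROUTER_PUBLIC_IP} eq 22
 ! allow icmp if you want
 permit icmp any any echo
 permit icmp any any echo-reply
 permit icmp any any time-exceeded
 permit icmp any any unreachable
 deny ip any any
"""

def _parse_addr(tokens):
    """Consume one IOS address spec (any | host A | A WILDCARD); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    addr, wildcard = tokens[0], tokens[1]
    # An IOS wildcard mask is the bitwise inverse of the subnet mask
    netmask = ipaddress.ip_address(0xFFFFFFFF ^ int(ipaddress.ip_address(wildcard)))
    return ipaddress.ip_network(f"{addr}/{netmask}", strict=False), tokens[2:]

def parse_ace(line):
    """Parse one permit/deny entry; headers, remarks and '!' comments return None."""
    tokens = line.split()
    if len(tokens) < 4 or tokens[0] not in ("permit", "deny"):
        return None
    action, proto = tokens[0], tokens[1]
    src, rest = _parse_addr(tokens[2:])
    dst, rest = _parse_addr(rest)
    dport = icmp_type = None
    if rest and rest[0] == "eq":
        dport = PORT_NAMES.get(rest[1]) or int(rest[1])
    elif rest and proto == "icmp" and rest[0] != "log":
        icmp_type = rest[0]
    return {"action": action, "proto": proto, "src": src, "dst": dst,
            "dport": dport, "icmp_type": icmp_type}

def parse_acl(text):
    return [ace for ace in map(parse_ace, text.splitlines()) if ace]

def evaluate(acl, pkt):
    """Return 'permit' or 'deny' for a packet; the final 'deny' is IOS's implicit one."""
    for ace in acl:
        if ace["proto"] != "ip" and ace["proto"] != pkt["proto"]:
            continue
        if ipaddress.ip_address(pkt["src"]) not in ace["src"]:
            continue
        if ipaddress.ip_address(pkt["dst"]) not in ace["dst"]:
            continue
        if ace["dport"] is not None and pkt.get("dport") != ace["dport"]:
            continue
        if ace["icmp_type"] is not None and pkt.get("icmp_type") != ace["icmp_type"]:
            continue
        return ace["action"]
    return "deny"

# Constructed sample traffic arriving inbound on the Internet interface
SAMPLE_PACKETS = {
    "ike from a peer": dict(proto="udp", src="192.0.2.5", dst=ROUTER_PUBLIC_IP, dport=500),
    "nat-t from a peer": dict(proto="udp", src="192.0.2.5", dst=ROUTER_PUBLIC_IP, dport=4500),
    "esp from a peer": dict(proto="esp", src="192.0.2.5", dst=ROUTER_PUBLIC_IP),
    "ssh from mgmt net": dict(proto="tcp", src="203.0.113.7", dst=ROUTER_PUBLIC_IP, dport=22),
    "ssh from the internet": dict(proto="tcp", src="192.0.2.5", dst=ROUTER_PUBLIC_IP, dport=22),
    "telnet from mgmt net": dict(proto="tcp", src="203.0.113.7", dst=ROUTER_PUBLIC_IP, dport=23),
    "ike aimed at an inside host": dict(proto="udp", src="192.0.2.5", dst="10.1.1.1", dport=500),
    "icmp echo from anywhere": dict(proto="icmp", src="192.0.2.5", dst=ROUTER_PUBLIC_IP, icmp_type="echo"),
    "icmp redirect from anywhere": dict(proto="icmp", src="192.0.2.5", dst=ROUTER_PUBLIC_IP, icmp_type="redirect"),
}

def audit(acl_text=INET_ACL, packets=SAMPLE_PACKETS):
    """Map each sample packet label to the verdict the ACL gives it."""
    acl = parse_acl(acl_text)
    return {label: evaluate(acl, pkt) for label, pkt in packets.items()}
```

Calling audit() shows the intended shape of the policy: IKE, NAT-T and ESP from any peer reach the router's own public address, SSH works only from the management network, and anything aimed past the router or at another port falls through to the closing deny.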

The script doesn't have any CBAC or Zone Based Firewalling configured on it - honestly that is easier to set up after you have the dmvpn up and working. This is for a preshared key configuration which is the easiest to get up and running but is nowhere near as secure as certificate based dmvpn deployments. Just setting up the certificate server on the router deserves its own post so I will wait on that one. This is provided as is, it isn't perfect but should get you started in getting something up and running with minimal effort.
- Ed

Tuesday, December 15, 2009

Network Troubleshooting - some thoughts

After doing several late night and weekend cutover and integration projects I realized that much of my network troubleshooting ability is not based on a specific checklist of items (though I am going to build one) but on disciplines that I learned while in engineering school.

Specifically, much of my time is spent gathering known variables, quickly writing up what the problem statement and conditions are, and then forming a hypothesis that I can work from to solve the problem at hand. Often, keeping the scope of the problems small and discrete helps; utilizing the engineering principle of KISS (Keep It Simple Stupid) minimizes the feeling of being overwhelmed by an issue. This is especially true when you are in a stressful situation due to limited time or the inability to roll back a solution - both are to be avoided at all cost, but often in the world of consulting they are why you are brought into a project in the first place. I guess that goes with the territory.

There are lots of great resources out there that define the principles of engineering, so I won't bother with links to those. I have found that the major process I use is not so different from the design principles you use to design and deploy networks. Cisco has a whole methodology built around this, and those who have suffered through their study materials know the PPDIOO mantra.

I think I prefer the more classic engineering school outline, something like:
Identify and understand the problem
Gather information
Generate several solutions
Choose the best of those solutions (KISS)
Prototype the solution
Deploy the solution
Redesign/Retest
Report on results

Each problem you face can be broken down and solved with this method; the difference between those who do network troubleshooting well and those who do not seems to be the ability to quickly gather information and analyze a situation, pick the best solution and then rapidly deploy and tweak it. This often comes with age and experience, but I am amazed at how many colleagues I have watched over the years who do not follow any of these principles while troubleshooting problems. I have primarily noticed the lack of this engineering trait in those who did not go through formal engineering school or a technical trade. I have found that those with a military background adhere to a similar principle, though slightly adjusted to the function the military provides. They seem to function well in solving these sorts of technical problems too, so clearly there is a reason I meet so many former military in the networking field.

Another funny item I have noticed over the years is the fact that no matter how much planning and scripting you do it is the small things that seem to get you. I am not entirely sure why this is, perhaps they are easily overlooked while planning and deploying. Regardless, to catch them the KISS principle is remarkably useful in ferreting out those small problems.

I by no means claim that my engineering degree makes me a better troubleshooter than some of my peers who do not have one; I have met some amazing people in this field, and clearly some people simply have the native instinct and problem solving skills needed to outperform others.
- Ed

Sunday, December 13, 2009

Shrew Soft - 2.1.5 vpn client released

Following on from my previous posts about 64-bit vpn clients, there is a good addition to the list of options outside of Cisco for the Windows 7 64-bit OS, and that is Shrew Soft, who just released an update to their client which supports Windows 7. The best part is that you can import Cisco PCF files. I've had good success when using it with Cisco ASA and PIX vpn configurations and some mixed results with the Cisco VPN 3000 concentrator.
The current version is 2.1.5 but the 2.1.4 release worked on my Windows 7 64-bit client also. I have several clients also using it and they have not had any issues either. Hats off to the folks at Shrew Soft - appreciate having a working 64-bit IPsec client that is easy to use for Windows 7.
- Ed

Saturday, November 28, 2009

Cisco AnyConnect Client

For those that are still using the older AnyConnect Client there are several reasons to upgrade to the newer 2.4.0202 release or at a minimum the 2.3.2016 release. The 2.3.2016 fixed some issues with passcode vs password prompts within the Client windows when logging in. If you are using RSA SecurID I would recommend moving to 2.3.2016 or 2.4.0202 to avoid the sort of confusion the older client presents for end users.

The release notes for AnyConnect 2.4.0202 are here. Note that this version officially supports Microsoft Windows 7 32 and 64 bit and Apple OS X 10.6 and 10.6.1 both 32 and 64 bit.

One of the more interesting features they added was the Trusted Network Detection (TND) which in essence allows the AnyConnect client to determine when it is already on a trusted network and disconnect from the VPN or if it is NOT on a trusted network to initiate the VPN connection. I think this feature might need a bit of time before it works out all the kinks but it looks promising. I see it as an attempt by Cisco to address the unique abilities of Microsoft's DirectAccess feature without having to engineer anything new.
- Ed

Cisco ASA ASDM update

Cisco has had ASA 8.2.1(11) code out for about 2 months. I have several customers running it now because it addressed a lot of problems with the 8.2.1 code release that came out in May (the release notes are here - login may be required.) I recommend running it, it has been stable.

There is also a new ASDM version 6.2.3 that just came out in the beginning of Nov. I think 6.2.1 has been a good stable version so far with no major problems that I have encountered however I can never find a lot of release notes for the ASDM software for some odd reason. I haven't installed 6.2.3 yet on a production ASA deployment so no formal thoughts about it yet.

I also thought Cisco was going to keep ASA code and ASDM code releases in lock step with each other so it would be easier to tell which release of ASDM code goes with which release of ASA code, but I guess that only goes for the first minor number and not the sub-numbers of interim releases. A shame, because it does make life easier for people who don't use and/or install the ASA products on a regular basis to figure out which code they should be running and what works together. If you need PSIRT images they are available here. Even if you are not on a current contract you can download and use these versions, as they address major security vulnerabilities that Cisco considers important enough to give out the code to fix the issue. The most recent code release under that PSIRT is 8.2.1(3), which is pretty new (June of 2009).

I have not noticed any specific Java issues with any of the newer ASDM releases; it looks like Cisco is paying more attention to that problem and making sure ASDM just works instead of having to fiddle around with Java versions and such.

On a side note, 8.2 code on the 5510's can be a problem, and Cisco is recommending a memory upgrade for the 5510 series so that it can run without major performance problems. There is no problem installing and running the code on the 5510's at all; it is just an issue of how much memory is consumed depending on how much you are doing on the ASA. Something to keep in mind. I really prefer the 5520 model for this reason, plus all the interfaces on the 5520's are Gigabit with the exception of the Management interface (which just seems to be a cheap cost-cutting measure), which is 10/100.
- Ed

Monday, November 23, 2009

Follow up items to NAC / 802.1x post

I realized I left out some important clarifications on my post about NAC and 802.1x, so here they are in no particular order. I've included some other random thoughts too, just to keep life interesting.

1. I did not do a Cisco NAC Appliance + 802.1x (Cisco NAC Framework) deployment configuration, which would likely address some of the items in the fourth point. I would still argue that for trusted hosts that are able to run virtual machines you can still have issues with the overall security deployment, and you need that HR/Security policy and procedures.

2. I did not address VMware's View (VDI) or ACE platforms, or Microsoft's Remote Desktop, or Citrix's XenApp or XenDesktop, since they are all inherently remote access methods. I have not had a chance to look into the authentication methods View supports, but I imagine for the thin client machines simple MAC based security would suffice along with ACL's if a large thin client deployment is done.

For ACE I would recommend building out the internal network with 802.1x with a default guestnet configuration, letting machines boot and get Internet access, and then launching the ACE desktop to connect via VPN, just as if they were out on the public Internet. I would use this same method for people running View on a desktop or laptop since they have an underlying OS. With both of these solutions I see limited value in attempting to do single sign on or an 802.1x supplicant in the native OS. Basically you are building a public access network where View is the only service available or, in the case of ACE, where they have to VPN back for resources just as if they were on the public Internet.

3. I did not address the function of most of the agents used in NAC solutions and what benefit you might get from them. For instance, Cisco's Trust Agent (CTA) can allow the end host to pass posture information to Cisco ACS and can work with Cisco Security Agent (CSA) to build a more comprehensive solution. Basically, CTA was the first NAC client agent (2004?) and allows end hosts to work with a AAA server to do both authentication and posture validation.

CSA is different; it works independently on the end host, watches the behavior of the native OS and basically denies any activity that looks outside the normal behavior of that machine. It doesn't care what an application or service is trying to do; if it isn't something that has been previously defined as ok, it blocks it. It can run in a centrally managed or standalone configuration. So, if you glue the two together you get health posture/remediation + validation of machine and end user + a very secure end host with a reduced exploitable footprint.

4. Some IT professionals argue it is easier and cheaper to run a VMware View setup (or a Pano Logic configuration) and just blow away potential desktops that don't meet company standards or appear to have issues (security or otherwise). They argue it is more cost effective to simply deploy a new desktop than to determine what is wrong. They often also say you do not need to incur the cost of deploying either NAC or 802.1x solutions since everything is resident back on a VMware ESX host. I think the cost argument for not wasting time trying to determine what has gone wrong on a desktop OS makes sense. I would still argue that you want some sort of endpoint security to keep foreign systems from accessing your View configuration or ESX host. Also, you will still need to audit your systems for security issues, and while patching the OS might have gotten easier and even automated, the exposure from guest hosts isn't any different.

5. I think it is sort of obvious right now but I didn't mention it specifically: there is no unified framework or management method for deploying this as a solution right now. What does this mean for IT Professionals who are running and maintaining this? It is possible to break NAC or 802.1x by doing a simple upgrade of your AAA service or radius solution if there is a bug. It is possible to lock everyone out of the network by applying the wrong policy configuration (always have a backup reserved port with no 802.1x or NAC authentication on it!), and you have to manage this on all the network devices connected to your network.

6. To the best of my knowledge there is no way to automate deployment of new switches on the network and have them self provision with 802.1x. You can avoid trusting a new switch connection by using Cisco TrustSec but I have not seen a lot of activity in that area myself.

7. I think there might be something to the argument that deploying an all-wireless network (no public access switchports) might be more secure in some cases. You can't address the DOS problems with wireless spectrum, so that is a negative, but it is a single unified solution for wireless. Everything else is back in the datacenter on a trusted, well known port.

8. I think there is also something to be said for shops that deploy everything in a data center and require everyone to VPN in to access content. Then they simply build out public access networks at their office locations and don't worry about port security. As bandwidth has gotten cheaper and cheaper this solution seems viable. With Cisco's AnyConnect client being able to auto reconnect it makes this a more tolerable solution to end users since they don't have to reconnect via VPN if they disconnect by losing network connectivity.

9. I believe Microsoft's DirectAccess solution is a great way to extend a corporate network with trusted client machines and still get the same sort of policy management. The solution allows IT professionals to run basic 802.1x. For machines that don't run a supplicant it still provides them basic corporate services in a dynamic VPN configuration, no different than if they were on the public Internet, by having them fall back to guestnet access. In addition, they can run Microsoft's NAP solution with DirectAccess and have all the posture and remediation work happen regardless of location. The best part is that 802.1x can be run and maintained by the network team and NAP by the server team, and neither solution gets in the way of the other for the most part.

Ok, that is it for now, I am sure I'll think of something else and I know I've forgotten a point or two so I will post again when they resurface in my head.
- Ed

Thursday, November 19, 2009

802.1x and NAC - Some thoughts

I spent the better part of a week getting 802.1x up and working for both wired/wireless utilizing Cisco ACS, a 6500 switch and a wireless lan controller, plus I also have been working on a separate Cisco NAC Appliance deployment. After spending this much time on getting things working I thought I would review what I consider the benefits and downfalls of the solutions.

First, regarding Cisco NAC Appliance - the product works and is relatively easy to set up but is only full featured as a layer 2 solution right now, imho. The client is way behind where it should be, and the layer 3 out of band solution is extremely lacking in the functionality that it really should have and that clients expect. If Cisco is able to make some of the improvements that they are talking about for the NAC Profiler + 802.1x infrastructure + ACS combo then it might be worth the effort, but the price is still extremely high. The plus side is the integration with third party anti-virus solutions is excellent, so posture and remediation should be leveraged with the product, as you don't get that with a pure 802.1x deployment.

Second, Cisco ACS as a product is too long in the tooth and needs to be retooled. For those of us who have been around awhile, ACS was what you used for dial up access, AD authentication integration (TACACS/Radius) and policy management for network devices. They are attempting to utilize it as a policy management and framework engine, and the interface and layout of the device is so circa 2000 it can't accommodate today's policy engine requirements. For example, even understanding how to get certificates loaded onto the platform and how they are being used is almost impossible to figure out, and the limited logging and debug output is frustrating. Plus the additional burden of it being different depending on which OS solution you choose to deploy adds even more frustration into the mix. Building out Network Access Profiles isn't particularly intuitive or fun on the product either, and many of the management functions are not in places you would think they should be. Also, you have to restart the ACS server way too many times for even the smallest changes; that really needs to get fixed.

Third, the 802.1x wired solution is not the security be-all that some seem to think it is. There are challenges with getting the solution to work correctly with IP handsets from different manufacturers, and the additional challenge of all the devices out there that do NOT have a supplicant built in and never will. This list includes network items like: printers, scanners, ip cameras, badge readers, environmental sensors, out of band console management, remote power devices, hvac controllers, lighting system controllers, projectors, AV systems, and the list goes on and on. That being said, for end client machines, regardless of OS, 802.1x does have broad support, and setting up supplicants to work properly is relatively easy and painless. The configuration for the switchport on the 6500 is pretty straightforward; a simple configuration like the following is all that is needed for 12.2.33SXI or newer code:
!
interface GigabitEthernet1/1
description - Standard 802.1x switchport
switchport
switchport access vlan 666
switchport mode access
switchport voice vlan 20
! - the next 4 lines are optional
authentication event fail action authorize vlan 666
authentication event server dead action authorize vlan 666
authentication event no-response action authorize vlan 666
authentication event server alive action reinitialize
authentication port-control auto
dot1x pae authenticator
! - the next line just changes the default value
dot1x timeout supp-timeout 10
auto qos voip trust
spanning-tree portfast edge
no shutdown
!

Assuming you have a guestnet vlan 666 or some sort of equivalent limited vlan role, you can make some very interesting default behaviors for 802.1x when foreign clients with no 802.1x supplicant connect to your network. I set up the additional options to allow the radius server to tell the switch what vlan to put the port on depending on the logon credentials. The extremely useful part of this is that you can use the same principle to assign wireless vlan assignments while using a single SSID. You can even do the same default privilege configuration where, if they fail to authenticate, they are put in the guestnet vlan.

Fourth, you need a combination of switchport security, 802.1x and a well documented physical access policy to ensure compliance to make the whole thing work. The reality of the matter is that folks who are trusted (have valid logon credentials) and want to do something malicious still can. I have been able to get several virtual machine combinations to bypass 802.1x and NAC deployments, allowing non-approved client OS's full access to the network. I have also been able to completely lock out legitimate client machines due to poor timeout combinations between the 802.1x supplicant, the OS IP address request timers and the switchport. Then there is the issue of timing for logouts and host machines whose switchport does not go down on reboots, allowing alternate OS's to be booted and gain access without violating MAC based security either. For example, if an already authenticated client machine in the correct vlan is hard powered off but the host's NIC adapter does not go "down" (several well known manufacturers' workstations do this) and the machine boots into a new OS (knoppix for instance) and comes back up with no supplicant and does a simple dhcp request, it will get an IP address on the authenticated network and have the same MAC address as the trusted authenticated OS. Clearly not as secure as everyone thinks.
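The interface configuration above only takes effect once 802.1x and RADIUS are enabled globally on the switch, and the RADIUS-driven vlan placement described above depends on a network authorization line plus three standard attributes in the RADIUS Access-Accept. The following is an added example and not configuration from the original post: it shows the assumed global side of the same 12.2(33)SXI-style CLI, the RFC 3580 attributes the RADIUS server would return, and periodic reauthentication as one way to narrow the window in the reboot-without-link-down case described above. The RADIUS server addresses, shared key and vlan numbers are placeholders.

```cisco
! - Added example (not from the original post): global side of the 802.1x
! - deployment assumed to accompany the GigabitEthernet1/1 configuration above.
! - 192.0.2.10/11, PLACEHOLDER-KEY and vlans 20/666 are assumed placeholders.
!
aaa new-model
! - authenticate 802.1x supplicants against RADIUS
aaa authentication dot1x default group radius
! - required for the switch to honor vlan assignments returned by RADIUS
aaa authorization network default group radius
! - session accounting gives the RADIUS server a record to audit against
aaa accounting dot1x default start-stop group radius
!
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key PLACEHOLDER-KEY
radius-server host 192.0.2.11 auth-port 1812 acct-port 1813 key PLACEHOLDER-KEY
! - retransmit/deadtime control when the "server dead" event on the ports fires
radius-server retransmit 3
radius-server deadtime 5
!
! - globally enable 802.1x; without this the port-level commands do nothing
dot1x system-auth-control
!
! - To place an authenticated user in a vlan, the RADIUS server returns these
! - three standard attributes (RFC 3580) in its Access-Accept:
! -   Tunnel-Type (64)             = VLAN (13)
! -   Tunnel-Medium-Type (65)      = IEEE-802 (6)
! -   Tunnel-Private-Group-ID (81) = "20"   (vlan id or vlan name)
!
! - Per-port addition for the reboot case above: periodic reauthentication makes
! - a host that comes back without a supplicant fail the next reauth cycle, so
! - the "no-response" event in the interface config moves it to vlan 666 rather
! - than leaving it in the authenticated vlan indefinitely.
interface GigabitEthernet1/1
 authentication periodic
 authentication timer reauthenticate 3600
!
! - Verification from exec mode:
! - show authentication sessions interface GigabitEthernet1/1
! - show dot1x interface GigabitEthernet1/1 details
! - show vlan brief
```

The reauthentication interval is the size of the remaining window in the reboot scenario: until the next cycle the supplicant-less OS keeps the authenticated vlan, so a shorter interval trades RADIUS load for a smaller exposure, and the `show authentication sessions` output is where you confirm which vlan a given session actually landed in.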

The fifth item is regarding wireless and the EAP authentication methods. In some ways the EAP methods for a wired port aren't as much of a concern. The end workstation has a direct (and likely unshared) connection to the switch it is authenticating to. Wireless is a different situation where everyone is on the same shared bandwidth spectrum and anyone can watch the traffic passing by on the "wire." Selection of the correct EAP method seems easy at first. Most folks seem to think that EAP-TLS is the best option since it requires certificates and you can combine it with end user credentials, giving the combination of something you have (a certificate) and something you know (username and password). Getting EAP-TLS actually deployed, with all the hosts and supplicants recognizing the certificate chains properly, can be a much bigger project than people think, especially because most of the folks who manage the certificate services are not in the networking group. In addition, there may be two sets of certificate services in use: public ones for websites, sslvpn termination and other public facing services, and internal corporate certificate services (often Windows domain based.) Determining which one to use and how to load the trusted certificate authority on the device is a challenge.

Sixth, there may be some vendors that are worth looking at if you are serious about getting 802.1x up and running. The only vendor who had a great switchport authentication solution was Consentry Networks but they went the way of the dodo back in August of 2009. Since I consider Cisco ACS + Cisco switches to be a sub optimal solution (for now) given the complex scenarios a 802.1x wired/wireless deployment might require it looks like Avenda Systems might have the right solution. Their interface seems much better and the company founders came out of Cisco and Microsoft. Their solution addresses the right market and has the right bells and whistles at what appears to be the right price point too. I'll be trying it out some more in our lab and will do a post later with my thoughts about it.

Seventh, nothing seems to replace good IDS/IPS solutions for catching activity that seems out of place and alerting on it. In addition, Netflow/Sflow is really useful in understanding your network behavior and traffic patterns and really should be leveraged to understand when something is happening on your network that looks odd.

Finally, nothing replaces good HR/security policies and procedures. It isn't possible to do some of the exploits if your company really is careful about who has physical access to devices and actually follows controls for guests and contractors. Sounds silly but your employees are still your biggest strength and weakness in security. Training and rewarding behavior you want as a company goes a long way towards dealing with security concerns.
- Ed

Monday, October 26, 2009

Thawte retiring Web of Trust (WOT)

I got my notification titled "Thawte Personal E-mail Certificates and Web of Trust are being discontinued " with the following rationale for the event, "Over the past several years, security compliance requirements have become more restrictive, while the technology infrastructure necessary to meet these requirements has expanded greatly. Despite our strong desire to continue providing the Thawte Personal E-mail Certificate and Web of Trust services, the ever-expanding standards and technology requirements will outpace our ability to maintain these services at the high level of quality we require. As a result, Thawte Personal E-Mail Certificates and the Web of Trust will be discontinued on November 16, 2009 and will no longer be available after that date.

Deciding to conclude these services was a difficult decision for us to bear, specifically because of the relationships that we've built with Notaries, such as yourself."

I guess I am not surprised that this is happening but it is still a bit of a bummer. I've been a Thawte notary for a lot of years (almost 10?) and it has been a great way to have a low cost validated and signed e-mail x.509 certificate for free mail services. I guess with most enterprises finally allowing this within their infrastructure the need isn't as great. I still say the majority of e-mail I send and receive is NOT signed but old habits die hard, e-mail is still more like sending postcards to each other than any sort of private correspondence from a security level.

I guess I will have to find a new resource for x.509 certs, I'll post up what I end up using.
- Ed

Thursday, October 22, 2009

Microsoft Windows 7 Launch

Today is it, Windows 7 is out. As a Microsoft MVP I've been testing Windows 7 for a long time and I have been using it as my primary OS for several months. I think Microsoft has escaped the Vista demons and has a great OS to go to market with. I predict even folks who run Apple hardware and OSX will end up buying Windows 7 to run as a VM or in bootcamp and XP will start disappearing quickly from the landscape.

So to all my friends who work at Microsoft, congratulations, it is a big deal. I also am excited about Server 2008 R2 because of some of the cool "better together" features that IT Pros will get with both products.
- Ed

Tuesday, October 20, 2009

Why Cisco isn't doing what is right for the customer with VPN client

I work for a Cisco partner so I get lots of updates on product releases, roadmaps and all the business "justifications" of why they do what they do and how to explain that to customers. I also happen to be a Microsoft MVP and I have switched to using Windows 7 64-bit on a full-time basis (though I can still boot into my Ubuntu install too if needed.) As someone who uses VPN a lot, primarily to do remote support for clients, it is incredibly frustrating to NOT have a Cisco supported 64-bit IPSec client for Windows Vista or 7.

The reason I bring this up is Cisco just sent out an announcement titled "Cisco VPN Client v5.0.6 (Windows 7 32-bit support) is now available!" - are you kidding me? That is it?

Cisco, you are hurting your install base of clients, you are NOT doing what is right for them. The statement at the end of the announcement says it all. " 64-bit support is under consideration, but is not yet EC'ed for an upcoming release. This support is available in the Cisco AnyConnect VPN Client today (SSL/DTLS). " Translation - we want you to buy a new Cisco solution that works with AnyConnect; if you don't have it we will force you to migrate by not developing a 64-bit IPSec client or integrating that functionality into the AnyConnect client that does support 64-bit.

I do not understand this thinking. What about all the Routers, PIX and VPN Concentrators that are deployed, that will not get replaced, and that do NOT support AnyConnect? Now clients are going to purchase new machines with Windows 7 64-bit and have NO capability to VPN back into their network with a Cisco solution (at least not without buying a new Cisco product.) The first thing to pop into my head would be: is there a free VPN alternative so I don't have to do this upgrade? Alternately, there are other 3rd party IPSec clients that are supported on Windows 7 like NCP and TheGreenBow, but honestly, why should an existing Cisco client have to pay for a new software client when they had one that was working!

I honestly have had more pushback about this one item in meetings than anything else lately. Cisco has corrected the cost difference between IPSec and SSL VPN for the ASA - it is time to correct this also.
- Ed

Tuesday, October 06, 2009

Some IPv6 information link updates

I am doing some work for a client getting their public IPv4 blocks from ARIN so I thought I would share some useful IPv6 links they have now up at the ARIN site since I was looking around anyway.

ARIN now has an IPv6 Wiki page that has some good content and an IPv6 Information Page which has additional links that might interest someone who is getting started with IPv6.
I still really recommend that folks check out Hurricane Electric's excellent free IPv6 tunnel broker services. For those that want to start playing with IPv6 this is an awesome resource.

Check out the ARIN Number Resource Policy Manual regarding IPv6; some interesting stuff is in there regarding the goals of IP address space management. It's worth a quick read, especially if you are securing IPv6 address space for a client or your own company. If you don't have IPv6 on your roadmap yet as something to address, I think the year 2010 will be when you really need to add it to your list of items.

If you want some fast training on IPv6 there are some e-learning sites like 6diss.org, and there are some excellent white papers at Microsoft and at Cisco also.
- Ed

Monday, October 05, 2009

Why Microsoft should buy LifeSize and Shoretel

Cisco just announced their intent to acquire Tandberg last week. This effectively cemented the number one and two players in enterprise video conferencing systems. Cisco's Telepresence is still insanely expensive for even the most aggressive SMB's, and I would argue even many Enterprise customers. Tandberg has an excellent solution and meets the mid tier space well but isn't known for being super in the design and user interface arena. The remaining vendors with any traction are Polycom and LifeSize.

So where does this leave Microsoft in the OCS and Unified Communications area for larger scale video teleconferencing and telepresence solutions? Microsoft has a good solution for single laptop integration and a moderately acceptable solution with the RoundTable product. But I must admit, having that RoundTable device spinning around and having it stick up in the middle of the conference room table is incredibly annoying and distracting, two things you don't want in a meeting.

I think Microsoft is missing a critical piece in the larger scale voice and video market space and I think they could easily scale up their Unified Communications platform with some strategic purchases. I think Microsoft should buy Shoretel for their voice capabilities and LifeSize for their video conferencing and telepresence solutions. It would instantly make them a much bigger player in both markets and cement Shoretel's ability to sell into larger enterprise shops while allowing LifeSize to capitalize their growth at a much faster rate.

To gain a foothold in the voice market that leverages their OCS platform, a purchase of Shoretel would allow them to meet the needs of companies that require handset deployments (call centers, corporate and sales offices, help lines, etc.) but still support many of the OCS features they require while allowing more standards integrations. Plus, given the platform that the Shoretel solution is built on, there is a high probability of doing a lot more integration work.

To gain a foothold in the video conferencing space, picking up LifeSize (vs Polycom) would be a huge win. LifeSize has a better product portfolio (no question on that one), has a good partnership with Shoretel and does not have the valuation baggage that Polycom has currently. Even though Polycom is a Microsoft partner and is now building the RoundTable devices for Microsoft (which I think long term Microsoft should drop), LifeSize is a better match and more likely an easier acquisition given their size. They could also easily integrate the solution with their existing OCS solution and come up with something truly scalable that can be packaged and sold to every sized company they sell to; that alone would be a huge differentiator.

Are there potential pitfalls in this? Sure, it could spoil Microsoft's ecosystem of voice partners - but given that Nortel is no longer a factor and Mitel/Intertel don't have enough value to justify a purchase, they aren't a factor either. Altigen is much too small and can't even properly support QoS, so Microsoft does not have to worry about them; they will continue to work with Microsoft no matter what they do. Avaya, Siemens and Toshiba, and at the low end Panasonic, are the other vendors who are left for the most part. All of them have to play nice with Microsoft, as Cisco is crushing them in the voice space and they do not have a Unified Communications solution that anyone is really willing to buy.

Then again, Microsoft has always been a build it in software sort of company, I just think trying to address the video conferencing market without a good hardware solution is folly and given their options I think Shoretel and LifeSize are their best shots at catching up.
- Ed

Monday, September 28, 2009

Windows 7 - Microphone control - where is it?

It has been driving me nuts for several days trying to figure out how to control when the microphone is on or off on my Lenovo T60 laptop with Windows 7 RC (I am assuming the RTM is the same.) I have been listening to a lot of online training materials the last few days and the mic has been on the whole time with no obvious way to turn it off. I finally took the time to figure it out.
You have to mouse click on the speaker icon in the task bar, then click on the speaker icon at the top of the volume adjustment graphic that pops up. That will open a new window titled Speaker Properties, you pick the Levels tab and under that is Microphone. You can adjust the level of the microphone but more importantly there is the option to mute it (you click on the speaker - yes I know, it doesn't make any sense.)
Why the microphone mute option is buried here I have no idea; you can get to the same window by right clicking the speaker icon in the taskbar and selecting Open Volume Mixer then doing the same click on the speaker, but this is just as unintuitive as what I outlined before.
Given how many folks are doing multimedia stuff today (video/screencasts/podcasts) you would think the microphone would finally get some respect and its own icon set? Guess not.
- Ed

Updated post for the RTM on this is at:
http://www.howfunky.com/2010/02/update-windows-7-microphone-control.html

Wednesday, September 02, 2009

PacITPros BranchCache presentation posted

The presentation I gave on BranchCache has been posted up on the PacITPros website here and the MS slide deck content is here. There were some questions about Active Directory requirements and I will post some clarifications on those requirements shortly. VMworld is still going on and there are a lot of options happening in the Cloud area that IT Pros should be keeping an eye on as they start to virtualize their environments and are looking for DR/BC options.
- Ed

Monday, August 31, 2009

Microsoft released Hyper-V Server 2008 R2 in time for VMworld

Seems Microsoft wants to leverage some buzz at VMworld and released Hyper-V Server 2008 R2 which is supporting a bunch of new features. You can check out their blog to see more info, the highlights are:
Up to 8 processors per physical server
Up to 64 logical processors
Up to 1 TB of physical memory
Live migration
High availability

It is good that VMware has some competition to push it to continue to innovate and drive new and exciting things to market. Plus never, ever count Microsoft out, they still get a whole additional version number before folks consider their product "ready" to use, which means they will get lots of attention pretty soon.
- Ed

Thursday, August 27, 2009

VMworld 2009 - San Francisco next week

VMware's VMworld 2009 is next week in downtown San Francisco and I picked up an Expo pass (Solutions Exchange) to be able to drop in for a day to see all the exciting stuff happening in the virtualization world.
It looks like Cisco is going to have a huge showing at the event this year. There is a lot of buzz around UCS, Nexus 7000, 5000, 2000 and 1000v and the new Data Center 3.0 architecture. If you want to get your toes wet on some of the happenings with Cisco's involvement you should check out Colin McNamara's blog, he has been doing some great posts about all the happenings with UCS. Colin is also on twitter.
- Ed

Microsoft BranchCache - why it matters

I will be presenting at the next www.PacITPros.org meeting on Microsoft's Better Together story for Windows Server 2008 R2 and Windows 7. I am going to specifically focus on a new feature in the product(s) called BranchCache. BranchCache is a very interesting approach on Microsoft's part to leverage a client/server OS to perform file caching and pre-positioning functions that have traditionally been approached in the network via appliance solutions.

While BranchCache does not address WAN acceleration and optimization, which many of the network appliance solutions target, it does take care of the file caching portion. For many smaller businesses that is the bulk of traffic in either their VPN or WAN networks. The fact that this is an included feature of the OS just shows how (IMHO) Microsoft is pushing more and more services into software and eliminating the need of special network devices.

I think this just demonstrates the fundamental difference in a company like Cisco who is pushing more services and functions into the network and "cloud" compared to a company like Microsoft who is enabling their operating system to perform and optimize on its own. To be honest, I have no idea who is going to win this one.

I think the challenge will be for Microsoft to play better in a heterogeneous OS environment; it might mean giving away some of its designs and models and perhaps some code to erode positions that clearly favor intelligence in the network. Microsoft is all about software and Cisco is all about network - this I believe is the long term battle that most IT professionals are overlooking today.
- Ed

Wednesday, July 15, 2009

DirectAccess and Forefront UAG plus IPv6

For those who are watching the happenings in Microsoft's DirectAccess solution the most interesting news as of late is from the Forefront Unified Access Gateway product group. They announced at the end of last month the availability of a UAG DirectAccess solution.
I participated in one of the Microsoft MVP LiveMeeting sessions on it and I think the most compelling part of using UAG for DirectAccess is the ease of provisioning the solution. They have a nice wizard driven deployment set up which I think will make getting DirectAccess up and going much easier. The nice part is that they handle setting up the NAT-PT (NAT64) and other transition tunneling needed to get the solution up and working.
I downloaded the beta and will be trying it out next week at our office. We just finished rolling out native IPv6, IPv6 routing and even got IPv6 working over Cisco DMVPN. We have Windows Server 2008, Windows 7, Ubuntu 8.10 and 9.04 all working on IPv6 and we even have our Cisco Communication Manager and IP handsets working on IPv6 now.
With the addition of the UAG DirectAccess we will have a complete solution that also integrates Microsoft OCS and MOC with our Cisco Unified Communications infrastructure. Pretty cool stuff.
- Ed

Friday, July 10, 2009

Cisco TSS - Soft Skills are key to success

This morning we had a Cisco Technology Solution Specialist (TSS) WebEx meeting going over things related to the TSS program. It seems that Cisco wants to put all the TSS folks through two sets of training. Apparently we need to work on "Soft Skills" - which seems to imply that they want engineers out selling and closing deals at a higher volume in the current marketplace.

The economy is dictating this, I think, and it seems that presentation, quoting and closing are the most important skills for an engineer right now (outside of the engineering part.) Being able to engage and move through those three items without the need for account managers to be involved is becoming more important. This also allows for more feet on the street selling: AMs become pure hunters while SEs present solutions, quote and often close the deals.

Given how technical sales for networking, storage, unified communications and security are, this makes a lot of sense, so I am looking forward to the training.
I wonder if Microsoft is making similar investments in their elite partner engineering sales force?
- Ed

Wednesday, July 01, 2009

Ed Horley is a Microsoft MVP still

Well, I am happy to report that I still have my Microsoft MVP status. Many thanks to my MVP Lead Jake Grey and all the other wonderful Microsoft MVP staff who make the whole program possible. I deeply appreciate the award and recognition that Microsoft has shown to me.
I am hoping to hear that some of my other colleagues might be getting some good news and that others will be returning too.
- Ed

Monday, June 29, 2009

Some other blogs to follow

There are a few other blogs out there that are worth following; here are some new ones I am starting to watch:
Colin McNamara - good content on Cisco UCS, Virtualization, CCxE topics
Jennelle Crothers - some good stuff on Windows and general IT Pro issues, plus she is really cool.
colovirt - good info on network infrastructure and storage

- Ed

Cisco Live! (Networkers) in SF this week

Cisco's annual conference is in San Francisco this week. I'll be darting over to attend a Partner event Tuesday evening. In the past I have attended Cisco Networkers, but my schedule hasn't allowed me much time to attend.
I might try to make it in to see the expo floor later this week.
On a related note, Cisco announced their newest certification at Live! - Cisco Certified Architect - which requires a review board and is above the CCIE/CCDE level. Yet another level of BS for the industry IMHO. I wonder why anyone will bother going to college anymore to earn an Engineering degree at all! LOL
Anyway, check out the announcement here.
- Ed

Wednesday, June 17, 2009

My MVP Video interview at TechEd 2009

I attended Microsoft TechEd for the first time ever this year. It was down in Los Angeles, and while there I was interviewed by the Microsoft MVP Team. Here is the video. They also have video interviews with Daniel Nerenberg; a bunch of the videos will be released shortly and the list of them can be found here.
Many thanks to Emily Freet and to my MVP Lead Jake Grey for having me stick around to do that.
- Ed

Wednesday, May 20, 2009

New Microsoft DirectAccess content

Joe Davies has a new Cable Guy article up about DirectAccess that folks should read. In addition, there is a new Step by Step Guide for a DirectAccess lab (which looks a lot like Joe wrote it - but I haven't confirmed that yet).
I've been slow getting my DirectAccess deployment going at work, seems other items keep getting in the way but I hope to get more done this week and have something to share with everyone.
- Ed

Friday, May 15, 2009

Microsoft DirectAccess - some brief thoughts

I think out of anything coming out of the Microsoft Server 2008 R2 and Windows 7 releases, the feature I am most excited about is DirectAccess (anyone remember DirectConnect?). Microsoft has some excellent content starting to build up at http://www.microsoft.com/directaccess which gives an overview of how DirectAccess works and how it can be utilized, so I won't repeat that here.
I have had the chance due to both my Microsoft MVP status and Springboard STEP status to have access to some deployment guides that are not generally available. After reviewing these and after playing with gear I have some opinions on what Microsoft should be recommending to IT Pros to do as initial trials of DirectAccess.
In a nutshell, I believe that people should set up an initial native IPv6 deployment with a tunnel broker (use Hurricane Electric) and get native IPv6 addresses working in their environment. In addition, I would minimize the deployment model to utilize proxy services or a NAT-PT device for resources on the network that are available via DA. This model comes pretty close to many VPN deployments today but does not have the pain involved with doing a functional overlay technology like ISATAP.
So, what do I mean by proxy services in this case? Well, for those deploying DA, I would set up a new Server 2008 R2 machine to front-end file servers that are still running Server 2003 or older by utilizing SharePoint; that same server or an additional one could potentially do Exchange OWA or front-end services, depending on what Exchange environment you are on. I would utilize a NAT-PT for specific line of business applications, but I would narrow the selected application list initially to reduce troubleshooting on the NAT-PT device. There are options for NAT-PT devices: Cisco can do it in software on their routers, and there is the Forefront UAG from Microsoft.
Most importantly, I would set expectations that there are a lot of moving parts with DirectAccess to get a deployment done correctly. You need to have PKI with a public CRL, IPv6, Windows Server 2008 R2 and Windows 7 just as minimum requirements, that doesn't say anything about the networking technologies you have to learn.
DirectAccess has the potential to bring about some of the most exciting changes in how people will work in the future on Windows but it will take a lot of planning and testing to get it all right.
I'll post more thoughts shortly.
- Ed

Microsoft TechEd 2009 - Los Angeles

This was my first time attending TechEd and I had a wonderful time catching up with Stephen Rose, Joe Davies, Emily Freet, Jake Gray, Devrim Iyigun and lots of others with Microsoft. It was also nice seeing Betsy Weber with TechSmith; she is always entertaining. I was introduced to and got a chance to chat with Rhonda Layfield (thanks Stephen!) regarding IPv6.
I also met several other Microsoft MVPs at the event working the Springboard booth who are also STEP members. It was nice hearing about all the different things folks are working on.
I have to say I was surprised about how much interest Microsoft is getting in DirectAccess. I have some opinions on deployment guidance I would give to folks looking to implement DA and I shared those with the DA folks at TechEd. Let's just say I am not a fan of ISATAP and I am pushing for small Native IPv6 deployments with NAT-PT devices as the way to start. Guess I will find out shortly if my ideas are sticking at all!
- Ed

Monday, May 04, 2009

PacITPros - Microsoft Server Feedback event tomorrow evening

Tomorrow evening PacITPros will be hosting their regular monthly meeting; however, this one is very special.

Quick quote from the announcement:
"The Windows Server product and planning groups are joining us on May 5th to meet face-to-face with PacITPros members and capture valuable feedback related to your future IT business priorities. Your input will help establish the foundational feedback that will drive planning activities for Windows Server going forward."

The best part is all you have to do is RSVP on http://www.pacitpros.org and you can participate. So if you are in the San Francisco Bay Area you really should sign up to attend, this is a very rare and unique opportunity. We've even had internal Microsoft employees sign up to be able to give their feedback to this group.
- Ed

Tuesday, April 21, 2009

Microsoft Springboard on Windows 7

I've been lucky enough to be added as part of the Microsoft Springboard Series Technical Expert Panel, or STEP, program for Windows 7. I've been developing IPv6 content for people participating in the Springboard series to present to their local IT Pro User groups. Check out the Springboard series; Stephen Rose has been doing a great job getting all this content together, it's a huge effort.

After the IPv6 content I will likely move on to a quick guide for Direct Access. Direct Access requires Windows Server 2008 R2, and remember that Server 2008 R2 is 64-bit only.

I also just finished chatting with Charley Wen with Microsoft on all things related to QoS within Windows. It will be interesting seeing what solutions Microsoft comes up with for Server and Hyper-V that account for QoS and virtual switch infrastructure.

I am also betting that the RC for Windows 7 and Server 2008 R2 will be out next week. I need to get stuff built out and I would like to use the RCs if possible.
- Ed

Thursday, March 05, 2009

howfunky.com blog hits 4 years

March 13th 2005 was my first post - has it really been that long? I said howfunky.com was going to deal with technical stuff, primarily around:
DNS and specifically Reverse DNS issues.
Cisco routing, switching and content delivery
Sender Policy Framework (SPF)
Microsoft Network Optimization

For the most part I've been pretty on topic - SPF has changed - but I am still concerned with how email sender authorization can be done better. I still watch DNS and rDNS items - but I will likely be adding DNSSEC to the list now. I have been covering Cisco routing, switching and content delivery but have been adding unified communications and storage to the mix. And I am always interested in what Microsoft is up to in the networking space.

The only net new item has been Virtualization as a topic I think.
- Ed

Microsoft 2009 MVP Summit - thoughts

I wasn't sure if I was going to attend the Microsoft MVP Summit this year. After the MVP program decided to remove the Windows Server - Networking category I didn't think I had much reason to attend and honestly was expecting to not be renewed because of the category going away.
I am now very happy I changed my mind and I attended. It seems that my new category of Enterprise Security felt that it was important to add networking sessions back to the mix.
A ton of folks from the MS Networking Team showed up! From Sandeep Singhal, Sean Siler, Dave Thaler, Ravi Rao, Tyler Barton, Devrim Asli Iyigun, Mahesh Prakriya, to Joseph Davies - thanks to you all for taking the time and effort to listen to my feedback and opinion about networking and what Microsoft is doing right and wrong.
So, without violating my NDA, what was I most excited about from the event? Honestly, it is things that were already on my radar (NDA or not) - specifically Direct Access, Branch Cache and IPv6. I think any Enterprise that is running AD and has a large mobile workforce will adopt Direct Access just to make remote support of that mobile workforce easier; there is literally nothing the end user has to do at all (well, you have to turn the computer on and have some sort of Internet connection) to make it work, and the initial scaling numbers I have heard put it on par with a typical traditional VPN deployment. Just as many Enterprises have adopted RPC over HTTP/S for Outlook to Exchange, the next natural step is to adopt a paradigm that allows ALL corporate applications the same flexibility and access that Outlook and Exchange currently have today - that solution is Direct Access.
Microsoft is pushing more advanced services into both Windows Server 2008 R2 and Windows 7 - Branch Cache is one of these services and one that makes a lot of sense for folks to use (big and small IT shops will win with this one - and it is free to turn it on - how cool is that). It does not replace WAN acceleration devices (though with the changes in Windows Vista / Windows 7 / Server 2008 networking you could argue you might not need the acceleration part) but specifically targets the caching of file content. Given the cost point and relative ease of deployment I think it will have a good adoption rate.
Finally, IPv6 - there are several solutions in both Windows 7 and Windows Server 2008R2 that just won't work without IPv6. There is no getting around it and you need to start learning it - period. In Windows 7 there is HomeGroup and for Windows Server 2008R2 if you want Direct Access you will need to get up to speed on IPv6. There are more subtle IPv6 items but those two alone should make folks stand up and notice.
- Ed

Wednesday, February 18, 2009

Windows 7 - cool new tool for IT Pros

I am finally getting around to posting about a cool new tool in Windows 7, it's called Problem Step Recorder. Just pull up a command window and type psr or execute it from the run option on the start menu.
It will not replace a remote desktop solution for help desk support people, but I can see this as being very useful for remote workers who can't get a system working properly or can't describe what the problem is accurately - which is about 70% of the problem in most cases.
I am also completely set to head up to Redmond for the Microsoft MVP Summit. Looking forward to hearing all about Direct Access, changes in the Advanced Firewall in Windows 7 and other cool networking changes.
- Ed

Wednesday, February 11, 2009

Microsoft MVP Summit

I finally got around to booking the Summit, Hotel and Airfare. I am trying to get into the sessions for Networking items but I am not holding my breath at all. I might have to find them while I am actually there. Looking forward to March 1-4 to enjoy some quality Microsoft technical time.
- Ed

Sunday, February 01, 2009

Cisco Nexus 2000 Series is orderable

The Nexus 2000 is now orderable, so Cisco's DC vision is just about complete. When the Nexus 1000v is final, then Cisco's vision for the data center will be a full leap ahead of everyone else in the industry. They will have a full product line that can bridge the gap between today's data center needs and support what your data center will look like for several years to come.
The remarkable thing is that Cisco pulled this off in 1 yr. The release of the Nexus 7000 was just over 1 yr ago, and while definitely early out of the gate, it is remarkable the amount of engineering and resources that have gone into building out this new data center vision. Cisco is back in their element - everyone else better look out because the 800-pound gorilla is on a rampage!
- Ed

Windows 7 experience - or lack of

I downloaded the Windows 7 beta when it was made available to Microsoft MVPs. I still need to get it loaded up and working, since the two times I tried to load it as a VM it failed horribly. I've gotten to play with some colleagues' Windows 7 machines and I must admit they have gotten it working much faster than Vista. I think we will see Microsoft roll out Windows 7 by June or July; they got so little traction with Vista it just makes sense to get 7 out the door asap and then roll out a fast release patch after that.

Thursday, January 01, 2009

EFF 18th Birthday celebration

I got an invite from the Electronic Frontier Foundation regarding their 18th birthday. It is hard to imagine a world in tech without the EFF, if you follow the news at all you know they are doing all sorts of things to push back on the erosion of rights in the digital age.
They are a worthy group, so consider them in your annual giving for donations.
- Ed