CISCO CES press conference details
 
Who:

• John Chambers, chairman and chief executive officer, Cisco
• Ned Hooper, senior vice president of corporate development, Cisco Consumer Business Group
• Dan Scheinman, senior vice president and general manager, Cisco Media Solutions Group
• Tony Bates, senior vice president and general manager, Cisco Service Provider Group

What: Chambers and other senior executives will discuss Cisco’s vision for connected consumer experiences and introduce several new products in support of this vision.

When: The Cisco press conference will take place on Wednesday, Jan. 7, from 1:00 to 1:45 p.m. PST.

Where: Press, analysts and bloggers at CES are invited to attend the press conference at the Venetian Hotel, Venetian Titian Room 2206. Appropriate credentials (e.g., badge or business card) will be required.
Press, analysts, bloggers and interested parties not in Las Vegas can attend via a live webcast at http://event.ciscowebseminars.com/clients/cisco/CES2009 (Registration is required to attend this event).

In this video, Ken Wirt, vice president of consumer marketing at Cisco, tell more about what Cisco has planned for consumers. 

More info: http://newsroom.cisco.com/dlls/2009/prod_010509.html

© Fabio for CiscoZine, 2009. | Permalink | No comment
Post tags: Video, Webcast

The result of this attack causes the switch to enter a state called failopen mode, in which all incoming packets are broadcast out on all ports (as with a hub), instead of just down the correct port as per normal operation. A malicious user could then use a packet sniffer running in promiscuous mode to capture sensitive data from other computers, which would not be accessible were the switch operating normally.

Cisco gives you an opportunity to set up protection against this attack with limiting and/or hardwiring some MAC addresses to a dedicated port.

Understand the MAC flooding attack
Suppose to have a switch with 3 PC: PC A, PC B and PC C; in normal situation, when PC A sends a packet to PC B, PC C does not view packet sent between PC A and PC B.

This because the 3 PC are connected to a switch and NOT to a hub.

Under MAC flooding attack, the switch behaviour is different. During the MAC flooding attack, the attacker (in this instance PC C) floods the switch with packets, each with different source MAC address.

If the Content Addressable Memory (the memory where the MAC addresses are stored) is full, the switch works like an hub; so, if the PC A sends a packet to PC B, the packet will be received to PC C too.

Protecting against MAC flooding attack
Cisco has implemented a feature, called switchport port-security, to protect against this type of attack. You can use the port security feature to restrict input to an interface by limiting and identifying MAC addresses of the stations allowed to access the port.

There are three types of secure MAC addresses:

• Static secure MAC addresses: These are manually configured by using the switchport port-security mac-address mac-address interface configuration command, stored in the address table, and added to the switch running configuration.
• Dynamic secure MAC addresses: These are dynamically learned, stored only in the address table, and removed when the switch restarts.
• Sticky secure MAC addresses: These can be dynamically learned or manually configured, stored in the address table, and added to the running configuration. If these addresses are saved in the configuration file, the interface does not need to dynamically relearn them when the switch restarts.

Remember: A secure port can have from 1 to 132 associated secure addresses. The total number of available secure addresses on the switch is 1024.

When the maximum number of secure MAC addresses have been added to the address table and a station whose MAC address is not in the address table attempts to access the interface a security violation occurs.

The switch can react to a security violation in three different ways:

• protect: When the number of secure MAC addresses reaches the limit allowed on the port, packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses or increase the number of maximum allowable addresses. You are not notified that a security violation has occurred.
• restrict: When the number of secure MAC addresses reaches the limit allowed on the port, packets with unknown source addresses are dropped until you remove a sufficient number of secure MAC addresses or increase the number of maximum allowable addresses. In this mode, you are notified that a security violation has occurred. Specifically, an SNMP trap is sent, a syslog message is logged, and the violation counter increments.
• shutdown: In this mode, a port security violation causes the interface to immediately become error-disabled, and turns off the port LED. It also sends an SNMP trap, logs a syslog message, and increments the violation counter. When a secure port is in the error-disabled state, you can bring it out of this state by entering the errdisable recovery cause psecure-violation global configuration command, or you can manually re-enable it by entering the shutdown and no shutdown interface configuration commands. This is the default mode.

Example: Limit to ten MAC addresses, two of which are statics (aaaa.aaaa.aaaa, bbbb.bbbb.bbbb), on FastEthernet 0/1 port. The violation required is “restricted”.

Ciscozine# conf t
Ciscozine(config)# interface fastethernet0/1
Ciscozine(config-if)# switchport mode access
Ciscozine(config-if)# switchport port-security
Ciscozine(config-if)# switchport port-security maximum 10
Ciscozine(config-if)# switchport port-security violation restrict
Ciscozine(config-if)# switchport port-security mac-address aaaa.aaaa.aaaa
Ciscozine(config-if)# switchport port-security mac-address bbbb.bbbb.bbbb

switchport mode access: The port-security works only on access port,  so define it.
switchport port-security: Enable port security on the interface.
switchport port-security maximum 10: Sets the maximum number of secure MAC addresses for the interface to 10.
switchport port-security violation restrict: It defines to “restrict” the violation mode.
switchport port-security mac-address aaaa.aaaa.aaaa: Define the static MAC address; remember that if you configure fewer secure MAC addresses than the maximum, the remaining MAC addresses are dynamically learned.

Useful commands to displaying traffic control status and configuration are:

• show interfaces [interface-id] switchport: Displays the administrative and operational status of all switching (nonrouting) ports or the specified port, including port blocking and port protection settings.
• show port-security [interface interface-id]: Displays port security settings for the switch or for the specified interface, including the maximum allowed number of secure MAC addresses for each interface, the number of secure MAC addresses on the interface, the number of security violations that have occurred, and the violation mode.
• show port-security [interface interface-id] address: Displays all secure MAC addresses configured on all switch interfaces or on a specified interface with aging information for each address.

Remember: you can enable port security on a interface only if the port is not configured as one of these:

• Trunk ports: If you try to enable port security on a trunk port, an error message appears, and port security is not enabled. If you try to change the mode of a secure port to trunk, the port mode is not changed.
• Dynamic port: A port in dynamic mode can negotiate with its neighbor to become a trunk port. If you try to enable port security on a dynamic port, an error message appears, and port security is not enabled. If you try to change the mode of a secure port to dynamic, the port mode is not changed.
• Dynamic-access port: If you try to enable port security on a dynamic-access (VLAN Query Protocol [VQP]) port, an error message appears, and port security is not enabled. If you try to change a secure port to dynamic VLAN assignment, an error message appears, and the VLAN configuration is not changed.
• EtherChannel porT: Before enabling port security on the port, you must first remove it from the EtherChannel. If you try to enable port security on an EtherChannel or on an active port in an EtherChannel, an error message appears, and port security is not enabled. If you enable port security on a not-yet active port of an EtherChannel, the port does not join the EtherChannel.
• 802.1X port: You cannot configure an 802.1X port as a secure port. If you try to enable port security on an 802.1X port, an error message appears, and port security is not enabled. If you try to change a secure port to an 802.1X port, an error message appears, and the 802.1X settings are not changed.
• Switch Port Analyzer (SPAN) destination port: You can enable port security on a port that is a SPAN destination port; however, port security is disabled until the port is removed as a SPAN destination. You can enable port security on a SPAN source port.

References:

• http://en.wikipedia.org/wiki/MAC_flooding
• http://www.cisco.com/…/configuration/guide/swtrafc.html#wp1038501

© Fabio for CiscoZine, 2009. | Permalink | No comment
Post tags: Advanced configuration, Flooding attack

First logo

Second logo

And you, what do you prefer?

© michele for CiscoZine, 2008. | Permalink | One comment
Post tags: Certifications

I wish everyone a very Merry Christmas and Happy New Year.
Fabio - The admin

© Fabio for CiscoZine, 2008. | Permalink | No comment
Post tags: Video

What is a virtual private network?
A virtual private network (VPN) is a computer network in which some of the links between nodes are carried by open connections or virtual circuits in some larger network (e.g., the Internet) instead of by physical wires. The link-layer protocols of the virtual network are said to be tunneled through the larger network when this is the case. One common application is secure communications through the public Internet, but a VPN need not have explicit security features, such as authentication or content encryption. VPNs, for example, can be used to separate the traffic of different user communities over an underlying network with strong security features.

Using this wizard, it is possible create a Layer3 VPN through IPSEC protocol. Internet Protocol Security (IPsec) is a suite of protocols for securing Internet Protocol (IP) communications by authenticating and encrypting each IP packet of a data stream. IPsec also includes protocols for establishing mutual authentication between agents at the beginning of the session and negotiation of cryptographic keys to be used during the session. IPsec can be used to protect data flows between a pair of hosts (e.g. computer users or servers), between a pair of security gateways (e.g. routers or firewalls), or between a security gateway and a host.

IPsec is an end-to-end security solution and operates at the Internet Layer of the Internet Protocol Suite, comparable to Layer 3 in the OSI model. Other Internet security protocols in widespread use, such as SSL, TLS and SSH, operate in the upper layers of these models. This makes IPsec more flexible, as it can be used for protecting all the higher level protocols, because applications don’t need to be designed to use IPsec, whereas the use of TLS/SSL or other higher-layer protocols must be incorporated into the design of an application.

Ok, and how can I create a VPN using SDM?
There are few steps to create a VPN server on our Cisco Router:

• Log in your SDM
• Click the Configure icon in the toolbar at the top of the window
• Click the VPN icon in the Tasks toolbar on the left side of the window
• Choose the Easy VPN Server option in the middle part of the window

If you have not configured AAA, the wizard asks you to configure it. Click on “Enable AAA” and click “OK” to close the popup.

After enabling AAA, you can start the VPN wizard:

Click on next button (in this screenshot I will click on “avanti” tab… italian language hihihi), select the interface that will receive the VPN request from the VPN client (in my case fastethernet 0/0) and select the preshared keys authentication. Click on next button.

In this step you can configure the IKE proposals: IKE proposal priority, DH group (1, 2, or 5), Encryption algorithm (DES, 3DES, AES, or SEAL), HMAC (SHA-1 or MD5), IKE lifetime. If you prefer, you can change the default settings. Click on next button.

You can use the default or create a new IPsec transform set configuration using these parameters: Transform set name, Encryption algorithm (DES, 3DES, AES, or SEAL), HMAC (SHA-1 or MD5), Optional compression, Mode of operation (tunnel or transport). Click on next button.

In this step you you can choose from three options for the location where Easy VPN group policies can be stored:

• Local: All the groups will be in the router configuration in NVRAM
• RADIUS: The router will use RADIUS server for group authorization
• RADIUS and local: The router will also be able to look up policies stored in an AAA server database that can be reached via RADIUS

The local databse is recommended if you do not have RADIUS or TACACAS+ server in your network. Click on next button.

Now define the group authorization and user group policies.

When you click “Add…” button, you can define: General parameters, DNS/WINS, Split tunneling, Advanced options and Xauth Options. In our case it is sufficient configure the “General parameters” tab. The group name is “test”, the password is “ciscozine” and the IP pool is from 192.168.10.1 to 192.168.10.10. Click on “OK” button to save the Add Group Policy.

Click next.

Once you have finished all the steps to configuring the Easy VPN Server, the Easy VPN Server wizard presents a summary of the configured parameters. 

Click Back to correct any errors in the configuration. Otherwise, click Finish to apply the configuration to the router.

The final configuration will be:

!This is the running config of the router: 192.168.1.12
!----------------------------------------------------------------------------
!version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Ciscozine
!
boot-start-marker
boot-end-marker
!
!
clock timezone PCTime 1
clock summer-time PCTime date Mar 30 2003 2:00 Oct 26 2003 3:00
aaa new-model
!
!
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network sdm_vpn_group_ml_1 local
aaa session-id common
ip subnet-zero
!
!
!
ip cef
ip audit po max-events 100
!
!
!
!
!
!
!
!
!
!
!
!
username ciscozine privilege 15 secret 5 $1$uZAG$n7SP/bF1Y2UEfepGjtblH.
!
!
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp xauth timeout 15

!
crypto isakmp client configuration group test
 key ciscozine
 pool SDM_POOL_1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto dynamic-map SDM_DYNMAP_1 1
 set transform-set ESP-3DES-SHA
 reverse-route
!
!
crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_1
crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
!
!
!
!
interface FastEthernet0/0
 ip address 192.168.1.12 255.255.255.0
 duplex auto
 speed auto
 crypto map SDM_CMAP_1
!
interface FastEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
ip local pool SDM_POOL_1 192.168.10.1 192.168.10.10
ip http server
ip http authentication local
ip http secure-server
ip classless
!
!
!
!
!
!
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
!
end

Remember to save the configuration!

To change VPN server settings:

1. Click the Configure icon in the toolbar at the top of the window
2. Click the VPN icon in the Tasks toolbar on the left side of the window

If you would view the VPN status:

1. Click the Monitor icon in the toolbar at the top of the window
2. Click the VPN icon in the Tasks toolbar on the left side of the window

References:

• http://en.wikipedia.org/wiki/Ipsec
• http://en.wikipedia.org/wiki/Vpn

© Fabio for CiscoZine, 2008. | Permalink | No comment
Post tags: SDM, VPN

Future programs will focus on creating sustainable cities, virtual collaboration, mobility solutions and smart energy solutions. green.tv has partnerships with some of the world’s leading environmental organisations, including the United Nations Environment Programme and Greenpeace.

Neil Harris, Business and Sustainability Development manager at Cisco Europe said: “Cisco is committed to a high level of environmental responsibility in its business operations, culture, products and architectural design. Cisco also is in a unique position to use its technology to help arrest, and potentially reverse, the climate trend. Through the intersection of the physical network and the human network, we can empower people to live, work, learn and play in a more environmentally sustainable way.”

What is Green TV?
green.tv is the broadband TV channel for environmental films. green.tv is the first website to bring together films from a whole range of environmental organisations and independent filmmakers and make them available to anyone anywhere.

green.tv is a broad environmental church bringing together ideas and viewpoints from the world’s leading environmental organisations, including UNEP, Greenpeace, Friends of the Earth, Water Aid, IUCN, Stop Climate Chaos and many many more.

References:

• http://newsroom.cisco.com/dlls/2008/prod_121808c.html
• http://www.green.tv/cisco

© Fabio for CiscoZine, 2008. | Permalink | No comment
Post tags: Business, Web TV

There was an enormous amount of activity related to data and online security during the past year. Although no single, overwhelming attack—such as the spread of Melissa, Slammer, or Storm malware in previous years—turned into the signature security event of 2008, the need for increased security protection and continued vigilance remains.

Compared to previous years, online criminals are becoming even more sophisticated and effective, employing a greater number of relatively smaller, more targeted campaigns to gain access to sensitive data. Human nature—in the forms of insider threats, susceptibility to social engineering, and carelessness that leads to inadvertent data loss—continues to be a major factor in countless security incidents. And the increasing use at many organizations of technologies designed to increase collaboration and productivity (such as mobile devices, virtualization, cloud computing, and other Web-based tools and Web 2.0 applications) is stretching the edges of corporate networks, potentially increasing security risks.

Key Findings
This year’s report reveals that online and data security threats continue to increase in number and sophistication. They propagate faster and are more difficult to detect.

Key report findings include:

• Spam accounts for nearly 200 billion messages each day, which is approximately 90 percent of email sent worldwide
• The overall number of disclosed vulnerabilities grew by 11.5 percent over 2007
• Vulnerabilities in virtualization products tripled to 103 in 2008 from 35 in 2007, as more organizations embraced virtualization technologies to increase cost-efficiency and productivity
• Over the course of 2008, Cisco saw a 90 percent growth rate in threats originating from legitimate domains; nearly double what the company saw in 2007
• Spam due to email reputation hijacking from the top three webmail providers accounted for just under 1 percent of all spam worldwide, but constituted 7.6 percent of all these providers’ mail

Fortunately, responses to these threats and trends are improving. Advances in attack response stem from the increased collaboration between vendors and security researchers to review, identify, and combat vulnerabilities.

Presentation of the “Cisco 2008 Annual Security Report”

Botnets

Reputation Hijacking

References: http://www.cisco.com/…/annual_security_report.html

© Fabio for CiscoZine, 2008. | Permalink | No comment
Post tags: Report, Video

But what is Cisco Tcl?
The Cisco IOS Tcl shell was designed to allow customers to run Tcl commands directly from the Cisco IOS CLI prompt. Cisco IOS software does contain some subsystems such as Embedded Syslog Manager (ESM) and Interactive Voice Response (IVR) that use Tcl interpreters as part of their implementation. These subsystems have their own proprietary commands and keyword options that are not available in the Tcl shell.

Several methods have been developed for creating and running Tcl scripts within Cisco IOS software. A Tcl shell can be enabled, and Tcl commands can be entered line by line. After Tcl commands are entered, they are sent to a Tcl interpreter. If the commands are recognized as valid Tcl commands, the commands are executed and the results are sent to the tty. If a command is not a recognized Tcl command, it is sent to the Cisco IOS CLI parser. If the command is not a Tcl or Cisco IOS command, two error messages are displayed. A predefined Tcl script can be created outside of Cisco IOS software, transferred to flash or disk memory, and run within Cisco IOS software. It is also possible to create a Tcl script and precompile the code before running it under Cisco IOS software.

Multiple users on the same router can be in Tcl configuration mode at the same time without interference because each Tcl shell session launches a separate interpreter and Tcl server process. The tty interface number served by each Tcl process is represented in the server process name and can be displayed using the show process CLI command.

The Tcl shell can be used to run Cisco IOS CLI EXEC commands within a Tcl script. Using the Tcl shell to run CLI commands allows customers to build menus to guide novice users through tasks, to automate repetitive tasks, and to create custom output for show commands.

To enter in the “Tool Command Language shell” type “tclsh” command, while to exit type “tclquit“.

Remember: errors in Tcl scripts can cause infinite loops in the router

1. A very simple example: Hello world
Copy this function in the Tcl configuration mode

proc test {} {
puts "Hello world!"
}

The result will be:

Ciscozine#tclsh
Ciscozine(tcl)#proc test {} {

+>puts "Hello world!"
+>}

To test the script type “test”:

Ciscozine(tcl)#test
Hello world!

Ciscozine(tcl)#

2. Ping multiple IP addresses
Often during troubleshooting, it is needed to ping some IP addresses to test connectivity; in these situations Tcl could be very useful.

For instance, suppose to ping the first ‘x’ ip address of the 172.16.1.x/24 network. Usually a network administrator must type “ping 172.16.1.1″ then “ping 172.16.1.2″ and so on…, but it could take a long time.

Tcl could help us with a very simple script:

proc ping_net {x} {
 for {set n 1} {$n<=$x} {incr n 1} {
    exec "ping 172.16.1.$n"
 }
}

The result will be:

Ciscozine(tcl)#proc ping_net {x} {
+> for {set n 1} {$n<=$x} {incr n 1} {
+>    exec "ping 172.16.1.$n"
+> }
+>}

To test the first five IP addresses:

Ciscozine(tcl)#ping_net 5

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.3, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.5, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
Ciscozine(tcl)#

In these 2 simple examples, I have used 3 Tcl command: proc, puts, for.

The proc command creates a new command. The syntax for the proc command is: proc name args body
When proc is evaluated, it creates a new command with name name that takes arguments args. When the procedure name is called, it then runs the code contained in body.

The puts command is used to print “somethings”.

The for command in Tcl takes four arguments; an initialization, a test, an increment, and the body of code to evaluate on each pass through the loop. The syntax for the for command is: for start test next body
During evaluation of the for command, the start code is evaluated once, before any other arguments are evaluated.

You can find more informations about tcl command syntax on http://www.tcl.tk/.

References:

• http://www.cisco.com/…/feature/guide/gt_tcl.html
• http://en.wikipedia.org/wiki/Tcl
• http://forums.cisco.com/eforum/servlet/EEM?page=main

© Fabio for CiscoZine, 2008. | Permalink | One comment
Post tags: Advanced configuration, Tcl

And you, what do you want for Christmas?

© Fabio for CiscoZine, 2008. | Permalink | No comment
Post tags: Video

Cisco’s C-Scape Global Forum 2008 brings industry analyst and press communities together with John Chambers, his executive team and guest technology leaders for discussion, debate and dialogue on the industry’s prevailing issues and trends.

This year’s interactive forum will focus on the process of building the Next Internet - a much richer user experience on a global scale - and feature discussion around key market transitions in video, collaboration and data center/virtualization.

C-Scape 2008 will feature general session remarks from members of Cisco’s leadership team including:

• John Chambers, chairman and CEO
• Blair Christie, senior vice president, Corporate Communications
• Rob Lloyd, senior vice president, United States, Canada and Japan
• Randy Pond, executive vice president, Operations Processes and Systems
• Padmasree Warrior, chief technology officer

General session remarks will also be given by guest technology leaders including:

• Art Hair, chief technology officer, The Walt Disney Studios
• Ken Harvey, group managing director, chief technology and services officer, HSBC
• Dick Lynch, executive vice president and chief technology officer, Verizon

C-Scape sessions will be webcast live:

• December 9th from 8:00 a.m. - 12:15 p.m. and 3:55 p.m. - 5:00 p.m. PT
• December 10th from 8:45 a.m. - 10:30 a.m. and 3:00 p.m. - 4:00 p.m. PT

To register for the live video webcasts, please go to:
http://event.ciscowebseminars.com/clients/cisco/CScape2008

© Fabio for CiscoZine, 2008. | Permalink | No comment
Post tags: Webcast