Cisco IOS release naming

Most probably you already know this, but for those who are interested, here is a list of the letter definitions for Cisco IOS release trains. In more human terms: if you have loaded an IOS image like c2900-universalk9-mz.SPA.150-1.M5.bin, this is what those letters (in this case SPA) mean:

  • A = Aggregation/Access Server/Dial technology
  • B = Broadband
  • C = Core routers (11.1CA, 11.1CT, 11.1CC)
  • D = xDSL technology
  • E = Enterprise feature set
  • F = Feature Specific enhancements (11.2F)
  • G = Gigabit Switch Routers (GSR)
  • H = SDH/SONET technology (11.3HA)
  • J = Wireless Networking technology (Aironet)
  • M = Mobile (Restricted to Mobile Wireless BU usage and further reserved for Mainline)
  • N = Voice, Multimedia, Conference (11.3NA)
  • P = Platform features (11.2P)
  • R = Reserved for ROMMON reference
  • S = Service Provider
  • T = Reserved for Consolidated Technology Train
  • W = LAN Switching/Layer 2 routing
  • X = A short lived, one-time release (12.0XA)
  • Y = A short-lived, one-time release (when Xs are exhausted)
  • Z = A short-lived, one-time release (reserved if Ys are exhausted)
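As an added example (not code from the original post), here is a small Python parser that splits an IOS image filename into its fields and looks up the release-train letter in the table above. The two filenames in the block are constructed samples, and the treatment of the optional SPA tag as a signed-image marker is my assumption, not something stated in the post.

```python
import re

# Release-train letter definitions, as listed in the post above.
TRAIN_LETTERS = {
    "A": "Aggregation/Access Server/Dial technology",
    "B": "Broadband",
    "C": "Core routers",
    "D": "xDSL technology",
    "E": "Enterprise feature set",
    "F": "Feature Specific enhancements",
    "G": "Gigabit Switch Routers (GSR)",
    "H": "SDH/SONET technology",
    "J": "Wireless Networking technology (Aironet)",
    "M": "Mobile (also reserved for Mainline)",
    "N": "Voice, Multimedia, Conference",
    "P": "Platform features",
    "R": "Reserved for ROMMON reference",
    "S": "Service Provider",
    "T": "Reserved for Consolidated Technology Train",
    "W": "LAN Switching/Layer 2 routing",
    "X": "Short-lived, one-time release",
    "Y": "Short-lived, one-time release (when Xs are exhausted)",
    "Z": "Short-lived, one-time release (reserved if Ys are exhausted)",
}

# Layout assumed here: platform-featureset-memory.[SPA.]version-rebuild.TRAINmaint.bin
_IMAGE_RE = re.compile(
    r"^(?P<platform>[^-]+)-(?P<feature>[^-]+)-(?P<memory>[a-z]+)\."
    r"(?:(?P<signed>SPA)\.)?"
    r"(?P<ver>\d+)-(?P<rebuild>\d+)\.(?P<train>[A-Z]+)(?P<maint>\d*)\.bin$"
)

def parse_ios_image(name):
    # Split an IOS image filename into its fields; raise ValueError if unrecognised.
    m = _IMAGE_RE.match(name)
    if not m:
        raise ValueError(f"not a recognised IOS image name: {name}")
    f = m.groupdict()
    ver = f["ver"]
    # "150" -> 15.0, "124" -> 12.4: the last digit is the minor number.
    f["version"] = f"{ver[:-1]}.{ver[-1]}({f['rebuild']}){f['train']}{f['maint']}"
    f["signed"] = f["signed"] == "SPA"  # assumption: SPA tag = digitally signed image
    f["train_meaning"] = TRAIN_LETTERS.get(f["train"][0], "unknown train letter")
    return f

if __name__ == "__main__":
    # Constructed sample filenames, not taken from a real device.
    for name in ("c2900-universalk9-mz.SPA.150-1.M5.bin", "c2800nm-adventerprisek9-mz.124-24.T8.bin"):
        info = parse_ios_image(name)
        print(name, "->", info["version"], "train", info["train"], "=", info["train_meaning"])
```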

Additional information can be found here.

Cisco QoS at-a-glance

Stephan, a colleague of mine, found the following documents while digging through multiple pages of Cisco.com. The documents present a nice overview of different QoS approaches and the most important information, somewhat like "cheatsheets". They were helpful to us when we needed to implement QoS in some parts of the network that we administer. I hope they will help you as well.

Maybe you're wondering why I'm adding them here, since the documents are already somewhere on Cisco.com. As you probably know, Cisco has been constantly changing its website in the last months and a lot of documentation is misplaced in the Cisco.com sitemap. We already had problems finding all the links, so I thought, why not share them here, as they are already public and made by Cisco.

You'll find a Download button under each document for the PDF version, and at the end of this post there is a link to download all documents in one archive. If somebody needs only one document and has a poor Internet connection, why force them to download the full archive.

Cisco's Campus QoS Design
Cisco – Campus QoS Design

Cisco's Branch QoS Design
Cisco – Branch QoS Design

Cisco IPv6 QoS

Cisco – IPv6 QoS

Cisco's QoS Best Practices

Cisco – QoS Best Practices

Cisco QoS Design for IPsec VPNs

Cisco – QoS Design for IPsec VPNs

Cisco's QoS Design For MPLS VPN Service Providers

Cisco – QoS Design for MPLS VPN Service Providers

QoS Strategy for DoS Worm Attack Mitigation

Cisco – Scavenger class – QoS Strategy for DoS Worm Attack

Cisco's QoS Design for MPLS VPN Subscribers

Cisco – QoS Design for MPLS VPN Subscribers

QoS Baseline

Cisco – QoS-Baseline

Cisco's WAN QoS Design

Cisco – WAN QoS Design

As said in the beginning, if you'd prefer, you can download all QoS graphs in one archive.

Let me know your opinions on the above approach to QoS from Cisco. Is it accurate? Do you apply them in your organization, whether for Campus, WAN, VPN or even Security?

ACS 5.1 integration with Active Directory [Part II]

In the first part of this article, I described a little bit the installation process for Microsoft Active Directory. Now it's time to go ahead and talk about the ACS 5.x integration with AD. In the meantime I changed the version "5.1" to "5.x" as version 5.2 is already out there. This tutorial works for both versions.

Maybe you are wondering why I don't have a separate chapter about the installation process of ACS 5.x. The reason is that the installation is pretty straightforward, as you can see below. You have to follow some instructions, add some mandatory information (IP address, username, password…) and you're done. Very simple. Because an image is worth a thousand words, I took some screenshots during the process to make the explanation easier to follow.

Load the ACS 5.x image and after the initial screen you should see the following warning. YES is the correct answer.

ACS Installation Start

ACS 5.x will start the installation

ACS Package installation

If everything goes well, you should see a screen asking to type the keyword “setup”

ACS Setup

Next, ACS 5.x will ask for some mandatory information:

ACS Settings

Next, ACS 5.x will install all core files and when done it will show a prompt to login. You can go ahead and login or open a web browser and type https://your-ip/acsadmin (in my case this would be https://172.31.82.8/acsadmin , according to the image above). You should see something like this:

ACS Login

Default username: acsadmin and password: default. The system will require you to change the default password:

ACS Change password

The last step before the system is operational requires you to add the license file. If you got the ACS 5.x image from the Cisco website, they will provide you with a trial license file, or a standard / extended license if your company has already acquired one.

ACS License

While the installation part is very simple, the next lines, I'm sure, are critical for some of you. ACS 5.x is available for 2 platforms: bare metal system (that means a dedicated machine) or VMware appliance. If you are like me, then you don't have a dedicated machine for testing some ACS 5.x solutions, and VMware can be difficult sometimes to install and operate. The next alternative, which is free by the way, is VirtualBox. Thanks to Nick Bettison (Twitter @linickx) we now have a solution to install ACS 5.x on VirtualBox.

He describes step-by-step, in an easy to understand example, how you can install ACS 5.1 on VirtualBox. As confirmed in a later post, this solution also works for ACS 5.2; you just have to download that release from the Cisco website. As Nick says on his website, I also want to highlight that you will not find the ACS 5.x image for download either on his blog or here. If you have a CCO account you can download a trial version from the Cisco website. The trial is free and you can try the ACS solution for 90 days, which I'd say is more than enough for the tests you have in mind.

Note: Lately I saw on some websites images of the ACS 5.x system that claim to install directly on VirtualBox, without using Nick's method. Most probably these images work just fine, but keep in mind that you'll have to download those files from somewhere other than Cisco, and I think this is illegal. Using Nick's method you are on the safe side, as you download the ACS 5.x image from the Cisco website and the rest of the tutorial uses open source tools.

OK, enough about this, let's go and see how you can integrate ACS 5.x with AD.

I assume now that you have already installed an Active Directory system and an ACS 5.x (it doesn't matter if bare metal system, VMware or VirtualBox). Also, from the ACS 5.x CLI, check to see if you can reach the AD system (a ping test would do it). This test has to be successful to proceed.

On the ACS 5.x Web management interface, find the Users and Identity Stores section on the left panel and choose Active Directory:

ACS Active Directory

Important Note: While trying to join ACS to the AD domain, ACS and AD must be time-synchronized. Time in ACS is set according to the Network Time Protocol (NTP) server. Both AD and ACS should be synchronized by the same NTP server. If time is not synchronized when you join ACS to the AD domain, ACS displays a clock skew error. Using the command line interface on your appliance, you must configure the NTP client to work with the same NTP server that the AD domain is synchronized with. Refer to http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.1/command/reference/acs5_1_cli.html for more information.

Let’s add ACS 5.x to the AD:

ACS AD setup

Complete the Active Directory Domain Name field with the necessary value. Then, add the username and password. This user needs to be a domain administrator and have rights to add new machines to Active Directory. Use Test Connection to see if everything is correct. You can then save the configuration. After you save, you will notice that Connectivity Status has changed and is now showing the joined domain. Also, at the top of the page, two additional tabs appear. You're done!

It seems like an easy task, and if everything is prepared in advance the integration itself will work like a charm. From experience I know that if this part is not working smoothly, troubleshooting is not an easy task. If you run into problems, please let me know in the Comments and I will help as much as I can.

The next part will be about using AD Groups and Users together with ACS 5.x.


Cisco CCDA: 640-863 and 640-864

As you probably know, the CCDA exam 640-863 will be replaced by the newer version 640-864. The problem is not that Cisco is changing them (this is actually a good thing) but the fact that there are too few materials regarding the new exam and a lot of contradictory information.

First of all, the official Cisco guide, CCDA 640-864 Official Cert Guide, 4th Edition, is not yet available. Ciscopress.com announces it will be available June 10, 2011. Despite the fact that you need more knowledge than this guide offers, it would make sense to enforce an exam only after the documentation for that particular exam is available. It's true that the CCDA 640-864 Official Cert Guide, Rough Cuts, 4th Edition already exists in electronic format (PDF) on Ciscopress.com. For those of you who are not familiar with the Rough Cuts concept, here is a small explanation from Cisco Press:

The Rough Cuts service from Safari Books Online gives you exclusive access to an evolving manuscript that you can read online or download as a PDF and print. A Rough Cuts book is not fully edited or completely formatted, but you’ll get access to new versions as they are created.

Fine, but Rough Cuts is not the official guide. I don't know about your preferences, but from time to time I prefer to read from a hard-copy book rather than from my monitor.

Now for some good news, even if it is full of contradictory information. According to https://learningnetwork.cisco.com/community/certifications/ccda/syllabus , it seems that the 640-863 availability has been prolonged until June 15, 2011 (it was April 30, 2011):

Good news for those who plan to take the exam in near future. Bad news? Confusion!

This link: https://learningnetwork.cisco.com/community/certifications/ccda/desgn maintains that nothing has changed:

Pretty confusing, isn't it? Both are official Cisco links. In the meantime, there is a discussion about this topic on The Cisco Learning Network where a few members confirmed that Cisco postponed the date for 640-863 to June 15, 2011. This would be a good thing, given the conditions that I've explained above.

If there is an official statement (besides The Cisco Learning Network thread) I will add an update here.

UPDATE:

Yes, the correct EOL date for the 640-863 DESGN exam is June 15, 2011.

The correct EOL date for the 642-873 ARCH exam is June 16, 2011.

Hope this clarifies any confusion.

Regards,

Rigo
Cisco Learning Network Moderator

I’m just glad that this confusion has been solved and there is still time to take 640-863, before the official documentation for 640-864 is released.

Cisco Secure ACS Unauthorized Password Change Vulnerability

I just finished testing a solution involving ACS 5.2 and Active Directory when this "good news" hit me in the face. It seems that ACS has a vulnerability that allows an unauthenticated attacker to change the password of any user account to any value without providing the account's previous password.

You might think that this affects only older versions of the ACS, but in fact all recent versions are affected by this bug (CSCtl77440):

Vulnerable Products

The following Cisco Secure ACS versions are affected by this vulnerability:

  • Cisco Secure ACS version 5.1 with patch 3, 4, or 5 (or any combination of these patches) installed and without patch 6 or later installed
  • Cisco Secure ACS version 5.2 without any patches installed
  • Cisco Secure ACS version 5.2 with patch 1 or 2 (or both of these patches) installed and without patch 3 or later installed

The previous list applies to both the hardware appliance and the software-only versions of the product.

There is no workaround for this bug, but Cisco recommends some actions to limit this problem. One of the recommendations is to limit the number of machines that have direct access to the ACS environment. If you provide the UCP (User Change Password) service, then it is recommended to stop it and not allow any machine that offers UCP to access ACS. These actions would help if you have a central management area from which you connect remotely in order to access your ACS servers.

Now for some good news. It seems that this vulnerability works only if the user is defined in the ACS internal identity store, so if you are using an external identity store like Active Directory you are somewhat safe. Here are the situations in which this exploit does not work:

This vulnerability cannot be used to change the password for the following types of users accounts:

  • User accounts that are defined on external identity stores such as a Lightweight Directory Access Protocol (LDAP) server, a Microsoft Active Directory server, an RSA SecurID server, or an external RADIUS server
  • System administrator accounts for the Cisco Secure ACS server itself that have been configured through the web-based interface
  • User accounts for the Cisco Secure ACS server itself that have been configured through the username username password password CLI command

This vulnerability does not allow an attacker to perform any other changes to the ACS database. That is, an attacker cannot change access policies, device properties, or any user attributes except the user password.

For more information have a look at: http://www.cisco.com/en/US/products/products_security_advisory09186a0080b74117.shtml