Tuesday, July 8, 2014

ASA Sub-Interfaces

Question From A Customer

Question: I have an ASA in production with several ports configured.  One of these ports has a single IP assigned to it, and an ACL applied to it.  If I create sub-interfaces under that port and trunk into it with various VLANs from the upstream switch, what will happen to the "main port's" configuration?  Will it still work too?

Answer: Keep in mind that you create an ACL and then “apply” it to an interface.  As soon as you create virtual sub-interfaces under a physical interface, from a software and config perspective that physical interface goes “dormant” and virtually all its configuration(s) other than speed and duplex are ignored.  As a result, any ACL applied to that main interface will no longer affect traffic that physically traverses the port.  So in short, your current ACL will stop working (and it will look like the port did too).

Most likely, as soon as you configure a sub-interface on the port it will stop passing traffic or applying rules.  My recommendation is that if you have a free port on the FW, configure that with all your changes, sub-interfaces, VLANs, etc., while it is in a down state, and then when ready bring it up and physically move the cable.  If you don’t have a free port and are only using the base ports included with the chassis, you may want to look at adding the 4/6 port expansion card (depending on model).
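As an added illustration (not from the original post or the customer's config), this is what the change looks like on the ASA: the physical port keeps only its Layer-1 settings, and the nameif, security-level, address and ACL binding move to each sub-interface.  The interface, VLAN IDs, ACL names and addresses are made-up values.

```text
! Before: the physical port carries the address and the ACL binding
interface GigabitEthernet0/1
 nameif dmz
 security-level 50
 ip address 10.1.1.1 255.255.255.0
!
access-group dmz_in in interface dmz

! After: the physical port becomes a bare trunk carrier (speed/duplex only);
! removing nameif also drops any access-group that referenced "dmz"
interface GigabitEthernet0/1
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/1.10
 vlan 10
 nameif dmz10
 security-level 50
 ip address 10.1.10.1 255.255.255.0
!
interface GigabitEthernet0/1.20
 vlan 20
 nameif dmz20
 security-level 50
 ip address 10.1.20.1 255.255.255.0
!
! Re-apply an ACL to every sub-interface; nothing bound to the old
! physical nameif filters the tagged traffic any more
access-group dmz_in in interface dmz10
access-group dmz20_in in interface dmz20
```

After the cut-over, show running-config access-group and show interface ip brief confirm that each sub-interface is up and has an ACL bound to it.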

There can be other unforeseen effects as well, and running an Active/Active or Active/Standby cluster may complicate it further.  So if you feel the least bit uncomfortable with this change, or if you work for a company with a low tolerance for "learning on the job" or one that has very short maintenance windows, it may be a good idea to get a qualified engineer on the line (or onsite) to help with the prep work and/or cut-over.  They can help you pre-build the configs, check the upstream and downstream switches to make sure there won’t be issues, and then be available during cut-over to get any problems corrected quickly.

If you don't have a trusted network company you already work with, reach out to me and I'll put you in touch with a qualified engineer.  Contact info is on the right side of the page under "Professional Inquiries".

Friday, June 20, 2014

Licensing Cisco ASA 5500-X NGFW (CX) for Redundancy

If you are working on budgets and are considering replacing your firewall, you may run into this question, and the answer is not particularly easy to find.  "If I buy a pair of ASA 5500-X firewalls and plan to run them active/active, and want to run the Next Generation Firewall (NGFW) (formerly CX) feature set, do I need one subscription license for the pair or do I need one for each chassis?"

Based on the Partner Ordering Guide (requires CCO login and partner status), updated Dec. 2013,  in version 9.2.1 of the ASA code you need one subscription license per physical chassis.  A screen shot of the line is below for those who can't get the original doc.

The logic behind this doesn't make a whole lot of sense, and I expect they'll change it at some point.  On the surface it seems logical: two chassis can each pass traffic and so should each be licensed.  If Active/Active were an option for NGFW I would agree; however, at this point the NGFW only supports Active/Passive, which means that only one chassis at a time will be passing traffic, and when a fail-over does occur, the passive device (now active) will continue to pass NGFW traffic without inspection if it is already midstream.  So to summarize:

1. You have to have a subscription license for each chassis, despite the fact that logically they are one.
2. You have to have a subscription license for each chassis, despite the fact that you can't run the NGFW features in active/active mode (the traditional firewall features still support this, just not AVC, WSE, or IPS).
3. You have to have a subscription license for each chassis, despite the fact that the NGFW doesn't share session state between chassis (the traditional firewall features still support this, just not AVC, WSE, or IPS), so a fail-over lets midstream traffic through uninspected.

Given the demand for A/A firewalls, I'm certain in the near future they'll release a version of the NGFW code that supports passing state information between firewalls as well as allowing for Active/Active deployments.  They'll also likely build support for a single subscription for Active/Passive pairs.  However, right now we'll have to continue to pay for it like it supports A/A and hope at some point it becomes reality.

Friday, June 6, 2014

vCloud Hybrid Service (In the middle of the night)

My wife shook me awake at 3am this morning.  She asked me, "what is vCloud Hybrid Service?".  I blinked at her several times trying to figure out if I was dreaming and wondering why she would even be curious about that.  As I came fully awake I could hear a man's voice in our house.  He was saying, "with the vCloud Hybrid Service you can setup virtual data centers...".  I wasn't dreaming; the training video I had been watching before bed had somehow restarted and was blasting through the house at full volume.  As I stumbled downstairs to turn it off I wondered to myself "how did this happen, and exactly how many virtual data centers can you have??".  Well, at least it didn't wake the kids.

Thursday, May 29, 2014

Configuring the Cisco IOS to Log Login Attempts

This post is part of a larger project on getting your devices to email you a list of daily config changes.  It is titled, Keeping Track Of Cisco IOS Device Config Changes.

How many times in a month does someone try to log into your switches or routers?  And who is it?  Do you care?  You should, and it isn't that hard to find out and keep track of.  With two lines you can configure your switch or router to record what IP address they came from and what time of day they attempted to log in.  It isn't much, a username would be great too, but it is something to go on.  The commands you want to enter are:

login on-failure log
login on-success log

Once you have entered these two commands and saved the config, you will begin to see entries in your logs that look similar to this:

*Mar 21 20:57:01: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: test_user] [Source:] [localport: 22] at 16:59:53 CDT Wed Mar 21 2012
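To turn those log entries into something you can actually review, here is an added example (not from the original post) that parses the SEC_LOGIN messages, counts successes and failures per source IP, and flags any source with repeated failures.  The sample log lines are constructed, and the field layout of the LOGIN_FAILED variant is assumed to mirror the LOGIN_SUCCESS line shown above.

```python
import re
from collections import Counter

# Matches the login-audit messages produced by "login on-success log" /
# "login on-failure log".  The bracketed fields follow the sample line in the
# post; the LOGIN_FAILED variant is assumed to carry the same fields.
LOGIN_RE = re.compile(
    r"%SEC_LOGIN-\d-(?P<event>LOGIN_SUCCESS|LOGIN_FAILED):.*?"
    r"\[user: (?P<user>[^\]]*)\] \[Source: ?(?P<src>[^\]]*)\] "
    r"\[localport: (?P<port>\d+)\]"
)

# Constructed sample log lines (not real device output); addresses are
# documentation ranges.
SAMPLE_LOG = """\
*Mar 21 20:57:01: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: test_user] [Source: 192.0.2.10] [localport: 22] at 16:59:53 CDT Wed Mar 21 2012
*Mar 21 20:58:11: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 198.51.100.7] [localport: 22] [Reason: Login Authentication Failed] at 17:00:03 CDT Wed Mar 21 2012
*Mar 21 20:58:15: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 198.51.100.7] [localport: 22] [Reason: Login Authentication Failed] at 17:00:07 CDT Wed Mar 21 2012
*Mar 21 20:58:20: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: cisco] [Source: 198.51.100.7] [localport: 22] [Reason: Login Authentication Failed] at 17:00:12 CDT Wed Mar 21 2012
*Mar 21 21:01:44: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: test_user] [Source:] [localport: 22] at 17:03:36 CDT Wed Mar 21 2012
"""


def parse_login_events(text):
    """Return one dict (event, user, src, port) per login-audit line found."""
    events = []
    for line in text.splitlines():
        m = LOGIN_RE.search(line)
        if m:
            d = m.groupdict()
            # Console logins leave the Source field empty, as in the post's sample
            d["src"] = d["src"].strip() or "unknown"
            events.append(d)
    return events


def summarize(events, fail_threshold=3):
    """Count successes and failures per source; flag sources at/above the threshold."""
    failures = Counter(e["src"] for e in events if e["event"] == "LOGIN_FAILED")
    successes = Counter(e["src"] for e in events if e["event"] == "LOGIN_SUCCESS")
    flagged = sorted(src for src, n in failures.items() if n >= fail_threshold)
    return {"failures": dict(failures), "successes": dict(successes), "flagged": flagged}


if __name__ == "__main__":
    print(summarize(parse_login_events(SAMPLE_LOG)))
```

Feed it the output of show logging (or the syslog file your collector writes) and drop the daily summary into the same email as the config-change report.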

You Are The CEO Of Your Own Life

My thoughts on a popular phrase, "You are the CEO of your life":
You are the CEO of your own life.  You may be employed by a company but you don’t work for a company.  You work for yourself.  Your career is yours.  You will apply it on behalf of many companies over your lifetime.  Build the corporation of YOU, apply it for the company who gives you the most benefit, and do it with passion, and it will always provide for you and those you love.

Wednesday, April 23, 2014

Manage Your Network No Matter What

It's a Thursday afternoon and the sky is clear and the sun is out.  The breeze is just light enough to make the leaves rustle and you have the rest of the week off.  Too bad that despite the fishing poles in the back of your car and the two days of approved vacation you are sitting in your data center watching lights blink.  Nothing is coming in and nothing is going out.  If the local telecom carrier can bring your internet, voice, and MPLS circuits back up by the end of the day you just might get to enjoy tomorrow off.  If not, the folks in the call center will enjoy tomorrow off instead.  The carrier won't confirm it but the backhoe at the end of the block is looking pretty guilty.

Over the years I've been in similar situations more than once.  Sure, we could talk about redundant circuits or diverse carriers or disaster recovery plans, and each of those is worth its own article, but today let's assume that for whatever reason those things didn't happen.  There are numerous scenarios where you may lose visibility into your network or access to your management network (please tell me you have a dedicated and secured management network), whether it be snow or hurricane or power outage.  No matter the cause, you need visibility into your network with no excuses.

You say internet VPN.  What if the internet is down?  You say access across your WAN from your DR site?  What if your MPLS or Metro Ethernet are down?  You say dial up.  What if the PRI or SIP trunks are down?  You say POTS line into a modem?  What if the phone lines are dug up?

Each of those is an acceptable option, but the main problem with all of these solutions is that the vast majority of the time the last mile (or local loop) of all your circuits comes from the same single carrier.  Even if AT&T or Sprint or MCI says it's their service, they lease that "local loop" from your local carrier.  That means you have a potential single point of failure.  You have to have a different solution.

The easy solution is cellular.  There are a number of console server manufacturers, such as Opengear, that support 3G or 4G data connections.  With a SIM card and a monthly service contract with your favorite cell provider you can guarantee that no matter what happens, as long as your datacenter has power, you can manage your network (hopefully you have a nice UPS backed up by a generator).  They provide authentication, security, and logging.  You can log into the console of any device connected.  You can manage any device in your network from anywhere.  Even if it's in an area of your building where you don't get a cell signal, the addition of a remote antenna will make access a reality.

If a console server is something you haven't looked at yet, take the time and build the business case, get a quote, and get it put in.  As usual, cellular shouldn't be your only access, but layering it on top of VPN or MPLS or POTS will ensure you have the access you need.  It means that instead of sitting in the data center waiting for the circuits to come back up so you can call the boss and tell him, you could be sitting in a boat catching bass/trout/tuna and using your iPad to test your network every few minutes (or better yet have it PuTTY into your firewall and set up a persistent ping to Google so you see it as soon as it comes up).  It will bring peace of mind and make you look like a genius to the higher-ups.

Monday, July 29, 2013

Windows Down

I spent a good portion of the weekend working on the outside of our house, painting and some general maintenance.  Saturday afternoon, while climbing down off the roof my 9 year old son ran up to me and told me that the local hardware store had called.  He was in quite a panic, their Windows screens were down.

I thought that was an odd thing for the hardware store to call me about, and on a Saturday.  True, I had helped them out in the past with some backups and wireless networking, but it had been quite a while and I didn't know they had my home number.

I spend most of my time working on networks these days, but figured I could fix a simple Windows server problem so I jumped in the car and headed over; they're only about 3 blocks away.  I walked in expecting to find the place in a panic with do-it-yourself'ers stressing out because they can't buy their deck screws, lawn fertilizer, and cans of paint on a beautiful Saturday afternoon.  Much to my surprise, everything looked normal.  No panic, no frantic writing down orders on paper, nobody had broken out the old credit card machine.

I found one of the owners and asked what was going on, what was wrong.  "Nothing" was their reply, it had been a fairly busy day and they were happy with the volume of traffic.  They'd run out of a few things, but otherwise everything was humming along smoothly.  I asked about the computers and they said they were working fine, and had been all day.

A little confused, I turned to leave.  About half way out the door the owner said, "hey, your order is done early, did you want to take it with you?".  My order?  What order?  Oh yeah, I had forgotten about that.  I had dropped off some old torn up screens that went on the bedroom windows to be re-screened, but they weren't due to be done for another week.

Then it all made sense:
"Window Screens are Done", over the phone to a 9 year old who knows that Dad "fixes computers" sounds an awful lot like "Windows Screens are Down".

Well, at least the screens were done early, and they look great.