Category: Security

TACACS+ on Nexus 7000

I have been through a couple of these Nexus deployments now that use a combination of 7Ks, 5Ks, and 2Ks. If you know anything about this platform you know that TACACS and AAA only really apply to the 7Ks and 5Ks. Here is my working template of what it takes to get these guys talking to an ACS server.

tacacs-server key 0 YOUR.ACS.KEY
tacacs-server host X.X.X.X
tacacs-server host X.X.X.X
tacacs-server host X.X.X.X
aaa group server tacacs+ GROUP.NAME
  server X.X.X.X
  server X.X.X.X
  server X.X.X.X
  source-interface YOUR.VLAN or YOUR.VRF or YOUR.ETHERNET

aaa authentication login default group GROUP.NAME
aaa authentication login console group GROUP.NAME
aaa authorization commands default group GROUP.NAME
aaa accounting default group GROUP.NAME
aaa authentication login error-enable
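A small checker for templates of this shape, added here as an example and not code from the original post: it parses the AAA lines and reports a cleartext "key 0", a group member with no matching tacacs-server host line, a group without a source-interface, and a missing error-enable. The sample config and its addresses are constructed, and check_nxos_aaa is a hypothetical helper, not an NX-OS feature.

```python
import re

# Constructed sample in the shape of the template above (addresses are made up)
SAMPLE_CONFIG = """\
tacacs-server key 0 YOUR.ACS.KEY
tacacs-server host 10.0.0.11
tacacs-server host 10.0.0.12
aaa group server tacacs+ ACS
  server 10.0.0.11
  server 10.0.0.13
aaa authentication login default group ACS
aaa authentication login console group ACS
aaa authorization commands default group ACS
aaa accounting default group ACS
"""


def check_nxos_aaa(config: str) -> list:
    """Return a list of findings for an NX-OS TACACS+/AAA snippet (hypothetical checker)."""
    findings = []
    hosts, groups, cur = set(), {}, None
    for raw in config.splitlines():
        stripped = raw.strip()
        if m := re.match(r"tacacs-server key (\d) ", stripped):
            if m.group(1) == "0":           # key 0 = cleartext key in the config
                findings.append("tacacs-server key is cleartext (key 0)")
        elif m := re.match(r"tacacs-server host (\S+)", stripped):
            hosts.add(m.group(1))
        elif m := re.match(r"aaa group server tacacs\+ (\S+)", stripped):
            cur = m.group(1)
            groups[cur] = {"servers": [], "source": False}
        elif cur and (m := re.match(r"server (\S+)", stripped)):
            groups[cur]["servers"].append(m.group(1))
        elif cur and stripped.startswith("source-interface"):
            groups[cur]["source"] = True
        elif not raw.startswith(" "):       # any other top-level line ends the group block
            cur = None
    for name, g in groups.items():
        for s in g["servers"]:              # a group member must also be a defined host
            if s not in hosts:
                findings.append(f"group {name}: server {s} has no tacacs-server host line")
        if not g["source"]:                 # otherwise the source address is whatever routing picks
            findings.append(f"group {name}: no source-interface set")
    if "aaa authentication login error-enable" not in config:
        findings.append("no 'aaa authentication login error-enable': login failures give no reason")
    return findings


if __name__ == "__main__":
    for f in check_nxos_aaa(SAMPLE_CONFIG):
        print("FINDING:", f)
```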

Seven more reasons Packetlife.net ROCKS!

Stretch over at Packetlife goes above and beyond when it comes to practical network blogging. Even more, he publishes insanely good cheat sheets that I print, laminate and carry with me every day. Often a customer will have a question and I pull out the handy cheat sheet and just leave it with them. So today Stretch posted Seven Free Ways to Improve Your Network's Security, so click through to it and do these things TODAY! So often it is the little things that bite us in the ass when it comes to security, and while letting just one little thing slip through is bad enough, so often we are letting lots of little things through. So start here and let's lock down the tubes, baby!

What on earth can I do with this stupid PC Card Slot…

So for the past two years I have been a Mac guy. I have fallen in love with the clean, easy to use interface of OSX coupled with the power of the base OS for when I need to get down and dirty on a network. Along with this love affair I had come to the conclusion that the days of portable computers bristling with ports and expansion slots like guns from battleships of old were gone. Then I switched jobs and was issued my Dell Latitude D630. So far it is a nice laptop. Aside from the OS options I have (I chose Ubuntu) I was surprised to see all my hardware options including a serial port (woohooo, no need to carry my Keyspan USB adapter!!!!), a docking port slot on the bottom, the ability to remove my DVD drive for a few extra hours of battery, 4 USB slots, VGA out on board, and a PCMCIA slot.

Let's just say out of all of those mentioned my PCMCIA (PC Card) slot was my least favorite. Many computers are moving to ExpressCards that have much more bandwidth for options beyond just audio and video interfaces. So I just left my PC Card slot alone with the blank that had come in it. Some of the guys I work with are carrying super thin laser mice in that slot and my wife's HP has a cool little remote that hides in that bay, but all in all it seems pretty useless. That was until I found an old CF to PCMCIA adapter that I had picked up to try to use CF cards in my older Cisco routers (that did not work!).

I put my bird in Fort Knox…go on try to steal it.

If you follow staticnat then you will know that I recently started a new job. They issued me a new Dell Latitude D630 including the upgraded video card. This was a bit of a change since I have been using a MacBook exclusively for the past two years. What I learned to love about the MacBook was the strength of the underlying OS and its elegant GUI for day to day use. Knowing my OS options, I decided to opt out of the Win32 world and take the dive into Linux as my primary work environment. This was easy enough considering my laptop came installed with WinXP and the Ubuntu 7.10 installer CD does a great job creating a dual boot system with minimal hassle to the end user.

Captain the warp subsystems are down what should we do?!!!

Over the last two years I have become quite the Mac/OSX fan. For years I was down on Apple and to this day think I had every right to be. But with OS 10.4 and now 10.5 they have created a powerful and flexible Unix distribution for general users and power users alike. However, I have from time to time noticed funky issues with software such as the Cisco IPsec VPN client.

Most recently, in 10.5.1, I kept getting "the VPN subsystem could not be contacted". Well, here is the fix from Nate:

“If you are running Cisco’s VPNClient on Mac OSX, you might be familiar with (or tormented by) “Error 51: Unable to communicate with the VPN subsystem”. The simple fix is to quit VPNClient, open a Terminal window, (Applications -> Utilities -> Terminal) and type the following:
sudo /System/Library/StartupItems/CiscoVPN/CiscoVPN restart
and give your password when it asks. This will stop and start the “VPN Subsystem”, or in other words restart the CiscoVPN.kext extension.”

Thanks Nate, and I hope this helps everyone else out there keep their WARP core under control….later!

The Magical Disappearing ASA ACL.

I was on a client site about a month ago finishing an ASA install running PIX IOS 7.2.3. We were moving the client from flat ACLs to Object Group based ACLs, object groups and named hosts. But for whatever reason we were having problems with the ACL. So from the command line I planned on using the tried and true no access-list "ACL NAME" to get rid of the offending ACL and start over. I was confused when the ACL did not go away. Well, in reading 6200networks yesterday I came across the answer. From global config mode use clear configure access-list "id" and it should take care of that troublesome ACL. Thanks to Joe at 6200networks for the info.

Digital Demons, let's cast them out of our digital homes.

Back on March 19th of this year I posted "Three weeks in two, bah who needs sleep." I must have lied, because between those two weeks and the subsequent crazy weeks following I pretty much fell off the map. During the aforementioned two weeks, though, I visited Ottawa, Canada for Sales and Engineering training for CryptoCard. For me trips like this are exciting not for the trip but for the time I get to spend with other professionals learning, hanging out and passing on our tricks to each other. During a break in the training routine our instructor Patrick posed a question, something to the effect of: if we don't like spam and attacks, and we know that 20 to 30% of all spam and attacks come from North Korea and China, then why don't we block them at the edge?