After renaming SkyDrive following a legal challenge from British Sky Broadcasting, Microsoft now faces objections to the new name, OneDrive. In July 2013, a British court upheld a complaint by British Sky Broadcasting Group that the name SkyDrive created, among European consumers, an unacceptable association with its own Sky trademark. This week Microsoft decided to give up the SkyDrive name for its cloud storage service for good, the day after announcing that the SkyDrive brand would be replaced by OneDrive. The choice may not have been entirely safe, though, since the hosting company One.com, which also offers cloud storage, has raised an objection of its own. Thomas Medard Frederiksen, CEO of One.com, told Neowin.net today that his company is consulting lawyers specialized in trademark protection to determine whether the name Microsoft has chosen infringes its trademark. One.com
http://www.bnxit.com/microsoft-forced-change-skydrive/
January 30, 2014
Microsoft makes it easier for partners to manage Office 365 accounts
The software vendor has improved the console it gives partners to administer the Office 365 accounts they open on behalf of businesses. The new features are meant to make serving customers simpler and faster.
http://www.bnxit.com/microsoft-facilitates-management-accounts-office-365-partners/
Evernote: sync four times faster after its server upgrade
The upgrade of Evernote's servers is complete. It lets users synchronize four times faster than before, and further improvements are planned.
http://www.bnxit.com/evernote-sync-4-times-faster-upgrading-servers/
January 29, 2014
Mobile applications, the NSA's other target
The mobile versions of several applications, notably Facebook, LinkedIn, Twitter and even Angry Birds, have been targeted by intelligence agencies with the aim of collecting personal and location data.
http://www.bnxit.com/mobile-applications-target-nsa/
Information Builders launches Skybox for BI projects in the cloud
Skybox is a new managed cloud service that lets customers test and develop business intelligence projects without risk.
http://www.bnxit.com/information-builders-launches-skybox-bi-projects-cloud/
Oracle Big Data: tangible business value
While the world makes a digital copy of itself, its ability to produce data has outstripped most organizations' capacity to make use of it.
http://www.bnxit.com/oracle-big-data-tangible-business/
Cisco annual security report: unprecedented growth in advanced attacks and malicious traffic
A shortage of nearly a million security professionals worldwide is hampering organizations' ability to monitor and secure their networks, while vulnerabilities and threats in general have reached their highest levels since 2000.
http://www.bnxit.com/cisco-annual-security-report-unprecedented-advanced-attacks-malicious-traffic-growth/
Apple quarterly results, 2014: record sales but concern over the iPhone 5c
Apple has presented the results of its first fiscal quarter, marked by growth in both revenue and profit. While sales of the firm's various products set records, Tim Cook acknowledged weaker demand for the iPhone 5c.
http://www.bnxit.com/apple-quarterly-2014-record-sales-concern-iphone-5/
January 28, 2014
Native Windows malware tries to infect Android devices
Symantec has detected something that until now had been only a curiosity: an infection that starts on Windows and tries to spread to Android devices. Security companies are familiar with the opposite case, Android malware that tries to infect Windows systems. Symantec cites Android.Claco, which downloads a malicious file in Portable Executable (PE) format together with an autorun.inf and writes both to the root directory of the SD card. When the infected phone is connected to a computer over USB and AutoRun is enabled, Windows runs the malicious PE automatically. (AutoRun from removable drives other than CD/DVD is off by default on Windows 7 and was switched off on XP and Vista by a 2011 update, so this step only works on older or reconfigured machines, and only when the phone is exposed as USB mass storage rather than MTP, since autorun.inf is only honoured on a volume with a drive letter.) What Symantec found this time works the other way around: a Windows threat trying to infect Android devices. The infection begins with a Trojan named Trojan.Droidpak, which downloads a malicious DLL (also detected as Trojan.Droidpak) and registers it as a system service. The DLL then downloads a configuration file from a remote server.
http://www.bnxit.com/native-windows-malware-infect-android-devices/
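The Claco drop described above (an autorun.inf in the root of the SD card pointing at a PE file beside it) is easy to check for on a freshly mounted removable volume. The script below is an added example and not Symantec's code: it parses the [autorun] section the way Windows reads it (the open, shellexecute and shell\verb\command keys), resolves each launch target and checks whether it starts with the "MZ" DOS-stub signature every PE file carries. The sample volume it builds in a temporary directory is constructed for the example; the file names dropper.exe and DCIM are assumptions.

```python
"""Check a removable volume root for the autorun.inf + PE dropper pattern
Symantec describes for Android.Claco.

Added example, not Symantec's code. A constructed sample volume is built in a
temp directory so the script runs offline.
"""
import tempfile
from pathlib import Path

PE_MAGIC = b"MZ"  # every PE file begins with the DOS-stub signature


def _program(value):
    """Strip arguments: '"my app.exe" /s' -> 'my app.exe', 'app.exe /s' -> 'app.exe'."""
    value = value.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end] if end > 0 else value[1:]
    return value.split()[0] if value else ""


def parse_autorun(text):
    """Return the launch targets named in the [autorun] section, in order, without duplicates.

    Keys that start a program: open, shellexecute, and shell\\<verb>\\command.
    Keys are matched case-insensitively, as Windows does.
    """
    targets = []
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if not in_autorun or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        key = key.lower()
        if key in ("open", "shellexecute") or (key.startswith("shell\\") and key.endswith("\\command")):
            target = _program(value)
            if target and target not in targets:
                targets.append(target)
    return targets


def is_pe(path):
    """True when the file starts with the PE/DOS signature; missing files are not PE."""
    try:
        with open(path, "rb") as fh:
            return fh.read(2) == PE_MAGIC
    except OSError:
        return False


def scan_volume(root):
    """One finding per launch target in the volume's autorun.inf.

    Windows matches the file name case-insensitively, so any spelling is accepted.
    """
    root = Path(root)
    inf = next((p for p in root.iterdir() if p.is_file() and p.name.lower() == "autorun.inf"), None)
    if inf is None:
        return []
    findings = []
    for target in parse_autorun(inf.read_text(encoding="utf-8", errors="replace")):
        candidate = root.joinpath(*target.replace("\\", "/").strip("/").split("/"))
        findings.append({"target": target, "exists": candidate.is_file(), "is_pe": is_pe(candidate)})
    return findings


def looks_like_claco_drop(root):
    """True when autorun.inf would launch a PE that is actually present on the volume."""
    return any(f["exists"] and f["is_pe"] for f in scan_volume(root))


def build_sample_volume():
    """Constructed sample laid out like the Claco drop: autorun.inf plus a PE in the root.

    The 'executable' is only the 2-byte signature plus padding, not a real program.
    """
    root = Path(tempfile.mkdtemp(prefix="sdcard_"))
    (root / "DCIM").mkdir()  # an ordinary phone folder, so the root is not empty
    (root / "autorun.inf").write_text(
        "[autorun]\nopen=dropper.exe\nshell\\open\\command=dropper.exe\nicon=dropper.exe,0\n"
    )
    (root / "dropper.exe").write_bytes(PE_MAGIC + b"\x00" * 62)
    return root


if __name__ == "__main__":
    volume = build_sample_volume()
    for finding in scan_volume(volume):
        print(finding)
    print("suspicious:", looks_like_claco_drop(volume))
```

The check is deliberately narrow: a volume with an autorun.inf whose launch target is a present PE file is the Claco pattern, whereas an autorun.inf that only sets a label or icon is normal for many USB sticks and is not flagged.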
ESET takes first place in AV-Comparatives' anti-phishing test
ESET Smart Security 7 detected and blocked 99% of phishing websites. The security company ESET has won the Gold Award from AV-Comparatives, the well-known organization that compares anti-virus products, for its anti-phishing protection. "Phishing websites try to steal money from their victims without having to modify the computers or devices they use. A security solution that warns of known or suspected phishing sites can protect the user from this type of fraud," writes AV-Comparatives, adding that ESET Smart Security 7 blocked the large majority of phishing websites in its tests (99%). "The interface of ESET Smart Security 7 seemed excellent. The program is, in our opinion, very clear and easy to use even on a touch screen," the AV-Comparatives analysis concludes. The Advanced Anti-Phishing module was introduced in the sixth generation of ESET Smart Security and includes enhanced protection in the seventh ge
http://www.bnxit.com/eset-obtained-position-avcomparatives-antiphishing-detection/
Thomson to demonstrate the virtues of Li-Fi at IT Partners
The manufacturer of LED-based products will show what Li-Fi can do to the thousands of visitors at IT Partners. A logical move for a company that considers IT resellers best placed to promote this wireless communication technology. For those who do not yet know it, Li-Fi is a wireless communication system that transmits data by modulating the intensity of light sources, mainly LED lamps. Some of its promoters believe IT distribution channels are best placed to drive the commercial development of the technology. That is the view of Thomson Lighting, and as proof the LED lighting specialist will exhibit at the next IT Partners fair (4 and 5 February 2014 at Disneyland Paris), which draws thousands of professionals every year. "The purpose of our presence is to demonstrate the uses of Li-Fi. We will in particular explain its benefits in places where GPS does not reach. For examp
http://www.bnxit.com/thomson-demonstrate-virtues-lfi-partners/
What to expect from Windows 8.1 Update 1?
The online press is announcing the imminent arrival of the first update to Windows 8.1. Microsoft wants to improve the experience of PC users with the Modern interface and its applications. A short overview of the expected changes. Through a series of leaks that appeared on Win8China and elsewhere, published by the Russian blogger WZor, who is considered reliable enough, and through the articles of the journalists Paul Thurrott and ZDNet's Mary Jo Foley, who get first-hand scoops about Windows, we have a fairly accurate idea of what to expect from Update 1 for Windows 8.1. First, to forewarn the die-hards of the traditional desktop: the update appears to keep the Modern interface and its applications. It does, however, seem to take into account complaints from users who find these applications too hard to use without a touch screen. The update will also soften the aggressive character of the Windows 8 desktop and user interface, accentuating the compromise between the two environments, gra
http://www.bnxit.com/expected-windows-81-update-1/
How to tell whether Google has penalized you
Everything was going well until, suddenly, traffic to the site dropped. Many factors can cause that, but it may well be a Google penalty. How do you detect one?
http://www.bnxit.com/detect-google-penalized/
Personal data: in the cloud and on the ground
Contracting cloud services is easy and reliable, but it is wise to know who is behind the service you hire and to check how it handles the privacy of your data. Companies and users have already set out for the cloud, attracted by its gains, savings and possibilities. The consultancy IDC estimates that companies will invest 15% more in cloud platforms this year, but companies and users are sometimes unaware of, or lost in, the nebulous network that the cloud is. On the occasion of the international Data Protection Day held on 28 January in Europe, an initiative of the Council of Europe to commemorate the signing of Convention 108, which governs the protection of individuals with regard to automatic processing of personal data, a provider of cloud hosting, hosting, housing and telecommunications solutions for the enterprise market recalled a series of recommendations for hiring cloud services: 1) Do not be afraid of the cloud. The consulting firm
http://www.bnxit.com/personal-data-cloud-land/
January 19, 2014
Chrome goes to war against noisy tabs
To fight noise pollution on web pages, Google has added a mute function to the latest version of its Chrome browser. There is nothing worse than an advertisement hidden behind a tab that starts trumpeting its message or playing insipid music. To fight this growing phenomenon, Google added a function last November that silences these very intrusive ads, and this everyday convenience is now available in the stable version of Chrome. It marks the noisy tab with a speaker icon so the offender can be identified quickly. You will also be able to see which tabs are using your webcam, or your Chromecast if Google's HDMI dongle is in use on a TV. A sandbox that blocks malware better: this Chrome update also comes with a reinforced sandbox that blocks the surreptitious download of malicious files, while Windows 8 users get the Metro interface. Finally, G
http://www.bnxit.com/chrome-war-noisy-tabs/
The Target case: 11 GB of data sent to a Russian server
Data stolen from Target's payment terminals quietly crossed the retailer's network before being routed to a system in the United States and then to a server in Russia. The card numbers stolen from millions of Target customers travelled a long way: after a first stop in the United States, the data landed on a server in Russia. Researchers at two security companies investigating one of the most devastating data breaches in the history of the Internet analyzed the malware that infected Target's point-of-sale systems and found details that shed light on the attackers' method. According to the initial findings, the attackers managed to get into Target's network and siphoned off data for more than two weeks without being detected. Judging from the indicators of compromise, the method shows a high level of expertise and innovation, says the January 14 report of the security firm iS
http://www.bnxit.com/case-target-11-gb-data-russian-server/
Fujitsu Labs invents a method for searching encrypted data
The method developed by Fujitsu Laboratories can search encrypted data at 16,000 characters per second. It could be used for sequential DNA analysis. As if large-scale spying by the U.S. National Security Agency (NSA) were not enough to raise concern about privacy, Fujitsu Laboratories has now developed a fast method for searching encrypted data without exposing it. The technology uses what is called homomorphic encryption, which allows encrypted data to be processed without decrypting it. Fujitsu's search method can handle large volumes of data at 16,000 characters per second. Above all, the search can be for any sequence of characters, without relying on keywords as a method from one of Alcatel-Lucent's labs does. The Japanese lab intends to commercialize the technology in 2015 and sell it as an analytics tool. Fujitsu has no doubt it will find uses in a world with ever more data to process. But according to Labs resea
http://www.bnxit.com/fujitsu-labs-invented-method-searching-encrypted-data/
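The page does not describe Fujitsu's scheme, so what follows is an added example and not Fujitsu's code: a private substring search over DNA text built on textbook Paillier encryption, which is additively homomorphic (multiplying two ciphertexts yields an encryption of the sum). The client encrypts each query character as a one-hot vector over the alphabet, the server adds up, for every offset of its plaintext text, the encrypted indicator for the character actually present, and only the client can decrypt the per-offset match counts. The DNA alphabet, the toy primes and the sample sequence are assumptions chosen for the example.

```python
"""Private substring search over DNA text on top of additively homomorphic encryption.

Added example; not Fujitsu's scheme. Textbook Paillier with toy-sized primes so
it runs instantly; a real deployment uses 1024-bit or larger primes.
"""
import math
import secrets

ALPHABET = "ACGT"  # assumption: DNA alphabet, matching the sequential-DNA use case
P, Q = 10007, 10009  # constructed toy primes, NOT a secure key size


def keygen(p=P, q=Q):
    """Paillier key pair with g = n + 1, which makes L(g^lam mod n^2) = lam."""
    n = p * q
    lam = math.lcm(p - 1, q - 1)
    mu = pow(lam, -1, n)
    pk = {"n": n, "n2": n * n, "g": n + 1}
    sk = {"n": n, "n2": n * n, "lam": lam, "mu": mu}
    return pk, sk


def encrypt(pk, m):
    """c = g^m * r^n mod n^2 with fresh r, so equal plaintexts give different ciphertexts."""
    n, n2 = pk["n"], pk["n2"]
    while True:
        r = secrets.randbelow(n - 1) + 1
        if math.gcd(r, n) == 1:
            break
    return pow(pk["g"], m, n2) * pow(r, n, n2) % n2


def decrypt(sk, c):
    """m = L(c^lam mod n^2) * mu mod n, where L(u) = (u - 1) / n."""
    n = sk["n"]
    u = pow(c, sk["lam"], sk["n2"])
    return ((u - 1) // n) * sk["mu"] % n


def add(pk, c1, c2):
    """E(a) * E(b) mod n^2 = E(a + b): the only operation the server performs."""
    return c1 * c2 % pk["n2"]


def encrypt_query(pk, query):
    """Client: one-hot encode each query character and encrypt every indicator bit.

    The server receives len(query) * len(ALPHABET) ciphertexts and cannot tell which are 1.
    """
    return [[encrypt(pk, 1 if ch == sym else 0) for sym in ALPHABET] for ch in query]


def score_offsets(pk, enc_query, text):
    """Server: for offset j, add up the query's indicator for the character at text[j+i].

    Each sum decrypts to the number of matching positions; the server never sees the query.
    """
    m = len(enc_query)
    scores = []
    for j in range(len(text) - m + 1):
        acc = encrypt(pk, 0)
        for i in range(m):
            acc = add(pk, acc, enc_query[i][ALPHABET.index(text[j + i])])
        scores.append(acc)
    return scores


def private_search(query, text):
    """Return every offset where query occurs in text without revealing query to the server."""
    if any(ch not in ALPHABET for ch in query + text):
        raise ValueError("query and text must use only " + ALPHABET)
    pk, sk = keygen()
    scores = score_offsets(pk, encrypt_query(pk, query), text)  # server side: public key only
    return [j for j, c in enumerate(scores) if decrypt(sk, c) == len(query)]  # client side


if __name__ == "__main__":
    print(private_search("GAT", "ACGTGATCGATA"))  # offsets 4 and 8
```

Two caveats a practitioner should notice: the client learns the match count at every offset (partial matches leak), and the server learns the query length and the alphabet, which is why production schemes such as the one Fujitsu describes pack characters into batched ciphertexts rather than sending one ciphertext per symbol.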
China revives the creation of a national OS called COS
Faced with the surveillance programs of the U.S. security services, China is working on a safer alternative to Android and Windows. Similar attempts have been made before without success. Several Chinese IT players have announced the development of a Linux-based OS called COS (China Operating System), following calls from Chinese software publishers to break the hold of the United States on the Chinese software market. "The operating system has become a national security issue," says the company Liantong Network Communications Technology (Shanghai) on the COS website. Founded in 2012 with the support of the Chinese Academy of Sciences, which is closely tied to the government, the company is developing COS to run on PCs, smartphones, tablets and TVs. Behind the words, though, the initiative may take some time to become reality. A Liantong spokesman said the company was already working on integrating the OS into an Internet set-top box. It is also in t
http://www.bnxit.com/china-reactive-creation-national-os-called-cos/
No more updates for XP, except for anti-virus
Although Microsoft will stop supporting Windows XP on 8 April 2014, updates to its anti-virus products will continue until 2015. To let companies complete their migration, Microsoft has decided to keep providing anti-malware updates until 14 July 2015. For businesses this covers System Center Endpoint Protection, Forefront Client Security, Forefront Endpoint Protection and Windows Intune running on Windows XP; for consumers it covers Microsoft Security Essentials. Microsoft will not move the end-of-support date for Windows XP, which, for the record, is set for 8 April 2014. The company also reminds users that the best way to protect a computer is still to run modern software whose security technologies are updated regularly.
http://www.bnxit.com/updates-xp-antivirus/
Using WiFi, Fortinet offers to track customers in shops
In shopping centres, FortiGate security gateways that provide shops with wireless Internet access can report presence information about shoppers who cross the threshold by capturing the MAC address of their smartphone. Abroad, the retail sector is very interested in how customers move around shops and shopping centres. For retail chains it can be useful to know, in real time, how many people entered a shop and which products held their attention. The security vendor Fortinet offers them a solution in this area built on its FortiGate threat management gateways, which include a wireless access point, as our colleagues at Network World report. These devices can now retrieve location information from shoppers' smartphones as they move about. When the customer's phone is switched on, the FortiGate captures presence data together with its owner's MAC address, keeps track of it and can say how much time was spent in a given store. If shops offer free WiFi access to their visito
http://www.bnxit.com/wifi-fortinet-offers-track-customers-shops/
The creator of BitTorrent is developing a steganography tool
Bram Cohen loves file sharing, having created BitTorrent a decade ago. According to the press, he is now passionate about security tools, and more precisely about steganography. Encryption is now a prominent weapon in the fight against data theft; it can keep written or voice communications secret. But there are other security tools, including steganography, the art of concealing a message inside another message so that it passes unnoticed. According to Forbes magazine, Bram Cohen, inventor of the BitTorrent file-sharing protocol, has been working for a year on a steganography tool. The software, called DissidentX, should make it possible to hide data discreetly in a website, a business document or any file, from a video to an ebook. In his interview with Forbes, Cohen says he will dust off the old methods of steganography: traditionally, messages are embedded in the carrier bit by bit, whereas with DissidentX the entire file can be encoded via a hash. Furthermore, the tool will encode multiple m
http://www.bnxit.com/creator-bittorrent-developing-steganography-tool/
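The "bit by bit" embedding the article calls traditional is least-significant-bit (LSB) steganography. The block below is an added example of that classic method and is not DissidentX code (whose design the page does not describe): it hides a length-prefixed payload in the low bit of successive 8-bit samples, recovers it, and includes the simplest detector, which is also why the old method is weak: embedding random-looking bits into a smooth carrier changes the statistics of the LSB plane. The carrier is a constructed ramp of sample values standing in for raw pixel or audio data; the payload text is an assumption.

```python
"""Classic LSB steganography on an 8-bit sample buffer, with a naive detector.

Added example; not DissidentX code. The cover buffer and payload are constructed.
"""


def _to_bits(data):
    """Big-endian bit list of a byte string."""
    return [(byte >> (7 - k)) & 1 for byte in data for k in range(8)]


def _from_bits(bits):
    """Inverse of _to_bits; trailing partial bytes are dropped."""
    usable = len(bits) - len(bits) % 8
    return bytes(int("".join(str(b) for b in bits[i:i + 8]), 2) for i in range(0, usable, 8))


def embed(cover, payload):
    """Overwrite the LSB of successive cover samples with a 4-byte length header plus payload."""
    framed = len(payload).to_bytes(4, "big") + payload
    bits = _to_bits(framed)
    if len(bits) > len(cover):
        raise ValueError(f"cover holds {len(cover) // 8} bytes, payload needs {len(framed)}")
    out = bytearray(cover)
    for i, bit in enumerate(bits):
        out[i] = (out[i] & 0xFE) | bit  # each sample changes by at most 1
    return bytes(out)


def extract(stego):
    """Read the 32-bit length header, then exactly that many payload bytes, from the LSB plane."""
    bits = [sample & 1 for sample in stego]
    length = int.from_bytes(_from_bits(bits[:32]), "big")
    if 32 + 8 * length > len(bits):
        raise ValueError("length header points past the end of the cover")
    return _from_bits(bits[32:32 + 8 * length])


def lsb_ones_fraction(samples, count):
    """Fraction of 1 bits in the LSB plane of the first `count` samples.

    A smooth carrier has a structured LSB plane; embedded payload bits look random,
    pulling the fraction toward 0.5. This is the crudest possible steganalysis.
    """
    return sum(s & 1 for s in samples[:count]) / count


def constructed_cover():
    """Constructed stand-in for a smooth 8-bit image: a repeating ramp of even values."""
    return bytes((2 * i) % 256 for i in range(1024))


if __name__ == "__main__":
    cover = constructed_cover()
    stego = embed(cover, b"meet at dawn")
    print(extract(stego))
    print(lsb_ones_fraction(cover, 128), lsb_ones_fraction(stego, 128))
```

The detector only works against a carrier whose LSB plane is not already noise-like; on a photograph with sensor noise the ones fraction is near 0.5 either way, which is why real steganalysis uses pair-of-values (chi-square) statistics rather than a plain bit count.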
Blackphone, the ultra-secure smartphone from Silent Circle and Geeksphone
Two companies ride the wave of concern about espionage and government surveillance to offer a smartphone designed to protect privacy. The Blackphone will be presented at the next Mobile World Congress. Geeksphone, a maker of Android and Firefox OS smartphones, and Silent Circle, publisher of encrypted messaging software, have formed a joint venture to build a handset designed to protect privacy. The smartphone, called Blackphone, will be unveiled at the Mobile World Congress in Barcelona in February 2014. So that users can communicate securely, the Blackphone runs PrivatOS, an Android-based operating system. According to the two partners, users can make and receive calls, send text messages, share and store files and hold video chats securely, and can also browse the Internet anonymously through a VPN (Virtual Private Network) connection. The two companies have not disclosed details of the technologies used to secure the handset, its availability or its price. They will prov
http://www.bnxit.com/blackphone-smartphone-ultrasecure-silent-circle-geeksphone/
Dell bets on an end-to-end security offering
The Texan manufacturer has lined up its various acquisitions to offer a comprehensive security range, from the data center to the client. Now it is time to win market share and make the services work together. In Austin in December 2013, Michael Dell focused his speech on the growth of the Software group, including its security business. "The leader called his strategy Dell Security Connected, with the ambition of becoming a provider of end-to-end security, from the data center to employees, for protecting data and applications," says Florian Malecki, director of product and solutions marketing at Dell Software. This ambition has been built on several acquisitions: Kace for asset management with a focus on MDM, Quest for identity and access management and, more recently, Credant for data encryption. Several offerings have been launched, particularly in the BYOD space with the EMM (Enterprise Mobility Management) suite containing MDM (mobile devic
http://www.bnxit.com/dell-relies-security-offering/
The NSA hacks unconnected PCs over radio waves
The New York Times reports that the National Security Agency (NSA) is able to extract data from, and install malware on, so-called air-gapped computers, which are physically disconnected from the Internet and from any network. Recently, security researchers have tried to find out whether cleverly written malware could steal data from a computer using high-frequency audio signals; the security researcher Dragos Ruiu, for example, said that the malware he calls badBIOS could hijack the microphone and speaker of a PC. But according to the New York Times, while security professionals were still theorizing, the NSA was actively extracting data from machines supposedly protected by being completely cut off from any network, and even installing malware on them. Unlike badBIOS, the NSA does not try to find new software methods to retrieve the data: the agency has developed a high-tech approach to old-fashioned eavesdropping. Long-range listening: imagine an Iranian official with a laptop
http://www.bnxit.com/nsa-hacks-radio-waves-unconnected-pc/
January 10, 2014
Do Green Data Centers Exist?
As the New Year starts on a high note for some and a low note for others, one thing is certain: 'green' is in. Figuring out what green really means, however, is a whole new problem. In the IT world the word 'green' has been thrown around so many times that the facts have been lost, and for companies whose sole business revolves around data centers the word may even cause fear.
Let's face it: data centers can never become fully green. Their purpose is to provide ample backup power, cooling, lighting and energy at low cost, and the sheer amount of equipment running generates heat that in turn puts waste into the atmosphere. Even in 'green' data centers that waste will never cease to exist.
Companies pitch the 'cheapest dedicated servers' without any concern for 'green'. For the few companies that sit in the middle of this complex Venn diagram, renewable-energy facilities are the only way. To be on the right path to greenness, the application that runs your hardware must sit on some sort of carbon-reduction enabler: although your service may reduce transport emissions, it still releases large amounts of carbon through the servers that host it. Consider selecting a machine that offers the best combination of operations per second per watt and minimal idle power, and add a high inlet-temperature tolerance and a high delta-T to top off your power-efficient IT infrastructure.
Once the server is chosen, consider other important factors, including consolidating clients' workloads to gain load volume around the clock. De-duplication is essential; do not let a server sit idle, and aim for core utilization above 30%. Continuously refreshing the IT hardware further ensures good operations-per-watt performance and efficient server power supplies.
The location of your data center matters too. Consider a data center in San Francisco: high humidity, earthquake risk, extreme conditions. Now consider one in Chicago: apart from wind and cold, virtually no extreme conditions. Because of that, hosting in Chicago is cheaper and better for the environment, with less need for cooling hardware and disaster recovery. To stay green, data centers should maintain temperatures between 26 and 27 degrees Celsius, use no mechanical refrigeration, only fans and pumps, and use no water for adiabatic cooling unless it is harvested and stored on site.
There are many more ways to ensure that the data center you own, use or are building is 'green'. Research a facility, including its location, temperature, equipment, air waste and so on, before placing equipment there, and do not forget to consider the state and city; some spots are truly better than others. Overall, creating 'green' centers takes many steps, more than many companies are willing to take. Demand that your company does it!
Data Center Management Through Careful Environmental Monitoring
Data center management activities aim at improving the efficiency of the IT and facilities functions in an organization. This covers a range of duties, for instance monitoring computer performance, assisting virtualization and consolidation, supervising servers, network and storage, and controlling energy use and environmental factors such as temperature and humidity at the rack and server level.
Environmental monitoring is an important part of data center management. The concern is that although many data center management tools are on the market, most of them fail to provide sufficient visibility into the data center's environmental conditions. A lack of planning and coordination on the part of IT administrators, and the absence of the necessary environmental sensors, also result in poor environmental monitoring.
Data center management for heat monitoring
Growth has given rise to the problem of heat density. Because rack densities and rack heat vary, temperature control at the facility level becomes very difficult, producing hot spots in one area and cooler spots in another. Temperature sensors can detect those hot and cold spots, so that IT administrators can shift workloads and take the necessary steps to prevent equipment failure.
Large-scale centers require uniform levels of cooling, with in-row and in-rack cooling. It is therefore advisable to run intelligent controls that integrate with the cooling and monitoring systems so the data center runs capably. For example, an intelligent control can track the humidity status of all units, and if it notices a high or low humidity reading from any sensor it monitors the situation closely and notifies the administrator to begin remediation.
Leak and moisture detection in data center management
A single chiller leak in a data center can cause severe financial damage and hamper enterprise operations and productivity. Install leak detection sensors at all leak-prone sites in the data center to avoid any water damage. Leak detection sensors integrate readily into the core monitoring system to simplify data center management. In a large data center with several cooling zones, these sensors are highly beneficial for monitoring and identifying areas of condensation and excess moisture.
Using varied sensors to optimize data center management
Deploying only temperature and humidity/leak sensors will not suffice. Efficient data center environmental monitoring calls for other tools such as smoke and fire alarms, power monitoring systems, security sensors and so on. While fire alarms can be integrated into the monitoring system to stop a fire from spreading, power monitoring solutions let you evaluate the center's Power Usage Effectiveness (PUE). Room and rack access sensors, for their part, can improve the data center's overall physical security.
Conclusion
Environmental monitoring controls should be deployed to improve data center efficiency and minimize equipment downtime. Effective data center management requires complete automation and centralization of the physical infrastructure components. This permits better utilization of assets and improved uptime.
Data Center Consolidation - What You Should Know
Data center consolidation is an excellent opportunity for companies that need to lower costs, reduce administration and improve their technology by replacing a complex in-house infrastructure with a more manageable, and more powerful, server or database platform than they could house on-site.
Some companies prefer these solutions because they lower expenses and keep data protected; others value getting better technology for the same money they would otherwise spend on in-house equipment that is only half as effective.
Whatever the reason for choosing consolidation, businesses find several benefits in retiring their many in-house servers and databases and moving them to an off-site facility: better power, more bandwidth, higher levels of security, and more features and capacity than most companies could afford to keep on-site. The data center is critical to a company's success because its information is stored there and used as needed; if files are lost, or take a long time to transfer because of various problems, the business suffers.
Keeping a business running efficiently in today's computer-centric world often requires data consolidation. It gives businesses the documentation and storage they need while paying less for more power, more storage, faster access and the advantage of off-site storage in the event of a disaster of any kind. Off-site data center services can be used in many ways, but these are the offerings that mostly attract businesses to data center storage for their database and server needs.
Data center consolidation is not for everyone. Large firms that have the means and ability to build their own on-site data center will get better results doing so. Most companies, however, are not large enough to justify that space or expense, which makes them ideal candidates. Organizations of all kinds can use these services, as long as they take the time to review their options and find the best solution for their particular needs. Keep this in mind when examining your own options.
How to Take Data Center Secure Backup
Data protection is important for many large firms worldwide. It is one of the essential topics and needs a great deal of consideration, which is why most firms today are moving to an off-site center to obtain a secure backup. The real question then becomes: how do you get a secure backup at a data center?
A variety of services offer facilities for securing your data and provide a backup of it. A few of them provide standardized protection. A data center is a place to store all your data, folders and information and to keep a backup of the same. There are many kinds of measures for securing the backup of your data and folders, some simply better than others.
To find a data center that meets your business needs, an off-site facility may be the right choice. Because the requirements for securing data and folders differ from one organization to another, it is important to look for a provider that matches your needs and meets them well. A firm's protection requirements should be tailored by the provider; this helps ensure the best possible backup of all information.
Remember that protection has a cost, so you will need to pay the provider's fees for securing the information. There are some essential things an organization looks for in a data center. There are services that offer many things when it comes to providing a secure backup of all information; before settling on one, make sure it complies with the three essentials of data protection.
The provider should be able to offer you the facility in several locations, as this is very helpful to the firm. Sometimes information is very sensitive, so the provider offers several locations for storing it. Such information can be secured in several locations across the country. Redundancy may seem a concern here, but it is easily handled.
Data duplication arises because the data is stored in several places. Another thing to keep in mind is that the provider must comply with SAS 70 Type II. This is required for all firms looking to set up a data center for secure backup. This compliance provides measured protection and follows all processes and plans. Security is vital to check before choosing a provider.
Cisco Data Center Security: Taking the Next Step in Business Information Safety
As technology has advanced, information can be found everywhere as it travels fast and in various mediums. People manage a large majority of their personal data online. Companies must provide Internet conveniences which were not always a part of doing business. Every company has a web site, handles web transactions, stores large amounts of customer information, and relies on many forms of technology to operate successfully each day.
With these business advances comes the increasing responsibility of meeting customer demands and keeping their trust. A secure data center is growing in importance as companies process larger amounts of information. Network hardware providers such as Cisco have recognized this growing need. Products are being continually updated to match the security requirements of these business systems.
The new technology age has also unearthed complications along with the many benefits people gain from doing business online. Viruses are a threat to every desktop, server, and business computer system. They can take down the entire system in a matter of minutes, causing loss of information as well as security breaches. Hackers are constantly trying to gain access to business systems to obtain personal customer information such as financial details. System intrusions can result in customer identity theft or access to sensitive company information. Cisco data center security helps companies prevent attacks from viruses, firewall intrusions, and other threats. Many offered products provide multiple features designed to reduce the chances of customer data being compromised.
How Has Cisco Enhanced Network Safety?
The business data center has become a prime objective for individuals who want to steal or destroy sensitive information. Cisco has integrated many solutions to attempt to reduce the risk of a system being attacked. The key is a more proactive systems approach where threats are controlled, data loss is prevented, and compliance standards are easier to meet. Their solutions are designed to allow faster deployment of data center technologies while not compromising threat detection or enforcement of company policies.
Many providers are improving their products to accomplish these same goals. Cisco has included full network visibility, easier policy management, and proactive protection methods. Their Security Intelligence Operations include a firewall, methods for preventing intruders, securing content, and central management of policies. To avoid information reaching the wrong hands when being passed between multiple sites, they have added what is called data leakage protection. Services assist in preventing loss over the Internet as well as protection of backup storage devices. Cisco data center security services also offer further protection of consumer credit card information. Designs are PCI compliant and solutions ensure all connections are secure.
Data security should be a goal of every company. Cisco has many products designed to increase the safety of every piece of data passing through a network. Of course, they are not the only provider stepping up to the challenges of innovative technology. Any company wanting to increase the reliability of their system should always weigh the advantages of each available component on the market. Data loss prevention, intrusion reduction, and policy enforcement must be deciding factors when selecting these components.
What Are The Technology Trends For 2014?
What can we expect from technology in the coming years? What are the IT trends? We must stay informed about what companies are doing, what technologies they are investing in and how they are served by technology.
Some trends are not new, such as the so-called Internet of Things and cloud computing, while others are very new, such as 3D printing and Software Defined Networking. All of these technologies will have a heavy influence on IT in 2014. There will be about 40 billion connected devices with unique IP addresses by 2020, most of which will be solutions.
Four major forces: social, mobile, cloud and information, will continue to drive change, creating new opportunities and generating demand for better infrastructure.
Among the trends that will define the direction of IT in the coming years, first we have WebRTC (Real Time Communication) technology, which allows real-time collaboration over the web. With this technology, any web browser can include video, instant messaging and voice calls without the user having to install any extra components.
Also, context-dependent user services are changing the way people interact with devices, allowing details about users to be stored so that we have relevant information promptly.
The Internet of Things and machine-to-machine (M2M) communications enable connections between people, processes, data and things, combining video, mobility, cloud, big data and M2M communications. With the Internet of Things, devices will become part of the physical world, including roads, household appliances, biomedical devices and even pets and people, through sensors generating terabytes of data.
Another trend will be video technology in ultra-high definition (4K and 8K, 2160p and 4320p), which will form an essential part of smartphones, augmented reality glasses, tablets and other devices equipped with a camera. Moreover, analytics technology that enables real-time data processing in seconds or minutes may be applied in areas such as Business Intelligence, bringing personal analytics tools to specific sectors such as advertising or transport, and building value from data instantly.
Likewise, changes in connectivity technology are needed. At the moment the network is not robust enough to support the expected growth in connected devices. New proposals are being developed to move the IP-based infrastructure to technology based on Named Data Networking (NDN), which enables routing of information by host names rather than addresses.
Another approach is software defined technology (SD-X, Software Defined Anything), which goes beyond network virtualization (SDN and NFV) to improve scalability across physical and virtual assets. It should be noted that networks can also be self-managed in terms of configuration, security, optimization and troubleshooting using SON technology (Self-Organizing Networks).
As for public, private and hybrid environments, these will move to dynamic, multi-provider environments. New technology such as Intercloud will help cloud service providers across multiple environments.
In the end the key technology trends for 2014 are Mobile Device Management, Applications and Mobile Apps, Software Defined Everything technology, smart machines, 3D printing, the Internet of Things, cloud and hybrid IT as a service broker.
On Mobile Device Management, the unexpected result of "Bring Your Own Device" (BYOD) policies is that the size of the mobile workforce in businesses will double or triple. It is expected that by 2018 all the devices, computing models, contexts and user interaction paradigms will make "everything everywhere" something that must be examined. Companies will define policies that clearly set expectations about what to do and what not to do, balancing mobility with the requirements of confidentiality and privacy.
Also, given the improvement in JavaScript performance, the web browser can become the main development environment for business applications. Apps will continue to grow, while applications start to decline. Apps are smaller and dedicated to a specific need, while the application is larger and more complete. In the coming years, it is expected that mobile applications and cloud services will merge into the so-called Web Application or App Web software. These applications use the storage and processing power of PCs, smartphones and tablets along with the scalability of the cloud, allowing applications to contact other applications and devices. Mobile applications and cloud programs offer a lower TCO (total cost of ownership).
Software Defined Everything includes projects such as OpenStack, OpenFlow, the Open Compute Project and the Open Rack, which share the same vision. SDN network technology suppliers, SDDC data centers, SDS storage and SDI infrastructure are all trying to maintain their own management under their own names.
On Smart Machines, by 2020 the age of the smart machine will grow with smart personal assistants, intelligent advisors, advanced global industrial systems and public availability of the first examples of autonomous cars. Companies will buy smart machines. These machines will increase customer power against the first wave of early purchases by companies.
It was expected that global sales of 3D printers would increase 75% in 2014; sales will double in 2015. 3D printing is an effective medium that can reduce the cost of prototypes.
Nowadays, it is not only PCs and mobile phones that are connected to networks. There is a variety of other devices such as cars and TVs. We are entering the digitalization era of the most important services and assets. The Internet of Things will play a significant part in this period.
Speaking of cloud computing, hybrid cloud and IT as a service broker represent technologies to work with. Private and external public environments are coming together, creating a boost in cloud service brokers (CSBs). Aggregation management, integration and customization of services may become important.
On Cloud Architectures, cloud computing designs are changing. The demands of mobile users are generating growth in compute server and storage capacity. Personal cloud will shift from devices to services. Users may take advantage of various devices, including PCs, without depending on a single device.
Lastly, it should be noted that Business Intelligence has been placed as one of the technologies in which a major change is needed. BI technology will create value in large businesses; data mining and reporting tools will become more sophisticated. In a hard economic climate, business intelligence allows professionals to justify business decisions with specific figures.
We conclude that the Internet of Things, 3D printing, mobile device management technology and Cloud Service Brokers are some of the technological bets that will take off next season. They will have a large influence and spread to most organizations over the next several years.
Early adoption of technology represents a competitive advantage for companies, so knowing the trends of the coming years, even though we live in a changing world, will help you make the best decisions and provide the best solutions that will make you stand out from your competitors.
Unlocking Encryption - A Method of Data Security
Encryption is an increasingly important set of technologies that enables customers to safeguard private data in computers, across public or private networks, or in other machine-readable forms.
There is much more data at risk of being compromised than ever before. This, in conjunction with the increasing cost of a data breach, measured in both "hard" dollar terms like legal settlements, and "soft" costs such as loss of customer loyalty, makes the intelligent use of encryption and other data-protection technologies increasingly necessary for organizations of all sizes.
For the small- and medium-sized market, the ideal data encryption approach would be both affordable and easily integrated into a comprehensive data backup and business systems continuity solution. It would include powerful, standards-based encryption, and offer a robust key management function.
Imagine a bank with 20,000 customers, most with multiple accounts and bank cards. Every night, the bank makes a complete tape backup of its core information servers. The tapes are then placed in a storage box. Sometime during the day, a van driver from the tape storage firm drops off an older set of tapes (no longer needed), and picks up the box of new tapes.
Any such practice could lead to tapes being mislaid or stolen from loading docks, being accidentally dropped off at the wrong sites, or being lost or stolen from the delivery van, among other things. Once the tapes are in the wrong hands unencrypted data is easily compromised.
Fortunately, encryption functionality can be easily integrated into an organization's backup processes, protecting all data on the company's servers and backup devices, and all data taken off site for archiving.
Keys and key management
A key is a piece of information, or parameter, that controls the operation of a cryptography algorithm. Modern encryption algorithms typically use either symmetric or asymmetric keys. Asymmetric key encryption uses a pair of keys, called a public key and a private key, and is best suited for protecting data that has a wide audience -- such as web sites with secure access established for many users.
Symmetric key methods use the same key for both encryption and decryption. Symmetric keys are excellent for use with devices and appliances in which the need to share keys is very limited. This is typically the case with data backup devices, for which one specifically does not need to allow many parties access to the key.
If you lose your house key, a locksmith can pick the lock mechanically and help you regain access. If you lock your keys in the car, there are many specialized tools that can help you open the door. But any encryption method that allowed this kind of "alternative access" in the event of a lost key would be fatally insecure. These days, most encrypted data is essentially indecipherable to thieves and completely lost to the owner in the absence of the necessary key for decryption. This puts enormous pressure on the owner to not forget the key. It's important to pick a "strong" key, often many, many characters long, which makes it harder to guess, but also harder to remember. And writing the key down brings its own obvious security risks.
Implementation methods
Data encryption can be incorporated into your workflow in a variety of different ways, each with its own advantages and disadvantages. When implementing data encryption on a network, there are four basic ways to approach the process:
File system encryption on a server. File system encryption is probably the easiest to implement. But this type of encryption places very heavy CPU demand on the server, which often makes it impractical for a busy Exchange or SQL server because of the computing power required.
Additionally, server file system encryption doesn't allow for centralized management - rather, it must be implemented on a per-server basis, and managed only with respect to that system. And in a multiple-OS environment, this kind of file system-based encryption may not be available for each OS used.
In-line encryption. In-line encryption is typically performed by a dedicated hardware "appliance," and is fairly simple to implement. The appliance normally has two network connections, with plain text coming in through the network, and cipher (encrypted) text coming out of the device. Encryption appliances can protect all the data that is in line to be saved on backup media. And the servers and backup devices can operate at their own speed, as if no encryption were being performed.
But this encryption methodology is a poor choice for some firms. In-line devices require lightning-speed hardware to operate, pushing the typical cost up. And in the event of a real disaster, a new unit must be procured before any file or system restoration can occur.
Backup media encryption. The most commonly used type of encryption takes place on the backup media - either on the server driving the tape backup device (for example, the media server in a Veritas environment), or on the tape drive itself.
When implemented on the tape server, encryption can dramatically reduce the performance of the backup system, since a large portion of the server's CPU resources are diverted to perform the encryption. Using a tape drive that provides its own encryption processing can reduce the overall load on the tape server. These drives are expensive, however, and require that all tape units be of the same model or family to achieve full encryption.
Backup device encryption. The key difference between backup device encryption and backup media encryption is the location at which the encryption is performed. Encryption at the backup device level provides much stronger overall data security. This is true because the data can be encrypted once (at the device), and remain encrypted regardless of its location at any future time.
If data is encrypted as it arrives at the device, then the data stored on the backup device for local rapid recovery is also protected from inside attacks. This approach avoids the performance degradation associated with file system encryption, and also removes the complexity of applying encryption tools across multiple operating systems.
Planning a successful implementation
There are six keys to implementing an encryption capability within your overall data protection and disaster recovery strategy. These represent the true "critical success factors." Get these six correct and you'll have a very high probability of success.
1. Maintain universal data recovery. Wherever the encrypted data resides (local backup device, remote data center, offline media, or archive media), you must be able to reliably reverse the process and produce unencrypted data.
2. Select a single approach for all your sensitive data. Be sure to pick an approach that allows you to implement encryption once, and protect all your sensitive data through a single, integrated capability.
3. Minimize resource impact. Encryption can come at a price. Be sure yours is acceptably small. Be sure the CPU load from the encryption process is sufficiently "lightweight" to avoid a material decay in the rate at which your systems process their normal work. Save network bandwidth by compressing data before transmission, and by sending only changed blocks of data. Choose a simple, powerful, and intuitive user interface.
4. Prevent unauthorized access to data. Data should be encrypted so that a "clear text" copy may be reproduced only after proper authentication has been provided.
5. Have a key management strategy. You should choose a solution with powerful key management capabilities, making it easy to change keys frequently, recover old files for which the original keys may have been lost, and otherwise strike a balance between safety and accessibility.
6. Test in advance. You must prove that your solution can both encrypt (and store encrypted data in all locations) and successfully create clear text from any encrypted sources.
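As an added example (not part of the original article), the following Python sketches the key-management property behind points 5 and 6: each backup set is sealed under its own data key, the data key is wrapped by a versioned master key, rotation keeps retired versions for decryption only, and a restore rehearsal proves every stored set still round-trips. The cipher is a toy HMAC-SHA256 counter-mode stream with an encrypt-then-MAC tag standing in for a real AEAD such as AES-GCM; all key material and sample ledgers are constructed in the code.

```python
"""Versioned key ring for backup encryption (toy cipher; see lead-in).

A per-backup data key (DEK) is wrapped by the master key version current
at backup time. Rotation adds a version and keeps old ones for decrypt
only, so frequent key changes never strand an old backup set.
"""
import hashlib
import hmac
import os
import struct

NONCE_LEN = 16
TAG_LEN = 32


def _subkeys(key):
    # Derive independent encryption and MAC keys from one 32-byte key.
    return hashlib.sha256(b"enc" + key).digest(), hashlib.sha256(b"mac" + key).digest()


def _keystream(key, nonce, length):
    # Toy PRF stream: HMAC(key, nonce || counter) blocks, truncated to length.
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(key, plaintext, aad=b""):
    """Return nonce || ciphertext || tag; the tag covers aad || nonce || ciphertext."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key, blob, aad=b""):
    """Verify the tag before decrypting; a wrong key or tampering raises."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key version or tampered backup")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class KeyRing:
    """Master keys indexed by version; only the newest version wraps new DEKs."""

    def __init__(self):
        self.masters = {}
        self.current = 0

    def rotate(self):
        self.current += 1
        self.masters[self.current] = os.urandom(32)

    def encrypt_backup(self, data):
        version = self.current
        dek = os.urandom(32)
        # The version is bound into the AAD, so a wrapped DEK cannot be
        # presented under a different version label.
        return {
            "key_version": version,
            "wrapped_dek": seal(self.masters[version], dek, aad=struct.pack(">I", version)),
            "payload": seal(dek, data),
        }

    def decrypt_backup(self, record):
        version = record["key_version"]
        if version not in self.masters:
            raise KeyError(f"master key v{version} not on the ring: backup unrecoverable")
        dek = unseal(self.masters[version], record["wrapped_dek"], aad=struct.pack(">I", version))
        return unseal(dek, record["payload"])


def restore_test(ring, records, originals):
    """Prove every stored backup still produces its clear text (point 6)."""
    try:
        return all(ring.decrypt_backup(r) == o for r, o in zip(records, originals))
    except (KeyError, ValueError):
        return False


def demo():
    """Rotation keeps the old backup recoverable; losing a version does not."""
    ring = KeyRing()
    ring.rotate()
    samples = [b"ledger 2013-12-31 (constructed)", b"ledger 2014-01-08 (constructed)"]
    old = ring.encrypt_backup(samples[0])
    ring.rotate()                                   # frequent key change
    new = ring.encrypt_backup(samples[1])
    results = {"both_restore": restore_test(ring, [old, new], samples)}
    # Flip one bit of the stored payload: the tag check must reject it.
    payload = new["payload"]
    tampered = dict(new, payload=payload[:-1] + bytes([payload[-1] ^ 1]))
    results["tamper_detected"] = not restore_test(ring, [tampered], [samples[1]])
    del ring.masters[1]                             # simulate losing the retired version
    results["lost_version_fails"] = not restore_test(ring, [old], [samples[0]])
    results["new_still_ok"] = restore_test(ring, [new], [samples[1]])
    return results
```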
Historically, the cost and difficulty associated with implementing encryption to augment a firm's data security was simply too daunting, especially for small- to medium-sized enterprises. But now solutions exist that bring enterprise-class encryption technology to businesses of all sizes.
January 09, 2014
Cisco - How to configure an IKEv2 Site to Site IPSEC VPN?
Within this article we will show you the steps required to build an IKEv2 IPSEC Site to Site VPN on a Cisco ASA firewall.
IKEv2 provides a number of benefits over its predecessor IKEv1, such as the ability to use asymmetric authentication methods, greater protection against IKE DoS attacks, interoperability between vendors for DPD/NAT-T, and less overhead and fewer messages during SA establishment.
NAT Exemption
First of all we create our NAT exemption. This is to ensure that traffic is not NAT'd before being sent down the tunnel.
object-group network REMOTE-ENCDOM
network-object <REMOTE ENCDOM> 255.255.255.0
object-group network LOCAL-ENCDOM
network-object <LOCAL ENCDOM> 255.255.255.0
nat (inside,outside) 1 source static LOCAL-ENCDOM LOCAL-ENCDOM destination static REMOTE-ENCDOM REMOTE-ENCDOM
Encryption Domain
Next, we define our endpoints, i.e. what we want to encrypt.
Note: The previously created object groups are used to define the local and remote endpoints.
access-list ENCDOM100 extended permit ip object-group LOCAL-ENCDOM object-group REMOTE-ENCDOM
Phase 1 Proposal
We then define our Phase 1 proposals. You may have spotted that multiple ciphers are defined for each "method". This is because IKEv2 sends across a single proposal containing multiple ciphers, whereas IKEv1 sends multiple proposals.
crypto ikev2 enable outside
crypto ikev2 policy 10
encryption 3des des
integrity sha md5
group 5
prf sha
lifetime seconds 86400
Phase 2 Proposal
Next, the Phase 2 proposals are configured.
crypto ipsec ikev2 ipsec-proposal IKEV2-IPSEC-ESP-AES-SHA1
protocol esp encryption aes
protocol esp integrity sha-1
Tunnel Group
At this point, the tunnel group is created. Just like IKEv1 the preshared key is defined. However, IKEv2 allows you to use different authentication methods for both local and remote authentication.
tunnel-group 172.16.1.1 type ipsec-l2l
tunnel-group 172.16.1.1 ipsec-attributes
ikev2 remote-authentication pre-shared-key <PRESHARED KEY>
ikev2 local-authentication pre-shared-key <PRESHARED KEY>
Crypto Map
Finally the crypto map is configured. This combines the previously created encryption domain, the remote peer, and the phase 2 policy into a single crypto map. This is then assigned to the outside interface.
crypto map CRYPTOMAP 100 match address ENCDOM100
crypto map CRYPTOMAP 100 set peer <REMOTE PEER IP>
crypto map CRYPTOMAP 100 set ikev2 ipsec-proposal IKEV2-IPSEC-ESP-AES-SHA1
crypto map CRYPTOMAP interface outside
crypto isakmp identity address
Debug / Show Commands
Here are the most common debug and show commands:
- debug crypto ikev2 platform 5 - debug phase 1 (ISAKMP SA's)
- debug crypto ikev2 protocol 5 - debug phase 1 (ISAKMP SA's)
- debug crypto ipsec - debug phase 2 (IPSEC SA's)
- show crypto ikev2 sa - show phase 1 SA's
- show crypto ipsec sa - show phase 2 SA's
ASA - VPN Traffic is not being encrypted (CSCsd48512)
Issue
Traffic is sent out from the ASA unencrypted.
Cause
This can be caused by a duplicate (stale) ASP crypto table entry, which prevents the ASA from encrypting any traffic destined for the remote host. There are two commands which show this behaviour:
fw-asa(config)# show ipsec stat | grep Missing SA failures
fw-asa(config)# show asp table classify crypto
Below is an example of the output of 'show asp table classify crypto'. Here you can see that there are two duplicate entries.
fw-asa(config)# show asp table classify crypto
Interface outside:
!
out id=0xd616fff0, priority=70, domain=encrypt, deny=false
hits=855899, user_data=0x473ccf4, cs_id=0xd5deba08, reverse, flags=0x0, protocol=0
src ip=192.168.100.0, mask=255.255.255.0, port=0
dst ip=172.16.1.0, mask=255.255.255.0, port=0, dscp=0x0
out id=0xd1592dd0, priority=70, domain=encrypt, deny=false
hits=0, user_data=0x4bed13c, cs_id=0xd5deba08, reverse, flags=0x0, protocol=0
src ip=192.168.100.0, mask=255.255.255.0, port=0
dst ip=172.16.1.0, mask=255.255.255.0, port=0, dscp=0x0
Note: Details of this bug can also be viewed within CSCsd48512 (Duplicate ASP crypto table entry causes firewall to not encrypt traffic).
Solution
There are two solutions to this issue:
- Reboot the firewall.
- Upgrade the firewall to version 7.0(4.13), 7.2(0.46), 7.1(2.1), 7.0(5), 7.2(1) or 8.0(0.1).
Zone Based Firewall ZBFW
Continuing to check things off from the blueprint. Did some ZBFW labbing today. Here is some important stuff to be aware of.
ZBFW is basically a wrapper for CBAC. We create policies between zones and assign interfaces to zones instead of applying CBAC rules to interfaces.
By default all traffic to the self zone will be allowed (traffic from and to the router itself). If we apply policies to the self zone then everything is dropped except for the traffic that is explicitly permitted. We need to be aware of this so as not to mess with the routing if we get such a task at the lab.
The self zone can only inspect TCP, UDP and ICMP but not protocols like telnet and SSH. To work around this we can do a class-map matching an ACL AND the protocol TCP if we are matching telnet traffic.
It’s not very intuitive to see which traffic is dropped. We can turn on logging with ip inspect log drop-pkt. This helps a lot to see which traffic is being dropped.
ZBFW is massive in configuration, you will be typing a lot. It is easy to get confused and mix things. Name things intuitively, name class-maps CM_INSIDE_PROTOCOLS, name policy-maps PM_INSIDE_TO_OUTSIDE or names similar to that. If you don’t you will easily get lost after a while due to the massive config.
Packet counters for ZBFW can’t be trusted, this seems to be due to a bug. Verify by pinging or telneting to create traffic.
Use Notepad when creating the config, it is faster and less prone to errors.
All traffic flows are unidirectional so we need to create zone pairs for both directions if we want traffic to flow both ways.
We can have three different actions for traffic in the policy-maps.
Pass – Traffic gets through but no return traffic is permitted. Useful for “stateless” protocols like RIP
Inspect – Allow traffic through and also allow the return traffic back.
Drop – Drop the traffic
If we have a policy-map that allows some traffic through, the rest of the traffic not matching any class will be implicitly dropped, even if we don’t specify a class class-default.
Those are the most important things you need to be aware of when configuring this feature.
Designing VPC and Routing
I’ve been seeing some network problems lately, at sites where the problem was designing the VPC and routing mix correctly. Generally, there’s plenty of room to make a mistake; the situation is a bit confusing to most people. So I’m going to try to explain how to separate out routing and Layer 2 (L2) forwarding with VPC’s, so the routing will work correctly. I’m hoping to help by explaining the problem situation you need to avoid as simply as I can, and showing some simple examples, with lots of diagrams. For a simple description of how basic VPC works, see my prior posting, How VPC Works.
Cisco has put out some pretty good slideware on the topic, but there are an awful lot (too many?) diagrams. Either that’s confusing folks, or people just aren’t aware that VPC port channels have some design limitations; you can’t just use them any which way as with normal port channels (or port channels to a VSS’d 6500 pair).
The short
version of the problem: routing peering across VPC links is not
supported. (Adjacency will be established but forwarding will not work
as desired.) The “vpc peer-gateway” command does not fix this, and is
intended for another purpose entirely (EMC and NetApp end systems that
learn the router MAC address as the source MAC in frames, rather than
using ARP and learning the default gateway MAC address).
Let’s start by repeating the basic VPC forwarding rule from the prior blog:
VPC Rule 101
VPC peers are expected to forward a frame received on a member link out any other member link that needs to be used. Only if they cannot do so due to a link failure is forwarding across the VPC peer link and then out a member link allowed, and even then the cross-peer-link traffic can only go out the member link that is paired with the member link that is down.
The same rules apply to routed traffic. Since VPC does no spoofing of the two peers being one L3 device, packets can get black-holed.
The Routing with VPC Problem
Here’s the basic situation where we might be thinking of doing VPC and can get into trouble. Note I’ve been using dots for routed SVI’s, just as a graphical way to indicate where the routing hops are. (No connection with the black spot in the novel Treasure Island.)
This is where we have a L3-capable switch and we wish to do L2 LACP port-channeling across two Nexus chassis. If the bottom switch is L2-only, no problem. Well, we do have to think about singly-homed servers, orphan (singly-homed) devices, non-VPC VLANs, failure modes, etc., but that is much more straightforward.
All is fine if you’re operating at Layer 2 only.
Let’s walk through what VPC does with L3 peering over a L2 VPC port-channel. Suppose a packet arrives at the bottom switch C (shown by the green box and arrow in the diagram above or below). The switch has two routing peers. Let’s say the routing logic decides to forward the packet to Nexus A on the top left. The same behavior could happen if it chooses to forward to B. The router C at the bottom has a (VPC) port channel. It has to decide which uplink to forward the packet over to get it to the MAC address of the Nexus A at the top left.
Approximately 50% of the time, based on L2 port channel hashing, the bottom L3 switch C will use the left link to get to Nexus A. That works fine. Nexus A can forward the frame and do what is needed, i.e. forward out another member link.
The other 50% or so of the time, port channel hashing will cause router C to L2 forward the frame up the link to the right, to Nexus B. Since the destination MAC address is not that of Nexus B, Nexus B will L2 forward the frame across the VPC peer link to get it to A. But then the problem arises because of the basic VPC forwarding rule. A is only allowed to forward the frame out a VPC member link if the paired link on Nexus B is down. Forwarding out a non-member link is fine.
So the problem is in-on-member-link, cross-peer-link, out-another-member-link: no go unless paired member link is down. Routing does not alter this behavior.
Yes, if there is only one pair of member links, you cannot have problems, until you add another member link. If you add a 2nd VLAN that is trunked on the same member links, inter-VLAN routing may be a problem. If you just do FHRP routing at the Nexus pair, no, the L2 spoofing handles MAC addresses just fine (using the FHRP MAC, so no transit of the peer link is necessary). It’s when your inter-VLAN routing is via an SVI on one of the bottom switches routing to a peer SVI on the Nexus pair that you will probably have problems.
You can have similar problems even if only one of the two Nexus switches is operating at L3, or has a L3 SVI in a VLAN that crosses the VPC trunks to the switch at the bottom. We will see an example of this later.
Conclusion: it is up to us to avoid getting into this situation! That is, VPC is not a no-brainer; if you want to mix it with routing you must design for that.
You can also do this sort of thing with two switches at the bottom of the picture, e.g. a pair of N5K to a pair of N7K’s. Or even a VSS 6500 pair to a VPC Nexus pair. See also Carole Reece’s blog about it, Configuring Back-to-Back vPCs on Cisco Nexus Switches, and the Cisco whitepaper with details, http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps708/white_paper_c11_589890.html. VPC is allowed and works, but we need to design it to operate at L2 only.
Drilling Down on VPC Routing
We are also OK if we use a FHRP with a VPC to get traffic from a VPC’d server to a pair of Nexii, and then route across non-VPC point-to-point links, e.g. into the campus core or WAN. VPC does very well at spoofing L2, and the virtual MACs used with the three FHRP’s allow direct forwarding out VPC member links by VPC peers. Routing to the core uses non-VPC non-member links, so no problem.
The problem in the L3 story above is that the frame is being forwarded at L2 to the real MAC, not the virtual MAC, of A, and B is not allowed to do the routing on behalf of A.
The next diagram shows how this typically bites us. If we’re migrating from 6500’s (bottom) to Nexus (top) and we are inconsistent, we can get in trouble. If our packet hits an SVI, is routed to Nexus B but sent via Nexus A, then Nexus B will not be able to route the frame again out the member link marked with the red X, to get to a L3 SVI on the bottom right switch D.
This might happen from datacenter to user closet, if you have L2 to a collapsed core/distribution Nexus pair, with some SVI’s between old 6500 C and new Nexus switches A and B in the datacenter, and closet switches with SVI’s on the same switches as the datacenter SVI’s (switch D in the diagram). It might also happen if you have some VLANs with SVI’s on datacenter access switches like C, and other VLANs on other datacenter access switches like switch D (perhaps even with all SVI’s migrated to live only on the Nexus pair). It can even happen on one switch, where C and D are the same switch, and you’re routing between VLANs via an SVI on C. (Same picture, just a little more cluttered because the green arrow and red X are on the link back to C.)
Summary: Making Routing Work with VPC
Here’s the Cisco-recommended design approach, using my drawing and words. The black links are L2 VPC member links. The red links are additional point-to-point routed links.
The simple design solution is to only allow L2 VLANs with SVI’s at the Nexus level across the VPC member links. If you must have some SVI’s on the bottom switch(es) and some others on the Nexus switches, block those VLANs on the L2 trunks that are VPC members, and route them instead across separate L3 point-to-point links, shown in red in the above diagram. Of course, if you’re routing say VLAN 20, there would be no point to having a routed SVI for VLAN 20 on the bottom switch and on the Nexus switches as well.
The point-to-point routed interfaces do not belong to VLANs, so they cannot possibly accidentally be trunked over the member links, which are usually trunks.
When you have SVI’s rather than routed interfaces or dot1q subinterfaces, you have to be aware of which VLANs you do and do not allow on the VPC member links. If you have many VLANs that need routing, use dot1q subinterfaces on the routed point-to-point links to prevent “VPC routing accidents”. Or use SVI’s and trunking over the point-to-point non-VPC links, just be very careful to block those VLANs on the VPC trunk member links.
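An added NX-OS example (mine, not the post’s or Cisco’s) of the design described above, for one Nexus of the vPC pair: the VLANs whose SVIs live on the Nexus pair ride the vPC member links and the peer link, while the VLAN whose SVI sits on bottom switch C is kept off both and routed over a dedicated “no switchport” link (the red link), with a dot1q subinterface shown as the alternative for many routed VLANs. VLAN numbers, interface names, addresses and the EIGRP instance are constructed.

```cisco
! Nexus A of the vPC pair. Added example, not from the original post.
! VLAN numbers, interface names and addresses are constructed; Nexus B
! mirrors this configuration with its own addresses.
feature vpc
feature interface-vlan
feature hsrp
feature eigrp
!
! VLANs 10 and 20: L2-only across the vPC. Their SVIs (with HSRP virtual
! MACs) live on the Nexus pair, so frames sent to the FHRP MAC are
! forwarded by whichever peer receives them without crossing the peer link.
vlan 10,20
! VLAN 30: its SVI lives on bottom switch C. It is deliberately NOT allowed
! on the vPC member trunk or the peer link; it is routed over Ethernet1/10.
vlan 30
!
vpc domain 1
  peer-keepalive destination 192.0.2.2 source 192.0.2.1 vrf management
!
interface port-channel10
  description vPC peer-link to Nexus B: carries only the vPC member VLANs
  switchport mode trunk
  switchport trunk allowed vlan 10,20
  vpc peer-link
!
interface port-channel21
  description vPC member trunk to switch C (black link): L2 only
  switchport mode trunk
  switchport trunk allowed vlan 10,20
  vpc 21
!
interface Vlan10
  no shutdown
  ip address 10.0.10.2/24
  hsrp 10
    ip 10.0.10.1
!
router eigrp 100
!
interface Ethernet1/10
  description dedicated routed link to switch C (red link), not a vPC member
  no switchport
  ip address 10.0.30.1/30
  ip router eigrp 100
!
! Alternative when many VLANs must be routed to C: dot1q subinterfaces on a
! routed link instead of SVIs. The tag is local to this link, so the VLAN
! cannot accidentally be trunked over the vPC member links.
interface Ethernet1/11
  no switchport
interface Ethernet1/11.30
  encapsulation dot1q 30
  ip address 10.0.31.1/30
  ip router eigrp 100
```

The routing adjacency to switch C forms over Ethernet1/10 or Ethernet1/11.30 only; nothing in VLAN 30 ever reaches port-channel21 or the peer link, which is the condition the post describes.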
Using VPC to Buy Time to Migrate to L3 Closets
As you will have noticed in my recent blog, Simplicity and Layer 2, I like L3 closets. That generally means your L2 is mostly confined to the datacenter. No L2 problems out in the closets!
Our present discussion is highly relevant if you are migrating from L2 to L3 closets. Several hospitals we are working with have had spanning tree problems (or risk). They wish to reduce their L2 domain size and any risk by moving to L3 closets. One way to tackle this is to drop Nexus switches in at the core or distribution layer (they are sometimes combined layers), and start out running VPC to all the L2 closets. That “stabilizes the patient” to buy time and stability for the cure, L3 closets.
If you whittle away at sprawling VLANs spanning closets, buildings and campuses, you can generally manage to clean up one closet at a time. Iterate for the next year or two. Painful, but much more robust!
Consider a single closet switch that you’re working on. You can get yourself to a situation where the SVI’s are in the distribution layer Nexuses, say, and you have L2 VPC member trunks to the closet switch (now represented by the bottom switch in our above diagrams). When all the VLANs are single-closet-only VLANs, you can then un-VPC the uplinks to that one closet, turn them into point-to-point routed links, put the SVI’s on the closet switch instead, and be done. If you want a slower transition, add separate L3 routed point-to-point links like the above red lines, and control which VLANs are trunked across the VPC member links. All it takes is organization and being clear about where you’re doing L2 and where you’re doing L3 — which I’d say should be part of the design document / planning.
Another Example
One more real world example shows how it is easy to not see the potential problem. Suppose you have a router, e.g. an MPLS WAN router, and for some reason you have to attach it to a legacy switch at the bottom of the picture, as shown in the following diagram:
Why would you do this? In one case we’ve seen, the vendor router had a FastEthernet port, and the Nexus switch had no 100 mbps capable ports. Another is copper versus fiber ports and locations of the devices in question.
Suppose the uplinks are VPC members, and because of the VPC routing problems, the site is trying to make this work with just a VPC on the right Nexus switch, switch B. In the case in question, C and D were actually the same switch, but I’m presenting it this way since the diagram is clearer when I show two switches.
At the left we see a packet hitting a SVI in the leftover 6500 (which some sites would shift to being a L2-only access switch, and other sites would discard or recycle elsewhere in the network).
The bottom left switch SVI can route to other SVI’s that are local. To get to the WAN router, the left switch needs to somehow route the packet via the top right Nexus, Nexus B. It turns out there is exactly one VLAN with SVI’s on all three switches, which gives switch C a way to route to the rest of the network. Switch C therefore follows the dynamic EIGRP routing, by routing into the shared VLAN with next hop Nexus B.
In 50% of the flows, the packet goes via the left Nexus A, across the peer link, and thus B cannot forward it out the VPC member link to get to the router.
Exercise for the reader: consider traffic going the other way, from the WAN back to the datacenter. See the following diagram:
Does it work? If not, what goes wrong? Can you explain it? [Hint: there’s a red X in the above diagram for a reason!]
Possible Solutions
(1) Attach the MPLS VPN WAN router to one or both Nexii directly. Note that dual-homing via the 6500 (bottom right) is a Single Point of Failure (SPoF), so connecting to only one N7K is no worse (or better).
(2) Put the SVI for the router’s VLAN on the bottom right switch, and convert the uplinks to L3 point-to-point. Or use dedicated point-to-point links for all routed traffic from bottom right to the two Nexii. Since point-to-point routed interfaces don’t belong to VLANs, they can’t accidentally be trunked over VPC member links.
(3) Have no SVI’s on the Nexii — do all routing on the bottom switches. That actually works — but doesn’t help in terms of getting the routing onto the much more powerful Nexus switches, which is where you probably want it.
Conclusion
Please don’t draw the conclusion that you can’t do routing with VPC. You can in certain ways. What you do not want is a router or L3 switch interacting with routing on VPC peers over a VPC port-channel link. You can route to VPC peers as long as you’re not using a VPC port-channel, e.g. just a plain point-to-point link or a L3 port-channel to a single Nexus. If there is an SVI at the bottom (that is, not on the Nexus pair) for a given VLAN, block it from the member links and thereby force it to route over the dedicated routed links. In that case, don’t allow the VLAN across the VPC peer link either: that link should only carry the VLANs that are allowed on the VPC member links, and no others, no routing, nothing else.
You can also route over a VPC port-channel, as long as your routing peers are reached at L2 across the VPC but are not the VPC peers your VPC connects to. That is, routing peering across a L2-only VPC Nexus pair in the middle is OK.
In the datacenter, stick to pure L2 when doing VPC, up to some sort of L3 boundary. When doing L3, use non-VPC L3 point-to-point links. If you have a pod running off a pair of L3-capable Nexus 55xx’s and you feel the need to VPC some L2-ness through your Nexus 7K core, fine, just use dedicated links for the L3 routing. And when doing so, don’t use SVI’s, use honest to goodness L3 ports, that is, “no switchport” type ports. That way you cannot goof and forget to disallow any relevant VLANs across VPC member links that are trunks.
Upcoming design consideration: don’t VPC multi-hop FCoE. It’s OK to VPC FCoE at the access layer, just don’t do it beyond there. Why not VPC multi-hop FCoE? Among other reasons, it makes it far too easy to merge fabrics accidentally. That’s a Bad Thing, definitely something you do not want to do! Also, you do have to be careful about FCoE with a 2 x 2 VPC — that’s covered in the Nexus course (now named “DCUFI”), which I’m teaching about once a month for FireFly (www.fireflycom.net).
Why Did Cisco Do It This Way?
I think the engineers expected everyone doing L3 to put it on separate links. It’s not clear to me why they thought people would WANT to do that, nor whether they anticipated the confusion about SVI’s and where you were doing routing that a lot of people seem to have (i.e. understanding it is too complex for the real world). It might also have something to do with the datacenter switch positioning of the Nexus products.
References
Quote from that thread: “We don’t support running routing protocols over VPC enabled VLANs.”
Cisco Flex Link
Flex link is a Cisco solution which replaces STP in certain network topologies. It
works by detecting link down on a primary interface and then bringing up the backup
interface that has been defined as backup. It is most commonly implemented at the access
layer where the switch has dual uplinks to the distribution layer.
How does it work?
Under the primary interface the backup interface is defined with the switchport backup
interface command. This command can be applied to L2 links or portchannels. The backup
interface is kept in down state until the primary fails. Under normal conditions traffic
will flow through the primary interface so all dynamic MAC entries are learned via the
primary interface.
As soon as the primary interface goes down the backup interface is brought online.
These things happen when the primary fails:
- All dynamic MAC entries are moved to the backup interface
- The backup link is moved into a forwarding state
- Dummy multicast frames are transmitted to multicast destination 01:00:0c:cd:cd:cd
- The source addresses of these frames are the MAC addresses learned by the switch on its local ports
- No BPDUs are transmitted and STP is disabled on the interfaces that are enabled for Flex link
Bringing the backup interface up is very fast and should take less than a second. To send
out dummy multicast frames the MAC-address table move update feature needs to be enabled.
Preemption
Preemption is disabled by default. Enabling preemption means that the primary interface
will be brought into forwarding when it comes back. There is a preemption delay that can
be set to prevent flapping. Enable preemption if you have a primary interface of
higher bandwidth than the backup one.
Load balancing
Flex link can support load balancing. This means that one interface is primary for a set
of VLANs and backup for other VLANs and vice versa. Enable this if you need to use both
uplinks to support the amount of traffic exiting the switch.
Advantages of Flex links
What are the advantages of Flex link?
- Lightweight, no BPDUs transmitted.
- Fast to converge
- The topology is deterministic and not subject to STP reconverging due to misconfig
There are always negative sides with every solution/protocol in networking. Getting the
design right is always a matter of weighing those trade-offs.
- Relies on link down to detect failure
- Can’t detect unidirectional links
- Can’t detect a wonky SFP or a hardware failure not leading to link down
- Risk of loops in certain topologies
Risk of loops
So how could a loop be formed with Flex link? The first scenario is that someone
accidentally connects two access switches together.
Because Flex link has no concept of STP, if the link between the access switches is
brought into forwarding, a loop has formed. This could be stopped by implementing BPDU
guard on all non-uplink ports.
There could also be a situation where a link is added between the access and distribution
layer, and because Flex link does not consume/send BPDUs, a loop could form.
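As an added example (not from the original post), an access-switch configuration that puts the pieces above together: primary and backup uplink, bandwidth-based preemption with a delay, per-VLAN load balancing, the MAC address-table move update feature, and BPDU guard on the non-uplink ports against the loop scenarios just described. Interface numbers and the VLAN range are assumptions.

```cisco
! Access switch with dual uplinks. Added example, not from the original post;
! interface numbers and VLAN ranges are assumptions.
!
! Gi1/0/49 is the primary uplink, Gi1/0/50 the backup. The backup stays
! down until the primary loses link, so STP is not needed on these ports.
interface GigabitEthernet1/0/49
 description Primary uplink to distribution
 switchport mode trunk
 switchport backup interface GigabitEthernet1/0/50
 ! Preempt only when the primary has the higher bandwidth; wait 35 s before
 ! switching back so a flapping primary does not cause repeated failovers.
 switchport backup interface GigabitEthernet1/0/50 preemption mode bandwidth
 switchport backup interface GigabitEthernet1/0/50 preemption delay 35
 ! Load balancing: VLANs 10-20 normally use the backup link, all other VLANs
 ! the primary; each link backs up the other's VLANs on failure.
 switchport backup interface GigabitEthernet1/0/50 prefer vlan 10-20
!
interface GigabitEthernet1/0/50
 description Backup uplink to distribution
 switchport mode trunk
!
! Send the dummy multicast frames (01:00:0c:cd:cd:cd) on failover so the
! distribution switches move their MAC entries to the new path. The
! distribution side needs "mac address-table move update receive".
mac address-table move update transmit
!
! Flex Link sends and consumes no BPDUs, so a stray cable between two access
! switches would loop. BPDU guard on every non-uplink port err-disables a port
! the moment a BPDU arrives on it.
spanning-tree portfast bpduguard default
interface range GigabitEthernet1/0/1 - 48
 switchport mode access
 spanning-tree portfast
```

Verify the pairing and which link is active with "show interfaces switchport backup".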
Summary
Flex link is an STP replacement from Cisco that works by bringing up a backup interface
when the primary interface has gone link down. It is lightweight and fast but relies
on links going physically down. It also has the risk of loops in certain topologies.
It’s a viable solution where STP is not wanted, for example when buying a L2 service from a
provider and you do not want to mix STP with the provider’s.
Understanding Cisco Nexus 2000 Series Fabric Extenders
Cisco Nexus 2000 Series Fabric Extenders (FEX) behave and can be considered as remote line cards for Cisco Nexus switches. The fabric extender acts as an extension to the parent Cisco Nexus switch fabric; the fabric extender and the parent Cisco Nexus switch together form a distributed modular system. With this architecture, the fabric extender typically is at top-of-rack (ToR) with the parent Cisco Nexus switch at end-of-row (EoR).
A simple topology with one Cisco Nexus 5548UP switch and one Cisco Nexus 2248PQ Fabric Extender may look like the below with the Fabric Extender at ToR and Nexus 5548UP at EoR.
Here are some absolute basics you need to know about Cisco Nexus 2000 Series Fabric Extenders:
- No software is included with the Cisco Nexus Fabric Extender; the software is automatically downloaded and upgraded from its parent switch.
- The parent switch pushes the configuration data to the Fabric Extender. The Fabric Extender does not store any configuration locally.
- The Fabric Extender can connect to the switch through a number of separate physical Ethernet interfaces or at most one EtherChannel interface.
- The Fabric Extender is managed by its parent switch over the fabric interfaces. Cisco advertises a zero-touch configuration. The Fabric Extender is discovered by the parent switch by detecting the fabric interfaces of the Fabric Extender.
- The parent switch establishes in-band IP connectivity with the Fabric Extender. The parent switch assigns the Fabric Extender an IP address in the range of “127.0.0.0/8”, commonly known as loopback addresses, to avoid potential conflicts with IP addresses utilized in the network.
- The Fabric Extender updates the parent switch with its operational status. All Fabric Extender information is displayed using the parent switch commands for monitoring and troubleshooting.
- There are two types of interfaces: fabric interfaces (uplinks) and host interfaces (server-facing ports).
- All Fabric Extender host interfaces are set to spanning tree edge ports with “BPDU Guard” enabled and cannot be configured as spanning tree network ports.
- Servers utilizing active/standby teaming, 802.3ad port channels, or other host-based link redundancy mechanisms can be connected to Fabric Extender host interfaces.
- Any device running spanning tree connected to a Fabric Extender host interface will result in that host interface being placed in an error-disabled state when a BPDU is received.
- Any edge switch that leverages a link redundancy mechanism not dependent on spanning tree, such as Cisco Flexlink or vPC (with BPDUFilter enabled), may be connected to a Fabric Extender host interface. Since spanning tree is not utilized to eliminate loops, extra precaution must be taken to ensure a loop-free topology below the Fabric Extender host interfaces.
- The Fabric Extender does not perform any local switching. All traffic is sent to the parent switch where the switching and any policy enforcement is handled.
There are two options for how the uplinks of the Fabric Extender connect to the parent switch: 1. Static Pinning Fabric Interface Connection or 2. EtherChannel Fabric Interface Connection. The type of connection will determine how the traffic from an end host is distributed to the parent switch through the Cisco Nexus Fabric Extender.
The “Static Pinning Fabric Interface Connection” allows for a deterministic relationship between the host interfaces and the parent switch; you can configure the Fabric Extender to use individual fabric interface connections. The “EtherChannel Fabric Interface Connection” provides load balancing between the host interfaces and the parent switch; you can configure the Fabric Extender to use an EtherChannel fabric interface connection. This connection bundles 10-Gigabit Ethernet fabric interfaces into a single logical channel.
In the diagram further above, if using the first four ports on the Nexus 5548UP with an EtherChannel Fabric Interface Connection to the Fabric Extender, the configuration would be as shown below.
Cisco Nexus 5548UP Config:
configure terminal
interface port-channel 2
switchport mode fex-fabric
fex associate 100
exit
interface ethernet 1/1
switchport mode fex-fabric
fex associate 100
channel-group 2
exit
interface ethernet 1/2
switchport mode fex-fabric
fex associate 100
channel-group 2
exit
interface ethernet 1/3
switchport mode fex-fabric
fex associate 100
channel-group 2
exit
interface ethernet 1/4
switchport mode fex-fabric
fex associate 100
channel-group 2
end
copy running-config startup-config
In the configuration above the “switchport mode fex-fabric” command sets the EtherChannel to support an external Fabric Extender. The “fex associate 100” command associates the chassis ID to the Fabric Extender unit attached to the interface; the range of the chassis ID is from 100 to 199. Once the configuration is complete, you can run the “show interface port-channel 2 fex-intf” command to display the association of a Fabric Extender to the EtherChannel interface.
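For comparison, an added example (not from the original post) of the other option, a Static Pinning Fabric Interface Connection, on the same four Nexus 5548UP ports and chassis ID 100. The pinning max-links value is an assumption chosen to match the four uplinks.

```cisco
! Static pinning alternative to the EtherChannel example above.
! Added example, not from the original post; chassis ID 100 and the
! interface numbers follow the EtherChannel example, max-links is assumed.
configure terminal
fex 100
  ! One pinned group per fabric link. Set this to the number of fabric
  ! interfaces in use; the host interfaces are divided evenly across them,
  ! giving a deterministic host-interface-to-uplink relationship.
  pinning max-links 4
  exit
! Each uplink is an individual fabric interface: no channel-group here.
interface ethernet 1/1-4
  switchport mode fex-fabric
  fex associate 100
  no shutdown
  end
! Trade-off versus the EtherChannel connection: if one pinned fabric link
! fails, the host interfaces pinned to it are brought down rather than
! rehashed onto the remaining uplinks. Inspect the pinning with:
! show fex 100 detail
```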
Although the FEX architecture provides a single point for management and policy enforcement with zero-touch installation on the Fabric Extender, it also introduces the issue of all traffic being switched upstream by the parent switch as the fabric extender is not capable of doing local switching. If you have heavy ‘east-west’ traffic in your network, this may not be the best network architecture for you to deploy.
© Copyright 2014 - Security Data Center. Simple theme. Powered by Blogger.