Aerohive HiveOS 4

Aerohive really stood out to me at Wireless Tech Field Day back in March.  They’re a great company with a lot of interesting ideas behind wireless technology today that run counter to what you are hearing from the mainstream vendors.  The most perpendicular of these is that having a controller-based wireless network is no longer the way to go now that the processing power of access points (APs) has caught up to the modern era.  You can still have a software program directing their configuration and provisioning, but needed to run all that traffic through a centralized box is just asking for trouble.  Accordingly, Aerohive is coming out with some updates to their software offerings.

Aerohive announced the newest release of their HiveOS, version 4.0.  To go along with it, they are also releasing a new version of their HiveManager software, 4.0 as well.  The folks at Aerohive let me take a sneak peak at the bells and whistles on their new products.  The idea behind HiveOS 4 and HiveManager 4 is the ability to simplify the configuration of the network for guest users and mobile devices.  The current trend in wireless technology today is moving away from providing your employees with corporate mobile devices, such as tablets and smartphones, and instead configuring your network to allow more of a Bring Your Own Mobile Device approach.  From the CxO’s new iPad to a Galaxy Tab 10.1, the landscape of wireless client devices is proliferating quickly.  One of the areas where Aerohive told me they are seeing this explosion of BYOMD is in the healthcare industry.  With so many doctors and specialists floating in and out of hospitals, the number of different devices hopping on the wireless network at any given time is staggering.  Add in the patients and their families and loved ones and you can see how crazy things can get at times.  As a network admin, you can’t just tell all those people that they are only allowed to get on your network if they use the right device.  Doctors, in particular, become very attached to their mobile device and would prefer taking it around to each site they visit rather than be issued an “approved” mobile device upon arrival.  It becomes more important then to configure your wireless in such as way to provide the best experience for your users while at the same time protecting them and protecting the network from harm.

One way that Aerohive is helping this guest device explosion is by offering the ability to have your users self enroll on a portal page for a Private Pre-Shared Key (PPSK).  I like the idea of a PPSK, since it essentially provides a throw-away password for each user and allows you to grant access without giving away the whole network.  This also does away with any kind of need to have an open guest network, which has been shown in recent months to be vulnerable to all kinds of snooping and sniffing software, such as the infamous Firesheep.  In HiveOS 4, you can also tag those PPSKs with an expiration time and date, so for instance the network admins at a concert performance or sporting event can mark all the self-generated PPSKs to expire two hours after the end of the show to help prevent people from leeching the network forever.  This can help you setup easy access for your clients to generate their own PPSKs via a web portal so the admins need not get involved in the process while at the same time making sure that you can restrict access should the need arise.  If you have a user that is misbehaving or needs to be disconnected, you merely disable their PPSK without needing to rekey the network.  This feature is also a great idea in places where employee turnover is rather high.

Another new feature in HiveOS 4 is the ability to snoop on mobile Internet devices, or MIDs as Aerohive refers to them.  Every mobile device you can buy today identifies itself in one form or another.  Most of the time this is done via browser user agents.  As a quick example, the user agent on your iPhone announces to the website that it is indeed a Fruit Company Mobile Phone, and the website displays a mobile-friendly site with larger text and fewer graphics.  In much the same way, HiveOS 4 allows the network to determine which devices are being used  and restrict them with policies.  For instance, you may want to give your CxO unfettered access to all corporate resources on his laptop.  If he uses his iPad, you may want to restrict him from accessing servers which don’t support his tablet.  If he jumps on with his iPhone, you may wish to further restrict him to Internet access only.  By snooping on the user agents, you can configure these policies quickly and easily without restricting access on his other devices.  Think of a restaurant, for example.  The host/hostess up front would love to use an iPad to take reservations quickly and easily, but the management is worried they might instead use it to surf the web or spend more time on Facebook than face-to-face with customers.  In HiveOS 4, you can restrict the host station iPads from the Internet and only allow them access to the reservation system.  A win for everyone that is interested in things other than status updates.  Note that this is all done without the need to enable 802.1x authentication on the network, a very time consuming and hairy process for even the most seasoned security and network people.

One unexpected addition in HiveOS 4 is spectrum analysis.  Cisco has really been pushing the advantages of the Cognio chip embedded in all of it’s 3500 series APs.  When we asked Aerohive about doing spectrum analysis in their APs at WFD, the answer was “wait and see”.  I’m pleased to announce that with HiveOS 4, you can now enable a spectrum analyzer in your Aerohive 802.11n APs.  The interface in HiveManager 4 is all based on HTML5, so it has no display issues on your favorite Fruit Company Mobile Device.  There is a large signature database included, so you can plot the air waves and then compare them to a list of known interference sources in case you aren’t sure whether it’s a Bluetooth headset or a cordless phone causing interference.  This is great if you want to enable the spectrum analyzer on a remote AP and then have someone back at the office check the interference source while you walk around trying to find out who’s hiding a microwave under their desk (Here’s a tip:  Look for the guy glowing in the dark…).  This feature is included in HiveOS 4 at no additional cost.  One caveat I noticed – HiveManager can only receive data from 10 spectrum analysis sources at once, so you can’t configure any more than that.  When I asked about this limitation, I was informed that in order to receive and process the data quickly and efficiently, they had to put a limit on it, so 10 is it.  For now, at least.

HiveOS 4 Spectrum Analysis running on your favorite Fruit Company Tablet

For those of you out there that may be Aerohive partners, there is also a new Partner Admin page that allows you to demo the product and set up customer evaluations.  You can also remote in and add devices to your customer’s network or even delegate certain tasks to administrators at the customer site.  This is a great addition for those providers looking to add Aerohive as a kind of managed services wireless solution.  For one low monthly fee, you can lease Aerohive gear to your customers and manage it from one location.  You can involve the customer admins as little or as much as you want.

There are a lot of other great features that are in HiveOS 4 and HiveManager 4, so you should head over to Aerohive’s site and check it out.  The upgrade is free for all existing Aerohive customers and will be available on June 20.

Tom’s Take

I like what Aerohive is doing with their approach to wireless.  By moving the intelligence of the network out into the access points, they alleviate some of the bottleneck issues with controllers.  They also have some great ideas that they bring to the table to increase the visibility of their software with certain verticals, such as education and health care.  However, if software is your game, you’re only as good as the features in your latest release.  I think Aerohive nailed it with HiveOS 4.  They’ve added a lot of new features to help admins address their pain points in the Bring Your Own Mobile Device era, as well as adding a much-needed feature that will allow them to compete with offerings from Cisco in the spectrum analysis arena.  By making this upgrade available for all existing customers, you can refresh your wireless network with the click of a button.  No forklifts needed.  So join me in raising a glass to the latest release of HiveOS:

I look forward to seeing more good stuff from Aerohive in the future.


I received a sneak peak at the offering from Aerohive before the launch date.  No consideration was asked for in my attendance, and none was offered.  The opinions and analysis offered in this post are mine and mine alone.

NFC: Not For Consumers (Yet)

There’s been quite a bit of buzz recently regarding the capabilities surrounding Near Field Communications (NFC).  The idea behind this is that a user can be provided with a low-powered, short range (about 2 inches) wireless transmitter/receiver that can be used in a variety of applications, such as providing access control to restricted doors, airline or mass transit check-in/ticketing, and even payment methods.  Google especially has upped the ante in this last department with the announcement of Google Wallet, a movement to make your phone into your primary method of payment for goods and services.  While I’m behind the idea that you can start using mobile devices for electronic payment, I think that the NFC idea isn’t quite ready for prime time just yet.

1.  NFC-enabled devices are few and far between.  The list of devices that have built-in NFC transmitters is longer than expected…provided you live anywhere other than the United States.  Most of the phones that have NFC chips are Nokia devices primarily marketed in Europe.  The main devices found in the US are (naturally) the Google Nexus S and to my surprise the Blackberry Bold/9900.  While I’ve been told the boys in Mountain View make a mighty nice phone, the adoption rates aren’t nearly as high as other devices from Motorola and the Fruit Company Mobile Device Company.  In fact, rumors that the iPhone 5 *might* include a NFC chip had people foaming at the mouth.  Why’s that?  Well, despite what others might tell you, putting a new technology in the next iPhone is a good way to push it toward the mainstream.  This may not guarantee that it will be adopted, but based on the sales numbers that the iPhone usually produces, putting a NFC chip in it would get it to several million people in short order.  Once the technology is more pervasive than a few hundred thousand handsets, I think there’ll be more effort given to incorporating it into payment methods.  Otherwise, it will sit unused, taking up valuable space in your phone that could have been used for a bigger battery or a fancy gyroscope.

2.  NFC-enabled retailers are few and far between.  This is the same as number 1, except it’s the other side of the coin.  Not seeing any real need to provide NFC receivers for a non-existent demand, retailers haven’t really put any in.  Think back to the MasterCard PayPass or American Express ExpressPay.  How many people have you seen with those cards?  How many of those terminals have you seen?  I’ve seen a few of the newer ones here and there, but never at any big box retailers or department stores.  If Google or Apple are serious about driving adoption of this kind of technology, they may have to work with the credit card companies to underwrite the replacement of NFC-enabled POS devices.  Walmart won’t spend millions to replace their terminals on a whim with the possible hope of having NFC customers, but if Google agrees to pay 25% and MasterCard agrees to pay 25%, that might be the tipping point to spur adoption.  Starbucks has faced a similar issue with their mobile payment system.  Starbucks began testing the use of barcodes in their mobile app to see if adoption would take off.  Their testing areas, Seattle and Silicon Valley, showed that people were willing to use their iPhones or Nexi devices to pay with a virtual Starbucks card.  Once they rolled out their mobile terminals across the country, I wonder if they’ve seen the same kind of adoption in places other than coffee-crazy Seattle or tech-friendly Silicon Valley.  If the mobile manufacturers want to drive this technology, they may have to put their money where their chips are.

3.  Who has my money?  This is probably going to be the biggest problem standing in the way of mobile device NFC payment.  Right now, Google Wallet works with Citi MasterCard and Google pre-paid cards.  Not an impressive list of authorized cards, to say the least.  If Apple were to adopt this technology in the iPhone 5 or iPhone 5GSX+++, they obviously would want the funds used to purchase things stored in your iTunes account.  Whoever controls the money controls your spending habits.  Think about having a number of small bank accounts, each with small amounts of money.  You can’t use any one account for all your purchases due to the lack of significant funds in any one of them.  Extrapolate that further.  Would you really tie up, say, $500 worth of your income in an iTunes NFC payment account?  I don’t think the electric company accepts iTunes yet, and you can’t really use Google pre-paid cards at a Coke machine.  The credit card companies are going to be hesitant to partner with Google and Apple unless terms are favorable for them to keep getting their 2% margins (or better) and the device manufacturers are not going to want to use the technology unless they can get their cut, especially Apple and their 30% tax on anything they touch.  The fight among each of these parties is likely to keep the whole thing shelved for the foreseeable future, unless some kind of breakthrough can be reached.

Tom’s Take

I think NFC has the opportunity to be a real game-changer for Personal Area Network (PAN) applications.  An example, if you will.  Those that have played the Metal Gear Solid series of games no doubt remember the annoyance in Metal Gear Solid 1 where you were required to be holding a door key card when you wanted to enter.  In every game after that, the key cards utilized PAN technology to allow you to pass through them without the need to select them every time.  NFC-type communications at it’s best.  Now apply those lessons to the real world.  Your phone can replace your access badge.  Your phone can unlock the front door to your house.  You can use your phone for a boarding pass or a parking meter fob or any one of a number of cool futuristic things.  Yes, even a payment method.  However, there are enough challenges to make adoption difficult at best.  Everyone wants to lock you into their particular flavor of NFC banking to best help you find ways to spend your money.  Until we get some kind of universal access or centralized clearinghouse that all the interested parties can agree on, I don’t think NFC will be replacing my wallet any time soon.  Let’s hope time proves me wrong on this one.

Friday Fun Links – 5/27

This week’s link collection tends to fall on the side of security.  Whether you have a Mac or you work for Lockheed Martin, it’s been a rough few days.

Krebs on Security: ChronoPay Fueling Mac Scareware Scams

Perhaps Apple will have better luck than others who have tried
convincing ChronoPay to quit the rogue anti-virus business, but I’m
not holding my breath. As I noted in a story earlier this year,
ChronoPay has been an unabashed “leader” in the scareware industry
for quite some time.

I don’t need to tell you that the majority of spyware/malware/crapware out there is motivated today by money.  It is a little surprising to find out that one company seems to be masterminding things.  And with the surge in Mac sales raising their profile among hackers, expect a flood of junk for the Mac.

Reuters: Hackers Breach US Defense Contractors

Unknown hackers have broken into the security networks of
Lockheed Martin Corp and several other U.S. military contractors,
 a source with direct knowledge of the attacks told Reuters.  
They breached security systems designed to keep out intruders
by creating duplicates to "SecurID" electronic keys from
EMC Corp's RSA security division, said the person who was not 
authorized to publicly discuss the matter.

I am Jack’s complete lack of surprise.  As we discussed on Packet Pushers almost 2 months ago, there was more to the RSA breach than was being let on.  Looks like the tokens are compromised and making copies is easier than RSA would like.  If you’re using SecurID tokens, it’s best to discontinue their use if possible and get in touch with RSA to get them replaced.  You might also think about mentioning you don’t want them pulled from stock.  You know, just in case…

RFC 6127 – IPv4 Run-Out and IPv4-IPv6 Co-Existence Scenarios

Check out our latest discussion of All Things NAT, as well as fun things like Carrier-Grade NAT (NAT 444), Teredo, and my personal favorite…jabbing bamboo shoots under your fingernails.

9.@ Must Die!

Frequent visitors to my site should know that I am a voice rock star on top of my other regular networking/wireless/server/virtualization/etc roles.  One of the things I have tried to do since the very beginning of my time in voice is avoid using unnecessary shortcuts and make things work right the first time.  This is no different when it comes to the likes of route patterns in Cisco Unified Communications Manager (CUCM).  I speak of course of the infamous “@” route pattern.

When configuring a route pattern in CUCM, I have seen some documentation suggest that you configure your route pattern using the “@” wildcard and be done.  In CUCM, the “@” is a wildcard macro that contains most of the numbering plan for North America, also known as NANP.  In North America, we use 10-digit telephone numbers that are composed of a 3-digit area code followed by a 7-digit local number.  The first digit of the area code cannot be a zero or a one, and the first digit of the local number cannot be a zero or a one either.  The NANP format is usually represented as NXX-NXX-XXXX, where N is a number between two and nine, and X is any number.  The “@” wildcard takes this information and builds several route patterns in CUCM than can match numbers that you might want to dial.  However, “@” has some additional issues that have to be addressed.  Often, you must configure your local area code with a route filter to allow the system to recognize when a local call is dialed.  You also will need to configure things like country code and possibly even end-of-dial strings to help calls be terminated quickly.  If these items are not configured properly, CUCM will have to wait for the interdigit timeout to expire before deciding to send the dialed digits to the PSTN gateway.  By default, this interdigit timeout is 15 seconds, which can be an eternity to a user.

In my career, I have never used the “@” wildcard.  I have always configured my own route patterns.  To me, it looks much cleaner and is easier to troubleshoot rather than having to unwind a shortcut macro.  For the following examples, “9” is used as a pre-dot PSTN access code and is assumed to be stripped at some point before arriving at the PSTN.

911 and 9.911 – Emergency services route patterns.  You need to have these or your people can’t dial emergency services.  If you’d like to read more about my reasons for configuring both route patterns, check it out over here.

9.[2-8]XX – Service codes. These are defined by NANP to provide 3-digit access to special services.  There is no 111 access code.  I don’t include 911 in this configuration due to the explicit urgent priority pattern configured explicitly for emergency services.

9.1[2-9]XX[2-9]XXXXXX – Long Distance.  Most long distance providers in the country use “1” to signal that a long distance call outside of your area code is being made.  This route pattern looks for an 10-digit number prefixed with “91”  The “1” is sent with the number to signal a long distance call.  This is pretty straight forward and will likely be required on all route plans.

9.011! – International calls.  I still configure international call route patterns even if my customers don’t care for them.  I limit their use via Calling Search Spaces (CSS).  It’s better to have the route pattern configured and available to turn on at a moment’s notice in case the CxO starts asking why he can’t call London or Tokyo.  I use a “!” at the end of the route pattern to signal that there could be any number of digits after “011”, which is the international access code for the United States.  The caveat is that you must wait for the interdigit timeout to expire before the call is dialed.  You can add an octothorpe (#) after the “!” to signal that you are done dialing digits, but if that is your only route pattern, you must dial the # or the call will not go through.

The remaining two route patterns that get configured are a little trickier and often cause issues on the system depending on how they are configured.  Local calling is different depending on where you live.  Some metropolitan areas are still on the small side, so you are allowed to dial only seven digits to complete a call.  This is true where I live in Oklahoma City, which is totally contained in the 405 area code.  In other areas, such as Dallas/Ft. Worth or New York City, there are so many telephone numbers that you must use a full 10 digit number to make a call.  As more and more phones are sold and activated, especially cellular phones, the move to 10-digit dialing for most everyone is inevitable.  Until the day when 10 digits are universal, there are somethings to keep in mind for route patterns.

9.[2-9]XXXXXX is used for 7-digit dialing for local calls.  9.[2-9]XX[2-9]XXXXXX is used for 10-digit local calling.  If both of these route patterns are configured on the system at the same time, there can be issues.  In the best case, users must wait for the interdigit timeout to expire on local calls, since when only 7 digits are dialed CUCM is still waiting to see which route pattern to match for the call to complete.  In the future, there will be no use for the 7-digit pattern, and only the 10-digit pattern will be present.  Until that time, here’s a trick you can use to help avoid the interdigit timeout for local calls.

Configure the 7-digit pattern for your local calls.  If you live in an area like I do where some calls inside your area code can be dialed at 10-digit and not be long distance, i.e. not prefixed with a “1”, then configure a 10-digit route pattern with the explicit area code set, such as 9.405[2-9]XXXXXX.  You don’t need to configure a 10-digit route pattern in this case, since any non-local call outside your area code will require a “1” to dial.  This will help you avoid the interdigit timeout on local calls, which should keep your users from rioting.  When your city or county or area code finally implements an overlay area code and starts requiring the use of 10-digit dialing, simply remove the explict area code route pattern (9.405[2-9]XXXXXX in the above example) and the 7-digit route pattern and configure the 10-digit route pattern, 9.[2-9]XX[2-9]XXXXXX.

This should be enough to help you configure all of your NANP dialing needs without the horror that is 9.@.  Much like the <none> partition, 9.@ is a dirty crutch that usually ends up doing more harm than good, especially when it comes time to troubleshoot odd behavior of route patterns and why one is being overridden by something you can’t even see.  By having your route patterns explicitly configured, you not only gain more control over your dialing domain, but you also have the ability to block specific route patterns such as 900 numbers or those nasty Carribean international calls without fear that a crusty old shortcut is still in your system causing you grief and and costing you money.

Fun Links for Friday

I’ve been meaning to start a link round-up post each week to highlight some things that I read that I find interesting or that might slip through the cracks sometimes.

PaulDotCom: Virtualizing Junos

Many times when working with a client network or working on our own we have the need to test, document and validate certain networks configurations in a test environment. Sadly not many have the money to have one so as to test different scenarios so as to gage the impact that this changes might have on the production network. For a majority of configuration when it comes to system settings and routing a virtualized environment can be of great help, sadly anything ASIC or HW Specific configurations. On this blog post I will cover how to virtualize JunOS operating system to aide with testing and validating.

This does indeed work.  Remember though, that you need to be a Juniper customer to download the Junos images.

TED Talk: Beware of Online Filter Bubbles

As web companies strive to tailor their services (including news and search results) to our personal tastes, there’s a dangerous unintended consequence: We get trapped in a “filter bubble”and don’t get exposed to information that could challenge or broaden our worldview.

Something that never occurs to a person because they don’t realize what’s going on.  It seems that the Internet is walling off the outside world from us a piece at at time.

Stephen Foskett, Pack Rat: FCoE vs. iSCSI – Making the Choice”

“FCoE vs. iSCSI” isn’t a battle or cage match. Your choice depends on many factors, and is more a reflection of convergence than a religious conviction

I get to have this conversation with my customers on a regular basis.  Stephen says it a lot better than I do, and he even has a slide deck.

Spin-Off Doctors

A story broke today that the rumor mill has Cisco is considering spinning off the Linksys brand and perhaps even Webex as well.  The majority of response that I’ve seen from my peers ranged from pleasure to downright cheering.  It seems that people have pinned a lot of the ills that have affected Cisco recently on Acquisition Fever.  The fingers are firmly pointed at Flip and Linksys, and with Flip going the way of the dodo last month, Linksys remains as the demon of Cisco’s lack of focus.

I happen to agree with people that say that Linksys has caused Cisco to lose it’s way.  The Linksys acquisition was the point of the spear in Cisco’s drive to launch itself down into the consumer market.  John Chambers has always said that if Cisco can’t move into a market and be the best, they’ll buy someone and make them the best.  So it was with Linksys.  By snapping up a major player in the consumer market, Cisco could bring its guns to bear on a large base of potential customers.  I think that Cisco felt they had the enterprise market wrapped up tight and that those customers would see the Cisco name on a router in their local big box retailer and, just like Pavlov, they’d rush right out and buy it.  Two years ago, I remember seeing a news piece stating that Chambers was even going to retire the Linksys name and instead put the vaunted Cisco badge on all their products.  That never came to pass, and I think that shows what truly is behind the problems with a large company like Cisco playing down to the consumer.

When I walk into my local retailer, I see lots of boxes on the shelves with names like D-Link, Netgear, and Linksys.  I even see a lot of rebranded generic devices built from the cheapest parts available and graced with names like Rocketfish or CompUSA.  These are the products that consumers look for when they go to Best Buy or OfficeMAX.  They buy whatever is on sale or whatever the guy in the solid colored shirt recommends.  There isn’t any brand loyalty at the bottom of the totem pole.  I bought a very cheap CompUSA wireless router once upon a time just so my laptop could connect from the living room.  It lasted me about a year.  Once it died, I didn’t dig out my support contract and get a replacement unit from San Jose.  I just went down to Walmart and bought a replacement.  I think it’s much the same for customers the world over.  Consumer technology is mostly disposable to them.  There’s not much mission-critical equipment in the average house, so when something dies, it’s usually easier to replace it with a new gadget than it is shipping it off and waiting to get the same one back.  Customers don’t want maintenance contracts and next-business day support.  It’s dog-eat-dog down at the bottom and every penny you can squeeze out of your product is a penny you can put in your piggy bank.  No R&D, no investment in the future.  Just cheap circuit boards and minimal packaging with crappy instructions.

When Cisco finally found this out sometime late last year, it only made sense that they needed to start moving away from the consumer market.  The first to go was the ümi, Cisco’s failed foray into consumer Telepresence.  The average consumer doesn’t want to spend $500 for a video conferencing unit only to have to turn around and pay $50/month to make it work.  Flip was next to go, as Cisco never truly found a way to integrate it into their business model.  Other companies started doing it cheaper and better than Flip, and when the headsman’s axe fell, there were no survivors.  Linksys being spun off would give Cisco some breathing room in the low end of the market.  This would be key, since HP and Juniper are starting to take big bites out of the enterprise space Cisco has been so dominant in for years.  They need to leave the unprofitable consumer space to make up ground in their core business, and they’ve said as much recently.

Webex is an interesting challenge.  Most people that use it love it.  It’s much better than Cisco’s own MeetingPlace offerings, so much so that Cisco dumped their licensing deal with Adobe and now uses Webex for everything from product launches to TAC support calls.  It would seem the Webex integrates very tightly into the collaboration offerings that Cisco is touting.  I’ve heard from some insiders though that the the Webex acquisition was a nightmare that never seemed to end.  Cisco touted the fact that it took them months to close the Scientific Atlanta purchase (one that still baffles me to this day) and closed on Webex in a matter of weeks.  However, I’ve been told that the Webex people never really integrated well with Cisco corporate.  There was a lot of infighting amongst the teams, and in fact several pipeline deals were being closed with nary a mention of Cisco.  It was almost as if the Webex people forgot who was purchasing whom, and the antagonism was palpable.  It wasn’t until a senior VP came into the Webex team and started canning the unruly people left and right that the message came across crystal clear – Webex is now a part of Cisco, not the other way around.

If the idea that Webex is still an autonomous unit under the Cisco umbrella is still pervasive among the Webex team, it might make sense for Cisco to spin off its problem child and just license the technology for its collaboration efforts going forward.  It almost seems that way today, with the Webex platforms being offered in a totally different manner from Cisco’s other product lines.  There have been some false starts in trying to leverage the cloud-based software as a service (SaaS) opportunites the Webex could offer, like Webex Mail.  I think Cisco isn’t for sure how to make Webex work outside of their web meeting product and rather than let that technology wither and die on the vine, it might be better to release it back into the wild and let it find it’s own way.

Tom’s Take

Cisco has already said that they are getting back to basics and concentrating on their core strategies.  They also said to expect some job cuts and the reduction of product lines.  People were shocked when Flip was shut down, but I think that’s the tip of the iceberg here.  Spinning Linksys into a separate company that can be more agile and focus in on the consumer and small business markets is an outstanding idea.  It gives the Linksys team the ability to stay competitive in their primary area of business without feeling the pressure from their corporate overlords to make money hand over fist.  At the same time, the rumor to spin off Webex is shocking to most, as the service is beloved by all of its users and no doubt will flourish in any form.  I think this is more of a culture clash between old-guard Cisco and the Webex team.  The only real way to sort this mess out is to let them go their separate ways and maybe one day they can hang out again as just friends.  Cost cutting and retrenching of your product lines is never a fun task, and it usually calls out the wolves ready to decry your fall from grace.  However, in the case of Cisco I think that spinning off these clunkers is just what the doctor ordered.

Rollover Beethoven – USB’s In Town

Every Cisco engine…rock star in the world should have a rollover cable or two stashed away in their bag/car/pocket just in case.  The rollover serial cable is the hallmark of access to a Cisco device.  The console port is the last resort for configuration when all else has gone wrong.  It is the first thing you should plug into when you boot up a router for the first time and the best way to get info you couldn’t otherwise find.  However, the days of the serial cable are quickly becoming numbered.

It wasn’t all that long ago that every PC manufactured included a 9-pin serial connection.  These ports were handy for all kinds of devices, including printers and modems.  However, with the introduction of Universal Serial Bus (USB) connections, the usefulness of the serial (and parallel) ports has been waning quickly.  By utilizing a higher speed connection that more tightly integrates into the system, the need to configure devices with DIP switches and play COM port roulette have long since passed.  As it is with any transition though, there have been some holdouts in the movement to retire serial ports.  While some of these are understandable due to outdated single-purpose technology, others have never made any sense to me, like the Cisco rollover console cable.  Surely there must be a better way to connect to the serial port of a device than with an outdated technology holdover from the 80s?  I myself am a victim of this kind of thinking, having used an IBM T30 Thinkpad well past its useful life simply because it had an integrated serial port and my replacement laptop wouldn’t.

When Cisco developed the new ISR G2 line of routers, someone in the console access department finally decided to wake up and get with the 2000’s.  Thanks to their efforts, the Cisco routers and switches manufactured today have started including a new console access option:

In the picture above, you can see the familiar RJ-45 console port to the right and the newer USB console port to the left, indicated with the USB icon.  This new port allows those of us that have spent most of our lives using the flat blue rollover serial cables to add a new, exciting cable to our bag, the USB A-to-mini cable.

The new USB port allows the user to access the router’s console with a newer cable instead of relying on the standby rollover cable.  However, you need to take a few steps first.  You have to head out to the Cisco Connections Online (CCO) download page and pull the driver for your particular operating system if you’re running on Windows.  Make sure you specify 32-bit or 64-bit, since this driver will be masquerading as a COM port on your system.  You don’t want to waste time downloading a driver that won’t work.  Once you’ve installed the driver, you can plug in your USB connection to any USB port and then to the router.  It will look like an additional COM port on your system, probably with a high number like COM6 or COM7, so make sure you’ve got a terminal emulator that allows you to choose your COM port.  I tend to use TeraTerm for this very reason, but your terminal program of choice should do nicely.  For those of you in the audience with Macbooks, you don’t need to download any drivers at all.  Seems like OS X already has the right driver built in, so just plug and and get cranking.  As a quick aside, Cisco will attempt to sell you a $30 USB console cable when you order the router. JUST. SAY. NO.  This is a regular USB A-to-Mini cable that can be purchased at Walmart for about $10.  You can even use the USB cable that came with your digital camera or Blackberry or old Motorola RAZR.

Once you get attached to the USB console port, you’ll find that it works pretty much the same as the RJ-45 port that you’ve become attached to over the years.  You can also plug in a regular old serial cable into the RJ-45 port if you need a second connection.  The RJ-45 console port will mirror what’s going on with the USB console port.  However, since their both Console 0, only one of them will have preference on the input.  In this case, that’s the USB port.  So if you have a terminal access server plugged in for reverse telnet connections and someone comes in and attaches a USB connector, you can watch what’s going on but you can’t do anything about it.  You can specify a timeout value if you’d like so you can force a logout after inactivity.  You can do that with the following command:

Router(config)# line con 0
Router(config-line)#usb-inactivity-timeout <value in minutes>

Note that this command doesn’t work on the 2900 series ISR G2 routers for some strange reason.  Oh well, feature request down the road.  For those of you out there that don’t feel comfortable with the idea of having just anyone off the street walking up and consoling into your router via USB, you can always disable the USB console port in favor of the RJ-45 connection as follows:

Router(config)# line con 0
Router(config-line)# media-type rj45

Bingo.  USB port locked out.  Now only those people in possession of a serial-to-USB adapter or a Redpark iOS Console Cable will have access.

Tom’s Take

I have three rollover cables in my various laptop bags.  I keep two for emergencies and one in case someone doesn’t have theirs.  I passed out console cables to all my engineers and technicians once and told them the next time I asked them for their console cable, they’d better present this one to me.  A console cable is an indispensable tool for anyone that works on Cisco equipment.  Having the USB option is always welcome since I no longer have to fumble for my USB-to-serial adapter or worry that the dodgy drivers are going to bluescreen my Windows 7 64-bit laptop over and over again.  Still, there is a lot of Cisco equipment out there with the older RJ-45 cable setup as the only console option.   So you can’t just throw out the old rollover serial cables just yet.  Better to throw a USB cable in your bag for those glorious days where you get to access a newer device.  Then you can await the day when you can bury your rollover cable alongside Beethoven.