Aerohive HiveOS 4

Aerohive really stood out to me at Wireless Tech Field Day back in March.  They’re a great company with a lot of interesting ideas behind wireless technology today that run counter to what you are hearing from the mainstream vendors.  The most perpendicular of these is that having a controller-based wireless network is no longer the way to go now that the processing power of access points (APs) has caught up to the modern era.  You can still have a software program directing their configuration and provisioning, but needing to run all that traffic through a centralized box is just asking for trouble.  Accordingly, Aerohive is coming out with some updates to their software offerings.

Aerohive announced the newest release of their HiveOS, version 4.0.  To go along with it, they are also releasing a new version of their HiveManager software, 4.0 as well.  The folks at Aerohive let me take a sneak peek at the bells and whistles on their new products.  The idea behind HiveOS 4 and HiveManager 4 is the ability to simplify the configuration of the network for guest users and mobile devices.  The current trend in wireless technology today is moving away from providing your employees with corporate mobile devices, such as tablets and smartphones, and instead configuring your network to allow more of a Bring Your Own Mobile Device approach.  From the CxO’s new iPad to a Galaxy Tab 10.1, the landscape of wireless client devices is proliferating quickly.  One of the areas where Aerohive told me they are seeing this explosion of BYOMD is in the healthcare industry.  With so many doctors and specialists floating in and out of hospitals, the number of different devices hopping on the wireless network at any given time is staggering.  Add in the patients and their families and loved ones and you can see how crazy things can get at times.  As a network admin, you can’t just tell all those people that they are only allowed to get on your network if they use the right device.  Doctors, in particular, become very attached to their mobile device and would prefer taking it around to each site they visit rather than be issued an “approved” mobile device upon arrival.  It becomes more important then to configure your wireless in such a way to provide the best experience for your users while at the same time protecting them and protecting the network from harm.

One way that Aerohive is helping this guest device explosion is by offering the ability to have your users self-enroll on a portal page for a Private Pre-Shared Key (PPSK).  I like the idea of a PPSK, since it essentially provides a throw-away password for each user and allows you to grant access without giving away the whole network.  This also does away with any kind of need to have an open guest network, which has been shown in recent months to be vulnerable to all kinds of snooping and sniffing software, such as the infamous Firesheep.  In HiveOS 4, you can also tag those PPSKs with an expiration time and date, so for instance the network admins at a concert performance or sporting event can mark all the self-generated PPSKs to expire two hours after the end of the show to help prevent people from leeching the network forever.  This can help you set up easy access for your clients to generate their own PPSKs via a web portal so the admins need not get involved in the process while at the same time making sure that you can restrict access should the need arise.  If you have a user that is misbehaving or needs to be disconnected, you merely disable their PPSK without needing to rekey the network.  This feature is also a great idea in places where employee turnover is rather high.

Another new feature in HiveOS 4 is the ability to snoop on mobile Internet devices, or MIDs as Aerohive refers to them.  Every mobile device you can buy today identifies itself in one form or another.  Most of the time this is done via browser user agents.  As a quick example, the user agent on your iPhone announces to the website that it is indeed a Fruit Company Mobile Phone, and the website displays a mobile-friendly site with larger text and fewer graphics.  In much the same way, HiveOS 4 allows the network to determine which devices are being used and restrict them with policies.  For instance, you may want to give your CxO unfettered access to all corporate resources on his laptop.  If he uses his iPad, you may want to restrict him from accessing servers which don’t support his tablet.  If he jumps on with his iPhone, you may wish to further restrict him to Internet access only.  By snooping on the user agents, you can configure these policies quickly and easily without restricting access on his other devices.  Think of a restaurant, for example.  The host/hostess up front would love to use an iPad to take reservations quickly and easily, but the management is worried they might instead use it to surf the web or spend more time on Facebook than face-to-face with customers.  In HiveOS 4, you can restrict the host station iPads from the Internet and only allow them access to the reservation system.  A win for everyone that is interested in things other than status updates.  Note that this is all done without the need to enable 802.1X authentication on the network, a very time consuming and hairy process for even the most seasoned security and network people.

One unexpected addition in HiveOS 4 is spectrum analysis.  Cisco has really been pushing the advantages of the Cognio chip embedded in all of its 3500 series APs.  When we asked Aerohive about doing spectrum analysis in their APs at WFD, the answer was “wait and see”.  I’m pleased to announce that with HiveOS 4, you can now enable a spectrum analyzer in your Aerohive 802.11n APs.  The interface in HiveManager 4 is all based on HTML5, so it has no display issues on your favorite Fruit Company Mobile Device.  There is a large signature database included, so you can plot the air waves and then compare them to a list of known interference sources in case you aren’t sure whether it’s a Bluetooth headset or a cordless phone causing interference.  This is great if you want to enable the spectrum analyzer on a remote AP and then have someone back at the office check the interference source while you walk around trying to find out who’s hiding a microwave under their desk (Here’s a tip:  Look for the guy glowing in the dark…).  This feature is included in HiveOS 4 at no additional cost.  One caveat I noticed – HiveManager can only receive data from 10 spectrum analysis sources at once, so you can’t configure any more than that.  When I asked about this limitation, I was informed that in order to receive and process the data quickly and efficiently, they had to put a limit on it, so 10 is it.  For now, at least.

HiveOS 4 Spectrum Analysis running on your favorite Fruit Company Tablet

For those of you out there that may be Aerohive partners, there is also a new Partner Admin page that allows you to demo the product and set up customer evaluations.  You can also remote in and add devices to your customer’s network or even delegate certain tasks to administrators at the customer site.  This is a great addition for those providers looking to add Aerohive as a kind of managed services wireless solution.  For one low monthly fee, you can lease Aerohive gear to your customers and manage it from one location.  You can involve the customer admins as little or as much as you want.

There are a lot of other great features that are in HiveOS 4 and HiveManager 4, so you should head over to Aerohive’s site and check it out.  The upgrade is free for all existing Aerohive customers and will be available on June 20.

Tom’s Take

I like what Aerohive is doing with their approach to wireless.  By moving the intelligence of the network out into the access points, they alleviate some of the bottleneck issues with controllers.  They also have some great ideas that they bring to the table to increase the visibility of their software with certain verticals, such as education and health care.  However, if software is your game, you’re only as good as the features in your latest release.  I think Aerohive nailed it with HiveOS 4.  They’ve added a lot of new features to help admins address their pain points in the Bring Your Own Mobile Device era, as well as adding a much-needed feature that will allow them to compete with offerings from Cisco in the spectrum analysis arena.  By making this upgrade available for all existing customers, you can refresh your wireless network with the click of a button.  No forklifts needed.  So join me in raising a glass to the latest release of HiveOS:

I look forward to seeing more good stuff from Aerohive in the future.


I received a sneak peek at the offering from Aerohive before the launch date.  No consideration was asked for in my attendance, and none was offered.  The opinions and analysis offered in this post are mine and mine alone.

NFC: Not For Consumers (Yet)

There’s been quite a bit of buzz recently regarding the capabilities surrounding Near Field Communications (NFC).  The idea behind this is that a user can be provided with a low-powered, short range (about 2 inches) wireless transmitter/receiver that can be used in a variety of applications, such as providing access control to restricted doors, airline or mass transit check-in/ticketing, and even payment methods.  Google especially has upped the ante in this last department with the announcement of Google Wallet, a movement to make your phone into your primary method of payment for goods and services.  While I’m behind the idea that you can start using mobile devices for electronic payment, I think that the NFC idea isn’t quite ready for prime time just yet.

1.  NFC-enabled devices are few and far between.  The list of devices that have built-in NFC transmitters is longer than expected…provided you live anywhere other than the United States.  Most of the phones that have NFC chips are Nokia devices primarily marketed in Europe.  The main devices found in the US are (naturally) the Google Nexus S and to my surprise the Blackberry Bold/9900.  While I’ve been told the boys in Mountain View make a mighty nice phone, the adoption rates aren’t nearly as high as other devices from Motorola and the Fruit Company Mobile Device Company.  In fact, rumors that the iPhone 5 *might* include an NFC chip had people foaming at the mouth.  Why’s that?  Well, despite what others might tell you, putting a new technology in the next iPhone is a good way to push it toward the mainstream.  This may not guarantee that it will be adopted, but based on the sales numbers that the iPhone usually produces, putting an NFC chip in it would get it to several million people in short order.  Once the technology is more pervasive than a few hundred thousand handsets, I think there’ll be more effort given to incorporating it into payment methods.  Otherwise, it will sit unused, taking up valuable space in your phone that could have been used for a bigger battery or a fancy gyroscope.

2.  NFC-enabled retailers are few and far between.  This is the same as number 1, except it’s the other side of the coin.  Not seeing any real need to provide NFC receivers for a non-existent demand, retailers haven’t really put any in.  Think back to the MasterCard PayPass or American Express ExpressPay.  How many people have you seen with those cards?  How many of those terminals have you seen?  I’ve seen a few of the newer ones here and there, but never at any big box retailers or department stores.  If Google or Apple are serious about driving adoption of this kind of technology, they may have to work with the credit card companies to underwrite the replacement of NFC-enabled POS devices.  Walmart won’t spend millions to replace their terminals on a whim with the possible hope of having NFC customers, but if Google agrees to pay 25% and MasterCard agrees to pay 25%, that might be the tipping point to spur adoption.  Starbucks has faced a similar issue with their mobile payment system.  Starbucks began testing the use of barcodes in their mobile app to see if adoption would take off.  Their testing areas, Seattle and Silicon Valley, showed that people were willing to use their iPhones or Nexi devices to pay with a virtual Starbucks card.  Once they rolled out their mobile terminals across the country, I wonder if they’ve seen the same kind of adoption in places other than coffee-crazy Seattle or tech-friendly Silicon Valley.  If the mobile manufacturers want to drive this technology, they may have to put their money where their chips are.

3.  Who has my money?  This is probably going to be the biggest problem standing in the way of mobile device NFC payment.  Right now, Google Wallet works with Citi MasterCard and Google pre-paid cards.  Not an impressive list of authorized cards, to say the least.  If Apple were to adopt this technology in the iPhone 5 or iPhone 5GSX+++, they obviously would want the funds used to purchase things stored in your iTunes account.  Whoever controls the money controls your spending habits.  Think about having a number of small bank accounts, each with small amounts of money.  You can’t use any one account for all your purchases due to the lack of significant funds in any one of them.  Extrapolate that further.  Would you really tie up, say, $500 worth of your income in an iTunes NFC payment account?  I don’t think the electric company accepts iTunes yet, and you can’t really use Google pre-paid cards at a Coke machine.  The credit card companies are going to be hesitant to partner with Google and Apple unless terms are favorable for them to keep getting their 2% margins (or better) and the device manufacturers are not going to want to use the technology unless they can get their cut, especially Apple and their 30% tax on anything they touch.  The fight among each of these parties is likely to keep the whole thing shelved for the foreseeable future, unless some kind of breakthrough can be reached.

Tom’s Take

I think NFC has the opportunity to be a real game-changer for Personal Area Network (PAN) applications.  An example, if you will.  Those that have played the Metal Gear Solid series of games no doubt remember the annoyance in Metal Gear Solid 1 where you were required to be holding a door key card when you wanted to enter.  In every game after that, the key cards utilized PAN technology to allow you to pass through them without the need to select them every time.  NFC-type communications at its best.  Now apply those lessons to the real world.  Your phone can replace your access badge.  Your phone can unlock the front door to your house.  You can use your phone for a boarding pass or a parking meter fob or any one of a number of cool futuristic things.  Yes, even a payment method.  However, there are enough challenges to make adoption difficult at best.  Everyone wants to lock you into their particular flavor of NFC banking to best help you find ways to spend your money.  Until we get some kind of universal access or centralized clearinghouse that all the interested parties can agree on, I don’t think NFC will be replacing my wallet any time soon.  Let’s hope time proves me wrong on this one.

Friday Fun Links – 5/27

This week’s link collection tends to fall on the side of security.  Whether you have a Mac or you work for Lockheed Martin, it’s been a rough few days.

Krebs on Security: ChronoPay Fueling Mac Scareware Scams

Perhaps Apple will have better luck than others who have tried convincing ChronoPay to quit the rogue anti-virus business, but I’m not holding my breath. As I noted in a story earlier this year, ChronoPay has been an unabashed “leader” in the scareware industry for quite some time.

I don’t need to tell you that the majority of spyware/malware/crapware out there is motivated today by money.  It is a little surprising to find out that one company seems to be masterminding things.  And with the surge in Mac sales raising their profile among hackers, expect a flood of junk for the Mac.

Reuters: Hackers Breach US Defense Contractors

Unknown hackers have broken into the security networks of Lockheed Martin Corp and several other U.S. military contractors, a source with direct knowledge of the attacks told Reuters. They breached security systems designed to keep out intruders by creating duplicates to "SecurID" electronic keys from EMC Corp's RSA security division, said the person who was not authorized to publicly discuss the matter.

I am Jack’s complete lack of surprise.  As we discussed on Packet Pushers almost 2 months ago, there was more to the RSA breach than was being let on.  Looks like the tokens are compromised and making copies is easier than RSA would like.  If you’re using SecurID tokens, it’s best to discontinue their use if possible and get in touch with RSA to get them replaced.  You might also think about mentioning you don’t want them pulled from stock.  You know, just in case…

RFC 6127 – IPv4 Run-Out and IPv4-IPv6 Co-Existence Scenarios

Check out our latest discussion of All Things NAT, as well as fun things like Carrier-Grade NAT (NAT 444), Teredo, and my personal favorite…jabbing bamboo shoots under your fingernails.

9.@ Must Die!

Frequent visitors to my site should know that I am a voice rock star on top of my other regular networking/wireless/server/virtualization/etc roles.  One of the things I have tried to do since the very beginning of my time in voice is avoid using unnecessary shortcuts and make things work right the first time.  This is no different when it comes to the likes of route patterns in Cisco Unified Communications Manager (CUCM).  I speak of course of the infamous “@” route pattern.

When configuring a route pattern in CUCM, I have seen some documentation suggest that you configure your route pattern using the “@” wildcard and be done.  In CUCM, the “@” is a wildcard macro that contains most of the numbering plan for North America, also known as NANP.  In North America, we use 10-digit telephone numbers that are composed of a 3-digit area code followed by a 7-digit local number.  The first digit of the area code cannot be a zero or a one, and the first digit of the local number cannot be a zero or a one either.  The NANP format is usually represented as NXX-NXX-XXXX, where N is a number between two and nine, and X is any number.  The “@” wildcard takes this information and builds several route patterns in CUCM that can match numbers that you might want to dial.  However, “@” has some additional issues that have to be addressed.  Often, you must configure your local area code with a route filter to allow the system to recognize when a local call is dialed.  You also will need to configure things like country code and possibly even end-of-dial strings to help calls be terminated quickly.  If these items are not configured properly, CUCM will have to wait for the interdigit timeout to expire before deciding to send the dialed digits to the PSTN gateway.  By default, this interdigit timeout is 15 seconds, which can be an eternity to a user.

In my career, I have never used the “@” wildcard.  I have always configured my own route patterns.  To me, it looks much cleaner and is easier to troubleshoot rather than having to unwind a shortcut macro.  For the following examples, “9” is used as a pre-dot PSTN access code and is assumed to be stripped at some point before arriving at the PSTN.

911 and 9.911 – Emergency services route patterns.  You need to have these or your people can’t dial emergency services.  If you’d like to read more about my reasons for configuring both route patterns, check it out over here.

9.[2-8]XX – Service codes. These are defined by NANP to provide 3-digit access to special services.  There is no 111 access code.  I don’t include 911 in this configuration because of the urgent-priority pattern configured explicitly for emergency services.

9.1[2-9]XX[2-9]XXXXXX – Long Distance.  Most long distance providers in the country use “1” to signal that a long distance call outside of your area code is being made.  This route pattern looks for a 10-digit number prefixed with “91”.  The “1” is sent with the number to signal a long distance call.  This is pretty straightforward and will likely be required on all route plans.

9.011! – International calls.  I still configure international call route patterns even if my customers don’t care for them.  I limit their use via Calling Search Spaces (CSS).  It’s better to have the route pattern configured and available to turn on at a moment’s notice in case the CxO starts asking why he can’t call London or Tokyo.  I use a “!” at the end of the route pattern to signal that there could be any number of digits after “011”, which is the international access code for the United States.  The caveat is that you must wait for the interdigit timeout to expire before the call is dialed.  You can add an octothorpe (#) after the “!” to signal that you are done dialing digits, but if that is your only route pattern, you must dial the # or the call will not go through.

The remaining two route patterns that get configured are a little trickier and often cause issues on the system depending on how they are configured.  Local calling is different depending on where you live.  Some metropolitan areas are still on the small side, so you are allowed to dial only seven digits to complete a call.  This is true where I live in Oklahoma City, which is totally contained in the 405 area code.  In other areas, such as Dallas/Ft. Worth or New York City, there are so many telephone numbers that you must use a full 10-digit number to make a call.  As more and more phones are sold and activated, especially cellular phones, the move to 10-digit dialing for most everyone is inevitable.  Until the day when 10 digits are universal, there are some things to keep in mind for route patterns.

9.[2-9]XXXXXX is used for 7-digit dialing for local calls.  9.[2-9]XX[2-9]XXXXXX is used for 10-digit local calling.  If both of these route patterns are configured on the system at the same time, there can be issues.  In the best case, users must wait for the interdigit timeout to expire on local calls, since when only 7 digits are dialed CUCM is still waiting to see which route pattern to match for the call to complete.  In the future, there will be no use for the 7-digit pattern, and only the 10-digit pattern will be present.  Until that time, here’s a trick you can use to help avoid the interdigit timeout for local calls.

Configure the 7-digit pattern for your local calls.  If you live in an area like I do where some calls inside your area code can be dialed as 10 digits and not be long distance, i.e. not prefixed with a “1”, then configure a 10-digit route pattern with the explicit area code set, such as 9.405[2-9]XXXXXX.  You don’t need to configure a generic 10-digit route pattern in this case, since any non-local call outside your area code will require a “1” to dial.  This will help you avoid the interdigit timeout on local calls, which should keep your users from rioting.  When your city or county or area code finally implements an overlay area code and starts requiring the use of 10-digit dialing, simply remove the explicit area code route pattern (9.405[2-9]XXXXXX in the above example) and the 7-digit route pattern and configure the 10-digit route pattern, 9.[2-9]XX[2-9]XXXXXX.
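To see how the patterns above interact in CUCM digit analysis, here is an added example (my own toy model, not the post’s configuration or any Cisco code) that reports which dial strings route immediately and which sit in the interdigit timeout. It assumes the post’s patterns as listed, the 405 area code from the trick, and constructed test numbers; real CUCM also applies route filters, partitions and calling search spaces.

```python
# Toy model of CUCM digit analysis for the route patterns in the post.
# Real CUCM also applies route filters, partitions and calling search spaces.

# Route patterns from the post; "9" is the pre-dot PSTN access code.
NANP_PATTERNS = [
    "911",                     # emergency, urgent priority
    "9.911",                   # emergency via access code, urgent priority
    "9.[2-8]XX",               # service codes
    "9.1[2-9]XX[2-9]XXXXXX",   # long distance
    "9.011!",                  # international, variable length
    "9.[2-9]XXXXXX",           # 7-digit local
    "9.[2-9]XX[2-9]XXXXXX",    # 10-digit local
]
URGENT = {"911", "9.911"}      # patterns with Urgent Priority set

# The post's trick for a single-area-code city (405 is the author's example):
# drop the generic 10-digit pattern and add one with the area code spelled out.
TRICK_PATTERNS = [p for p in NANP_PATTERNS if p != "9.[2-9]XX[2-9]XXXXXX"]
TRICK_PATTERNS.append("9.405[2-9]XXXXXX")


def tokenize(pattern):
    """Split a route pattern into one token per dialed character.

    A token is the string of characters it accepts, or "!" for the
    variable-length wildcard. '.' is only the pre-dot marker.
    """
    tokens, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "X":
            tokens.append("0123456789")
        elif c == "!":
            tokens.append("!")
        elif c == "[":                       # digit range such as [2-9]
            j = pattern.index("]", i)
            lo, hi = pattern[i + 1:j].split("-")
            tokens.append("".join(str(d) for d in range(int(lo), int(hi) + 1)))
            i = j
        elif c != ".":
            tokens.append(c)                 # literal digit, '#' or '*'
        i += 1
    return tokens


def match_state(pattern, dialed):
    """Return (complete, extendable) for the characters dialed so far."""
    tokens = tokenize(pattern)
    ti, bang_digits = 0, 0
    for d in dialed:
        if ti >= len(tokens):
            return (False, False)            # longer than the pattern allows
        tok = tokens[ti]
        if tok == "!":
            if d.isdigit():
                bang_digits += 1             # '!' keeps swallowing digits
                continue
            # a non-digit such as '#' ends the variable-length run
            if bang_digits == 0 or ti + 1 >= len(tokens) or d not in tokens[ti + 1]:
                return (False, False)
            ti += 2
            continue
        if d not in tok:
            return (False, False)
        ti += 1
    if ti == len(tokens):
        return (True, False)
    if tokens[ti] == "!":
        return (bang_digits > 0 and ti + 1 == len(tokens), True)
    return (False, True)


def route_decision(dialed, patterns=NANP_PATTERNS):
    """Decide what CUCM does with the digits dialed so far.

    'route'   - send the call now
    'timeout' - a pattern matched but a longer one still could, so the
                caller waits for the interdigit timeout (15 s by default)
    'wait'    - nothing matches yet, more digits needed
    'reject'  - no pattern can ever match (reorder tone)
    """
    complete = [p for p in patterns if match_state(p, dialed)[0]]
    extendable = [p for p in patterns if match_state(p, dialed)[1]]
    if any(p in URGENT for p in complete):
        return "route", complete, []         # urgent priority ignores longer matches
    if not complete:
        return ("wait" if extendable else "reject"), complete, extendable
    if extendable:
        return "timeout", complete, extendable
    return "route", complete, extendable
```

With both local patterns present, a constructed 7-digit local call such as 9 555-2345 comes back as `timeout` because the 10-digit pattern could still match; with `TRICK_PATTERNS` the same digits come back as `route`.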

This should be enough to help you configure all of your NANP dialing needs without the horror that is 9.@.  Much like the <none> partition, 9.@ is a dirty crutch that usually ends up doing more harm than good, especially when it comes time to troubleshoot odd behavior of route patterns and why one is being overridden by something you can’t even see.  By having your route patterns explicitly configured, you not only gain more control over your dialing domain, but you also have the ability to block specific route patterns such as 900 numbers or those nasty Caribbean international calls without fear that a crusty old shortcut is still in your system causing you grief and costing you money.

Fun Links for Friday

I’ve been meaning to start a link round-up post each week to highlight some things that I read that I find interesting or that might slip through the cracks sometimes.

PaulDotCom: Virtualizing Junos

Many times when working with a client network or working on our own we have the need to test, document and validate certain network configurations in a test environment. Sadly not many have the money to have one so as to test different scenarios so as to gauge the impact that these changes might have on the production network. For a majority of configuration when it comes to system settings and routing a virtualized environment can be of great help, sadly anything ASIC or HW Specific configurations. On this blog post I will cover how to virtualize JunOS operating system to aid with testing and validating.

This does indeed work.  Remember though, that you need to be a Juniper customer to download the Junos images.

TED Talk: Beware of Online Filter Bubbles

As web companies strive to tailor their services (including news and search results) to our personal tastes, there’s a dangerous unintended consequence: We get trapped in a “filter bubble”and don’t get exposed to information that could challenge or broaden our worldview.

Something that never occurs to a person because they don’t realize what’s going on.  It seems that the Internet is walling off the outside world from us a piece at a time.

Stephen Foskett, Pack Rat: FCoE vs. iSCSI – Making the Choice

“FCoE vs. iSCSI” isn’t a battle or cage match. Your choice depends on many factors, and is more a reflection of convergence than a religious conviction

I get to have this conversation with my customers on a regular basis.  Stephen says it a lot better than I do, and he even has a slide deck.

Spin-Off Doctors

A story broke today that the rumor mill has Cisco considering spinning off the Linksys brand and perhaps even Webex as well.  The majority of response that I’ve seen from my peers ranged from pleasure to downright cheering.  It seems that people have pinned a lot of the ills that have affected Cisco recently on Acquisition Fever.  The fingers are firmly pointed at Flip and Linksys, and with Flip going the way of the dodo last month, Linksys remains as the demon of Cisco’s lack of focus.

I happen to agree with people that say that Linksys has caused Cisco to lose its way.  The Linksys acquisition was the point of the spear in Cisco’s drive to launch itself down into the consumer market.  John Chambers has always said that if Cisco can’t move into a market and be the best, they’ll buy someone and make them the best.  So it was with Linksys.  By snapping up a major player in the consumer market, Cisco could bring its guns to bear on a large base of potential customers.  I think that Cisco felt they had the enterprise market wrapped up tight and that those customers would see the Cisco name on a router in their local big box retailer and, just like Pavlov, they’d rush right out and buy it.  Two years ago, I remember seeing a news piece stating that Chambers was even going to retire the Linksys name and instead put the vaunted Cisco badge on all their products.  That never came to pass, and I think that shows what truly is behind the problems with a large company like Cisco playing down to the consumer.

When I walk into my local retailer, I see lots of boxes on the shelves with names like D-Link, Netgear, and Linksys.  I even see a lot of rebranded generic devices built from the cheapest parts available and graced with names like Rocketfish or CompUSA.  These are the products that consumers look for when they go to Best Buy or OfficeMAX.  They buy whatever is on sale or whatever the guy in the solid colored shirt recommends.  There isn’t any brand loyalty at the bottom of the totem pole.  I bought a very cheap CompUSA wireless router once upon a time just so my laptop could connect from the living room.  It lasted me about a year.  Once it died, I didn’t dig out my support contract and get a replacement unit from San Jose.  I just went down to Walmart and bought a replacement.  I think it’s much the same for customers the world over.  Consumer technology is mostly disposable to them.  There’s not much mission-critical equipment in the average house, so when something dies, it’s usually easier to replace it with a new gadget than it is shipping it off and waiting to get the same one back.  Customers don’t want maintenance contracts and next-business day support.  It’s dog-eat-dog down at the bottom and every penny you can squeeze out of your product is a penny you can put in your piggy bank.  No R&D, no investment in the future.  Just cheap circuit boards and minimal packaging with crappy instructions.

When Cisco finally found this out sometime late last year, it only made sense that they needed to start moving away from the consumer market.  The first to go was the ümi, Cisco’s failed foray into consumer Telepresence.  The average consumer doesn’t want to spend $500 for a video conferencing unit only to have to turn around and pay $50/month to make it work.  Flip was next to go, as Cisco never truly found a way to integrate it into their business model.  Other companies started doing it cheaper and better than Flip, and when the headsman’s axe fell, there were no survivors.  Linksys being spun off would give Cisco some breathing room in the low end of the market.  This would be key, since HP and Juniper are starting to take big bites out of the enterprise space Cisco has been so dominant in for years.  They need to leave the unprofitable consumer space to make up ground in their core business, and they’ve said as much recently.

Webex is an interesting challenge.  Most people that use it love it.  It’s much better than Cisco’s own MeetingPlace offerings, so much so that Cisco dumped their licensing deal with Adobe and now uses Webex for everything from product launches to TAC support calls.  It would seem that Webex integrates very tightly into the collaboration offerings that Cisco is touting.  I’ve heard from some insiders though that the Webex acquisition was a nightmare that never seemed to end.  Cisco touted the fact that it took them months to close the Scientific Atlanta purchase (one that still baffles me to this day) and closed on Webex in a matter of weeks.  However, I’ve been told that the Webex people never really integrated well with Cisco corporate.  There was a lot of infighting amongst the teams, and in fact several pipeline deals were being closed with nary a mention of Cisco.  It was almost as if the Webex people forgot who was purchasing whom, and the antagonism was palpable.  It wasn’t until a senior VP came into the Webex team and started canning the unruly people left and right that the message came across crystal clear – Webex is now a part of Cisco, not the other way around.

If the idea that Webex is still an autonomous unit under the Cisco umbrella is still pervasive among the Webex team, it might make sense for Cisco to spin off its problem child and just license the technology for its collaboration efforts going forward.  It almost seems that way today, with the Webex platforms being offered in a totally different manner from Cisco’s other product lines.  There have been some false starts in trying to leverage the cloud-based software as a service (SaaS) opportunities that Webex could offer, like Webex Mail.  I think Cisco isn’t for sure how to make Webex work outside of their web meeting product and rather than let that technology wither and die on the vine, it might be better to release it back into the wild and let it find its own way.

Tom’s Take

Cisco has already said that they are getting back to basics and concentrating on their core strategies.  They also said to expect some job cuts and the reduction of product lines.  People were shocked when Flip was shut down, but I think that’s the tip of the iceberg here.  Spinning Linksys into a separate company that can be more agile and focus in on the consumer and small business markets is an outstanding idea.  It gives the Linksys team the ability to stay competitive in their primary area of business without feeling the pressure from their corporate overlords to make money hand over fist.  At the same time, the rumor to spin off Webex is shocking to most, as the service is beloved by all of its users and no doubt will flourish in any form.  I think this is more of a culture clash between old-guard Cisco and the Webex team.  The only real way to sort this mess out is to let them go their separate ways and maybe one day they can hang out again as just friends.  Cost cutting and retrenching of your product lines is never a fun task, and it usually calls out the wolves ready to decry your fall from grace.  However, in the case of Cisco I think that spinning off these clunkers is just what the doctor ordered.

Rollover Beethoven – USB’s In Town

Every Cisco engine…rock star in the world should have a rollover cable or two stashed away in their bag/car/pocket just in case.  The rollover serial cable is the hallmark of access to a Cisco device.  The console port is the last resort for configuration when all else has gone wrong.  It is the first thing you should plug into when you boot up a router for the first time and the best way to get info you couldn’t otherwise find.  However, the days of the serial cable are quickly becoming numbered.

It wasn’t all that long ago that every PC manufactured included a 9-pin serial connection.  These ports were handy for all kinds of devices, including printers and modems.  However, with the introduction of Universal Serial Bus (USB) connections, the usefulness of the serial (and parallel) ports has been waning quickly.  USB brought a higher speed connection that integrates more tightly into the system, so the days of configuring devices with DIP switches and playing COM port roulette have long since passed.  As it is with any transition, though, there have been some holdouts in the movement to retire serial ports.  While some of these are understandable due to outdated single-purpose technology, others have never made any sense to me, like the Cisco rollover console cable.  Surely there must be a better way to connect to the serial port of a device than with an outdated technology holdover from the 80s?  I myself am a victim of this kind of thinking, having used an IBM T30 Thinkpad well past its useful life simply because it had an integrated serial port and my replacement laptop wouldn’t.

When Cisco developed the new ISR G2 line of routers, someone in the console access department finally decided to wake up and get with the 2000s.  Thanks to their efforts, the Cisco routers and switches manufactured today have started including a new console access option:

In the picture above, you can see the familiar RJ-45 console port to the right and the newer USB console port to the left, indicated with the USB icon.  This new port allows those of us that have spent most of our lives using the flat blue rollover serial cables to add a new, exciting cable to our bag, the USB A-to-mini cable.

The new USB port allows you to access the router’s console with a newer cable instead of relying on the standby rollover cable.  However, you need to take a few steps first.  If you’re running Windows, you have to head out to the Cisco Connection Online (CCO) download page and pull the driver for your operating system.  Make sure you specify 32-bit or 64-bit, since this driver will be masquerading as a COM port on your system, and you don’t want to waste time downloading a driver that won’t load.  Once you’ve installed the driver, you can plug the USB cable into any USB port on your laptop and then into the router.  It will look like an additional COM port on your system, probably with a high number like COM6 or COM7, so make sure you’ve got a terminal emulator that allows you to choose your COM port.  I tend to use TeraTerm for this very reason, but your terminal program of choice should do nicely.  For those of you in the audience with Macbooks, you don’t need to download any drivers at all.  Seems like OS X already has the right driver built in, so just plug in and get cranking.  As a quick aside, Cisco will attempt to sell you a $30 USB console cable when you order the router. JUST. SAY. NO.  This is a regular USB A-to-Mini cable that can be purchased at Walmart for about $10.  You can even use the USB cable that came with your digital camera or Blackberry or old Motorola RAZR.

Once you get attached to the USB console port, you’ll find that it works pretty much the same as the RJ-45 port that you’ve become attached to over the years.  You can also plug a regular old serial cable into the RJ-45 port if you need a second connection.  The RJ-45 console port will mirror what’s going on with the USB console port.  However, since they’re both Console 0, only one of them gets preference on the input, and that’s the USB port.  So if you have a terminal access server plugged in for reverse telnet connections and someone comes in and attaches a USB connector, you can watch what’s going on but you can’t do anything about it.  You can specify a timeout value if you’d like so that an idle USB session is forced to log out after a period of inactivity instead of holding the line indefinitely.  You can do that with the following command:

Router(config)# line con 0
Router(config-line)# usb-inactivity-timeout <value in minutes>

Note that this command doesn’t work on the 2900 series ISR G2 routers for some strange reason.  Oh well, feature request down the road.  For those of you out there that don’t feel comfortable with the idea of having just anyone off the street walking up and consoling into your router via USB, you can always disable the USB console port in favor of the RJ-45 connection as follows:

Router(config)# line con 0
Router(config-line)# media-type rj45

Bingo.  USB port locked out.  Now only those people in possession of a serial-to-USB adapter or a Redpark iOS Console Cable will have access.  Keep in mind that this only chooses which physical connector is live; it does nothing to authenticate whoever plugs into the RJ-45 side.  The console line still needs the usual password or login local and an exec-timeout, exactly as it did before the USB port showed up.
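Since the console hardening above ends up scattered across a handful of line commands, here is an added example (mine, not from the original post and not Cisco’s own tooling) that reads a running-config and reports whether con 0 is in the state just described: whether the USB connector is pinned off with media-type rj45, whether the idle timeouts are present, and whether anyone with a cable lands at an EXEC prompt without logging in.  The two config snippets are constructed for the example; the command names are the real IOS ones, and the assumption that an unset exec-timeout means the IOS default of 10 minutes is noted in the code.

```python
"""Audit the 'line con 0' stanza of an IOS running-config for the USB console
settings discussed above.  Added example, not code from the original post."""

import re

# Constructed sample: a con 0 stanza left at its defaults, plus surrounding
# lines so the parser has to find the right stanza and stop at the next one.
SAMPLE_CONFIG_WEAK = """\
hostname R1
!
line con 0
 logging synchronous
line aux 0
line vty 0 4
 login local
 transport input ssh
!
end
"""

# Constructed sample: the same router with the console line locked down.
SAMPLE_CONFIG_HARDENED = """\
hostname R1
!
line con 0
 exec-timeout 5 0
 usb-inactivity-timeout 5
 login local
 logging synchronous
 media-type rj45
line aux 0
 no exec
line vty 0 4
 login local
 transport input ssh
!
end
"""


def console_stanza(config):
    """Return the indented commands under 'line con 0' (empty list if absent)."""
    commands = []
    in_con = False
    for line in config.splitlines():
        if re.match(r"^line con(sole)? 0\s*$", line):
            in_con = True
            continue
        if in_con:
            if line.startswith(" "):
                commands.append(line.strip())
            else:
                break  # next top-level stanza; con 0 is finished
    return commands


def audit_console(config):
    """Return a dict describing the console line and a list of findings.

    usb_console_enabled     True unless 'media-type rj45' pins the line to RJ-45
    usb_inactivity_timeout  minutes configured, or None
    exec_timeout            (minutes, seconds), or None when not set explicitly
                            (assumption noted in the lead-in: IOS default is 10 min)
    login                   'local', 'password', 'aaa', or None (no authentication)
    """
    stanza = console_stanza(config)
    result = {"usb_console_enabled": True, "usb_inactivity_timeout": None,
              "exec_timeout": None, "login": None, "findings": []}

    for cmd in stanza:
        if cmd == "media-type rj45":
            result["usb_console_enabled"] = False
        m = re.match(r"usb-inactivity-timeout (\d+)$", cmd)
        if m:
            result["usb_inactivity_timeout"] = int(m.group(1))
        m = re.match(r"exec-timeout (\d+)(?: (\d+))?$", cmd)
        if m:
            result["exec_timeout"] = (int(m.group(1)), int(m.group(2) or 0))
        if cmd == "login local":
            result["login"] = "local"
        elif cmd == "login":
            result["login"] = "password"
        elif cmd.startswith("login authentication "):
            result["login"] = "aaa"

    if not stanza:
        result["findings"].append("no 'line con 0' stanza found")
    if result["login"] is None:
        result["findings"].append("console has no login: anyone with a cable gets an EXEC prompt")
    if result["usb_console_enabled"] and result["usb_inactivity_timeout"] is None:
        result["findings"].append("USB console active with no usb-inactivity-timeout")
    if result["exec_timeout"] is None:
        result["findings"].append("exec-timeout not set explicitly (IOS default is 10 minutes)")
    elif result["exec_timeout"] == (0, 0):
        result["findings"].append("exec-timeout 0 0 disables the idle logout entirely")
    return result


if __name__ == "__main__":
    for name, cfg in (("weak", SAMPLE_CONFIG_WEAK), ("hardened", SAMPLE_CONFIG_HARDENED)):
        print(name, audit_console(cfg)["findings"] or ["ok"])
```

Run it against the output of show running-config pulled over your existing management path; the weak sample trips all three checks, the hardened one comes back clean.  Note that media-type rj45 only removes the USB finding because the USB connector is no longer live, so the script treats the two as alternatives rather than insisting on both.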

Tom’s Take

I have three rollover cables in my various laptop bags.  I keep two for emergencies and one in case someone doesn’t have theirs.  I passed out console cables to all my engineers and technicians once and told them the next time I asked them for their console cable, they’d better present this one to me.  A console cable is an indispensable tool for anyone that works on Cisco equipment.  Having the USB option is always welcome since I no longer have to fumble for my USB-to-serial adapter or worry that the dodgy drivers are going to bluescreen my Windows 7 64-bit laptop over and over again.  Still, there is a lot of Cisco equipment out there with the older RJ-45 cable setup as the only console option.   So you can’t just throw out the old rollover serial cables just yet.  Better to throw a USB cable in your bag for those glorious days where you get to access a newer device.  Then you can await the day when you can bury your rollover cable alongside Beethoven.

The Century Club

I’m not usually one for milestones on things, but I wanted to take a second for my 100th blog post.  In truth, when I started this thing back in September, I never thought I’d have a hundred posts in me.  I just wanted to get a few things off my chest that wouldn’t fit into 140 characters on Twitter.  I never expected anyone to take an interest in my ramblings about stuff.  But, for some reason, you all came to see what was floating around in my mind and it’s really taken off from there.  This blog has been more than just an outlet for harping on about NAT or being funny some of the time.  It’s also helped me to hear from vendors I might not otherwise talk to, get a weekend job running my mouth, and enjoy the fame and fortune of being a semi-famous technology blogger.  Still waiting on the fame and certainly the fortune, though.

Since making my very first post on September 23rd, I’ve taken 234 days to post 100 entries.  That works out to be a post about every 2.5 days, which is much better than the unofficial standard I hold myself to of trying to post about once a week.  I’ve had about 31,000 visitors so far, on average about 190 a day.  Not bad for someone that thought they’d be lucky to get 10 readers.

I thought it might be fun to revisit the most popular posts out of my first hundred.  I was a little shocked by some of them:

#5 – The Recertification Treadmill Aside from my huge Wall of Shame behind my desk, I get a lot of questions about certifications in the industry.  People want to pass the CCNA or the JNCIA and then run right out and get a job.  This post was a way to let people know that there is another side to doing nothing but taking tests all the time.  It was also my hope that certification organizations would perk up and start offering CPE-like credits for recertifying.  Eh, maybe next year…

#4 – Fruit Company Console: My Review of the Cisco Console Companion for the iPad/iPhone I really liked this one.  I got to review a piece of technology that people were curious about and put it through its paces.  I wrote a long article with tons of pictures and explanations about the inner workings of the cable and the software.  I even got the developer to leave a comment about upcoming features!  This post was responsible for my largest amount of traffic in one day, 523 page views.  It was kind of humbling to see that people wanted to hear my opinion about something.

#3 – Hooray for Bruno! My discussion of the addition of layer 2 troubleshooting to the CCIE lab and my summation of the Cisco discussion threads about it.  Not that big a deal when it came out, but it consistently gets hits from search engines each week.  My post right before it about the announcement of the addition of the layer 2 stuff was a little more emotional and perhaps a little over the top, but I think getting grounded back in the reality of things and posting a follow up with hard facts as opposed to screaming was a little better overall.  I guess CCIE candidates are still curious about what to expect inside that little room, and Google sends them my way for some reason.

#2 – God Help Us, We’re In The Hands Of Engineers Without a doubt, the post that really launched my blog.  Crafted because of a comment someone left on Jeremy Stretch’s blog, this post took off like wildfire.  I got tons of DMs about it from my fellow enginee…rock stars telling me they loved it.  My post was the result of my irritation at the idea that people in the IT industry can’t use the term “engineer” to describe themselves.  My comment leveled at P. Eng was my frustration at the fact people think it’s a title that should be put on a pedestal.  At the end of the day, I might have taken the troll bait, but I felt better about things, and from what I’ve been told a few other people did as well.  I still use the term “rock star” on here to refer to network engineers as a way to poke a bit of fun at this post.  This was the first post on my blog to reach 1,000 views.

#1 – CUVA Windows 7 64-bit Support To be completely honest, this is the most shocking thing I’ve seen in my first hundred posts.  I wrote this post when I was trying to get my old CUVA camera working with my new Windows 7 64-bit laptop.  I found the answers scattered across a Cisco forum and buried 6 or 7 pages into the thread.  I decided to clarify them a little and post them here so that I could find them again if I needed them.  This wasn’t an instant success like the Engineer or Console Cable posts, but it does receive the most consistent traffic stats each week.  I guess that there are enough CUVA cameras out there that don’t work with the new versions of Windows that people want to start searching the Internet to make them operational again.  This post only recently overtook the Engineer post as the #1 viewed post on my site, and at the rate it gets hits, I doubt anything will overtake it in the foreseeable future.

Those are the highlights of my first hundred posts.  How about the next hundred?  Well, I’m considering starting a sort-of weekly link posting.  I read a lot of stories during the week, and I discuss some of them on the Packet Pushers podcast, but I don’t get to talk about all the things I digest.  I figure by highlighting a few of them, especially the good commentaries, it will help share some of the things I encounter during my scouring of the Internet.  What else?  I’m really curious to hear what you have to say about what I’ve written.  More humor?  Less humor?  More technical deep dives into things?  More CCIE stuff?  Less CCIE stuff?  I write whatever pops into my head most of the time, but if I know there are things that my audience likes to read, I can focus more on those.

In the end, I want to thank each and every one of you that read my blog.  Committing thoughts to phosphors doesn’t really impact me one way or the other.  I would probably do it even if I had zero readers, as it’s kind of cathartic to be able to get this stuff out of my head and down somewhere semi-permanent.  But my readers take time out of their busy lives to read through things and post comments, discuss, and share my thoughts with others.  It goes without saying that my attendance at Tech Field Day and my regular spots on Packet Pushers would not have been possible without all of you believing in me enough to stick with me while I figured this whole blogging thing out.  Once again, thank you from the bottom of my heart.

Stay tuned for the next hundred posts.  We’ll see what happens from here.

Unity In Your Community – Unified Messaging

Voice mail is a funny thing in the IT industry.  Some people live by it and use it as their primary form of communication.  Others would prefer to take voice mail and throw it into a river.  Regardless of your views, configuring voice mail to integrate with other forms of communication has been an interesting task in the past to say the least.  I’d like to take a few words to talk about unified messaging as I understand it and why I find it so critical in my infrastructures that I design and build.  Note that I’ll be discussing Cisco unified messaging for the most part, with a little Microsoft flavor thrown in here and there.

If you’ve been using a Cisco phone system at any time in the past 10 years, you are probably intimately familiar with Cisco Unity.  Unity has been the flagship voice mail system for Cisco from the very start of their journey down the road of unified communications.  Unity at its heart is a place to store voice mail messages and retrieve them, usually via phone.  It allows you to provision a server for many different kinds of voice mail interfaces besides Cisco CallManager, such as Octel or PIMG.  However, the thing that has most attracted people that I talk to is the promise of what Cisco calls “Unified Messaging”.  This is the idea that your voice mail messages are stored in the same container as your other forms of communication, in this case emails.  By locating the voice messages in the same area as your email, you only need to look at one program or portal to receive all of your messages, voice or electronic.  That is the real promise of unified communications, and the one that I managed to sell my users on.  Couple in the fact that you could receive email on a smartphone and you can get your office voice mail no matter where you might be.  However, Unity is not without its drawbacks.

How exactly do you pull off unified messaging?  Well, the key lies in the fact that Unity only supports unified messaging on Microsoft Exchange or Lotus Domino platforms.  You need to specify your platform when you order.  Why’s that?  Because the Unity server you load is actually an Exchange or Domino platform that integrates with your existing environment.  Even if you order a Unity server as a stand-alone voice mail server, you are still loading Exchange and using it to store voice mail messages, except you can only retrieve them via telephone (unless you are crafty…).  Unified messaging can only work if you are storing the messages on a “partner” server, which is a box other than the Unity server.  Essentially Unity serves as a gateway to move messages to the Exchange or Domino server.  This isn’t without its challenges.  Unity requires your directory schema to be extended in order to support unified messaging.  Since the latest versions of Unity still load Exchange 2003, you must be able to support that version in your environment, which can be difficult for those that have been running Exchange 2007 or 2010 for a while.  Any time you install a major patch to your partner Exchange server, you have to patch Unity to work with it.  When we upgraded our Exchange 2003 server to 2007, it took two major patches and a few hours to sort out the resulting mess.  I didn’t even want to think about what might happen once we upgraded to Exchange 2010.  Unity 8 has dropped all support for Domino, so if you want to keep unified messaging with Domino you’re kind of stuck.  You still need to use Windows Server 2003 to install and support Unity.  The list could go on for a while, but all you really need to do is go find a Cisco voice person and casually mention Unity to them.  Odds are good you’ll see them twitch, followed by horror story after horror story about Unity.

Cisco has been developing a different form of server for the past few years in parallel to the Unity development.  Originally designed to be a smoother integration with Cisco CallManager, Cisco Unity Connection was positioned to those customers that didn’t need full unified messaging and didn’t need thousands of subscribers.  While the 1.x versions still relied on Windows as the server OS, the message store did not need Exchange or Domino to function.  As Cisco started migrating the CallManager platform from Windows to a Linux-based OS, so too did Unity Connection slowly migrate to the same Unified OS under the hood.  This helped Cisco avoid paying license fees to Microsoft for each CallManager or Connection system sold.  The shift to Linux came in part because Cisco could release security patches for the whole platform at once, without the need to wait on Microsoft to patch OS vulnerabilities and then have Cisco test those same patches to ensure the CallManager or Connection software still functioned.  Also, when Microsoft introduced Exchange 2007 they included a role for Exchange called Unified Messaging.  This was the beginning of Microsoft’s push toward voice software, and many say that it came because Cisco was having so much success using Exchange as a voice message store that Microsoft wanted to jump in the game.  Hence, Cisco had a great desire to move their voice messaging platforms to a non-Microsoft OS.  There was still a problem, however.

Without Exchange or Domino, there is simply no way to provide true Unified Messaging.  Cisco attempted to do something similar in Connection 6.x and 7.x with what they called “Integrated Messaging”.  This allowed a customer to attach to Connection as an IMAP mailbox or to have Connection deliver a copy of the message to your Exchange mailbox as a forwarded email.  This presented a couple of problems for customers such as the users that I support.  Firstly, my users wanted the ability to check their messages from outside the office.  With Unity, all their messages are delivered into their mailboxes, so they just check the one email account.  With Connection, they needed to log into the Connection server, so I would have needed to expose the Connection server to the outside Internet, something I wasn’t exactly comfortable with.  Secondly, with Unity when a message is checked in Outlook or on the web, it changes the state of the message waiting indicator (MWI) to reflect that the message has been listened to.  For some of my users, the volume of voice mail they receive would cause a panic attack if I told them they had to listen to each message on the phone to clear that light.  Because of things like these, no matter how much I may have hated Unity, I couldn’t get rid of it because Connection didn’t do everything I needed it to do.

Enter Unity Connection 8.5.  Cisco has gone to great lengths to create a true unified messaging platform, sans Exchange.  Sorry for those Domino users out there, but Connection 8.5 only supports unified messaging on Exchange.  I think both of you Domino people left in the world will have plenty of time to think about where you’ve gone wrong.  Anyway, Unity Connection 8.5 uses an agent to track the message state in the message store and synchronize it with the copy of the message that is deposited in your Exchange mailbox.  Listen to the voice mail on your phone and the message is marked as read in your inbox.  Delete the message from your inbox and it is removed from your phone and placed in the trash, which is a lot better than it just being outright deleted like it was in Unity.  This is the kind of unified messaging behavior that finally got me to the point of migrating my users off of Unity.  After judicious use of COBRAS, I was able to get my users up and running on Connection and shut off Unity once and for all.  The only “change” was a couple of users asking me if the Cisco Lady’s voice had changed for some reason, since the Connection voice prompts were a little newer than the old ones found on Unity.

Tom’s Take

Unified messaging is a great thing, but the infrastructure that needs to be in place to support it isn’t.  It gives us headaches and indigestion from all the moving parts needed to make the whole thing work correctly.  Those that have survived a Unity install and have labored to support it would do well to take a look at Unity Connection 8.5.  It provides almost every feature you might want from Unity while leaving all the old Microsoft cruft behind.  For those that have never had the ability to use unified messaging, you should definitely give it a try.  You’ll find your users thanking you.

The Land Of Opportunity

It’s been *checks watch* about 38 minutes since I last thought about NAT, so it’s probably time to sit down and write some more about it.  I’ve got an image to uphold after all.  I wrote about my position on NAT a couple of posts ago, and in it I discussed NAT64.  I railed against it much the same as introducing any kind of NAT into IPv6.  Ivan Pepelnjak, a very well respected and frighteningly intelligent networking rock star, listened to the Packet Pushers show that fueled my rant and read my blog post.  He then posted an article where he takes NAT64 and puts it into proper perspective.  I read through it, and guess what?

He’s absolutely right.

Yep, Ivan nailed that one.  NAT64, which lets IPv6-only hosts reach IPv4 hosts by having a translator rewrite their IPv6 packets into IPv4 packets (and the replies back again), has a use when it comes to allowing the IPv6 Internet to access content that is still stuck on the IPv4 Internet.  Without some sort of translation mechanism, those IPv6-only hosts will be walled off from the IPv4 Internet in general.  The other methods he discusses are either completely insane, like Carrier-grade NAT (NAT444), or are impractical from a support standpoint, like dual-stacking.  I happen to think dual-stacking is the way to go with this, but I don’t want to be the local ISP trying to support a D-Link router running a dual stack when someone’s mom calls for support.
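To make concrete what the translator is actually doing, here is an added example (mine, not Ivan’s and not from the original post) of the RFC 6052 address mapping that NAT64 and its DNS64 companion use with the well-known prefix 64:ff9b::/96: the IPv4 server address is embedded in the low 32 bits of an IPv6 address, the translator recognizes packets headed to that prefix and rewrites them to IPv4, and a DNS64 resolver only synthesizes such addresses for names that have no AAAA record.  The addresses are documentation-range values constructed for the demo; a network-specific prefix with a length other than /96 is out of scope here.

```python
"""NAT64 / DNS64 address handling with the RFC 6052 well-known prefix.
Added example, not code from the original post."""

import ipaddress

# The well-known NAT64 prefix; the IPv4 address sits in the final 32 bits.
WELL_KNOWN_PREFIX = ipaddress.IPv6Network("64:ff9b::/96")


def synthesize(ipv4, prefix=WELL_KNOWN_PREFIX):
    """IPv4 -> IPv6 under a /96 NAT64 prefix: the address DNS64 hands an
    IPv6-only client for a name that only has A records."""
    if prefix.prefixlen != 96:
        raise ValueError("only /96 prefixes are handled in this example")
    v4 = ipaddress.IPv4Address(ipv4)
    return ipaddress.IPv6Address(int(prefix.network_address) | int(v4))


def extract(ipv6, prefix=WELL_KNOWN_PREFIX):
    """IPv6 -> embedded IPv4 address, or None when the address is outside the
    NAT64 prefix (native IPv6 traffic the translator must leave alone)."""
    v6 = ipaddress.IPv6Address(ipv6)
    if v6 not in prefix:
        return None
    return ipaddress.IPv4Address(int(v6) & 0xFFFFFFFF)


def needs_translation(dst_ipv6, prefix=WELL_KNOWN_PREFIX):
    """Per-packet decision at the NAT64 box: rewrite to IPv4, or forward natively?"""
    return extract(dst_ipv6, prefix) is not None


def dns64_answer(aaaa_records, a_records, prefix=WELL_KNOWN_PREFIX):
    """What a DNS64 resolver returns to an IPv6-only client for one name.

    Native AAAA records win outright; synthesis only happens when the name is
    IPv4-only.  Returns (list of IPv6 addresses, synthesized?).  This is the
    mechanism behind Ivan's point: dual-stacked content never touches NAT64.
    """
    if aaaa_records:
        return [ipaddress.IPv6Address(a) for a in aaaa_records], False
    return [synthesize(a, prefix) for a in a_records], True


if __name__ == "__main__":
    # Constructed sample names: one dual-stacked, one IPv4-only (RFC 5737/3849 ranges).
    native, synth = dns64_answer(["2001:db8::1"], ["192.0.2.33"])
    legacy, synth2 = dns64_answer([], ["192.0.2.33"])
    print("dual-stack name  ->", native, "synthesized:", synth)
    print("IPv4-only name   ->", legacy, "synthesized:", synth2)
    print("translate", legacy[0], "?", needs_translation(legacy[0]), "->", extract(legacy[0]))
    print("translate", native[0], "?", needs_translation(native[0]))
```

The two paths in dns64_answer are the whole argument in miniature: publish a AAAA record and your IPv6-only visitors connect to you directly; publish only an A record and every one of them is funneled through somebody else’s NAT64 box, with all the state, logging and breakage that implies.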

Ivan’s final point of the article hits home in a way that should make people sit up and pay attention.  “The proper way to tackle this issue is to make your content available over IPv4 and IPv6. IPv4 clients won’t notice it and IPv6 clients will use native IPv6 connectivity bypassing NAT64.”  He’s spot on with this one too.  If you build your content aware of both IPv4 and IPv6, you won’t have any real issues when it comes to IPv6-only hosts.  I’m going to take this one step further, though.  Let me ask a question that I think really cuts to the heart of the Internet in general when it comes to content creation and consumption:

What content would you access that is IPv4-only?

Right now, that question would be answered with “everything”, since IPv6 adoption is spotty at best.  However, with World IPv6 Day looming in less than a month, the sponsor list is growing quickly.  Google, Yahoo, & Facebook are already on board, and 163 more companies are ready to flip the switch as well.  If you think about it, there’s a great importance that should be attached to making your content IPv6 accessible.  In my IPv6 presentation, I talked about the impact of new content providers in the APNIC region creating things that you won’t be able to see if you are on the IPv4 Internet, since they are out of IPv4 addresses totally at this point, for all intents and purposes.  However, look at it from the perspective of an IPv4-only content provider.  You’ve got all this great content that you want to serve out to your audience.  Many of your audience members are starting to hear about IPv6 and wonder how it will be implemented.  More still, like those in the APNIC region, are unable to view your IPv4 content right now.  For those hopping on the IPv6-only Internet, it probably looks a lot like it did back in Vint Cerf’s day – a whole lot of nothing.  If you want to stake your claim for your content, are you going to wait for someone to come out with a NAT64 appliance?  Are you going to sit around until an IPv6-to-IPv4 transition is possible on a load balancer?  If you are, you had best start packing up your office, because you won’t stick around for long.  The handwriting is already on the wall.

World of Warcraft, the largest Massively Multiplayer Online Role-Playing Game (MMORPG) enabled IPv6 connectivity in their recent v4.1.0 patch.  They’ve been talking about it since March.  Now, those 10 million subscribers won’t have to worry about NAT64 if they get assigned an IPv6-only prefix.  They’ll just keep on playing the same way they’ve always played.  I think it’s going to end up being the same for 75% of the services that you use today.  Things like e-mail, calendaring, and popular websites will be IPv6 ready well ahead of any kind of IPv4 exhaustion.  Those that rely on advertising revenue won’t hesitate to get IPv6 enabled so as to not lose out on an untapped market of IPv6-only hosts.

Tom’s Take

NAT isn’t pretty.  It’s a necessary evil.  It has uses, and as Ivan pointed out they can be pretty important to keep the content-rich Internet from looking like a barren desert.  But at the same time, there is a path away from the need to slap a NAT64 band-aid on things.  By enabling IPv6 now, you avoid the expense and hassle of needing to wait for NAT64 to be finalized and argued about until the vendors are blue in the face.  You, as a content provider, can serve your content and ads and subscriptions to a whole new world of consumers in this new land of opportunity while the IPv4-only world gets left by the wayside, trying to figure out how to patch the problem rather than fixing it right the first time.

As a side note here, if you are at all interested in IPv6 and its implementation and impact, you need to sign up for Ivan’s excellent webinars.  He’s a genius when it comes to MPLS, IPv6, and datacenter networking.  In fact, do yourself a favor and save money by just buying a subscription to all of them.  At $199, it might sound like a pricey purchase, but since you’re going to want to listen to everything he’s got to say, it works out to be a great investment in your future.