Extreme Altitude 4511 Wireless Access Point Announced

September 26th 2011

Extreme Altitude 4511

Extreme Networks have announced a new low footprint wireless access point the Altitude 4511. The unit is designed to simplify wireless deployment by being able to install onto existing wall sockets that hold RJ11 or RJ45 sockets. Interestingly, the access point can also act as a controller for up to 24 other units which in our view is a teriffic idea and will simplify deployment.

The unit itself is about the size of an iPhone and is built on an Atheros chip set. All of Extreme’s enterprise wireless management facilities are supported including Dot1X authentication.

Barry Hesk

Cisco Catalyst 6500 New Modules

September 19th 2011

Cisco Systems have recently announced a series of new modules available for the Catalyst 6500 series platform which has already celebrated its 10th birthday. According to a well placed source, these annoucements are intended to carry the 6500 well into its 2nd decade.

In Summary:

A new VSS capable supervisor, the Supervisor 2T is available which provides up to 2 Terabits of switching capacity per platform, with up to 80 Gbps per slot.

A new range of high density 10 Gb interface cards, and for the first time, a non oversubscribed 8 port 10 GB module.

Existing 67XX 10 GB modules are NOT supported on the Sup2T. The newer 68XX and 69XX modules are not supported on the older Supervisors including the Sup720s.

Some points on 10 GB Support:

If you stay with Sup 720, you have a choice of the following 10GB modules, each of which has a 40 GB switch fabric connection.

X6704 – 4 Port X2 Module. RRP £12.5k. No oversubscription. X2 modules additional.
X6708 – 8 Port X2 Module. RRP £24k. 2:1 oversubscription. X2 modules additional.
X6716G – 16 Port X2 Module. RRP 25k. 4:1 oversubscription. X2 modules additional
X6716T – 16 Port Copper Module. RRP £14k. 4:1 oversubscription.

If you move to the Sup2T, you have some additional options, however you can’t use any of the above modules.

X6816G – 16 Port X2 module. RRP £25k. 4:1 oversubscription. X2 modules additional
X6816T – 16 Port Copper Module. RRP £14k. 4:1 oversubscription.

X6908G – 8 Port X2 module. RRP £25k. No oversubscription.

68XX modules have a 40 GB switch fabric connection.
69XX modules have a 80 GB switch fabric connection.

Barry Hesk

PPPOA failures on IOS 15.1

September 17 2011

Just a quick one. All latest versions of version 15.1 IOS on CCO have a major bug when it comes to ADSL.

If the underlying ATM interface bounces at any point, the PPPOA dialer interface will go down, and will never recover without a reboot. The ATM interface will show as up, however all outbound packets will be dropped. PPP will show request time outs as if the remote end isn’t responding.

We have a TAC case open and will update this post with fix details. It’s been acknowledged by TAC as a bug.

15.0(1)M trains seem to be ok, and it seems to be something that has crept into 15.1.

Barry Hesk

Intrinsic Connect RSS Feed

Being based on WordPress, Intrinsic Communications Connect is available as an RSS feed.

You can simply copy the attached link into any RSS capable piece of software which includes most browsers and email clients. If you subscribe to the feed, you will automatically be updated each time a new post is created.


Barry Hesk

Cisco CP-6921 handset restrictions

15 September 2011

Cisco have recently marked as end of sale the CP-7911 handset which is a “work horse” handset for many customer deployments. The 6921, featuring a headset port and full duplex speakerphone which the 7911 didn’t have, seems to be an attractive option however there are a few of restrictions to be aware of.

1. The 6921 whilst being a two line phone does not support two calls per button. The second channel can only be used for transfer or conference. This is unlike the way that the 7911 operates which provides two calls per button.

2. DND does not work on the handset when mapped to a softkey. This is an issue that is known by Cisco and there is a workaround of setting it to the 2nd button. However, if you want to use the 2nd button as a second line, you can’t use DND. This does not sound great to us.

3. Auto Answer on headsets. Other Cisco handsets that support auto answer on headsets provide the ability to play a “zip” tone on auto answer so that the agent knows a call has just arrived. The 6921 does NOT support this tone and we don’t know why. It can seemingly play the tone for internal calls, however it does not play it for external calls. Cisco TAC confirm that this is expected behaviour however we haven’t been able to find any documentation that reflects this. It also seems like a very strange restriction. Net result, we’d be loath to recommend 6921s with headsets if you want auto answer.

So all in all, be careful how you deploy 6921s. They are not as attractive as they appear at first glance.

Barry Hesk

Cisco IOS AnyConnect SSL VPN Configuration

15 September 2011

Cisco have been pushing the new versions of their AnyConnect client for some time now. They have also announced as End of Sale the traditional IPSEC based client which has been around for a number of years. This means that the IPSEC client will not be available on new OS platforms and is also not supported on 64 bit platforms.

The new client is the AnyConnect Secure Mobility Client which will be the platform to use moving forwards.

At the head end, both Cisco ASA Firewalls, and IOS based routers with the correct software image are supported. Licenses are required on both platforms – which is a change from Cisco as on the ASA platform in particular, the cost of IPSEC VPN was bundled into the unit cost.

Attached is a sample config for an IOS based router. You will need version 15 to get this to work properly.

ip http server enable
ip http secure-server enable
ip local pool client-pool
webvpn gateway SSLVPN
ip address X.X.X.X port 443
http-redirect port 80
ssl trustpoint TP-self-signed-3096684075
webvpn install svc flash:/webvpn/anyconnect-win-3.0.3054-k9.pkg sequence 1
webvpn context SSLVPN
ssl authenticate verify all
policy group SSLVPN_Policy
functions svc-required
svc address-pool “client-pool”
svc keep-client-installed
svc split include
svc split include
default-group-policy SSLVPN_Policy
gateway SSLVPN
max-users 10

Barry Hesk

HP launch new enterprise security software packages

13 September 2011

Hewlett Packard (HP) have announced new enterprise security software packages based on products that have been aquired in the last couple of years.

ARCSight, TippingPoint and Fortify Software have been combined into a single overarching management platform to give a central view of network operation and risk management.

Barry Hesk

Diginotar SSL certificate attack

6 Sep 2011
It’s been widely reported in the press that Dutch Certificate Authority (CA) Diginotar was breached by hackers. As a result, 531 digital certificates were fraudulantly issued including for several *.google.com domains.

A good article describing what happened is available here:


Mozilla (author of Firefox) has taken the unique step of removing Diginotar’s root CA from it’s trusted list within its broswer; this means that Firefox will no longer trust ANY site that is using a cetificate that was issued Diginotar.

Expect the fallout from this to continue for some time yet….

Barry Hesk

Cisco ASA 8.3 NAT

Cisco ASA Version 8.3 (and now 8.4) has been out and shipping for quite some time. Based around our own experiences, and some feedback from customers we’ve been researching.

The following link provides a really helpful overview of what has changed in version 8.3 and higher.


It’s fair to say that NAT in 8.3 does cause confusion and is a radical departure from what was in place previously. In our minds, it’s much more aligned to the way that Checkpoint perform NAT on their platforms. It is also worth pointing out that in our experience, migrating from 8.2 to 8.3 does not work smoothly, or in some cases at all, and you will almost definitely need to rebuild your NAT from scratch at version 8.3. If you’re planning an upgrade to 8.3 or 8.4 please bear it in mind, and that you may need to completely rework your NAT. For most people this is not a massive issue as typically you may have a couple of static NAT entries, some exclusions for VPN traffic, and a dynamic interface based statement to catch everything else. However, if you have anything a little more complex, like policy NAT make sure you test and test again to ensure it’s all working ok.

Barry Hesk