SWC Perspectives
Business | Technology | Success

Archive for the ‘Network Infrastructure and Security’ Category

Cisco Routers: Unlock 3 key features for more efficiency

Thursday, September 9th, 2010 | Charles Stizza

Today many businesses are looking to squeeze more productivity out of their existing technology infrastructure. It just so happens that I love helping them unlock features that they never knew existed to provide a cost-effective technology solution to a business need.

For example, many organizations own a mysterious blue box buried in a wiring closet somewhere with the words “Cisco 2800” printed in white across the front bezel. I am of course talking about a Cisco router; it usually runs for years with little or no intervention.

It never ceases to amaze me how these little devices are underutilized; they are FILLED with potential functionality. I would like to share with you three really cool, but little known, features of your router that offer big benefits. Since the feature set differs with each IOS version and license, check the Cisco Feature Navigator to verify support before you plan around any of them.

DISCLAIMER: A misconfigured router can leave your network in a nonfunctional state and we never recommend tampering with ISP-owned CPE equipment. Always work with a certified IT professional before making network hardware configuration changes.

Network Based Application Recognition (NBAR)
NBAR is a mechanism by which your router can identify predefined types of traffic by inspecting packet contents rather than just port numbers. Once the traffic is identified, it is matched in a class map, the class map is referenced by a policy map (the Modular QoS CLI) and the traffic is then marked, policed, shaped or dropped according to the policy.

So what does that mean?  You know all of that peer-to-peer file-sharing traffic, such as BitTorrent, Kazaa, Napster and Grokster? Your router can pinpoint this traffic and slow it to a crawl (police/shape) or drop it completely. Conversely, we can also prioritize other types of traffic such as SQL and Kerberos. The advantage of NBAR over traditional port- or address-based class maps is that it can classify applications that are more dynamic than a simple TCP/UDP port or source/destination IP. Two caveats: NBAR is only as good as the protocol definitions (PDLMs) loaded on the router, so keep them current, and because it inspects payloads it costs CPU on a small router and can be evaded by encrypted or obfuscated traffic.
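The following IOS configuration is an added example, not code from the original post, of the NBAR-plus-MQC chain described above: P2P file sharing is classified by NBAR and policed to a trickle, SQL Server and Kerberos are marked and guaranteed bandwidth, and protocol discovery is enabled so you can see what NBAR really sees before you drop anything. The interface name, policing rate and bandwidth percentage are assumptions for illustration; the protocol names must exist in the protocol pack on your IOS image (`show ip nbar version` lists what is loaded).

```cisco
! Constructed example: NBAR classification with MQC policing/marking on a
! Cisco router WAN link. Interface, rates and percentages are assumptions.
!
! 1. Let NBAR watch the link first. "show ip nbar protocol-discovery" then
!    tells you what is actually on the wire before you police it.
interface Serial0/0/0
 description WAN to ISP
 ip nbar protocol-discovery
!
! 2. Classify by application, not by port. NBAR inspects payloads, so these
!    matches still catch clients that hop ports or hide on port 80.
class-map match-any P2P-FILESHARING
 match protocol bittorrent
 match protocol kazaa2
 match protocol edonkey
 match protocol gnutella
!
class-map match-any BUSINESS-CRITICAL
 match protocol sqlserver
 match protocol kerberos
!
! 3. Decide what happens to each class. Policing P2P to 64 kbit/s "slows it
!    to a crawl"; change conform-action to "drop" if you want it gone.
policy-map WAN-OUT
 class P2P-FILESHARING
  police cir 64000 conform-action transmit exceed-action drop
 class BUSINESS-CRITICAL
  set ip dscp af31
  bandwidth percent 30
 class class-default
  fair-queue
!
! 4. Apply outbound on the WAN interface. Policing also works on an input
!    policy (useful for P2P downloads); "bandwidth"/queuing is output-only.
interface Serial0/0/0
 service-policy output WAN-OUT
!
! Verification
!   show ip nbar protocol-discovery interface Serial0/0/0 top-n 10
!   show policy-map interface Serial0/0/0
```

Watch the CPU on a 2800-class router after enabling this; if `show processes cpu` climbs sharply, trim the class maps to the protocols you actually need rather than matching everything NBAR knows.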

Intrusion Prevention System (IPS)
An Intrusion Prevention System (IPS) inspects traffic inline, matches it against a signature file of known attack patterns (some products also flag “suspicious patterns” through anomaly or heuristic detection) and drops or resets the malicious traffic instead of merely alerting on it, which is what separates it from an IDS. Think of it as a police officer who sits in line with the traffic flowing inside your network. While there are dedicated hardware IPS appliances, certain IOS versions have it built in (Cisco IOS IPS) with no extra hardware required. A signature set is only as good as its age, though, so plan for regular signature updates, and expect the router's CPU and memory to limit how many signatures you can keep active.
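As an added example, not part of the original post, here is the sequence for turning on Cisco IOS IPS (5.x signature format) on a router. The public key material, the signature package filename, the TFTP server address (RFC 5737 documentation range) and the interface name are assumptions; the key and package come from Cisco and require an IPS signature subscription to keep current.

```cisco
! Constructed example: enabling Cisco IOS IPS on a router.
! Key material, filenames, server address and interface are assumptions.
!
! 1. Signature packages are digitally signed by Cisco. The router needs
!    Cisco's public key (shipped with the package as realm-cisco.pub.key.txt)
!    to verify them; paste that key in the key-string section.
crypto key pubkey-chain rsa
 named-key realm-cisco.pub signature
  key-string
   ! <public key hex from realm-cisco.pub.key.txt goes here>
  quit
!
! 2. Give the compiled signature database somewhere to live, name the rule
!    set, and send events to the log (SDEE is also available).
!    (exec)  mkdir flash:ips
ip ips config location flash:ips retries 1
ip ips name IOSIPS
ip ips notify log
!
! 3. A small router cannot run every signature. Retire everything, then
!    un-retire the "basic" category; grow it only after checking CPU/memory.
ip ips signature-category
 category all
  retired true
 category ios_ips basic
  retired false
!
! 4. Apply inline on the Internet-facing interface, inbound. Apply "out" as
!    well if you also want to catch outbound activity from compromised hosts.
interface FastEthernet0/0
 ip ips IOSIPS in
!
! 5. Load the signature package; the router compiles only active categories.
!    (exec)  copy tftp://192.0.2.10/IOS-S416-CLI.pkg idconf
!
! Verification
!   show ip ips signatures count
!   show ip ips configuration
```

The order matters: apply the rule set to the interface before copying the package, otherwise the router compiles signatures against no target and has to do it again.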

GRE Tunnel IPsec VPN
Many organizations are running some sort of IPsec VPN already, yet there is a little known variant called a GRE over IPsec tunnel. What is the difference, you ask?  In terms of functionality it is similar to a traditional site-to-site VPN, but the GRE tunnel is a real routed interface that can carry multicast, so it has the added benefit of being able to propagate dynamic routing traffic such as OSPF LSAs and EIGRP Hello messages, which a plain crypto-map VPN cannot. This is a crucial distinction: you can run a dynamic routing protocol across geographically separate locations with all of the benefits such as dynamic path selection, route summarization and greater scalability. Note that GRE itself provides no encryption or authentication; the tunnel must be wrapped in IPsec (on IOS, by binding an IPsec profile to the tunnel interface) or your routing updates and data cross the Internet in the clear.
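The configuration below is an added example (not the post's own) of one side of a GRE over IPsec tunnel with OSPF running across it. The public addresses are from the RFC 5737 documentation ranges, the tunnel and LAN prefixes, interface names, pre-shared key placeholder and OSPF area are assumptions; site B mirrors this with the addresses swapped. Older IOS images may only offer DH group 2; use group 14 wherever the image supports it.

```cisco
! Constructed example: site A of a GRE/IPsec tunnel with OSPF across it.
! Addresses, interfaces, the PSK placeholder and OSPF area are assumptions.
!
! Phase 1 (IKE): AES-256, SHA, pre-shared key. Prefer group 14 over group 2.
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
crypto isakmp key <strong-psk> address 198.51.100.2
!
! Phase 2: transport mode is sufficient because GRE already supplies the
! outer IP header, and it saves 20 bytes of overhead per packet.
crypto ipsec transform-set GRE-TS esp-aes 256 esp-sha-hmac
 mode transport
crypto ipsec profile GRE-PROT
 set transform-set GRE-TS
!
! The GRE tunnel. "tunnel protection" binds the IPsec profile to the tunnel,
! so no crypto map or crypto ACL is needed: everything entering the tunnel,
! including OSPF multicast, is encrypted.
interface Tunnel0
 description GRE/IPsec to site B
 ip address 10.255.0.1 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source 203.0.113.1
 tunnel destination 198.51.100.2
 tunnel protection ipsec profile GRE-PROT
!
interface FastEthernet0/0
 description Internet uplink
 ip address 203.0.113.1 255.255.255.248
!
! Dynamic routing across the tunnel. Do NOT put the Internet-facing
! interface into OSPF: if the tunnel destination were ever learned through
! the tunnel itself, the tunnel would flap (recursive routing).
router ospf 1
 network 10.255.0.0 0.0.0.3 area 0
 network 192.168.10.0 0.0.0.255 area 0
!
! Verification
!   show crypto isakmp sa    -> QM_IDLE with 198.51.100.2
!   show crypto ipsec sa     -> encaps/decaps counters increasing
!   show ip ospf neighbor    -> FULL on Tunnel0
```

The `ip mtu 1400` and `adjust-mss 1360` lines are there because GRE plus ESP headers push a 1500-byte packet over the Internet MTU; without them you get fragmentation or black-holed TCP sessions that look like a broken VPN.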

If you have any questions about these features, or if you would like to realize more IT efficiency in your operation, give us a call. Or register for our upcoming Lunch and Learn event, Microsoft and Cisco: A Perfect Match on September 16.

Three common network attacks—and why your firewall can’t help

Friday, June 25th, 2010 | Charles Stizza

Most people understand why one of the most important aspects of a technology solution is security. Oddly enough, one area in particular that is most often neglected is the switching (“Layer 2”) domain within an organization.

Why is this so often neglected?  It could be due to a lack of awareness. Also, while most organizations are willing to invest in a firewall solution, the general impression is that the most significant attack vector is from the outside. But there’s more to this story.

Here are three types of attacks that your Internet firewall, no matter how good, generally can't stop, because they never cross it:

VLAN Hopping: This is when an attacker gains access to a restricted network segment (VLAN) through a misconfigured access layer switch, either by negotiating a trunk with a port left in dynamic trunking mode (after which the attacker can tag frames for any VLAN) or by double-tagging frames so that the inner tag delivers them into the target VLAN. This is the equivalent of Tom Cruise using spy masks in the movie Mission Impossible to trick his foes into providing him with access to vital information and documents.

ARP Poisoning: An attacker answers ARP requests (or sends unsolicited ARP replies) on behalf of another host, typically the default gateway, so that traffic bound for it is delivered to the attacker instead and forwarded on after being read. Think of this as someone going to your mailbox, reading your mail, then placing the mail back into your mailbox. Only in this case what is being read is all of the data being sent to and from your workstation or server.

MAC Flooding: An attacker floods the switch with frames carrying thousands of bogus source MAC addresses in an attempt to fill the switch's CAM (MAC address) table. Once the table is full, the switch can no longer learn where legitimate hosts are and floods frames for unknown destinations out every port in the VLAN; it behaves like a hub and allows sniffing of those data frames on the network segment. This is like a person (we all know one!) who is normally reserved and quiet, but when they have a bit too much to drink they start spilling the beans about anything and everything, even stuff you don't care to hear. If you feed a switch too much Layer 2 data, it starts blabbing.

As you would guess, there is a mitigation for every single one of these attacks, but is your network protected against them?  If I were a betting person, and based on experience, my answer would be, “Probably not.”  The good news is that securing your internal network can generally be done by leveraging the functionality built into your current hardware.

Now let me counter these three attacks with three solutions that can be used to protect your Layer 2 domain. It should be noted that most vendors support their own iteration of this feature but may go by slightly different names, so as always, consult documentation.

SOLUTION 1 – DHCP Snooping: This feature watches DHCP exchanges, accepts server replies only on trusted ports and builds a binding table of which IP address and MAC address belong on which port. Used in conjunction with Dynamic ARP Inspection (DAI), which drops any ARP packet that contradicts that table, it keeps connected workstations honest. Think of this as the ultraviolet light used to spot counterfeit money.

SOLUTION 2 – Port Security: This feature limits the number of MAC addresses a port will learn (and can pin it to specific addresses). In the case of MAC flooding, the port discards frames from source addresses above the configured limit, or shuts itself down, depending on the violation mode you choose. This feature is easy to set up and very effective.

SOLUTION 3 – Static VLAN membership: I can't emphasize enough how important it is to remove ALL traces of dynamic trunking negotiation (DTP) from user-facing ports: set them statically to access mode and disable negotiation. Tagged frames should never have the possibility to be accepted on user-facing ports. (There is one exception in the case of voice VLANs, where the phone tags its own voice traffic, but when done properly on an access port it does not create the security dilemma at issue.) On the trunks that remain, make the native VLAN an unused one so a double-tagged frame has nowhere to land.
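Putting the three solutions together, the following Catalyst configuration is an added example and not from the original post. VLAN numbers, interface ranges, rate limits and the voice VLAN port are assumptions; some older platforms also need `switchport trunk encapsulation dot1q` before `switchport mode trunk` is accepted, and command availability varies by switch model and IOS version.

```cisco
! Constructed example: hardening a Catalyst access switch against ARP
! poisoning, MAC flooding and VLAN hopping. VLANs, ports and limits are
! assumptions.
!
! --- SOLUTION 1: DHCP snooping builds the IP/MAC/port binding table;
!     Dynamic ARP Inspection drops ARP packets that contradict it.
ip dhcp snooping
ip dhcp snooping vlan 10,20
no ip dhcp snooping information option
ip arp inspection vlan 10,20
ip arp inspection validate src-mac dst-mac ip
!
! Only the uplink toward the real DHCP server is trusted; access ports never.
! --- SOLUTION 3 (trunk side): static trunk, DTP off, unused native VLAN so a
!     double-tagged frame from an access port cannot ride the native VLAN.
vlan 999
 name UNUSED-NATIVE
!
interface GigabitEthernet1/0/48
 description Uplink to distribution
 switchport mode trunk
 switchport trunk allowed vlan 10,20,999
 switchport trunk native vlan 999
 switchport nonegotiate
 ip dhcp snooping trust
 ip arp inspection trust
!
! --- SOLUTION 2 + 3 (access side): static access mode with negotiation
!     disabled, one learned MAC per port, ARP/DHCP rate limits so a flooding
!     host cannot starve the inspection engine, BPDU guard against rogue
!     switches. "restrict" drops offenders and logs; "shutdown" err-disables.
interface range GigabitEthernet1/0/1 - 46
 description User access ports
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation restrict
 switchport port-security aging time 10
 switchport port-security aging type inactivity
 ip arp inspection limit rate 15
 ip dhcp snooping limit rate 10
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! The voice VLAN exception: the phone tags its own frames but the port stays
! in access mode, so DTP is still off. Allow two MACs (phone + PC behind it).
interface GigabitEthernet1/0/47
 description IP phone with PC
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 switchport nonegotiate
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Verification
!   show ip dhcp snooping binding
!   show ip arp inspection statistics vlan 10
!   show port-security interface GigabitEthernet1/0/1
```

Hosts with static IP addresses never appear in the snooping binding table, so DAI will drop their ARP traffic; add them with `ip source binding` (or an ARP access list) before turning DAI on for that VLAN, or you will create an outage while fixing a vulnerability.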

Obviously this list is only the tip of the iceberg. NAC, 802.1X, VMPS and RADIUS are a few of the more robust methods being used. But I wanted to emphasize solutions that likely require no additional hardware. What strategies have you used to secure your internal resources?

Top 3 myths about certified IT professionals

Thursday, June 3rd, 2010 | Charles Stizza

If you’re in the Information Technology field, you’re familiar with industry certification. Some may question the need for certification for in-house IT professionals or consultants, but I believe there is a distinct value to working with certified professionals.

Generally, “certified professionals” refers to an organization that has achieved partner level status with the vendor. For example, to be a Microsoft Gold Partner, the company must meet certain criteria, including having multiple Microsoft certified professionals on staff. Cisco, Symantec and HP have similar programs.

Some people (like myself) are “cert” junkies with a road map of certifications planned out for the next several years; others are adamant that they add no real value to their profession. Here are three outdated myths about industry certification that I hear most often:

Myth #1: Certification doesn’t measure “real world” skills.
I hear this a lot! But don’t be fooled: vendors have made big strides in testing “real world” knowledge on their exams. For example, both Microsoft and Cisco certification exams now contain robust simulations that mimic live environments. If you can’t fix it at the console, you won’t pass.

This is essential because technology changes so fast. Certification is a vendor-specific “seal of approval” that ensures IT professionals are on top of the technology and the changes. IT professionals often seek certification in their core competencies, so certs help them build deeper expertise.  

Myth #2: Certification only benefits the vendor.
It’s no secret that vendors need to make a profit. However, they accomplish this by having the widest adoption rate of their product, not by creating certifications. To have the widest adoption rate, the product must be a cost-effective, manageable and viable solution for whatever technology need the solution fills.

I would argue that the higher saturation of a particular certification is indicative of high product adoption—so the product creates the certification not vice-versa. A larger pool of skilled individuals, via proxy of IT service providers, creates a competitive market for support options. A competitive market benefits everybody.

Myth #3: Certification = Higher support costs.
While hiring a highly skilled, credentialed IT professional to perform work may seem to cost more up front, the back end costs are ALWAYS much lower. Why?  If the planning, design and implementation phases are not done strategically or correctly, the project will inevitably generate higher costs in the long run from rework and change orders. I’ve seen many projects scrapped altogether or a complete “rip and replace” of a system that failed to get off the ground due to poor planning.

What’s your perspective on certifications for IT professionals?

A BI Consultant’s Musings on PowerPivot

Tuesday, February 2nd, 2010 | Chad J. Dotzenrod

Today I reached a new milestone in my analysis of Excel 2010 PowerPivot (Beta). I’m ready to share my experiences with the product and get our customers excited about Microsoft BI! Before I go into the details on PowerPivot, I think it’s useful to look back on the past year. It was nearly a year ago that Microsoft made dramatic changes in the technology roadmap for BI. Those changes included rolling PerformancePoint Monitoring & Analytics (M&A) into the SharePoint SKU and killing PPS Planning. Over the last 12 or so months I’ve seen a lot of different emotions from our customers out in the field. Some were disappointed and borderline angry, while others were glad to see that a new strategy was on the horizon. That horizon is nearly here and looks to be coming in the June timeframe. Don’t hold me to this date though; I’m just assuming the late May rumors for RTM are true. So here is a short list of major products getting close to launch that will change BI in positive ways:

  • SQL Server 2008 R2 – Includes BI enhancements to support PowerPivot, better SharePoint SSRS integration, and an improved version of SSRS report builder as well as a host of other new features and upgrades that build on the success of SQL Server 2008
  • SharePoint 2010 – As far as BI features, the notable ones are PowerPivot service, BI Gallery for PowerPivots, Better integration with SSRS, and a new BI search feature for finding analytic content published to SharePoint.
  • Office 2010 – Office 2010 and specifically Excel 2010 have been significantly improved as far as BI features go. I’ve invested a lot of time into Excel 2010 research and the big wins I see so far for BI include the following:
    • PowerPivot – This add-in (formerly Project Gemini) integrates with Excel 2010 and provides the ability to create local in-memory analytic solutions that are very similar to Analysis Services cubes. This morning I experimented with a data set from http://www.data.gov. It was some Medicare data in CSV format with about 10 million records. Normally, I’d have to load that data into a table on SQL Server to analyze it. With PowerPivot, the 10 million rows imported just fine and took only a few minutes to load.
    • Pivot Table Slicers – I can’t say enough good things about the slicers. They give the user a visually appealing way to filter a pivot and they aren’t bound to a single pivot or chart. In fact I created some samples where a single slicer was controlling the outcomes of three pivot tables and three charts.
    • Custom Calculated Measures – This feature is using DAX (Data Analysis Expressions). Basically, it’s an extension to the Excel formulas. I find these expressions extremely simple to create and there is a handy interface for checking syntax and offering a template for all of the parameters the expression needs. This is many times simpler than writing MDX (Multi Dimensional Expressions).
    • Sharing Content to SharePoint 2010 – Seems like a minor feature but its importance exceeds the rest. SharePoint provides the security, workflow, navigation, and data governance for all the PowerPivots people will want to publish. Without SharePoint, I think I’d be writing some criticisms on how PowerPivot is just another way to create unmanageable data islands all over the enterprise. SharePoint brings order to the BI universe and is the perfect mechanism for delivering the content. It also addresses the concerns of how to share the rich content with users who don’t use PowerPivot but want read access to the analysis. And finally, SharePoint provides the mechanism for data updates/refreshes. The PowerPivots are great, but if they are stale they’re completely worthless the day after creation. Having a well thought out tool for data refreshes that is controlled in one place is extremely useful and important to ensuring the success of the analysis asset.

Here’s a link to my next webinar on February 9th 2010. If you haven’t guessed it already, I’ll be talking about and demonstrating: PowerPivot, Microsoft BI, and SWC’s “Extreme BI” approach.