New issue of “The Internet Protocol Journal”

Volume 19, Number 1, March 2016 of the IPJ was published a few days ago. The magazine, carried by Cisco from 1998 to 2013, has been supported since September 2014 by a list of companies, first and foremost the Internet Society and Cisco.

In This Issue:

  • From the Editor
  • What’s in a DNS Name?
  • QoS and QoE
  • Fragments
  • Call for Papers
  • Supporters and Sponsors

The current issue is available as a PDF (1.2 MB).
Previous issues can be found in the IPJ archive.

About IPJ

The Internet Protocol Journal (IPJ) is a quarterly technical publication containing tutorial articles (“What is…?”), as well as implementation/ operation articles (“How to…”). The journal provides articles about all aspects of Internet technology. IPJ is not intended to promote any specific products or services, but rather is intended to serve as an informational and educational resource for engineering professionals involved in the design, development, and operation of public and private internets and intranets. In addition to feature-length articles, IPJ contains technical updates, book reviews, announcements, opinion columns, and letters to the Editor.

The journal is supported by the Internet Society and other organizations and individuals around the world dedicated to the design, growth, evolution, and operation of the global Internet and private networks built on the Internet Protocol. Previously published by Cisco Systems from 1998 until 2013, the journal was relaunched in September 2014 with the help of numerous supporters and sponsors.

Source: The Internet Protocol Journal

Cisco IronPort AsyncOS 7.6 for Email

IronPort has updated its operating system AsyncOS for Email to version 7.6.

This is an overview of the new features and enhancements, which are also being included in the new Cisco IronPort Email Security channel partner trainings.

Overview

  • New Feature: IPv6 Support
  • New Feature: RSA Enterprise Manager Integration
  • Enhancement: DLP Message Tracking Privileges By User Group
  • Enhancement: RSA Email DLP’s “Quarantine a Copy and Deliver” Option
  • Enhancement: DLP Message Actions
  • Enhancement: New and Updated RSA Email DLP Policy Templates
  • Enhancement: SenderBase Reputation Service Requires an Anti-Spam Feature
  • New Feature: DKIM Verification Profiles
  • Enhancement: New Tags for DKIM Signing Profiles
  • New Feature: DKIM Signing of System-Generated Messages
  • Enhancement: Skip DKIM Signing Action
  • Enhancement: Rate Limiting and Enforced TLS for Envelope Senders in Mail Flow Policies
  • Enhancement: Separate Update Servers for AsyncOS Upgrades and Other Service Updates
  • Enhancement: Message Size for Encryption
  • Enhancement: Web User Interface Protection

Notes

  • IPv6 Support
    not available for: clustering, ESQ, SMA communication, DNS, LDAP, SNMP, FTP, updates/upgrades, sending alerts, remote access
  • Reputation Engine
    now runs directly on-box, with the database on-box as well; no communication with the SenderBase database is necessary any more
    commands: listenerconfig / setup, fullsenderbaseconfig, repengupdate
  • Extended header editing in content filters
  • DKIM setup restructured
  • Rate limits can now be based on the envelope “mail-from” instead of the IP/domain combination
  • TLS settings based on “mail-from” are also possible using address lists


The full documentation can be found at www.cisco.com

FCOE. Can’t we all just get along?

A very nice article on the Cisco Blog by Seth Mashon starts with:

I was sitting in a room with a client the other day and normally in these conference rooms with the mahogany tables and high back leather chairs*, you have Cisco on one side of the table, and the client on the other. However, this wasn’t the case, as the table was formica and the chairs were folding. Also in the room were two groups that had never spoken before except in rare cases, “The network is down!” or “Our hosts can’t see their storage!” Yes my friends, it was the LAN and SAN folks in the room. The topic of FCoE was in front of us and the question was around their soon to be deployed Nexus 5000 switching infrastructure. The discussion between the two parties over who would manage the Nexus 5000 reminded me of a scene from Ghostbusters…

The full article can be found here.

Debug AS number for EIGRP on Cisco Routers

If you have ever wondered how to find out the AS number of an existing EIGRP process, this article answers it. Getting the information is simple if you have access to the router, but what do you do if you do not have access and want to join the EIGRP process with a new router?

  • First you need a direct connection to the router running the EIGRP process you want to join.
  • Now start an EIGRP process on our own router (which we control) and choose an arbitrary number for the process. Without that, the routers won’t start talking EIGRP to each other.
  • Next, create an ACL to filter the debug output to EIGRP packets only; this keeps the information overhead low:
    access-list 103 permit eigrp any host 224.0.0.10
  • Using that ACL, start the debug:
    debug ip packet 103
  • The debug output gives us the IP address of our EIGRP neighbour. This address is used to build a second, narrower ACL.
    Note: this is done so as not to overload the router with too much debug output.
  • The second ACL restricts the output to that neighbour:
    access-list 102 permit eigrp host x.x.x.x host 224.0.0.10
  • If everything is set up properly we can start the next debug, with a packet dump, without killing our router (otherwise you are going to see a lot of output, which will force you to power-cycle the router 😀):
    debug ip packet 102 dump

Now we do get something like the sample output below:

CoreRouter#debug ip packet 102 dump
IP packet debugging is on (dump) for access list 102
CoreRouter#no debug all
*Mar 8 06:32:11.580: IP: s=150.150.15.15 (FastEthernet0/0.1), d=224.0.0.10, len 60, rcvd 2
07DF1A00: 0100 5E00000A ..^…
07DF1A10: 001BD495 A8E80800 45C0003C 00000000 ..T.(h..E@.<….
07DF1A20: 015832FB 96960F0F E000000A 0205EE36 .X2{….`…..n6
07DF1A30: 00000000 00000000 00000000 00000096 ……………
07DF1A40: 0001000C 01000100 0000000F 00040008 ……………
07DF1A50: 0C040102 …

The line with the leading zeros is the one we need:
07DF1A30: 00000000 00000000 00000000 00000096 ……………

Those four 32-bit words are the flags, sequence number, acknowledgement number and Autonomous System fields of the EIGRP header, so the last word (00000096) is the AS number. Take that value, start your on-board calculator and convert it from hex to decimal: 0x96 = 150, the AS number of your neighbour.

Easy 😉
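The conversion above can be done without a calculator and without counting hex columns. The following Python script is an added example, not part of the original post: it takes the `debug ip packet 102 dump` output quoted above (pasted verbatim as a constructed sample input), rebuilds the raw frame, walks the Ethernet, IPv4 and EIGRP headers, and reports the AS number together with the hello parameters (K values, hold time) from the TLVs that follow the header. The constant and function names are my own.

```python
import ipaddress
import struct

# Constructed sample input: the IOS "debug ip packet 102 dump" lines quoted above,
# pasted verbatim (address column and ASCII column included).
SAMPLE_DUMP = """\
07DF1A00: 0100 5E00000A ..^...
07DF1A10: 001BD495 A8E80800 45C0003C 00000000 ..T.(h..E@.<....
07DF1A20: 015832FB 96960F0F E000000A 0205EE36 .X2{....`.....n6
07DF1A30: 00000000 00000000 00000000 00000096 ...............
07DF1A40: 0001000C 01000100 0000000F 00040008 ...............
07DF1A50: 0C040102 ...
"""

HEXDIGITS = set("0123456789abcdefABCDEF")
EIGRP_PROTO = 88
OPCODES = {1: "update", 3: "query", 4: "reply", 5: "hello", 10: "SIA-query", 11: "SIA-reply"}


def dump_to_bytes(dump: str) -> bytes:
    """Turn IOS dump lines into raw bytes: take the hex words after the address
    column and stop at the first token that is not hex (the ASCII column)."""
    raw = bytearray()
    for line in dump.splitlines():
        if ":" not in line:
            continue
        for tok in line.split(":", 1)[1].split():
            if set(tok) <= HEXDIGITS and len(tok) % 2 == 0:
                raw += bytes.fromhex(tok)
            else:
                break
    return bytes(raw)


def parse_eigrp_frame(frame: bytes) -> dict:
    """Walk Ethernet -> IPv4 -> EIGRP and return the fields of interest."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != 0x0800:
        raise ValueError(f"not IPv4: ethertype 0x{ethertype:04x}")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != EIGRP_PROTO:
        raise ValueError(f"not EIGRP: IP protocol {ip[9]}")
    eigrp = ip[ihl:]
    # Classic 20-byte EIGRP header: version, opcode, checksum, flags, seq, ack, AS.
    # RFC 7868 describes the last word as 2-byte Virtual Router ID + 2-byte AS;
    # the low 16 bits are the AS number in either reading.
    version, opcode, checksum, flags, seq, ack, asn = struct.unpack("!BBHIIII", eigrp[:20])
    info = {
        "src": str(ipaddress.IPv4Address(ip[12:16])),
        "dst": str(ipaddress.IPv4Address(ip[16:20])),
        "version": version,
        "opcode": OPCODES.get(opcode, opcode),
        "flags": flags,
        "as_number": asn & 0xFFFF,
    }
    # TLVs follow the header: 2-byte type, 2-byte length (length includes the 4-byte TLV header).
    offset = 20
    while offset + 4 <= len(eigrp):
        tlv_type, tlv_len = struct.unpack("!HH", eigrp[offset:offset + 4])
        if tlv_len < 4:
            break  # malformed TLV; stop rather than loop forever
        body = eigrp[offset + 4:offset + tlv_len]
        if tlv_type == 0x0001 and len(body) >= 8:    # parameters TLV: K1..K5, reserved, hold time
            info["k_values"] = tuple(body[0:5])
            info["hold_time"] = struct.unpack("!H", body[6:8])[0]
        elif tlv_type == 0x0004 and len(body) >= 4:  # software version TLV: IOS major.minor, EIGRP major.minor
            info["ios_version"] = f"{body[0]}.{body[1]}"
            info["eigrp_version"] = f"{body[2]}.{body[3]}"
        offset += tlv_len
    return info


def as_number_from_dump(dump: str) -> int:
    """Convenience wrapper: AS number straight from pasted dump text."""
    return parse_eigrp_frame(dump_to_bytes(dump))["as_number"]


if __name__ == "__main__":
    print(parse_eigrp_frame(dump_to_bytes(SAMPLE_DUMP)))
```

For the dump above this yields AS 150 from 150.150.15.15, a hello with K values 1,0,1,0,0 and a 15-second hold time, i.e. everything a new router needs to form an adjacency (the K values must match too). Keep in mind that hellos to 224.0.0.10 carry the AS number in cleartext, so anyone on the segment can learn it exactly this way; configuring EIGRP authentication on the interface is what stops an unauthorized router from joining once it knows the number.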

The OVF Descriptor File could not be parsed

The series of problems using Cisco OVAs within my VMware Workstation installation does not end. After solving some minor issues I found out that VMware ships with a pretty old ovftool. Going to the VMware site and downloading the new one took me one step closer.

The OVA can be converted directly into a VMware virtual machine using ovftool.exe (located in the ovftool program directory). It is pretty straightforward:

ovftool.exe <location of the ova file> <location and name of the VMX file>

After that, ovftool starts converting the OVA into a VMware virtual machine. In the meantime you can read through the ovftool documentation; it is an amazing tool.

Proxy Auto-Configuration and its challenges

I was a fan of WCCP for setting up a transparent proxy within a network; it always seemed the easiest way, but it only seemed that way. A lot of problems came up in the past few months on the customer side and within my own installation, so I decided to give Proxy Auto-Configuration a try.

The biggest benefit of using PAC (Proxy Auto-Configuration) is that you get rid of the transparent proxy. That makes life easier, but first I had to learn a lot of things the hard way.

Roll out the URL for the PAC file without touching the client

Two options are available: DNS and DHCP option 252.

The easiest way is DHCP, and its configuration is straightforward. Extend your DHCP configuration with option 252 and put the URL of the PAC file in as its value. With the next renewal of its DHCP lease the client fetches the proxy information as well.

DHCP has a higher priority than DNS: if DHCP provides the WPAD URL, no DNS lookup is performed. Note that Firefox performs its own WPAD lookup and supports only the DNS method; Chrome follows the operating system's proxy settings, so whether DHCP is honoured there depends on the platform.

The next step is to set up DNS for the browsers lacking DHCP support. This is also straightforward: point wpad.yourinternaldomain.com at the PAC file server. The browser fetches the file wpad.dat (our PAC file) from that server.

Verify your Clients

It is very important that your client PCs and/or applications are set to auto-detect proxy settings from the network. If that is not set, you have to touch the client or use some kind of scripting to set it on your browsers.

PAC file hosting

One challenge can be the PAC file hosting. If you use a web server, it is important that every PAC file (whether it is called proxy.pac or wpad.dat) is sent to the client with the right MIME type. The MIME type of the configuration file must be “application/x-ns-proxy-autoconfig”.

If you use DNS to locate the PAC file, every client requests the file wpad.dat from the URL mentioned above on port 80.
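The discovery order and the hosting requirements above are easy to get subtly wrong, so here is a small checker. It is an added example and not part of the original post or of any Cisco product: `candidate_urls` reproduces the client's lookup order (DHCP option 252 first; otherwise wpad.<domain>/wpad.dat on port 80, stripping one label at a time but never above your own domain, so the search cannot wander into a public suffix where someone else could register a wpad host), and `validate_pac_response` checks the two things a hosted PAC file must get right: the MIME type and a FindProxyForURL function. The hostnames, the URLs and the in-memory "servers" are constructed sample data; the function names are my own.

```python
import re
import urllib.request
from typing import Callable, Optional

PAC_MIME = "application/x-ns-proxy-autoconfig"


def candidate_urls(dhcp_url: Optional[str], client_fqdn: str, org_domain: str) -> list:
    """URLs a WPAD-capable client tries, in order. DHCP option 252 wins outright;
    without it the DNS method walks up from the client's domain, stopping at org_domain."""
    if dhcp_url:
        return [dhcp_url]
    labels = client_fqdn.lower().rstrip(".").split(".")
    stop = org_domain.lower().rstrip(".").split(".")
    urls = []
    for i in range(1, len(labels)):          # drop the host label, then one domain label per step
        suffix = labels[i:]
        if len(suffix) < len(stop) or suffix[-len(stop):] != stop:
            break                            # never search above the organisation's own domain
        urls.append(f"http://wpad.{'.'.join(suffix)}/wpad.dat")
    return urls


def validate_pac_response(content_type: str, body: str) -> list:
    """Return a list of problems with a served PAC file (empty list means OK)."""
    problems = []
    mime = content_type.split(";")[0].strip().lower()
    if mime != PAC_MIME:
        problems.append(f"wrong MIME type {content_type!r}, expected {PAC_MIME}")
    if not re.search(r"\bfunction\s+FindProxyForURL\s*\(", body):
        problems.append("body does not define FindProxyForURL()")
    return problems


def default_fetch(url: str):
    """Real fetch over HTTP: returns (Content-Type header, body text)."""
    with urllib.request.urlopen(url, timeout=5) as resp:
        return resp.headers.get("Content-Type", ""), resp.read().decode("utf-8", "replace")


def discover_pac(dhcp_url: Optional[str], client_fqdn: str, org_domain: str,
                 fetch: Callable = default_fetch):
    """Try each candidate URL in order; return (url, problems) for the first one that answers."""
    last_error = None
    for url in candidate_urls(dhcp_url, client_fqdn, org_domain):
        try:
            ctype, body = fetch(url)
        except Exception as exc:             # unreachable host, 404, ...: try the next candidate
            last_error = exc
            continue
        return url, validate_pac_response(ctype, body)
    return None, [f"no PAC file found ({last_error})"]


# Constructed sample "servers" so the script runs offline: URL -> (Content-Type, body).
# The wpad host deliberately serves the file with the wrong MIME type.
PAC_BODY = "function FindProxyForURL(url, host) { return 'PROXY wsa.example.com:3128'; }"
SAMPLE_SERVERS = {
    "http://wsa.example.com:9001/proxy.pac": (PAC_MIME, PAC_BODY),
    "http://wpad.corp.example.com/wpad.dat": ("text/plain", PAC_BODY),
}


def sample_fetch(url: str):
    if url not in SAMPLE_SERVERS:
        raise OSError(f"connection refused: {url}")
    return SAMPLE_SERVERS[url]


if __name__ == "__main__":
    client = "pc17.berlin.corp.example.com"
    print(discover_pac("http://wsa.example.com:9001/proxy.pac", client, "corp.example.com", sample_fetch))
    print(discover_pac(None, client, "corp.example.com", sample_fetch))
```

Run against real hosts by leaving `fetch` at its default. The DNS path in the sample deliberately fails the MIME check, which is exactly the misconfiguration a plain web server produces when wpad.dat is not mapped to application/x-ns-proxy-autoconfig; some clients silently ignore such a file, and the symptom is "auto-detect does nothing".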

PAC file hosting with Cisco Ironport Web Appliance

If you use a Cisco IronPort S-Series Web Security Appliance, a lot of this is handled by the IronPort itself: the MIME type is set correctly, and so are a few other things we will talk about now.

IronPort's PAC file hosting lets you specify a port for the PAC file service, by default 9001. If you use DNS, the PAC file service has to listen on port 80 as well. That is not a problem as long as you are not using port 80 for your web proxy service and your AsyncOS version is 7.x: just add port 80 to the PAC file service and submit the changes.

The next step is to upload your PAC file. The PAC file can have any name as long as you remember it and use it correctly when you set up your DHCP settings. IronPort also supports multiple PAC files as long as they have different names. That is all there is to it if you can use DHCP: every DHCP pool within your network can fetch a different PAC file from the same IronPort appliance.

Talking about DNS: you need to host wpad.dat files, and here IronPort helps out. In the section “Hostnames for Serving PAC Files Directly” you can set up a GET hostname (the hostname the client uses to reach the PAC host) and choose one of your uploaded PAC files; IronPort serves it under the requested name on demand.

For example, if you enter wsa.example.com in the Hostnames field and pacfile1.pac in the Default PAC File for “Get/” Request through Proxy Port field, then requests for http://wsa.example.com/ fetch pacfile1.pac and requests for http://wsa.example.com/default.pac fetch default.pac.


Cisco Global Threat Report Quarter 1 2011

The Cisco Q1 2011 Global Threat Report has been released. The Cisco Global Threat Report is a compilation of data collected across the four segments of Cisco Security: ScanSafe, IPS, RMS and IronPort.

A good summary was written by Brian Pennington.

The original document can be found on Cisco.com