Cisco Administration Best Practice - TACACS+ or RADIUS

I'm new to Cisco and currently building a midsize environment, and I wanted to know what the best practices are for administration management of Cisco equipment.
Thanks!

Using TACACS+ with ACS especially gives you all of the AAA's - this is better/best practice for mgmt access to Cisco devices imho.
Bilal

Similar Messages

  • Cisco MSE Best Practice

    Hi there,
    I have two MSE 3355, MSE-1 for wIPS and MSE-2 for Location.
    In the PI (Prime Infrastructure) site maps reports I can't look at the wIPS attackers from the MSE-2 Location. Is it possible to do this without having the wIPS license in the same server? How can I interoperate the wIPS attack reports from the MSE-1 to the MSE-2 location base server? What is the best practice for this scenario?
    Thanks

  • Scheduled Tasks - Administrator Best Practices

    Hi all,
    I've gotten assistance this week with a couple of scripts and scheduling them as tasks. I actually have well over a dozen running on our Exchange server using a special user with a complex password. This user is not used for logging into any machine, but it is a member of the 'Administrators' group and can be used for tasks requiring elevated privileges.
    What I am interested in learning is what the best practice is for running scheduled tasks. We have several, such as querying AD for members of select OUs or users who meet certain criteria. We also have automated emails regarding certain mailbox metrics, etc. You get the idea.
    Despite the complex credentials, this account is still discoverable and could be used in nefarious ways. Is it possible to run tasks on Server 2008 R2 (2012 possibly) without administrator credentials? Are there certain restrictions for the tasks (like is a scheduled reboot allowed by a standard account, but not querying Active Directory?).
    I also have noticed a checkbox with 'Run with highest privileges' and do not fully understand what this means.
    When I try to run the task as a regular user (no remote permissions), it says 'Logon failure: the user has not been granted the requested logon type at this computer.'
    In short, can I safely remove our special user account from 'Administrators' and place it into regular users without breaking all of our tasks?

    Hi KSI-IT,
    Firstly, based on my research, if you want to run the task scheduler with a user account, the user account must have the corresponding permission; in other words, you can also manually run the script with the user account.
    1.  For the error you posted, 'Logon failure: the user has not been granted the requested logon type at this computer', please make sure the task account has the "Log on as a batch job" privilege.
    To add the privilege to the account, please go to
    [Local Security policy\Local Policies\User Rights Assignment]
    -Log on as a batch job.
    Add the domain\username account and any others you may need and retry.
    2.  For the setting 'Run with highest privileges', this means that it runs with the highest privileges available to that user. This is different from the context menu's 'Run As Admin'.
    It generates the highest privilege token for the specific user; however, it cannot run as a different user. For a standard user with no elevated permissions, 'Run with highest privileges' does not do anything.
    Reference from:
    What effect does "run with highest priviledges" in task scheduler have on powershell scripts?
    I hope this helps.

  • Database Administration - Best Practices

    Hello Gurus,
    I would like to know various best practices for managing and administering Oracle databases. To give you all an example of what I am thinking about: if you join a new company and would like to see if all the databases conform to some kind of standard/best practices, what would you look for? For instance, are the control files multiplexed, is there more than one member for each redo log group, is the temp tablespace using TEMPFILE or otherwise...something of that nature.
    Do you guys have something in place which you use on a regular basis? If yes, I would like to get your thoughts and insights on this.
    Appreciate your time and help with this.
    Thanks
    SS

    I have a template that I use to gather preliminary information so that I can at least get a glimmer of what is going on. I have posted the text below...it looks better as a spreadsheet.
    System Name               
    System Description               
         Name      Phone     Pager
    System Administrator               
    Security Administrator               
    Backup Administrator               
    Below This Line Filled Out for Each Server in The System               
    Server Name               
    Description (Application, Database, Infrastructure,..)               
    ORACLE version/patch level          CSI     
              Next Pwd Exp     
    Server Login               
    Application Schema Owner               
    SYS               
    SYSTEM               
         Location          
    ORACLE_HOME               
    ORACLE_BASE               
    Oracle User Home               
    Oracle SQL scripts               
    Oracle RMAN/backup scripts               
    Oracle BIN scripts               
    Oracle backup logs               
    Oracle audit logs               
    Oracle backup storage               
    Control File 1               
    Control File 2               
    Control File 3                    
    Archive Log Destination 1                    
    Archive Log Destination 2                    
    Datafiles Base Directory                    
    Backup Type     Day     Time     Est. Time to Comp.     Approx. Size
    archive log                    
    full backup                    
    incremental backup                    
    As for "Best" practices, well I think that you know the basics from your posting but a lot of it will also depend on the individual system and how it is integrated overall.
    Some thoughts I have for best practices:
    Backups ---
    1) Nightly if possible
    2) Tapes stored off site
    3) Archives backed up throughout the day
    4) To Disk then to Tape and leave backup on disk until next backup
    Datafiles ---
    1) Depending on hardware used.
    a) separate datafiles from indexes
    b) separate high I/O datafiles/indexes on dedicated disks/LUNs/trays
    2) file names representative of usage (similar to its tablespace name)
    3) Keep them of reasonable size < 2 GB (again system architecture dependent)
    Security ---
    At least meet DOD - DISA standards where/when possible
    http://iase.disa.mil/stigs/stig/database-stig-v7r2.pdf
    Hope that gives you a start
    Regards
    tim

  • Clone a Cisco router - best practices?

    Hello
    Recently I had a task to clone a Cisco 881 router; I mean I had to transfer a config from one 881 to another.
    However, I faced some issues with this task:
    SSH doesn't work after the transfer; as I understand it, it is required to regenerate certificates. Consequently it is mandatory to activate telnet before the transfer, because I didn't have console access: the routers are in the datacenter
    AAA will not work, I had to delete all aaa strings from the config
    IOS images should be transferred first, as well as IPS signatures
    username password + service password encryption will make it impossible to log in; username secret should be used
    Probably, there are even more possible problems which I don't know. How do you guys clone routers? Maybe there are some best practices?
    I used TFTP for transferring the config and I have a question concerning it: when I do copy tftp run, does it overwrite the running config or append to it?
    Thank you in advance.

    When working as a field engineer and swapping out a router I would always strip out all of the AAA config and just apply a simple "username cisco priv 15  password cisco" and then get the router operational. The last thing you want to be doing is trying to work out why you can't login when you are trying to restore service. Once it is up and running and you are happy with it then you can save the config.
    Next you would reapply the AAA config. Assuming nothing has changed (IP addresses, TACACS+ shared secret etc.) then it should just work. And at this point if it does lock you out you can just reboot the box because you saved the config at the point that the router was operational but before you applied the AAA config.
    In order to generate the RSA key for SSH you would do "crypto key generate rsa"
    Once you have SSH configured you can use TFTP / FTP / SCP to transfer any files to flash. I like to use WinSCP.
    To my knowledge there is not an easy way to "clone" a router - there are always a few tasks that need doing manually.

  • Cisco best practices on Channeling.

    All,
    Can anyone point me to a document that describes Cisco's best practices when it comes to channel settings in a Unified wireless infrastructure.  We know that AP's can be configured to communicate over a specific channel or they can be set to "global" ie auto.  Meaning that the AP will decide what channel is best to communicate over.
    Just looking for the best way to configure this, especially in a building that has hundreds of access points per floor.
    Thank you in advance
    izzy

    The best way to determine this is with a formal site survey...
    However, take a look at this document. This is a really really good document!
    http://www.cisco.com/en/US/docs/solutions/Enterprise/Mobility/emob41dg/ch3_WLAN.html

  • Best Practices for Integrating UC-5x0's with SBS 2003/8?

    Almost all of Cisco's SBCS market is the small and medium business space.  Most, if not all of these SMB's have a Microsoft Small Business Server 2003 or 2008. It will be critical, In order for Cisco to be considered as a purchase option, that the UC-5x0 integrates well into these networks.
    To that end, I see a  lot of talk here about how to implement parts and pieces of this, but no guidance from Cisco, no labs and no best practices or other documentation. If I am wrong, please correct me.
    I am currently stumbling through and validating these configurations myself, Once complete, I will post detailed recommendations. However, it would have been nice to have a lab to follow instead of having to learn from each mistake.
    Some of the challenges include:
    1. Where should the UC-540 be placed: as the gateway for QoS, or behind a validated UC-5x0 router/security appliance combination?
    2. Should the Microsoft Windows Small Business Server handle DHCP (as Microsoft's documentation says it must), or must the UC-540 handle DHCP to prevent loss of features? What about a DHCP relay scheme?
    3. Which device should handle DNS?
    My documentation (and I recommend that any Cisco Lab/Best Practice guidance include it as well) will assume the following real-world scenario, the same which applies to a majority of my SMB clients:
    1. A UC-540 device utilizing SIP for the cost savings
    2. High Speed Internet with 5 static routable IP addresses
    3. An existing Microsoft Small Business Server 2003/8
    4. An additional Line of Business Application or Terminal Server that utilizes the same ports (i.e. TCP 80/443/3389) as the UC-540 and the SBS, but on separate routable IPs (making up crazy non-standard port redirections is not an option).
    5. An employee who teleworks from various places that provide a seat and a network jack, which is not under our control (i.e. an employee's home, a client's office, or a telework center). This teleworker should use the built-in VPN feature within the SPA or 7925G phones because we will not have administrative access to any third party's VPN/firewall.
    Your thoughts appreciated.

    Progress Report;
    The following changes have been made to the router in support of the previously detailed scenario. Everything appears to be working as intended.
    DHCP is still on the UC540 for now. DNS is being performed by the SBS 2008.
    Interestingly, the CCA still works. The NAT module even shows all the private mapped IPs, but not the corresponding public IPs. I wouldn't recommend trying to make any changes via the CCA in the NAT module.
    To review, this configuration assumes the following;
    1. The UC540 has a public IP address of 4.2.2.2
    2. A Microsoft Small Business Server 2008 using an internal IP of 192.168.10.10 has an external IP of 4.2.2.3.
    3. A third line of business application server with www, https and RDP that has an internal IP of 192.168.10.11 and an external IP of 4.2.2.4
    First, backup your current configuration via the CCA,
    Next, telnet into the UC540, log in, edit, cut and paste the following to 1:1 NAT the 2 additional public IP addresses;
    ip nat inside source static tcp 192.168.10.10 25 4.2.2.3 25 extendable
    ip nat inside source static tcp 192.168.10.10 80 4.2.2.3 80 extendable
    ip nat inside source static tcp 192.168.10.10 443 4.2.2.3 443 extendable
    ip nat inside source static tcp 192.168.10.10 987 4.2.2.3 987 extendable
    ip nat inside source static tcp 192.168.10.10 1723 4.2.2.3 1723 extendable
    ip nat inside source static tcp 192.168.10.10 3389 4.2.2.3 3389 extendable
    ip nat inside source static tcp 192.168.10.11 80 4.2.2.4 80 extendable
    ip nat inside source static tcp 192.168.10.11 443 4.2.2.4 443 extendable
    ip nat inside source static tcp 192.168.10.11 3389 4.2.2.4 3389 extendable
    Next, you will need to amend your UC540's default ACL.
    First, copy what you have existing as I have done below (in bold), and paste them into a notepad.
    Then, I'm told the best practice is to delete the entire existing list first, finally adding the new rules back, along with the addition of rules for your SBS and LOB server (mine in bold) as follows;
    int fas 0/0
    no ip access-group 104 in
    no access-list 104
    access-list 104 remark auto generated by SDM firewall configuration##NO_ACES_24##
    access-list 104 remark SDM_ACL Category=1
    access-list 104 permit tcp any host 4.2.2.3 eq 25 log
    access-list 104 permit tcp any host 4.2.2.3 eq 80 log
    access-list 104 permit tcp any host 4.2.2.3 eq 443 log
    access-list 104 permit tcp any host 4.2.2.3 eq 987 log
    access-list 104 permit tcp any host 4.2.2.3 eq 1723 log
    access-list 104 permit tcp any host 4.2.2.3 eq 3389 log
    access-list 104 permit tcp any host 4.2.2.4 eq 80 log
    access-list 104 permit tcp any host 4.2.2.4 eq 443 log
    access-list 104 permit tcp any host 4.2.2.4 eq 3389 log
    access-list 104 permit udp host 116.170.98.142 eq 5060 any
    access-list 104 permit udp host 116.170.98.143 any eq 5060
    access-list 104 deny   ip 10.1.10.0 0.0.0.3 any
    access-list 104 deny   ip 10.1.1.0 0.0.0.255 any
    access-list 104 deny   ip 192.168.10.0 0.0.0.255 any
    access-list 104 permit udp host 116.170.98.142 eq domain any
    access-list 104 permit udp host 116.170.98.143 eq domain any
    access-list 104 permit icmp any host 4.2.2.2 echo-reply
    access-list 104 permit icmp any host 4.2.2.2 time-exceeded
    access-list 104 permit icmp any host 4.2.2.2 unreachable
    access-list 104 permit udp host 192.168.10.1 eq 5060 any
    access-list 104 permit udp host 192.168.10.1 any eq 5060
    access-list 104 permit udp any any range 16384 32767
    access-list 104 deny   ip 10.0.0.0 0.255.255.255 any
    access-list 104 deny   ip 172.16.0.0 0.15.255.255 any
    access-list 104 deny   ip 192.168.0.0 0.0.255.255 any
    access-list 104 deny   ip 127.0.0.0 0.255.255.255 any
    access-list 104 deny   ip host 255.255.255.255 any
    access-list 104 deny   ip host 0.0.0.0 any
    access-list 104 deny   ip any any log
    int fas 0/0
    ip access-group 104 in
    Lastly, save to memory
    wr mem
    One final note - if you need to use the Microsoft Windows VPN client from a workstation behind the UC540 to connect to a VPN server outside your network, and you were getting Error 721 and/or Error 800...you will need to use the following commands to add to ACL 104;
    (config)#ip access-list extended 104
    (config-ext-nacl)#7 permit gre any any
    I'm hoping there may be a better way of allowing VPN clients on the LAN with a much more specific and limited rule. I will update this post with that info when and if I discover one.
    Thanks to Vijay in Cisco TAC for the guidance.
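
An added example, not part of the original post: IOS evaluates an extended ACL top-down and stops at the first match, so when a list like ACL 104 is deleted and pasted back, an offline check can flag entries that fail to parse and entries that an earlier line already covers. The sample list is constructed (modelled on the ACL above) and the function names are hypothetical.

```python
import ipaddress

FULL = 0xFFFFFFFF
PORT_NAMES = {"domain": 53}  # the only service keyword this sample needs

# Constructed sample modelled on ACL 104; not a capture from a real device.
SAMPLE_ACL = """
access-list 104 remark constructed sample
access-list 104 permit tcp any host 4.2.2.3 eq 1723 log
access-list 104 permit tcp any host 4.2.2.3.35 eq 3389 log
access-list 104 deny   ip 192.168.10.0 0.0.0.255 any
access-list 104 permit udp host 192.168.10.1 eq 5060 any
access-list 104 permit udp any any range 16384 32767
access-list 104 deny   ip 192.168.0.0 0.0.255.255 any
access-list 104 deny   ip any any log
"""

def _addr(tok, i):
    """Parse 'any' | 'host A' | 'A WILDCARD'; return ((addr, wildcard), next index)."""
    if tok[i] == "any":
        return (0, FULL), i + 1
    if tok[i] == "host":
        return (int(ipaddress.IPv4Address(tok[i + 1])), 0), i + 2
    return (int(ipaddress.IPv4Address(tok[i])),
            int(ipaddress.IPv4Address(tok[i + 1]))), i + 2

def _ports(tok, i):
    """Parse an optional 'eq P' or 'range A B'; default is every port."""
    if i < len(tok) and tok[i] == "eq":
        port = PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1])
        return (port, port), i + 2
    if i < len(tok) and tok[i] == "range":
        return (int(tok[i + 1]), int(tok[i + 2])), i + 3
    return (0, 65535), i

def parse_acl(text):
    """Return (rules, malformed_line_numbers) for numbered extended ACL lines."""
    rules, malformed = [], []
    for n, line in enumerate(text.strip().splitlines(), 1):
        tok = line.split()
        if len(tok) < 4 or tok[0] != "access-list" or tok[2] not in ("permit", "deny"):
            continue  # remarks, interface commands, blank lines
        try:
            src, i = _addr(tok, 4)
            sport, i = _ports(tok, i)
            dst, i = _addr(tok, i)
            dport, i = _ports(tok, i)
        except (ValueError, IndexError):  # bad address, bad port, truncated line
            malformed.append(n)
            continue
        rules.append({"line": n, "action": tok[2], "proto": tok[3],
                      "src": src, "sport": sport, "dst": dst, "dport": dport,
                      # extra match keywords such as an ICMP type; 'log' is not one
                      "extra": [t for t in tok[i:] if t != "log"]})
    return rules, malformed

def _net_covers(a, b):
    """True if every address matched by b is also matched by a."""
    (a_addr, a_wild), (b_addr, b_wild) = a, b
    care = ~a_wild & FULL  # bits that a insists on
    return (b_wild & care) == 0 and ((a_addr ^ b_addr) & care) == 0

def covers(a, b):
    """True if rule a matches every packet that rule b would match."""
    if a["proto"] != "ip" and a["proto"] != b["proto"]:
        return False
    if a["extra"] and a["extra"] != b["extra"]:
        return False
    return (_net_covers(a["src"], b["src"]) and _net_covers(a["dst"], b["dst"])
            and a["sport"][0] <= b["sport"][0] and b["sport"][1] <= a["sport"][1]
            and a["dport"][0] <= b["dport"][0] and b["dport"][1] <= a["dport"][1])

def audit(text):
    """Flag unparsable entries and entries fully covered by an earlier entry."""
    rules, malformed = parse_acl(text)
    findings = []
    for j, later in enumerate(rules):
        for earlier in rules[:j]:
            if covers(earlier, later):
                kind = "redundant" if earlier["action"] == later["action"] else "shadowed"
                findings.append((later["line"], earlier["line"], kind))
                break
    return {"malformed": malformed, "findings": findings}

if __name__ == "__main__":
    print(audit(SAMPLE_ACL))
```

Each finding is a tuple of (line, covering earlier line, kind): "shadowed" means the earlier entry has the opposite action, so the later entry can never take effect.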

  • Best practices of BO/BW SSO SAP Authentication transports

    Hi Friends,
    We are going to integrate BW system with BO (SAP authentication). All the queries are built through BICS connections. And we have various reporting tools to implement SSO SAP authentication (Webi,Crystal,Dashboard.Design studio…etc)
    As per the process there are certain activities which have to be performed at BW level
    e.g -- BW Roles creation (PFCG---Crystal role enablement) and assigning to BO users
    Once it is created in BW , we have to do  integration at BO level( in CMC application) by selecting authentication and roles import followed by ……Groups..Users…folder and access level...
    My question here is
    Transports of BW objects for BO SSO (SAP) authentication (such as roles created for Users, Keystore certificate, uploads). Will these objects be transported by BW team or they will be separately downloading or uploading the certificate in different systems (like QAS  ...PROD….)
    And at BO level, once I integrate BO SSO, Do I need to do manual integration in QAS and Production system as well or it can be transported with promotion management of BO tool
    Can this SSO (SAP) authentication be applied to all tools in BI Launchpad (such as Design Studio, Webi, Web application, Crystal, etc.), as all users are required to have SSO to all BO tools?
    Regarding the LUMIRA tool, can we do SSO authentication?
    Please share your thoughts and experience.
    It would be great if I could get a BO administration best practices document for BW BO SSO and Users and Group management in CMC for implementing
    Thanks in advance

    Hi ,
    Please find my answers below:
    1. The roles will be created in BW and should automatically appear in BO CMC Authentication SAP roles, if there is a connectivity setup between BO and BW irrespective of the SSO. The roles are transported by the BW security team.
    2. Every environment will have a unique connection to the corresponding SAP BW environment. For example, SAP BW DEV will be mapped to BO DEV, and SAP BW PROD will be mapped to BO PROD. So these settings cannot be migrated through Promotion Management.
    3. This authentication can be applied to all tools; the SSO does not depend on the tool, it depends on the integration between two systems, which in this case are BO and SAP BW
    As mentioned earlier, after integration all tools can have SSO
    You can refer to a lot of help documents on this site which will help you to setup the integration between SAP BW AND SAP BO.
    Kind Regards,
    Priyanka

  • Cisco ISE with TACACS+ and RADIUS both?

    Hello,
    I am initiating wired authentication on an existing network using Cisco ISE. I have been studying the requirements for this. I know I have to turn on RADIUS on the Cisco switches on the network. The switches on the network are already programmed for TACACS+. Does anybody know if they can both operate on the same network at the same time?
    Bob

    Hello Robert,
    I believe NO, they both won't work together as both TACACS and Radius are different technologies.
    It's just because that TACACS encrypts the whole message and Radius just the password, so I believe it won't work.
    For your reference, I am sharing the link for the difference between TACACS and Radius.
    http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a0080094e99.shtml
    Moreover, Please review the information as well.
    Compare TACACS+ and RADIUS
    These sections compare several features of TACACS+ and RADIUS.
    UDP and TCP
    RADIUS uses UDP while TACACS+ uses TCP. TCP offers several advantages over UDP. TCP offers a connection-oriented transport, while UDP offers best-effort delivery. RADIUS requires additional programmable variables such as re-transmit attempts and time-outs to compensate for best-effort transport, but it lacks the level of built-in support that a TCP transport offers:
    TCP usage provides a separate acknowledgment that a request has been received, within (approximately) a network round-trip time (RTT), regardless of how loaded and slow the backend authentication mechanism (a TCP acknowledgment) might be.
    TCP provides immediate indication of a crashed, or not running, server by a reset (RST). You can determine when a server crashes and returns to service if you use long-lived TCP connections. UDP cannot tell the difference between a server that is down, a slow server, and a non-existent server.
    Using TCP keepalives, server crashes can be detected out-of-band with actual requests. Connections to multiple servers can be maintained simultaneously, and you only need to send messages to the ones that are known to be up and running.
    TCP is more scalable and adapts to growing, as well as congested, networks.
    Packet Encryption
    RADIUS encrypts only the password in the access-request packet, from the client to the server. The remainder of the packet is unencrypted. Other information, such as username, authorized services, and accounting, can be captured by a third party.
    TACACS+ encrypts the entire body of the packet but leaves a standard TACACS+ header. Within the header is a field that indicates whether the body is encrypted or not. For debugging purposes, it is useful to have the body of the packets unencrypted. However, during normal operation, the body of the packet is fully encrypted for more secure communications.
    Authentication and Authorization
    RADIUS combines authentication and authorization. The access-accept packets sent by the RADIUS server to the client contain authorization information. This makes it difficult to decouple authentication and authorization.
    TACACS+ uses the AAA architecture, which separates AAA. This allows separate authentication solutions that can still use TACACS+ for authorization and accounting. For example, with TACACS+, it is possible to use Kerberos authentication and TACACS+ authorization and accounting. After a NAS authenticates on a Kerberos server, it requests authorization information from a TACACS+ server without having to re-authenticate. The NAS informs the TACACS+ server that it has successfully authenticated on a Kerberos server, and the server then provides authorization information.
    During a session, if additional authorization checking is needed, the access server checks with a TACACS+ server to determine if the user is granted permission to use a particular command. This provides greater control over the commands that can be executed on the access server while decoupling from the authentication mechanism.
    Multiprotocol Support
    RADIUS does not support these protocols:
    AppleTalk Remote Access (ARA) protocol
    NetBIOS Frame Protocol Control protocol
    Novell Asynchronous Services Interface (NASI)
    X.25 PAD connection
    TACACS+ offers multiprotocol support.
    Router Management
    RADIUS does not allow users to control which commands can be executed on a router and which cannot. Therefore, RADIUS is not as useful for router management or as flexible for terminal services.
    TACACS+ provides two methods to control the authorization of router commands on a per-user or per-group basis. The first method is to assign privilege levels to commands and have the router verify with the TACACS+ server whether or not the user is authorized at the specified privilege level. The second method is to explicitly specify in the TACACS+ server, on a per-user or per-group basis, the commands that are allowed.
    Interoperability
    Due to various interpretations of the RADIUS Request for Comments (RFCs), compliance with the RADIUS RFCs does not guarantee interoperability. Even though several vendors implement RADIUS clients, this does not mean they are interoperable. Cisco implements most RADIUS attributes and consistently adds more. If customers use only the standard RADIUS attributes in their servers, they can interoperate between several vendors as long as these vendors implement the same attributes. However, many vendors implement extensions that are proprietary attributes. If a customer uses one of these vendor-specific extended attributes, interoperability is not possible.
    Traffic
    Due to the previously cited differences between TACACS+ and RADIUS, the amount of traffic generated between the client and server differs. These examples illustrate the traffic between the client and server for TACACS+ and RADIUS when used for router management with authentication, exec authorization, command authorization (which RADIUS cannot do), exec accounting, and command accounting (which RADIUS cannot do).
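
The packet-protection difference described under "Packet Encryption" above, as an added example (not part of the original post or of the Cisco document it quotes): it builds a RADIUS Access-Request with the User-Password hiding of RFC 2865 and a TACACS+ authentication START with the body obfuscation of RFC 8907, then checks which fields stay readable on the wire. The user name, password, shared secret, authenticator and session id are constructed values, and the function names are hypothetical.

```python
import hashlib
import struct

# Constructed sample values, not taken from any real deployment.
USER = b"netadmin"
PASSWORD = b"Examp1e-Passw0rd"
SECRET = b"constructed-shared-secret"
AUTHENTICATOR = bytes(range(16))   # RADIUS Request Authenticator (random in practice)
SESSION_ID = 0x1A2B3C4D            # TACACS+ session id (random in practice)
TAC_PLUS_UNENCRYPTED_FLAG = 0x01

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def radius_hide_password(password, secret, authenticator):
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous block)."""
    size = max(16, -(-len(password) // 16) * 16)
    padded = password.ljust(size, b"\x00")
    out, prev = b"", authenticator
    for i in range(0, size, 16):
        prev = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += prev
    return out

def radius_access_request(user, password, secret, authenticator, ident=1):
    """Access-Request: User-Name (type 1) in clear, User-Password (type 2) hidden."""
    hidden = radius_hide_password(password, secret, authenticator)
    attrs = bytes([1, len(user) + 2]) + user + bytes([2, len(hidden) + 2]) + hidden
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + authenticator + attrs

def tacacs_pad(session_id, key, version, seq_no, length):
    """RFC 8907 4.5: chained MD5 over session_id, key, version, seq_no."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]

def tacacs_authen_start(user, password, port=b"tty0", rem_addr=b""):
    """Authentication START body: LOGIN action, priv 1, PAP, LOGIN service."""
    fixed = bytes([1, 1, 2, 1, len(user), len(port), len(rem_addr), len(password)])
    return fixed + user + port + rem_addr + password

def tacacs_packet(body, key, session_id, version=0xC1, seq_no=1):
    """12-byte clear header followed by the obfuscated body (flags = 0)."""
    obfuscated = _xor(body, tacacs_pad(session_id, key, version, seq_no, len(body)))
    header = struct.pack("!BBBBII", version, 1, seq_no, 0, session_id, len(obfuscated))
    return header + obfuscated

def tacacs_body(packet, key):
    """Recover the body; the header flag says whether it was obfuscated at all."""
    version, _ptype, seq_no, flags, session_id, length = struct.unpack("!BBBBII", packet[:12])
    body = packet[12:12 + length]
    if flags & TAC_PLUS_UNENCRYPTED_FLAG:
        return body
    return _xor(body, tacacs_pad(session_id, key, version, seq_no, length))

def visible_to_observer():
    """Which cleartext fields can be found by searching the raw packet bytes."""
    radius = radius_access_request(USER, PASSWORD, SECRET, AUTHENTICATOR)
    tacacs = tacacs_packet(tacacs_authen_start(USER, PASSWORD), SECRET, SESSION_ID)
    return {"radius_user": USER in radius, "radius_password": PASSWORD in radius,
            "tacacs_user": USER in tacacs, "tacacs_password": PASSWORD in tacacs}

if __name__ == "__main__":
    print(visible_to_observer())
```

Both schemes derive their protection from MD5 and the shared secret, so the strength of that secret and the network path between device and AAA server matter for either protocol.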

  • Looking for some best practice regarding Content Administrator access

    Hi. I am looking for some best practice or rule of thumb from SAP or from different companies on how they address Portal Content Administrator access in a Production environment. Basically, our company is implementing portal to work with SAP BW. We are on SP 9. Basically, I am trying to determine if we should have 1-2 Portal Content Administrators in Production with 24/7 access or we should limit them from having this. Can you share with me some ideas of what is right and what is not?
    Should we have access in Production? Or should we have this access but limited? By the way, our users are allowed to publish BI reports/queries into Production.

    Hello Michael,
    Refer to this guide about managing initial content in portal.
    https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/00bfbf7c-7aa1-2910-6b9e-94f4b1d320e1
    Regards
    Deb
    [Reward Points for helpful answers]

  • Best Practices - VMware ESX 4.0 in a Cisco Environment?

    Hello,
    I'm presently designing a VMware ESX 4.0 deployment and integrating it with our Cisco environment.  I've found the following document:
    http://www.cisco.com/en/US/docs/solutions/Enterprise/Data_Center/vmware/VMware.html "VMware Infrastructure 3 in a Cisco Network Environment" and I was just wondering if there was a newer document applicable to ESX 4.x or if these best practices still applied?
    I'm particularly interested in proper vlan design for the various port-groups with in ESX and etherchannel configuration between ESX hosts and Cisco switches.
    Thanks,
    Rob

    Well, in that this is a Storage group, I'll answer from a storage networking point of view.
    ESX hosts are no different to any other host,  Just stick with the standard best practice of single initiator zoning and you'll be fine.
    As a slight aside, from an array point of view, I've tended to configure all the pWWN's of the whole cluster into one "host" definition, as this makes LUN mapping easier.
    Steven

  • IPS Tech Tips: IPS Best Practices with Cisco Remote Management Services

    Hi Folks -
    Another IPS Tech Tip coming up and this time we will be hearing from some past and current Cisco Remote Services members on their best practice suggestions. As always these are about 30 minutes of content and then Q&A - a low cost high reward event.
    Hope to see you there.
    -Robert
    Cisco invites you to attend a 30-45 minute Web seminar on IPS Best Practices delivered via WebEx. This event requires registration.
    Topic: Cisco IPS Tech Tips - IPS Best Practices with Cisco Remote Management Services
    Host: Robert Albach
    Date and Time:
    Wednesday, October 10, 2012 10:00 am, Central Daylight Time (Chicago, GMT-05:00)
    To register for the online event
    1. Go to https://cisco.webex.com/ciscosales/onstage/g.php?d=203590900&t=a&EA=ralbach%40cisco.com&ET=28f4bc362d7a05aac60acf105143e2bb&ETR=fdb3148ab8c8762602ea8ded5f2e6300&RT=MiM3&p
    2. Click "Register".
    3. On the registration form, enter your information and then click "Submit".
    Once the host approves your registration, you will receive a confirmation email message with instructions on how to join the event.
    For assistance
    http://www.webex.com
    IMPORTANT NOTICE: This WebEx service includes a feature that allows audio and any documents and other materials exchanged or viewed during the session to be recorded. By joining this session, you automatically consent to such recordings. If you do not consent to the recording, discuss your concerns with the meeting host prior to the start of the recording or do not join the session. Please note that any such recordings may be subject to discovery in the event of litigation. If you wish to be excluded from these invitations then please let me know!

    Hi Marvin, thanks for the quick reply.
    It appears that we don't have Anyconnect Essentials.
    Licensed features for this platform:
    Maximum Physical Interfaces       : Unlimited      perpetual
    Maximum VLANs                     : 100            perpetual
    Inside Hosts                      : Unlimited      perpetual
    Failover                          : Active/Active  perpetual
    VPN-DES                           : Enabled        perpetual
    VPN-3DES-AES                      : Enabled        perpetual
    Security Contexts                 : 2              perpetual
    GTP/GPRS                          : Disabled       perpetual
    AnyConnect Premium Peers          : 2              perpetual
    AnyConnect Essentials             : Disabled       perpetual
    Other VPN Peers                   : 250            perpetual
    Total VPN Peers                   : 250            perpetual
    Shared License                    : Disabled       perpetual
    AnyConnect for Mobile             : Disabled       perpetual
    AnyConnect for Cisco VPN Phone    : Disabled       perpetual
    Advanced Endpoint Assessment      : Disabled       perpetual
    UC Phone Proxy Sessions           : 2              perpetual
    Total UC Proxy Sessions           : 2              perpetual
    Botnet Traffic Filter             : Disabled       perpetual
    Intercompany Media Engine         : Disabled       perpetual
    This platform has an ASA 5510 Security Plus license.
    So then what does this mean for us VPN-wise? Is there any way we can set up multiple VPNs with this license?

  • IP Video conferencing best practice - Tandberg/Cisco hardware

    We are currently experiencing intermittent issues with our video conferencing internal and external network, with intermittent screen fragmentation. We have separate VLANs configured on our internal network for the video traffic only. We use the Movi client with the majority of our remote users. I'm wondering what the best practice is for setting up and supporting a video conference network.

    Have you set up QoS policies for video?
    I have a very good network readiness document you are welcome to, if you want to ping me your email address?
    I can't seem to copy it properly into the tech support app on my iPad, drop me an email to [email protected] and I'll send over the info - should help!
    Sent from Cisco Technical Support iPad App

  • What is the best practice to protect coldfusion administrator login page

    Hi all,
    Can someone suggest what is the best practice to protect the administrator login? At the moment, there is only the normal administrator page password to protect. It seems like not very secure especially when the application is on the internet.
    Regards,
    Bubblegum.

    You can protect the page with file system level privs. Set up a new virtual server that maps to a separate copy of /cfide (and remove /admin and /adminapi from the other cfide folder your internet sites use). Limit what IP addresses can hit /cfide.
    We run multiple instances, so we connect directly to each instance to manage it. And those ports aren't accessible on the internet. To top it off, we have an ISAPI ReWrite rule that sends a 404 if you try /cfide/administrator or adminapi.
    If you're using CF8, you can set it up so it requires a specific username instead of a generic name.

  • How often should the Cisco 6509 and 3750 switches be rebooted? Does Cisco have a best practice recommendation?

    How often should the 6509's and 3750's switches be rebooted?
    Does Cisco have a best practice document on this and recommendation how long the switch should be up before it gets rebooted?
    Why is a reboot needed if there are no indications of issues on the log?

    I'd agree with Larry here.
    If you're not seeing any issues with your IOS revision and there are no relevant PSIRTs (security notices applicable to features and or exposure of your device requiring an IOS upgrade) then you can go a very long time without rebooting, if ever.
    I'm sure it's far from a record, but our corporate distribution router that supports >1000 downstream devices day in and day out has never been rebooted since installation just over 5 years ago. I have a top of rack Layer 2 switch (2900 series running CatOS) that's almost at 10 years.
    That said, you should have some monitoring scheme that assures you everything is healthy. But as long as memory and cpu are happy, the device will run forever.
