Cisco Tools Link

I regularly share useful links with customers and colleagues and often find that this page is a great starting point to explore some of the web tools Cisco has available.

Some of these tools include the Cisco Power Calculator, Cisco Feature Navigator, Cisco IOS to NX-OS configuration converter, and many others. Give it a click and explore some tools you likely didn’t even know existed.

SSL Host Headers in IIS 7.x

In order to leverage host header capabilities with SSL enabled sites you need to use a command line tool as the IIS GUI management tool does not allow you to bind multiple SSL sites to the same IP.

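The ‘appcmd’ executable is in the following path: %windir%\system32\inetsrv

The syntax is as follows, where bindingInformation takes the form IP:port:host header (www.example.com is a placeholder host header):

appcmd set site /site.name:"Site Name" /+bindings.[protocol='https',bindingInformation='*:443:www.example.com']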

macOS Sierra SSH Client

If you’ve upgraded to macOS Sierra you may have seen the following error message when attempting to use the built-in SSH client to connect to certain SSH servers:

Mac:~ user$ ssh admin@
Unable to negotiate with port 22: no matching host key type found. Their offer: ssh-rsa

This issue is caused by a change introduced by the version of OpenSSH (version 7.2) that is included with macOS Sierra. In OpenSSH version 7.x certain older security algorithms are disabled by default, which generates the error message above. The fix is to either update the SSH server settings or simply change the configuration on your computer to allow the less secure algorithms by editing /etc/ssh/ssh_config and adding the following two lines to the end:

HostkeyAlgorithms +ssh-dss
KexAlgorithms +diffie-hellman-group1-sha1

Thanks to for a quick write up on this!

After you save this file all should be well. I would recommend you research how to correct the underlying configuration of the SSH server as more security is usually a good thing 🙂
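Appending those two lines to /etc/ssh/ssh_config re-enables the legacy algorithms for every server the client connects to, while placing them under a Host block limits them to the one device that needs them. The script below is an added example, not part of the original post: it reports the scope in which a config file re-enables these algorithms, using two constructed sample files and a hypothetical host alias "legacy-switch".

```shell
#!/bin/sh
# Added example: list where an ssh_config file re-enables legacy algorithms.
# Output per finding: scope<TAB>keyword<TAB>value. Scope GLOBAL means the
# setting applies to every host (before any Host line, or under "Host *").
# Assumes the whitespace-separated "Keyword value" form.
audit_ssh_config() {
    awk '
        BEGIN { scope = "GLOBAL" }
        /^[ \t]*#/ || NF == 0 { next }
        {
            key = tolower($1)
            if (key == "host" || key == "match") {
                scope = $0
                sub(/^[ \t]*[^ \t]+[ \t]+/, "", scope)
                sub(/[ \t]+$/, "", scope)
                if (key == "host" && scope == "*") scope = "GLOBAL"
                next
            }
            if ((key == "hostkeyalgorithms" || key == "kexalgorithms") &&
                $2 !~ /^-/ && $2 ~ /ssh-dss|diffie-hellman-group1-sha1/)
                printf "%s\t%s\t%s\n", scope, $1, $2
        }
    ' "$1"
}

count_global_findings() {
    audit_ssh_config "$1" | awk -F '\t' '$1 == "GLOBAL" { n++ } END { print n + 0 }'
}

# Constructed sample: the two lines appended to the end of a global config.
write_global_sample() {
    printf '%s\n' 'Host *' '    SendEnv LANG LC_*' \
        'HostkeyAlgorithms +ssh-dss' \
        'KexAlgorithms +diffie-hellman-group1-sha1' > "$1"
}

# Constructed sample: the same lines scoped to one hypothetical legacy device.
write_scoped_sample() {
    printf '%s\n' 'Host legacy-switch' \
        '    HostKeyAlgorithms +ssh-dss' \
        '    KexAlgorithms +diffie-hellman-group1-sha1' > "$1"
}

# Demo on the constructed samples.
tmpdir=$(mktemp -d)
write_global_sample "$tmpdir/global"
write_scoped_sample "$tmpdir/scoped"
audit_ssh_config "$tmpdir/global"
audit_ssh_config "$tmpdir/scoped"
rm -rf "$tmpdir"
```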

Communications Manager 11.5 Deprecated Phones

With the release of Cisco Unified Communications Manager (CallManager) version 11.5 support was removed for some of the oldest IP phone models. Support was removed for these phones as they do not support the latest security features that Cisco is working to standardize.

The following models are prevented from registering in version 11.5:

  • Cisco IP Phone 12 S
  • Cisco IP Phone 12 SP
  • Cisco IP Phone 12 SP+
  • Cisco IP Phone 30 SP+
  • Cisco IP Phone 30 VIP
  • Cisco Unified IP Phone 7902G
  • Cisco Unified IP Phone 7905G
  • Cisco Unified IP Phone 7910
  • Cisco Unified IP Phone 7910G
  • Cisco Unified IP Phone 7910+SW
  • Cisco Unified IP Phone 7910G+SW
  • Cisco Unified IP Phone 7912G
  • Cisco Unified Wireless IP Phone 7920
  • Cisco Unified IP Conference Station 7935

For more background on this check out the following Cisco Field Notice

Cisco Cloud Web Security


Cisco acquired a company named ScanSafe in 2009 to provide cloud based web proxy services and this service was renamed to Cisco Cloud Web Security (CWS). Cloud Web Security offers an alternative to on premise proxy services by hosting proxy services in data centers around the world. There is a single management portal where an administrator can create policies and run reports. Once a policy is created it is available across all the proxy servers around the world which greatly decreases the burden of creating consistent policies.

There are a variety of ways to leverage CWS including:

  • Cisco AnyConnect
  • Connectors for Cisco ISR G2 routers (1900, 2900, and 3900 series)
  • Connectors for Cisco ISR 4000 routers (4300, 4400 series)
  • Connector for Cisco ASA firewalls
  • Integration with the on premise Web Security Appliance (WSA)
  • Direct integration via client proxy configuration (point your operating system to the CWS proxy)

The connectors for the routers and firewalls offer transparent redirection which makes deployment very straightforward. The integration with AnyConnect provides a very simple solution for securing internet access for users when they are outside of the corporate network without requiring all internet traffic to be backhauled.

More information on the service can be found here and information on the current proxy locations is available here

Wireshark Geolocation


Wireshark is the de facto packet analysis tool and it comes with a wealth of options beyond what is included in a default installation. One option I discovered recently was to leverage the free version of the MaxMind geolocation database to enhance the visibility of packet data within Wireshark to include BGP AS assignment information, cities, and countries. This allows you to create filters based on this geolocation data, which can be incredibly useful to quickly include or exclude interesting traffic based upon country of origin, for example.

The complete setup guide can be found here.

Network Traffic Generator

In the course of operating a network there are countless times when it’s incredibly useful to be able to generate very specific types of network traffic. Some examples I’ve personally encountered are:

  • QoS troubleshooting (the ability to generate DSCP or CoS tagged packets)
  • Reproducing specific traffic for troubleshooting purposes
  • Validating access lists and security policies
  • Testing how applications respond to unique traffic

A fantastic tool to accomplish these tasks, amongst many others, is Ostinato. Ostinato is cross-platform with API support so you can integrate it with existing tools and processes. In addition to browsing the web site I would highly recommend listening to the Packet Pushers Priority Queue episode 52. In this episode host Ethan Banks talks to one of the creators of Ostinato, who provides a great overview of the tool as well as how to put it to use.

Everything as a Service

Here’s a way I came up with to think about the differences between the different “as a service” offerings.

IaaS (Infrastructure as a Service) is like renting a kitchen full of ingredients and utensils

PaaS (Platform as a Service) is like buying an undecorated cake…you can do whatever you want with it, but you start with cake, it can’t become meatloaf or pancakes or anything else you could normally make in a kitchen

SaaS (Software as a Service) is like catering…you get the cake you want with some customizations delivered to you

IaaS is the most flexible and requires the most work

PaaS is in the middle between flexibility and effort

SaaS is the most rigid and requires the least effort

Windows Standalone FTP Server

There are times when it’s incredibly convenient to be able to stand up an FTP server without the need to actually install anything or reboot. I came across Xlight FTP for Windows and was pleasantly surprised to find that it didn’t require any installation and worked well with very little setup or configuration required. You basically double click the application and bind the FTP service to an IP address and TCP port and then you add a user account and assign directory permissions. Once done you click the “play” button and the server should start up.

Here’s a link to their page:

They offer 32-bit and 64-bit versions as well as a “traditional” installer based version.