Cisco ISE 2.0 – Employee Authentication Based on 802.1x (User auth)

This is a 4-part blog series about configuring Cisco ISE 2.0 for WLAN authentication and WLAN Guest authentication (split into two parts) on a Cisco Wireless LAN Controller (WLC).
For more guides about configuring (previous) Cisco ISE, see this page. This is part 2, creating authentication and authorization policies.
Create authentication policy

  1. Navigate to Policy, Authentication
  2. Edit the Wired_802.1X rule to also include Wireless_802.1X, and select the “ehlo.lan” domain as the identity store.

Cisco ISE 2.0 Active Directory & Radius

This is a 4-part blog series about configuring Cisco ISE 2.0 for WLAN authentication and WLAN Guest authentication (split into two parts) on a Cisco Wireless LAN Controller (WLC).
For more guides about configuring (previous) Cisco ISE, see this page. This is part 1, the prerequisites before you can start configuring any authentication method.
Add ISE to Active Directory domain
Log in to ISE and add it to the Active Directory domain by following these steps:

Cisco ACI Naming convention thoughts

As you might know, Cisco ACI is an object-based product. Every object you create has to be given a unique name so it can be identified later. Because objects cannot be renamed (this is not implemented yet), it is highly recommended to think of a good naming convention before you create the first one.
If you really want to rename an object you created earlier, you have to remove and recreate it and link it again to all other linked objects.
To give you a head start on the naming convention, you have to think about the following objects:

Fabric naming

  • SPINE / LEAF switch naming
  • APIC Naming
  • VLAN-pools
  • Domains
  • Attachable Access Entity Profile
  • Link Level Policy
  • Interface policy group
  • Interface Selector
  • Switch Selector
  • Switch Profile

A naming convention is network specific, but try to take the following tips into consideration:

Cisco ACI & Microsoft Hyper-V & L4 – L7 integration

There are options to integrate L4 – L7 devices, like firewalls or load balancers (Cisco ASA, F5, Citrix NetScaler, etc.), into Cisco ACI. These integrations can be done in managed mode, with a device package, or in unmanaged mode. Both modes are available if you are using Cisco ACI with VMware vCenter integration.
When you are using Cisco ACI with Microsoft Hyper-V, you cannot integrate any L4 – L7 device yet (Q1 2016). The options to integrate these devices are not available if you select an SCVMM domain.
More to come…
My thought
Cisco ACI is a great product, which I’ve implemented at some customers already. I’ve seen the product grow in the last year from something “not production ready” to a stable product which can be used in production environments. But like all new products, there are still some limitations around which can be a struggle during implementations. The VMware integration into ACI is done and complete; the Hyper-V implementation is still pretty new and some features are missing. I’m sure that the Hyper-V implementation will be more complete in the next major ACI release, but at this point in time you need to know about the limitations which are still around.

Cisco Live Berlin 2016 thoughts

Cisco Live Berlin 2016 was held last week, 15 – 19 February 2016. I was one of the 12000 attendees of the event and this blog post is a short review about my Cisco Live trip.
Venue
The venue was huge. There are a lot of huge halls with a lot of connecting halls. It’s easy to get lost, even easier than it was in Milan last year. But like every year, there are a lot of signs with directions placed all around the venue, and a lot of Cisco people (this year in orange sweaters) are located on almost every corner to show you the direction.

Cisco ACI interesting multi site notes

At Cisco Live Europe 2016, I heard a few interesting things about Cisco ACI. Below are a few notes about the things I heard (non-NDA):

  • Stretched fabric design: 3 site deployment is coming in Q2 2016. Sites are connected in a triangle
  • Multi-pod deployment is coming in Q3 2016
  • Multipod config is not managed by APIC and configured manually
  • Multipod uses 40 or 100Gb/s links
  • Multipod requires a higher MTU if using a service provider to handle VXLAN headers of 50 bytes
  • OSPF peering with service provider required
  • If you’re using DWDM or dark fiber WAN connections, the maximum RTT can be 10 msec
  • QoS at service provider to prioritize APIC cluster communication

Cisco ACI Initial APIC configuration

There are a lot of blog posts around about the Cisco ACI technology and design tips and tricks. If you want to know more about ACI, please read the Cisco ACI Fundamentals.
This post describes the first steps to create and install an ACI fabric. Our example design will look like this:
ACI network layout
Our network will exist in only one datacenter with two spine switches, two leaf switches and two APIC controllers. The spine and leaf switches are connected with 40Gb/s links; the APIC controllers are multihomed with 1Gb/s links.

SSH tunnel with PuTTY

Imagine you can SSH to a host or server and use that SSH server as a proxy to access any local webserver (or anything else) on the local network of the SSH server. This is easily possible with PuTTY (awesome SSH client!).
As a demo, let’s say we have the following topology:
We would like to manage the local firewall (192.168.1.254) from a PC on the internet. We assume that we can SSH into the SSH server.