Cisco WSA Defending Malware

In this and other posts we’ll discuss the Cisco Web Security Appliance. This is the blog agenda:
Part 1: Introduction
Part 2: Installing
Part 3: Deploying Proxy Services
Part 4: Policies
Part 5: Acceptable use & HTTPS Inspection
Part 6: Authentication
Part 7: Defending malware
This is the last post in the series.
Malware... we all know that we don’t want it. But how do we block it?
All websites have a web-based reputation score (WBRS). This is a number between -10 and +10. You can define which ranges are used for which action. For example: -10 to -5 drop, -4 to +5 scan, +6 to +10 do not scan. The WSA regularly receives updates with new reputations.
Note: these features are licensed!

LISP Mobility with OTV

In previous posts we talked about implementing OTV with ASR routers. OTV is an overlay network that provides end-to-end layer 2 connections over a layer 3 (WAN) network. In most implementations, FHRP (First Hop Redundancy Protocol, like HSRP/VRRP) filtering is needed. These filters are needed to keep routing in the same datacenter where the traffic originates.
Let’s take another look at the high level design:
OTV Network layout
When FHRP filtering is active, the Virtual IP (i.e. the default gateway for clients) is active in both datacenters. This means that a packet flow from a server in DC1 is routed on the core switch/router in DC1. If you move (vMotion/live migrate) that server to DC2, the packet flow is routed on the switch/router in DC2.
If you think this through, the outgoing traffic flows of the datacenter are efficient: routing is done on the nearest router. But… incoming traffic from branch offices is still not efficient: the WAN network does not know where the VM is hosted, so the packets are routed by the normal routing protocols. This can result in inefficient routing: if the IP range is routed to DC1 on the WAN and the VM is hosted in DC2, the Datacenter Interconnect (OTV) will be used to get the packets to the VM.
This is where LISP mobility comes in.

OTV FHRP filtering on an ASR router

We configured an OTV DCI in my previous post and it was working as expected and by design. But during testing of all the VLANs I discovered a problem with HSRP over OTV, but only for 1 specific VLAN. The test results:

  • A ping from a host in DC1 in VLAN 10 to the HSRP address gives random drops
  • A ping from a host in DC1 in any VLAN to the HSRP address pings without any problems
  • After shutting down the SVI of VLAN 10 in DC2, a ping from a host in DC1 in VLAN 10 to the HSRP address works without any problems
  • VLAN 10 is still disabled in DC2, but a host can ping the HSRP address from DC2 to DC1. This should be impossible because of the FHRP filtering
  • Changing the standby group number (they are the same in DC1 and DC2 to keep the same MAC address) partially solved the problem, but some hosts in DC1 got the HSRP MAC of DC2 in the ARP table. This is not what we want.
  • After moving the SVI from a 6500 switch to a 3750 switch in DC1, none of the above problems occur

I still have no idea why this problem only exists for VLAN 10; all other VLANs work as expected. But I’ve found a good workaround for this in the configuration guide:
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/wan/command/wan-cr-book/wan-m1.html#wp3953249580

Configuring OTV on a Cisco ASR

During a project I’ve been working on, we needed to configure OTV on a Cisco ASR. I wrote a blog post about configuring OTV on a Nexus 7000 before (click here), but the configuration on a Cisco ASR router is a bit different. The technologies used and the basic configuration steps are the same, but the syntax is different for a few configuration steps.
Unfortunately, the documentation is not as good as for the Nexus 7000. I’ve found one good configuration guide (here), but this guide doesn’t cover everything. So, it’s a good reason to write a blog post about the basic OTV configuration on a Cisco ASR router.
For more information about OTV, check this website.
First, the network layout for this OTV network.
OTV Network layout
 
As you can see in the diagram, the ASR routers are connected back-to-back. There is no guideline for how to connect these routers, as long as there is IP connectivity between them with multicast capabilities and an MTU of at least 1542 bytes.

Cisco 3850 LAN Base license slow throughput

I was working on an installation and configuration of a C3850 switch with a LAN Base license.
What’s in a name with the LAN Base license… As we all know from previous licenses (like the 3750-X licenses), there is no routing available, but… there is basic routing functionality available in the LAN Base license for C3850 switches!
There are some limitations for routing with LAN base license though:

  • Maximum of 15 static routes
  • No routing protocols, only static routing

During the test phase of our implementation, we encountered performance issues:

  • File transfers inside VLANs: no issues
  • Inter-VLAN file transfers: slow throughput with a maximum of ~10Mb/s


Cisco Champions

I wrote a blog about Cisco Champion nominations a few weeks ago: this post. Today, November 15th, the first Cisco Champions are selected and I’m very honored and proud to let you know that I’m invited to the program!
I’ll keep you informed about the program and of course I’ll keep blogging about the technologies and products I work with. This is all to share the needed knowledge with everyone who needs it.
I want to thank everyone who nominated me for the program!

Cisco Champion nominations

Cisco started the Cisco Champion program for people who are passionate about (Cisco) Datacenter technologies and love to share their knowledge with the rest of the world by blogging, twittering and other social media.
The nominations are open until Oct 31st and it’s possible to nominate me and all the other great bloggers we all check out regularly.
How to nominate?
Send your nomination to cisco_champions@external.cisco.com and make sure the text “Data Center” is in the message body.
All nominations are appreciated!
More information about the Cisco Champion program can be found here:
http://www.cisco.com/web/about/facts_info/champions.html
http://blogs.cisco.com/datacenter/all-new-cisco-champions-for-data-center-nominations-now-open/
 

Cisco ISE Part 10: Profiling and posture

This is a Cisco ISE blog post series with some how-tos for configuring the ISE deployment. This blog post series consists of 10 parts.
The blogpost Agenda:
Part 1: introduction
Part 2: installation
Part 3: Active Directory
Part 4: High Availability
Part 5: Configuring wired network devices
Part 6: Policy enforcement and MAB
Part 7: Configuring wireless network devices
Part 8: Inline posture and VPN
Part 9: Guest and web authentication
Part 10: Profiling and posture
This week, the last post in the Cisco ISE blog post series: Profiling and posture. Both features require the Cisco ISE advanced license.
Profiler is a functionality for discovering, locating and determining the capabilities of the attached endpoints. It will detect the network type and will authorize it.
A sensor in the network captures network packets by querying the NADs and forwards the attributes to the analyzer. The analyzer checks the attributes using policies and identity groups. The result is stored in the ISE database with the corresponding device profile. The MAC address of the device will be linked to an existing endpoint identity group.
There are 9 available probes:

  • Netflow
  • DHCP
  • DHCP SPAN
  • HTTP
  • RADIUS
  • NMAP
  • DNS
  • SNMPQUERY
  • SNMPTRAP

Profiling uses CoA (change of authorization). There are 3 options:

  • No CoA: CoA is disabled
  • Port bounce: use this only if there is a single session on a switchport
  • Reauth: enforce reauthentication of a currently authenticated endpoint when it’s profiled

ISE creates three identity groups by default and two identity groups that are specific for Cisco IP phones. Creation of extra groups is optional.
An endpoint profiling policy contains a simple condition or a set of conditions (compound).
Configuring
Probe configuration
First, make sure the ISE appliance can reach the switches via SNMP (SNMPv2 or 3) with a read-only community string. Also, configure an SNMP trap destination pointing to the Cisco ISE policy node.

Switch(config)# snmp-server host 172.20.12.5 version 3 priv ISE
Switch(config)# snmp-server enable traps snmp linkdown linkup
Switch(config)# snmp-server enable traps mac-notification change move
On all interfaces:
Switch(config-if)# snmp trap mac-notification change added

For DHCP probing, configure an additional IP helper on the SVI to the policy node:

Switch(config-if)# ip helper-address 172.20.12.5

Cisco ISE configuration
Click Administration – System – Settings, click Profiling and configure the CoA.

Cisco ISE Part 9: Guest and web authentication

This is a Cisco ISE blog post series with some how-tos for configuring the ISE deployment. This blog post series consists of 10 parts.
The blogpost Agenda:
Part 1: introduction
Part 2: installation
Part 3: Active Directory
Part 4: High Availability
Part 5: Configuring wired network devices
Part 6: Policy enforcement and MAB
Part 7: Configuring wireless network devices
Part 8: Inline posture and VPN
Part 9: Guest and web authentication
Part 10: Profiling and posture
This week, part 9: Guest and web authentication
Web authentication can be used for guest access. It can also be used as a last resort for authenticating normal users if the 802.1x supplicant is not working. Access to this portal can be provided through a remediation VLAN with limited access to resources. The portal uses HTTP and HTTPS. Because of the limited access, the NAD (or WLC) will intercept the HTTP request and redirect it to the web portal.
There are two portals: the Guest user portal is the portal guests use for logging in. The Sponsor portal is the portal used by company employees for creating and managing guest accounts. The options available to guest users in the guest portal are customizable.
To manage the RADIUS requests, the portal is installed on all required policy nodes. The configuration of the portal (and users) is replicated to all nodes. So, there is a central deployment.
You can configure multiple authorization sources in one rule. So, you can use one SSID for all uses: internal production use, BYOD, Guest, etc. This is a nice feature of Cisco ISE.
Configuration
Click Administration – Guest management – Settings, click the arrow and click Multi-portal configurations.
Edit the DefaultGuestPortal to your needs:

  • Password policies
  • Need of posture client
  • Self service
  • Device registration
  • DHCP settings
  • Policies
  • etc


Cisco ISE Part 8: Inline posture and VPN

This is a Cisco ISE blog post series with some how-tos for configuring the ISE deployment. This blog post series consists of 10 parts.
The blogpost Agenda:
Part 1: introduction
Part 2: installation
Part 3: Active Directory
Part 4: High Availability
Part 5: Configuring wired network devices
Part 6: Policy enforcement and MAB
Part 7: Configuring wireless network devices
Part 8: Inline posture and VPN
Part 9: Guest and web authentication
Part 10: Profiling and posture
This week, part 8: Inline posture and VPN
The fourth ISE node role is inline posture. This appliance can be placed in your network for devices which don’t support CoA (Change of Authorization). Cisco ASA doesn’t support CoA yet (but support will come in the near future). This role is hardware appliance only; the VM is not supported.
This node is a gatekeeper that can enforce policies and handles CoA. After initial authentication of a client, the client still must go through posture assessment.
There are 3 possible modes:

  • Router mode: This is a L3 hop in your network. This node is default gateway for clients. Only static routes are available!
  • Bridge mode: is transparent in your network
  • Maintenance mode: takes the node offline, traffic should be uninterrupted, this is the default mode
