Cisco Champion 2018

The Cisco Champions for 2018 are announced and I am proud an very honoured to be selected as a Cisco Champion for the 5th year in a row!
For more information about the Cisco Champion program, click here.
As another bonus this year, my colleague Rob Heygele is selected as Cisco Champion for the 4th year in a row! Congrats to him and offcourse to all other fellow Champions of 2018! See you soon at Cisco Live Barcelona and/or online!
 

Cisco ACI interesting multi site notes

At Cisco Live Europe 2016, I’ve heard a few interesting things about Cisco ACI. Down here, a few notes about the things I’ve heard (Non-nda):

  • Stretched fabric design: 3 site deployment is coming in Q2 2016. Sites are connected in a triangle
  • Multi-pod deployment is coming in Q3 2016
  • Multipod config is not managed by APIC and configured manually
  • Multipod uses 40 or 100Gb/s links
  • Multipod requires a higher MTU if using a service provider to handle VXLAN headers of 50 bytes
  • OSPF peering with service provider required
  • If you’re using DWDM or dark fiber WAN connections, the maximum RTT can be 10 msec
  • QoS at service provider to prioritize APIC cluster communication

SSH tunnel with PuTTY

Imagine, you can SSH to a host / server and use this SSH server as a proxy to access any local webserver (or anything else) on the local network of the SSH server… This is easily possible with PuTTY (awesome SSH client!).
As a demo, lets say we have the following topology:
PuttySSHTunnel
We would like to manage the local firewall (192.168.1.254) from a pc on the internet. We assume   that we can SSH into the SSH server.
Read more

Cisco WSA Authentication

In this and other posts we’ll discuss the Cisco Web Security Appliance. This is the blog agenda:
Part 1: Introduction
Part 2: Installing
Part 3: Deploying Proxy Services
Part 4: Policies
Part 5: Acceptable use & HTTPS Inspection
Part 6: Authentication
Part 7: Defending malware
This is the 6th part of the series.
A proxy is no real proxy without user authentication. That’s what I’m going to discuss in this post. Authentication is needed for logging and user tracking.
Authentication options:

  • Basic (local accounts)
  • NTLMSSP (for Microsoft Active Directory)

In explicit forwarding mode you can use straightforward proxy authentication. In transparant mode you have to fool the WSA.
In case all authentication services are unavailable, you can choose to permit or block all traffic. You can find this setting in Network > Authentication, click Edit Global Settings.
Read more

Cisco Champion 2015 Datacenter

Today is a big day in Cisco social networks: the Cisco Champions for 2015 are selected and I’m proud, honored and excited to announce that I’m elected as a Cisco Champion 2015 for datacenter 2015.
As you might now, I was a Cisco Champion too in 2014, that was the first year the program existed. The second year started today!
For more information about the Cisco Champion program, click here.
As another bonus this year, my colleague Rob Heygele is selected as Cisco Champion in Enterprise networks! Congrats to him and offcourse to all other fellow Champions of 2015!

Installing Cisco WSA

In this and other posts we’ll discuss the Cisco Web Security Appliance. This is the blog agenda:
Part 1: Introduction
Part 2: Installing
Part 3: Deploying Proxy Services
Part 4: Policies
Part 5: Acceptable use & HTTPS Inspection
Part 6: Authentication
Part 7: Defending malware
This is the 2nd post in the series.
Installation of the (virtual) WSA is straight forward. I’ll cover the most important and critical steps in a basic installation.
Hardware appliance
A hardware appliances has 5 interfaces, connect the required interface to your network:

  • T1 + T2 (used for L4TM only)
  • P1 + P2  (used for web proxy)
  • M1 (management or web proxy)

Virtual appliance
The virtual appliance is downloadable as a OVF file. Import the OVF file into you VMWare servers with the specifications as described in the previous blog post.
Configuration
Your first basic installation starts with connecting to the M1 port and browse to: http://192.168.42.42:8080 and login with these default credentials:

  • username: admin
  • password: ironport

You can also connect with SSH with the same login credentials. Start the interface config with the interfaceonfig command:

  • Run edit command
  • enter number 1
  • Enter IP address, netmaks and hostname.

Run  Setgateway
Select the M1 interface and enter the IP of the default gateway.
Don’t forget to commit the changes with the commit command. This is only needed for CLI configuration.
And the WSA appliance is up and running!
installation done
Read more

OTV FHRP filtering on a ASR router

We configured a OTV DCI in my previous post and it was working as expected and by design. But during testing of all the VLANs I discovered a problem with HSRP over OTV, but only for 1 specific VLAN. The test results:

  • A ping from a host in DC1 in VLAN 10 to the HSRP address gives random drops
  • A ping from a host in DC1 in any VLAN to the HSRP address pings without any problems
  • Shutdown the SVI of VLAN 10 in DC2, A ping from a host in DC1 in VLAN 10 to the HSRP address without any problems
  • VLAN 10 is still disabled in DC2, but a host can ping the HSRP address from DC2 to DC1. This should be impossible because of the FHRP filtering
  • Changing the standby group number (they are the same in DC1 and DC2 to keep the same MAC address) partially solved the problem, but some hosts in DC1 got the HSRP MAC of DC2 in the ARP table. This is not what we want.
  • Moving the SVI from a 6500 switch to a 3750 switch in DC1, none of the above problems

I still have no idea why this problem only exists for VLAN 10, all other VLANs work as expected but I’ve found a good workaround for this in the configuration guide:
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/wan/command/wan-cr-book/wan-m1.html#wp3953249580
Read more

1 2