Cisco ISE 2.0 Active Directory & Radius

This is a four-part blog series about configuring Cisco ISE 2.0 for WLAN authentication and WLAN guest authentication (split into two parts) on a Cisco Wireless LAN Controller (WLC).
For more guides about configuring (previous versions of) Cisco ISE, see this page. This is part 1: the prerequisites you need in place before you can start configuring any authentication method.
Add ISE to Active Directory domain
Log in to ISE and join it to the Active Directory domain by following these steps:

Cisco ACI Naming convention thoughts

As you might know, Cisco ACI is an object-based product: every object you create has to be given a unique name so it can be identified later. Because you cannot rename objects (it is not implemented yet), it is highly recommended to decide on a good naming convention before you create the first one.
If you really want to rename an object you created earlier, you have to remove it, recreate it under the new name, and link it again to every object it was linked to.
To give you a head start on the naming convention, think about the following objects:

Fabric naming

  • SPINE / LEAF switch naming
  • APIC Naming
  • VLAN-pools
  • Domains
  • Attachable Access Entity Profile
  • Link Level Policy
  • Interface policy group
  • Interface Selector
  • Switch Selector
  • Switch Profile

Creating a naming convention is network specific, but try to take the following tips into consideration:

Cisco ACI & Microsoft Hyper-V & L4 – L7 integration

There are options to integrate L4 – L7 devices, such as firewalls or load balancers (Cisco ASA, F5, Citrix NetScaler, etc.), into Cisco ACI. The integration can be done in managed mode, with a device package, or in unmanaged mode. Both modes are available if you are using Cisco ACI with VMware vCenter integration.
When you are using Cisco ACI with Microsoft Hyper-V, you cannot integrate any L4 – L7 device yet (Q1 2016): the options to integrate these devices are not available if you select an SCVMM domain.
More to come..
My thoughts
Cisco ACI is a great product, which I have already implemented at some customers. I have seen the product grow in the last year from something "not production ready" to a stable product that can be used in production environments. But like all new products, there are still some limitations around that can be a struggle during implementations. The VMware integration into ACI is done and complete; the Hyper-V integration is still pretty new and some features are missing. I am sure the Hyper-V integration will be more complete in the next major ACI release, but at this point in time you need to know about the limitations that are still around.

Cisco Live Berlin 2016 thoughts

Cisco Live Berlin 2016 was held last week, 15 – 19 February 2016. I was one of the 12000 attendees of the event and this blog post is a short review of my Cisco Live trip.
The venue was huge: a lot of big halls with a lot of connecting halls. It is easy to get lost, even easier than it was in Milan last year. But like every year, there are a lot of signs with directions placed all around the venue, and a lot of Cisco people (this year in orange sweaters) are located on almost every corner to show you the way.

Cisco ACI interesting multi site notes

At Cisco Live Europe 2016 I heard a few interesting things about Cisco ACI. Below are a few notes about what I heard (non-NDA):

  • Stretched fabric design: 3-site deployment is coming in Q2 2016. Sites are connected in a triangle
  • Multi-pod deployment is coming in Q3 2016
  • Multi-pod config is not managed by APIC and is configured manually
  • Multi-pod uses 40 or 100 Gb/s links
  • Multi-pod requires a higher MTU if a service provider carries the inter-pod traffic, to fit the 50-byte VXLAN headers
  • OSPF peering with the service provider is required
  • If you are using DWDM or dark fiber WAN connections, the maximum RTT can be 10 msec
  • QoS at the service provider to prioritize APIC cluster communication

Cisco ACI Initial APIC configuration

There are a lot of blog posts around about the Cisco ACI technology and design tips and tricks. If you want to know more about ACI, please read the Cisco ACI Fundamentals.
This post describes the first steps to install and configure an ACI fabric. Our example design looks like this:
ACI network layout
Our network exists in only one datacenter, with two spine switches, two leaf switches and two APIC controllers. The spine and leaf switches are connected with 40 Gb/s links; the APIC controllers are multihomed with 1 Gb/s links.

Configure your multicast WAN for OTV

It is easy to find design and configuration guides about OTV implementations on Nexus 7000 switches and ASR and CSR routers. But it is much harder to find information about the requirements for your WAN.
Please read my previous blog posts about OTV here, here, here and here; I cover the OTV device configurations in those posts. For now, let's start with the DCI WAN for OTV.
First of all, there are two OTV deployment options:

  • Unicast mode
  • Multicast mode

The WAN requirement in unicast mode is simple: deliver unicast connectivity between the join interfaces of all OTV edge devices. This is a straightforward configuration and I will not cover it in this blog post.
The multicast deployment is a bit harder to configure, and its requirements are harder to find. This blog post covers the required WAN configuration for a multicast deployment. In this particular scenario we use dark fiber / DWDM connections as the DCI, to get a clearer understanding of the requirements and configuration.
First, a drawing to get a view on this deployment scenario:

OTV WAN multicast layout

This blog will show you the easiest way to get your OTV multicast deployment up and running. There are more fine-tuning options available, but they will not be covered in this blog.

Cisco Live Milan 2015

Planning to visit Cisco Live Berlin 2016? Click here


That's my first word if someone asks me about my trip to Cisco Live Milan 2015 last week. It was my first Cisco Live ever and I really should have been there years and years ago! All those great sessions, a lot of awesome people to have great conversations with, meeting a lot of people you know from the community… Cisco Live is the place to be for every Cisco engineer / consultant.
This edition of Cisco Live Europe was in MiCo, Milano. I was really impressed by the size of the event: a lot of people recommend bringing your best walking shoes and I can only confirm this. There are 30 minutes between sessions and if you are unlucky, you really need those 30 minutes to find, walk to and locate the room of your next session. Another very good impression was the number of attendees and everything Cisco is doing to make the event as comfortable as possible for everyone. You will find Cisco employees on every floor, on every corner, to help you with all your questions: where is room x? At what time is lunch? Where is lunch?

Cisco WSA Authentication

In this and other posts we’ll discuss the Cisco Web Security Appliance. This is the blog agenda:
Part 1: Introduction
Part 2: Installing
Part 3: Deploying Proxy Services
Part 4: Policies
Part 5: Acceptable use & HTTPS Inspection
Part 6: Authentication
Part 7: Defending malware
This is the 6th part of the series.
A proxy is no real proxy without user authentication, and that is what I am going to discuss in this post. Authentication is needed for logging and user tracking: without it, access logs and policies can only be tied to a client IP address, not to a user.
Authentication options:

  • Basic (local accounts). Note that Basic sends the credentials base64-encoded, which is effectively cleartext, so only use it where the path between client and WSA is trusted.
  • NTLMSSP (for Microsoft Active Directory)

In explicit forwarding mode you can use standard proxy authentication: the browser knows it is talking to a proxy and answers the proxy's authentication challenge. In transparent mode the browser does not know a proxy is in the path, so the WSA has to redirect the client to itself (the redirect hostname configured on the WSA) to perform the authentication.
In case all authentication services are unavailable, you can choose to permit or block all traffic. You can find this setting under Network > Authentication, click Edit Global Settings. Permitting (fail open) keeps users working, but lets traffic through unauthenticated and without a user identity in the logs; blocking (fail closed) is the safer choice if your policies depend on knowing who the user is.

Cisco WSA Acceptable Use and HTTPS inspection

In this and other posts we’ll discuss the Cisco Web Security Appliance. This is the blog agenda:
Part 1: Introduction
Part 2: Installing
Part 3: Deploying Proxy Services
Part 4: Policies
Part 5: Acceptable use & HTTPS Inspection
Part 6: Authentication
Part 7: Defending malware
This is the 5th part of the series
How can you enforce the Acceptable use?
Acceptable use is mostly enforced by Application Visibility and Control (AVC). Websites are classified by a URL lookup in the Cisco database, based on the URL itself, or by a dynamic scan of the website.
To configure this, click Security Services > Acceptable Use Controls
AVC is enabled by default.
HTTPS Inspection (HTTPS Proxy)
It is getting more important to decrypt HTTPS sessions to check them against your policies: you can receive a lot of nasty stuff inside an HTTPS session. But there is one major drawback: the WSA presents the user with a certificate it has generated itself, signed by the WSA root certificate. Unless that root certificate is installed in the trust stores of your clients, the users receive certificate errors on every inspected HTTPS site. Make sure your users are familiar with your HTTPS inspection, and distribute the WSA root certificate to your clients before you enable it!
How does it work? It is pretty simple: the WSA terminates the user's HTTPS session, creates its own HTTPS session to the web server, and presents the user a certificate for that site which it generates and signs on the fly. The responses from the web server are checked and scanned and delivered to the user over the new HTTPS session.
