Cisco Champion 2015 Datacenter

Today is a big day in Cisco social networks: the Cisco Champions for 2015 have been selected, and I’m proud, honored and excited to announce that I have been elected as a Cisco Champion 2015 for Datacenter.
As you might know, I was a Cisco Champion in 2014 too, the first year the program existed. The second year started today!
For more information about the Cisco Champion program, click here.
As another bonus this year, my colleague Rob Heygele has been selected as a Cisco Champion in Enterprise Networks! Congrats to him and of course to all other fellow Champions of 2015!

Cisco WSA Policies

In this and other posts we’ll discuss the Cisco Web Security Appliance. This is the blog agenda:
Part 1: Introduction
Part 2: Installing
Part 3: Deploying Proxy Services
Part 4: Policies
Part 5: Acceptable use & HTTPS Inspection
Part 6: Authentication
Part 7: Defending malware
This is the 4th part of the series.
Creating policies is one of the major (and most fun) parts of the WSA. In this blog I’ll cover the configuration of access policies and identities.
Click Web Security Manager > Access Policies
access policy default
Only one policy is applied per transaction. Policies are evaluated top-down and the first match wins. If no policy matches, the Global Policy is used.
First, you have to create an identity. An identity doesn’t identify a user; it identifies a client or transaction that may require authentication. Identity membership is determined before authentication is done, while policy group membership is determined after authentication is performed.
Click Web Security Manager > Identities > Add Identity and create the identity, based on IP addresses, IP ranges or IP subnets. Possible identities are:

  • Kiosk users
  • Update agents
  • Company users


Cisco WSA Deploying Proxy Services

In this and other posts we’ll discuss the Cisco Web Security Appliance. This is the blog agenda:
Part 1: Introduction
Part 2: Installing
Part 3: Deploying Proxy Services
Part 4: Policies
Part 5: Acceptable use & HTTPS Inspection
Part 6: Authentication
Part 7: Defending malware
This is the 3rd post in the series, about the proxy configuration.
There are two proxy modes:

  • Explicit Forward Mode
  • Transparent Mode

In Explicit Forward Mode the client has a proxy configuration. No configuration is needed on the network infrastructure (routers/switches). Authentication is easy, and there are three methods for providing the proxy information to the client:

  • Automatic Proxy script
  • Enter the proxy server IP address
  • Automatically detect settings using the WPAD protocol

In Transparent Mode, no configuration is needed on the clients. The network infrastructure redirects the traffic (for example with WCCP). Authentication can be an issue in this mode.
Redirection options are:

  • Web Cache Communication Protocol (WCCP, supported on Cisco ASA, ASR and Catalyst switches)
  • Policy based routing
  • Layer 4 switch
  • Layer 7 switch (like a Citrix Netscaler)

WCCP is the most used redirection option for transparent proxies. For more information about WCCP and its configuration, check this link.
PAC files
PAC files are used in Explicit Forward Mode. The URL of the PAC file is configured in the clients’ proxy settings. If you need help with creating PAC files, check this link.
You can host the PAC file on any web server, but hosting it on the WSA is possible too. Click Security Services > PAC File Hosting and upload your PAC file. It’s recommended to host the PAC file on a separate web server.

Installing Cisco WSA

In this and other posts we’ll discuss the Cisco Web Security Appliance. This is the blog agenda:
Part 1: Introduction
Part 2: Installing
Part 3: Deploying Proxy Services
Part 4: Policies
Part 5: Acceptable use & HTTPS Inspection
Part 6: Authentication
Part 7: Defending malware
This is the 2nd post in the series.
Installation of the (virtual) WSA is straightforward. I’ll cover the most important and critical steps of a basic installation.
Hardware appliance
A hardware appliance has 5 interfaces; connect the required interfaces to your network:

  • T1 + T2 (used for L4TM only)
  • P1 + P2  (used for web proxy)
  • M1 (management or web proxy)

Virtual appliance
The virtual appliance is downloadable as an OVF file. Import the OVF file into your VMware servers with the specifications described in the previous blog post.
Configuration
Your first basic installation starts by connecting to the M1 port, browsing to http://192.168.42.42:8080 and logging in with these default credentials:

  • username: admin
  • password: ironport

You can also connect over SSH with the same login credentials. Start the interface configuration with the interfaceconfig command:

  • Run the edit command
  • Enter number 1
  • Enter the IP address, netmask and hostname.

Run setgateway
Select the M1 interface and enter the IP address of the default gateway.
Don’t forget to commit the changes with the commit command. This is only needed for CLI configuration; changes made in the web interface are committed there.
And the WSA appliance is up and running!
installation done

Cisco Web Security Appliance introduction

In this and upcoming posts we’ll discuss the Cisco Web Security Appliance. This is the blog agenda for the upcoming weeks:
Part 1: Introduction
Part 2: Installing
Part 3: Deploying Proxy Services
Part 4: Policies
Part 5: Acceptable use & HTTPS Inspection
Part 6: Authentication
Part 7: Defending malware
In this blog we’ll talk about the product introduction.
The Cisco Web Security Appliance (WSA) is an appliance for securing HTTP, HTTPS and FTP traffic from (and to) the internet.
The WSA replaces all, or most, of these devices in your network:

  • Firewall
  • Web proxy
  • Anti-spyware
  • Antivirus
  • URL filtering
  • Policy management

As you can see, it’s more than just a regular proxy server.
The internet provides a lot of websites, good websites and bad websites. Many websites are not work related for a lot of companies. If you want to limit or block those websites for your users, the WSA is the product for you. Limitation can be time based, bandwidth based, user based or category based (79 categories). Road warriors (remote users) can be protected too, with AnyConnect security or Cloud Web Security, also known as ScanSafe.

Cisco WSA Defending Malware

In this and other posts we’ll discuss the Cisco Web Security Appliance. This is the blog agenda:
Part 1: Introduction
Part 2: Installing
Part 3: Deploying Proxy Services
Part 4: Policies
Part 5: Acceptable use & HTTPS Inspection
Part 6: Authentication
Part 7: Defending malware
This is the last post in the series.
Malware... we all know that we don’t want it. But how do we block it?
All websites have a Web-Based Reputation Score (WBRS). This is a number between -10 and +10. You define which ranges lead to which action, for example: -10 to -5 drop, -4 to +5 scan, +6 to +10 do not scan. The WSA receives regular updates with new reputations.
Note: these features are licensed!

LISP Mobility with OTV

In previous posts we talked about implementing OTV with ASR routers. OTV is an overlay network that provides end-to-end layer 2 connectivity over a layer 3 (WAN) network. In most implementations FHRP (First Hop Redundancy Protocol, like HSRP/VRRP) filtering is needed. These filters keep routing in the same datacenter where the traffic originates.
Let’s take another look at the high level design:
OTV Network layout
When FHRP filtering is active, the Virtual IP (i.e. the default gateway for clients) is active in both datacenters. This means that a packet flow from a server in DC1 is routed on the core switch/router in DC1. If you move (vMotion/live migrate) that server to DC2, the packet flow is routed on the switch/router in DC2.
If you think this through, the outgoing traffic flows of the datacenter are efficient: routing is done on the nearest router. But… incoming traffic from branch offices is still not efficient: the WAN network does not know where the VM is hosted, so the packets are routed by the normal routing protocols. This can result in inefficient routing: if the IP range is routed to DC1 on the WAN and the VM is hosted in DC2, the Datacenter Interconnect (OTV) is used to get the packets to the VM.
This is where LISP mobility comes in.

Configuring OTV on a Cisco ASR

During a project I’ve been working on, we needed to configure OTV on a Cisco ASR. I wrote a blog about configuring OTV on a Nexus 7000 before (click here), but the configuration on a Cisco ASR router is a bit different. The technologies used and the basic configuration steps are the same, but the syntax differs for a few configuration steps.
Unfortunately, the documentation is not as good as for the Nexus 7000. I’ve found one good configuration guide (here), but this guide doesn’t cover everything. So, it’s a good reason to write a blog post about the basic OTV configuration on a Cisco ASR router.
For more information about OTV, check this website.
First, the network layout for this OTV network.
OTV Network layout
As you can see in the diagram, the ASR routers are connected back-to-back. There is no guideline on how to connect these routers, as long as there is IP connectivity between them with multicast capabilities and an MTU of at least 1542 bytes.

Cisco Champion nominations

Cisco started the Cisco Champion program for people who are passionate about (Cisco) Datacenter technologies and love to share their knowledge with the rest of the world through blogging, tweeting and other social media.
The nominations are open until October 31st, and it’s possible to nominate me and all the other great bloggers we all check out regularly.
How to nominate?
Send your nomination to cisco_champions@external.cisco.com and make sure the text “Data Center” is in the message body.
All nominations are appreciated!
More information about the Cisco Champion program can be found here:
http://www.cisco.com/web/about/facts_info/champions.html
http://blogs.cisco.com/datacenter/all-new-cisco-champions-for-data-center-nominations-now-open/

Cisco ISE Part 10: Profiling and posture

This is a Cisco ISE blog post series with some how-to’s for configuring the ISE deployment. This blog post series consists of 10 parts.
The blogpost Agenda:
Part 1: introduction
Part 2: installation
Part 3: Active Directory
Part 4: High Availability
Part 5: Configuring wired network devices
Part 6: Policy enforcement and MAB
Part 7: Configuring wireless network devices
Part 8: Inline posture and VPN
Part 9: Guest and web authentication
Part 10: Profiling and posture
This week, the last post in the Cisco ISE blog post series: Profiling and posture. Both features require the Cisco ISE Advanced license.
Profiler is a functionality for discovering, locating and determining the capabilities of the attached endpoints. It detects the endpoint type and authorizes the endpoint accordingly.
A sensor in the network captures network packets by querying the NADs and forwards the attributes to the analyzer. The analyzer checks the attributes against policies and identity groups. The result is stored in the ISE database with the corresponding device profile. The MAC address of the device is linked to an existing endpoint identity group.
There are 9 available probes:

  • Netflow
  • DHCP
  • DHCP SPAN
  • HTTP
  • RADIUS
  • NMAP
  • DNS
  • SNMPQUERY
  • SNMPTRAP

Profiling uses CoA (change of authorization). There are 3 options:

  • No CoA: CoA is disabled
  • Port bounce: use this only if there is a single session on the switch port
  • Reauth: enforce reauthentication of a currently authenticated endpoint when it’s profiled

ISE creates three identity groups by default and two identity groups that are specific for Cisco IP phones. Creation of extra groups is optional.
An endpoint profiling policy contains a simple condition or a set of conditions (compound).
Configuring
Probe configuration
First, make sure the ISE appliance can reach the switches over SNMP (SNMPv2 or SNMPv3) with a read-only community string. Also configure an SNMP trap destination pointing to the Cisco ISE policy node:

Switch(config)# snmp-server host 172.20.12.5 version 3 priv ISE
Switch(config)# snmp-server enable traps snmp linkdown linkup
Switch(config)# snmp-server enable traps mac-notification change move
On all interfaces:
Switch(config-if)# snmp trap mac-notification change added

For DHCP probing, configure an additional IP helper on the SVI to the policy node:

Switch(config-if)# ip helper-address 172.20.12.5

Cisco ISE configuration
Click Administration > System > Settings, click Profiling and configure the CoA.
