Configure your multicast WAN for OTV

It is easy to find design and configuration guides about OTV implementations on Nexus 7000 switches and on ASR and CSR routers, but it is much harder to find information about the requirements for your WAN.
Please read my previous blog posts about OTV here, here, here and here. I’ll cover the OTV device configurations in those posts. But for now, let’s start with the DCI WAN for OTV.
First of all, there are two OTV deployment options:

  • Unicast mode
  • Multicast mode

The WAN requirements in unicast mode are simple: deliver unicast connectivity between the join interfaces of all OTV edge devices. This is a straightforward configuration, so I will not cover it in this blog post.
The multicast deployment is a bit harder to configure, and its requirements are harder to find. This blog post will cover the required WAN configuration in a multicast deployment. In this particular scenario, we use dark fiber / DWDM connections as DCI to get a clearer understanding of the requirements and configuration.
First, a drawing to get a view on this deployment scenario:

OTV WAN multicast layout


This blog will show you the easiest way to get your OTV multicast deployment up and running. There are more fine-tuning options available, but they will not be covered in this blog.

Cisco ISE Part 3: Active directory

This is a Cisco ISE blog post series with some how-to’s for configuring the ISE deployment. The series consists of 10 parts.
The blog post agenda:
Part 1: introduction
Part 2: installation
Part 3: Active Directory
Part 4: High Availability
Part 5: Configuring wired network devices
Part 6: Policy enforcement and MAB
Part 7: Configuring wireless network devices
Part 8: Inline posture and VPN
Part 9: Guest and web authentication
Part 10: Profiling and posture
This week, part 3: Active Directory
Microsoft Active Directory is the most widely used directory. In ISE 1.1.x, Cisco ISE can be a member of only 1 AD forest.
Check the following requirements:

  • Correctly configured NTP
  • Firewall ports: tcp: 389, 636, 445, 88, 3268, 3289, 464
  • Firewall ports: udp: 389, 123
  • All firewall ports are needed for the policy nodes
  • NAT is not supported!!
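
A pre-flight check for the requirements above, as an added example that is not part of the original post: it tests the listed TCP ports against a domain controller and measures the clock offset over udp/123. The function names are illustrative, and the 300-second skew limit is an assumption (the Kerberos default tolerance).

```python
import socket
import struct
import time

# TCP ports copied from the list above as written. Global Catalog over SSL
# normally listens on 3269, so verify the 3289 entry against Cisco's docs.
AD_TCP_PORTS = [389, 636, 445, 88, 3268, 3289, 464]
NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 to 1970-01-01

def check_tcp_ports(host, ports, timeout=2.0):
    """Return {port: True/False} for a TCP connect attempt to each port."""
    results = {}
    for port in ports:
        try:
            with socket.create_connection((host, port), timeout=timeout):
                results[port] = True
        except OSError:  # refused, timed out, unreachable or unresolvable
            results[port] = False
    return results

def parse_ntp_transmit_time(packet):
    """Extract the server transmit timestamp (Unix seconds) from an NTP reply."""
    if len(packet) < 48:
        raise ValueError("NTP reply shorter than 48 bytes")
    seconds, fraction = struct.unpack("!II", packet[40:48])
    return seconds - NTP_EPOCH_OFFSET + fraction / 2**32

def ntp_offset(server, timeout=2.0):
    """Query udp/123 and return server_time - local_time (ignores path delay)."""
    request = b"\x23" + 47 * b"\x00"  # LI=0, version 4, mode 3 (client)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, (server, 123))
        reply, _ = sock.recvfrom(512)
    return parse_ntp_transmit_time(reply) - time.time()

def preflight(dc_host, ntp_server, max_skew=300.0):
    """Return a list of problems: blocked TCP ports and excessive clock skew."""
    tcp = check_tcp_ports(dc_host, AD_TCP_PORTS)
    problems = [f"tcp/{p} unreachable on {dc_host}" for p, ok in tcp.items() if not ok]
    try:
        skew = ntp_offset(ntp_server)
        if abs(skew) > max_skew:  # assumed limit: Kerberos default of 5 minutes
            problems.append(f"clock skew {skew:.1f}s exceeds {max_skew:.0f}s")
    except OSError as exc:
        problems.append(f"udp/123 to {ntp_server} failed: {exc}")
    return problems
```

Run `preflight()` from a host in the same network segment as the policy nodes, so the result reflects the firewall rules those nodes actually traverse.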

A local identity store is desired as a fallback in the event that the external identity store cannot be contacted. This is optional.
Local Identity
Click Administration – Identity management – Groups and click Add to add a new group. (Bulk import is available)
Under Administration – Identity management – Identities – Users, users can be created and linked to the user group.