Cisco ACI & Microsoft Hyper-V & L4 – L7 integration

There are several options to integrate L4 – L7 devices such as firewalls and load balancers (Cisco ASA, F5, Citrix NetScaler, etc.) into Cisco ACI. The integration can be done in managed mode, using a device package, or in unmanaged mode. Both modes are available when Cisco ACI is integrated with VMware vCenter.
When Cisco ACI is used with Microsoft Hyper-V, no L4 – L7 device can be integrated yet (as of Q1 2016): the options to integrate these devices are not available when an SCVMM domain is selected.
More to come...
My thought
Cisco ACI is a great product, which I’ve implemented at some customers already. I’ve seen the product grow in the last year from something “not production ready” to a stable product which can be used in production environments. But like all new products, there are still some limitations around which can be a struggle during implementations. The VMware integration into ACI is done and complete; the Hyper-V implementation is still pretty new and some features are missing. I’m sure that the Hyper-V implementation will be more complete in the next major ACI release, but at this point in time you need to know about the limitations which are still around.

Cisco ISE Part 3: Active directory

This is a Cisco ISE blog post series with some how-to’s for configuring an ISE deployment. The series consists of 10 parts.
The blog post agenda:
Part 1: introduction
Part 2: installation
Part 3: Active Directory
Part 4: High Availability
Part 5: Configuring wired network devices
Part 6: Policy enforcement and MAB
Part 7: Configuring wireless network devices
Part 8: Inline posture and VPN
Part 9: Guest and web authentication
Part 10: Profiling and posture
This week, part 3: Active Directory
Microsoft Active Directory is the most widely used directory. In ISE 1.1.x, Cisco ISE can join only 1 AD forest.
Check the following requirements before joining ISE to the domain:

  • Correctly configured NTP (Kerberos is sensitive to clock skew)
  • Firewall ports, TCP: 389, 636, 445, 88, 3268, 3289, 464
  • Firewall ports, UDP: 389, 123
  • All of these firewall ports must be open for the policy nodes
  • NAT between ISE and the domain controllers is not supported!
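
A quick pre-flight check for the port list above, added here as an example and not part of the original post: it probes each listed TCP port and sends one NTP request on UDP/123 to a domain controller. It assumes it is run from a host that sits behind the same firewall policy as the ISE policy nodes (ISE itself is an appliance), and the hostname `dc01.example.test` is a placeholder.

```python
import socket
import sys
from typing import Dict, List, Tuple

# Port list exactly as given in the post; TCP/3289 is copied verbatim.
AD_TCP_PORTS = (389, 636, 445, 88, 3268, 3289, 464)
# UDP/389 (CLDAP) is listed too but not probed: a generic probe cannot
# distinguish a filtered port from a DC that simply does not answer.
Result = Dict[Tuple[str, int], bool]


def check_tcp(host: str, port: int, timeout: float = 2.0) -> bool:
    """True if a TCP handshake to host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, filtered (timeout), unreachable or DNS failure
        return False


def check_udp_ntp(host: str, port: int = 123, timeout: float = 2.0) -> bool:
    """Send a minimal NTPv3 client request and wait for any reply.
    Only a reply proves UDP/123 is open; silence may be a firewall or no NTP."""
    request = b"\x1b" + bytes(47)  # LI=0, VN=3, Mode=3 (client), rest zero
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(request, (host, port))
            reply, _ = sock.recvfrom(64)
            return len(reply) >= 48  # a full NTP packet is 48 bytes
        except OSError:
            return False


def check_dc(host: str) -> Result:
    """Probe every TCP port from the list plus NTP on the domain controller."""
    results: Result = {("tcp", p): check_tcp(host, p) for p in AD_TCP_PORTS}
    results[("udp", 123)] = check_udp_ntp(host)
    return results


def missing_ports(results: Result) -> List[Tuple[str, int]]:
    """Ports that did not answer, i.e. firewall rules still to be fixed."""
    return sorted(key for key, ok in results.items() if not ok)


if __name__ == "__main__":
    dc = sys.argv[1] if len(sys.argv) > 1 else "dc01.example.test"  # placeholder DC
    for (proto, port), ok in sorted(check_dc(dc).items()):
        print(f"{proto}/{port}: {'open' if ok else 'BLOCKED or no answer'}")
```

Run it once per policy node location; any port reported as blocked points at a firewall rule that still needs to be opened before the AD join will work.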

A local identity store is desirable as a fallback in case the external identity store cannot be contacted. This is optional.
Local Identity
Click Administration – Identity Management – Groups and click Add to add a new group (bulk import is also available).
Under Administration – Identity Management – Identities – Users, users can be created and linked to the user group.