0

Cisco ISE and ip http server

We're all hardcore network engineers here right? We all sling packets using nothing but the CLI on our gear? We've all got the “CLI OR DIE” bumper sticker? OK. We're all on the same page then. So, when you're configuring Cisco Identity Services Engine (ISE) and the documentation says it's mandatory to enable “ip http server” on your switches in order to do central web authentication (CWA) (ie, the captive portal for authenticating users on guest devices) that probably makes you uncomfortable right?

Fear not. It's not as bad as it sounds. I'll explain why.

0

NX-OS Virtual PortChannels and Best Practices

Port-Channels, are a way of aggregating physical links together so that you can load balance traffic over each link to increase bandwidth, and create more redundancy. You might commonly see this configured between two switches, as shown below: Each link works together to form a logical, loop-free interface. These are relatively commonplace, and in this scenario highly useful because it prohibits spanning tree from blocking one of these ports, allowing the switch to utilize each link.

0

NX-OS Virtual PortChannels and Best Practices

Port-Channels, are a way of aggregating physical links together so that you can load balance traffic over each link to increase bandwidth, and create more redundancy. You might commonly see this configured between two switches, as shown below: Each link works together to form a logical, loop-free interface. These are relatively commonplace, and in this scenario highly useful because it prohibits spanning tree from blocking one of these ports, allowing the switch to utilize each link.

0

VRFs and Shared Services Cheating with Junos

The shared services area of the network is meant to provide common services — such as DNS, DHCP, and Internet access — to multiple logical networks/VRFs/customers. Cisco publishes a validated design for shared services that describes the use of multiple virtual firewalls and routers to provide connectivity between the shared services module and the VRFs in the network. I'm going to describe a method of collapsing the shared services firewalls and virtual routers into a single instance running on a single box using some of the features found in Juniper's Junos platform.

0

BYOD

BYOD (Bring Your Own Device) - There are security concerns when allowing employees, customers, and business partners to bring in there own device and plug it into the corporate network. Cisco has consolidated its ACS and NAC platform into a new product called ISE (Identity Services Engine). This new platform centralizes and simplifies the administration and empowers security groups the ability to make automated decisions. Have a look at the video below:



Terry: this one is for you as I am sure this challenge has come up many times.

0

Additional Interface Statistics

Sometimes you may need to have some additional interface statistics, for example the amount of packets per range of sizes. You can use netflow to collect some stats like these. But if you don't have netflow on all your router interfaces or for troubleshooting...

0

Additional Interface Statistics

Sometimes you may need to have some additional interface statistics, for example the amount of packets per range of sizes. You can use netflow to collect some stats like these. But if you don't have netflow on all your router interfaces or for troubleshooting...

0

Some Out-of-Box NetApp Tweak Suggestions

It’s interesting to me to see the differences in infrastructure products as it pertains to out of the box, or default configuration. Take for instance, the relationship between a firewall and a switch. Your average firewall is configured “closed”, meaning that if you want to allow anything, you have to explicitly allow that certain type of traffic. If you do not, it is not allowed. A switch, on the other hand, is configured to be functional above all, out of the box.

0

Some Out-of-Box NetApp Tweak Suggestions

It’s interesting to me to see the differences in infrastructure products as it pertains to out of the box, or default configuration. Take for instance, the relationship between a firewall and a switch. Your average firewall is configured “closed”, meaning that if you want to allow anything, you have to explicitly allow that certain type of traffic. If you do not, it is not allowed. A switch, on the other hand, is configured to be functional above all, out of the box.

0

MX960 and E-SCB: Full Power

The aim of this post is to provide the detailed procedure for upgrading the Switch Control Boards (SCB) of an MX960 chassis in order to overcome some limitations of the old SCB that are : - Unable to use the full load of the 16x10GE card and to keep fabric...

0

Cisco and their inconsistencies

Cisco is known for the inconsistencies between platforms and different IOS versions. I came across another that was rather annoying. Now between linecards. Trying to configuring the following standard sub-interface Ethernet AToM tunnel on a Cisco 7606 with a ES+ linecard: Yields the following misleading error… This is enough to annoy you for some time. […]

0

Calculating IPv4 Summary Prefixes

Given a list of IPv4 prefixes of the same length, how do you find the summary address (or addresses) for them? This post describes a method and uses some worked examples to illustrate. The post draws deeply from the CCIE … Continue reading →

0

Port Monitoring/Mirroring on NX-OS: SPAN Profiles

Port mirroring is a very valuable troubleshooting tool. Cisco calls this SPAN, and it’s pretty easy to do. Cisco’s NX-OS platform does it a little differently than traditional IOS, so I wanted to briefly post a walkthrough. First, you have to set up the monitor session and configure source and destination interfaces: switch(config)# monitor session 1 switch(config-monitor)# source int port-channel 2 both switch(config-monitor)# source int port-channel 3 both switch(config-monitor)# destination interface ethernet 1⁄7 switch(config-monitor)# no shut switch(config-monitor)#

0

Port Monitoring/Mirroring on NX-OS: SPAN Profiles

Port mirroring is a very valuable troubleshooting tool. Cisco calls this SPAN, and it’s pretty easy to do. Cisco’s NX-OS platform does it a little differently than traditional IOS, so I wanted to briefly post a walkthrough. First, you have to set up the monitor session and configure source and destination interfaces: switch(config)# monitor session 1 switch(config-monitor)# source int port-channel 2 both switch(config-monitor)# source int port-channel 3 both switch(config-monitor)# destination interface ethernet 1⁄7 switch(config-monitor)# no shut switch(config-monitor)#

0

KIClet: Cisco UCS vHBA Template Bug

I found a bug in the vHBA Template creation screen on Cisco UCS 2.0. It’s not too bad, but still a little annoying, and can cause you to have some problems depending on how you have your VSANs set up. If you notice, the default VSAN is selected for my vHBA template. I have named my VSANs “fabric-a” and “fabric-b”. If I drop down the VSAN selector, I have the ability to select the VSAN I have associated with fabric A:

0

KIClet: Cisco UCS vHBA Template Bug

I found a bug in the vHBA Template creation screen on Cisco UCS 2.0. It’s not too bad, but still a little annoying, and can cause you to have some problems depending on how you have your VSANs set up. If you notice, the default VSAN is selected for my vHBA template. I have named my VSANs “fabric-a” and “fabric-b”. If I drop down the VSAN selector, I have the ability to select the VSAN I have associated with fabric A:

0

Future residential INET users, I’m so sorry

I never believed IPv6 will be NAT free, but as idealist I hoped there is good chance there will be mostly only 1:1 NAT and each and every connection will get own routable network, /56 or so, residential DSL, mobile data, everything

Unfortunately that ship has sailed, it's almost certain majority of residential/non-business products will only contain single directly connected network, since we (as a community, I don't want to put all the blame to IPv6 kooks) failed produce feasible technical way to do it and spent too much time arguing on irrelevant matters. I'm reviewing two ways to provide INET access on DSL, no PPPoX, as it's not done in my corner of the world, and show why it's not practical to provide the end customer routable network

Statically configure per customer interface

At DSLAM (or other access device) customer would be placed in unique virtual-circuit (Q, QinQ...) all would terminated on unique L3 logical interface in PE router. Interface would have static /64 ipv6 address and ipv6/56 network routed to say ::c/64. IPv4 could continue to be shared subnet via 'unnumbered' interface.

This is by far my favorite way of doing residential IPv6 it, it supports customer Continue reading

0

Log only protocol events

Sometimes it may be very useful to monitor only protocol and link events especialy during maintenance windows. Hereafter, I monitor : - Link UP/DOWN - ISIS adj UP/DOWN - OSPF neighbor UP/DOWN - LDP neighbor/session UP/DOWN - MPLS LSP UP/DOWN - RSVP neighbor...

0

KIClet: NX-OS Default Switchport State

Cisco switches (and the vast majority of other vendors) ship their switches with all ports in the enabled state. This allows someone with no networking background to plug stuff in, the switch starts learning MAC addresses, and everything works just fine. Sometimes it’s necessary from a security perspective to change this default behavior, so the network engineer is forced to “no shut” every port he or she wishes to use.

0

New Post Type: KIClets

My time lately has been just blasted. I’m being placed into new projects with a large company that involves just about every technology found in a datacenter, and as a result, my spare time is….nonexistent. My knowledge levels in many areas continues to increase, and my need to spew some of it onto the internet in the form of helpful posts, or opinions is not quenched, but unfortunately I do not have a ton of time to dedicate to full-on blog posts during the week.