The Device Sensor feature on Cisco Catalyst switches can be used for profiling on ISE. It collects additional information about endpoints connected to the switch using the LLDP, CDP and DHCP protocols, information that other ISE probes may not collect. The endpoint information is encapsulated in a RADIUS accounting packet and forwarded to ISE. Device Sensor uses the ISE RADIUS probe, which is enabled by default, so no additional probes need to be enabled.
Continue reading Using Device Sensor with Cisco ISE Profiling
The purpose of this blog post is to document the configuration steps required to configure wired 802.1X and MAB authentication on Cisco Catalyst switches using Cisco ISE 2.0 as the RADIUS server. ISE will be configured to use Microsoft AD as the external identity store to authenticate users and computers against the AD domain.
The switch is already configured for VLANs, routing, etc., and any device plugged into the switch is able to access the network. Basic ISE functionality has already been configured (integration with AD/PKI).
Cisco Catalyst 3650 – IP Services 12.2(55)SE4
Cisco ISE 2.0 with patch 2
Microsoft Server 2008 R2 (Domain Controller, DNS, DHCP)
Continue reading Configuring Wired 802.1x/MAB Authentication with Cisco ISE
I needed to distribute routes between an HP ProCurve and a Cisco Catalyst switch. The HP ProCurve switch model used was a 3500-48yl without the premium license; therefore I was only able to use RIP and not OSPF. The Cisco switch used was a Catalyst 3560-8 running IOS 12.2(55) IP Base. You will notice from the configuration below the difference in commands between the ProCurve and Cisco switches.
Continue reading Configuring RIP between HP ProCurve and Cisco Switches
VLAN ACLs (VACLs) provide traffic filtering for all packets within the same VLAN, as well as packets routed into or out of the VLAN, whereas a normal ACL applies only to routed packets. VACLs are also known as VLAN access-maps; they are similar to route maps and follow route-map conventions, in which sequences are checked in order. When traffic is matched, the switch takes the configured action (Forward, Redirect or Drop).
In the scenario below, all computers in VLAN 10 are blocked from communicating on TCP 3389 (Remote Desktop) and TCP 80 (HTTP), while all other traffic to other computers within the same VLAN is permitted.
Define an IP access list whose 'permit' entries identify the source, destination and port(s) to match:
3560-1(config)# ip access-list extended ACL-VLAN-10
3560-1(config-ext-nacl)# permit tcp 192.168.10.0 0.0.0.255 192.168.10.0 0.0.0.255 eq 3389
3560-1(config-ext-nacl)# permit tcp 192.168.10.0 0.0.0.255 192.168.10.0 0.0.0.255 eq 80
Continue reading CCNP SWITCH: VLAN Access Control Lists (VACL)
It is best practice not only to control access to the VTY lines of a Cisco switch or router, but also to encrypt the management traffic. This blog post describes how to enable SSH and configure a basic ACL that permits traffic only from a trusted source IP subnet.
Configure the Cisco device with a hostname and domain name
Switch(config)# hostname 3560-1
3560-1(config)# ip domain-name lab.net
Enable SSH, generating a key with a modulus larger than the default of 512 bits. Configure the SSH version, SSH timeout and authentication retry settings:
3560-1(config)# crypto key generate rsa
3560-1(config)# ip ssh version 2
3560-1(config)# ip ssh authentication-retries 3
3560-1(config)# ip ssh time-out 90
Continue reading Securing VTY lines on Cisco Router/Switches
Additional Spanning Tree Protocol (STP) commands such as BPDU Protection, BPDU Filtering, Admin-Edge and Loop Protection exist to enhance STP implementations and ensure a loop-free network.
Continue reading Enhance Spanning Tree implementations on HP ProCurve switches