Cisco ISE Dynamic VLAN assignment

Dynamic VLAN assignment by a RADIUS server (e.g. Cisco ISE) is useful when you want to assign a specific VLAN to a user or group of users. To achieve this, the VLANs configured on the switches must be given a name, and that name must be consistent across all switches; the VLAN number, however, does not need to be the same on every switch. The scenario in this blog post defines two VLANs (ADMIN and USERS): members of the AD group Domain Admins will be assigned to the VLAN named ADMIN, and members of the AD group Domain Users will be assigned to the VLAN named USERS.

The configuration of ISE in this post only describes the steps in order to configure Dynamic VLAN assignment. Refer to this previous post on how to configure Cisco ISE for 802.1x authentication.

Continue reading “Cisco ISE Dynamic VLAN assignment”


Cisco ISE Profiling using Device Sensor

The Device Sensor feature on Cisco Catalyst switches can be used for profiling on ISE. It collects additional information about endpoints connected to the switch using the LLDP, CDP and DHCP protocols, information that other ISE probes may not collect. The endpoint information is encapsulated in a RADIUS accounting packet and forwarded to ISE. Device Sensor utilises the ISE RADIUS probe, which is enabled by default, so no additional probes need to be enabled.
Continue reading “Cisco ISE Profiling using Device Sensor”

Configuring Wired 802.1x/MAB Authentication with Cisco ISE

The purpose of this blog post is to document the configuration steps required to configure Wired 802.1x and MAB authentication on Cisco Catalyst switches using Cisco ISE 2.0 as the RADIUS server. ISE will be configured to use Microsoft AD as the External Identity Store to authenticate users and computers against the AD domain.

The switch is already configured for VLANs, routing etc., and any device plugged into the switch is currently able to access the network. Basic ISE functionality has already been configured (integration with AD/PKI).

Software/Hardware Used:
Cisco Catalyst 3650 – IP Services 12.2(55)SE4
Cisco ISE 2.0 with patch 2
Microsoft Server 2008 R2 (Domain Controller, DNS, DHCP)
Continue reading “Configuring Wired 802.1x/MAB Authentication with Cisco ISE”

CCNP SWITCH: VLAN Trunking Protocol (VTP)


  • VTP (VLAN Trunking Protocol) is a layer 2 protocol that maintains VLAN configurations, managing additions, deletions and changes of VLANs within a VTP domain.
  • A VTP domain is one switch or multiple switches connected via trunk links that share the same VTP configuration.
  • Only one VTP domain is supported per switch.
  • The VTP domain is “null” by default.
  • The default VTP mode of a switch is SERVER, but Cisco switches do NOT propagate VTP information out trunk interfaces until a management domain name is specified or learned.
  • VTP has 3 modes: Server, Client and Transparent.

Continue reading “CCNP SWITCH: VLAN Trunking Protocol (VTP)”

Configuring RIP between HP ProCurve and Cisco Switches


I needed to distribute routes between an HP ProCurve and a Cisco Catalyst switch. The HP ProCurve switch model used was a 3500-48yl without the premium license; therefore I was only able to use RIP and not OSPF. The Cisco switch used was a Catalyst 3560-8 running IOS 12.2(55) IP Base. You will notice from the configuration below the difference in commands between the ProCurve and Cisco switches.

Continue reading “Configuring RIP between HP ProCurve and Cisco Switches”

CCNP SWITCH: VLAN Access Control Lists (VACL)

VLAN ACLs (VACLs) provide traffic filtering for all packets within the same VLAN as well as packets routed into or out of the VLAN, whereas a normal ACL can only be applied to routed packets. VACLs are also known as VLAN access-maps; they are similar to route maps and follow route-map conventions, in which sequences are checked in order. When traffic is matched, the switch takes the configured action (Forward, Redirect or Drop).

In the scenario below, all computers in VLAN 10 will be blocked from communicating on TCP 3389 (Remote Desktop) and TCP 80 (HTTP), while all other traffic to other computers within the same VLAN is permitted.

VACL Configuration

Define an extended IP access list that identifies (‘permits’) the source, destination and port(s) to be matched by the access-map. Note that in a VACL the ‘permit’ in the ACL only selects the traffic; the action (drop, forward or redirect) is set in the access-map.

3560-1(config)# ip access-list extended ACL-VLAN-10
3560-1(config-ext-nacl)# permit tcp any any eq 3389
3560-1(config-ext-nacl)# permit tcp any any eq 80
3560-1(config-ext-nacl)# exit

Continue reading “CCNP SWITCH: VLAN Access Control Lists (VACL)”

Securing VTY lines on Cisco Router/Switches

It is best practice not only to control access to the VTY lines of a Cisco switch or router but also to encrypt the management traffic. This blog post describes how to enable SSH and configure a basic ACL that permits traffic only from a trusted source IP subnet.

Configure the Cisco device with a hostname and domain name (both are required before an RSA key pair can be generated; the domain name below is a placeholder, substitute your own):

Switch(config)# hostname 3560-1
3560-1(config)# ip domain-name <your-domain.local>

Generate the RSA key pair used by SSH with a key modulus larger than the default of 512 bits, then configure the SSH version, SSH timeout and authentication retry settings:

3560-1(config)# crypto key generate rsa modulus 1024
3560-1(config)# ip ssh version 2
3560-1(config)# ip ssh authentication-retries 3
3560-1(config)# ip ssh time-out 90

Continue reading “Securing VTY lines on Cisco Router/Switches”