Cisco, ISE

Using Device Sensor with Cisco ISE Profiling

The Device Sensor feature on Cisco Catalyst switches can be used for profiling on ISE. It collects additional information about endpoints connected to the switch using the LLDP, CDP and DHCP protocols, information that the other ISE probes may not collect. The endpoint information is encapsulated in a RADIUS accounting packet and forwarded to ISE. Device Sensor relies on the ISE RADIUS probe, which is enabled by default, so no additional probes need to be enabled.

Cisco, ISE

Configuring Wired 802.1x/MAB Authentication with Cisco ISE

The purpose of this blog post is to document the configuration steps required to configure wired 802.1x and MAB authentication on Cisco Catalyst switches using Cisco ISE 2.0 as the RADIUS server. ISE will be configured to use Microsoft AD as the External Identity Store to authenticate users and computers that are joined to the AD domain.

The switch is already configured for VLANs, routing etc., and any device plugged into the switch is currently able to access the network. Basic ISE functionality has already been configured (integration with AD/PKI).

Software/Hardware Used:
Cisco Catalyst 3650 – IP Services 12.2(55)SE4
Cisco ISE 2.0 with patch 2
Microsoft Server 2008 R2 (Domain Controller, DNS, DHCP)

CCNP SWITCH, Cisco

CCNP SWITCH: VLAN Trunking Protocol (VTP)

  • VTP (VLAN Trunking Protocol) is a layer 2 protocol that maintains VLAN configurations, managing the addition, deletion and modification of VLANs within a VTP domain.
  • A VTP domain is one switch or multiple switches connected via trunk links that share the same VTP configuration.
  • Only one VTP domain is supported per switch.
  • The VTP domain is “null” by default.
  • The default VTP mode of a switch is SERVER, but Cisco switches do NOT propagate VTP information out trunk interfaces until a management domain name is specified or learned.
  • VTP has three modes: Server, Client and Transparent.


Cisco, ProCurve

Configuring RIP between HP ProCurve and Cisco Switches

I needed to distribute routes between an HP ProCurve and a Cisco Catalyst switch. The HP ProCurve switch model used was a 3500-48yl without the premium license; therefore I was only able to use RIP and not OSPF. The Cisco switch used was a Catalyst 3560-8 running IOS 12.2(55) IP Base. You will notice from the configuration below the difference in commands between the ProCurve and Cisco switches.


CCNP SWITCH, Cisco

CCNP SWITCH: VLAN Access Control Lists (VACL)

VLAN ACLs (VACLs) provide traffic filtering for all packets within the same VLAN as well as packets routed into or out of the VLAN, whereas a normal ACL can only be applied to routed packets. VACLs are also known as VLAN access-maps; they are similar to route maps and use route-map conventions, in which sequences are checked in order. When traffic is matched the switch takes the configured action (Forward, Redirect or Drop).

In the scenario below, all computers in VLAN 10 will be blocked from communicating with each other on TCP 3389 (Remote Desktop) and TCP 80 (HTTP), while all other traffic between computers within the same VLAN is permitted.

VACL Configuration

Define an extended IP access list whose ‘permit’ entries identify the source, destination and port(s) to be matched (the action taken on matched traffic is set later in the access-map, not by the ‘permit’ keyword here):

3560-1(config)# ip access-list extended ACL-VLAN-10
3560-1(config-ext-nacl)# permit tcp 192.168.10.0 0.0.0.255 192.168.10.0 0.0.0.255 eq 3389
3560-1(config-ext-nacl)# permit tcp 192.168.10.0 0.0.0.255 192.168.10.0 0.0.0.255 eq 80
3560-1(config-ext-nacl)# exit


Cisco

Securing VTY lines on Cisco Router/Switches

It is best practice not only to control access to the VTY lines of a Cisco switch or router but also to encrypt the management traffic. This blog post describes how to enable SSH and configure a basic ACL that permits management traffic only from a trusted source IP subnet.

Configure the Cisco device with a hostname and domain name (both are required before an RSA key can be generated, as the key is named after them):

Switch(config)# hostname 3560-1
3560-1(config)# ip domain-name lab.net

Generate an RSA key pair, choosing a modulus larger than the default of 512 bits when prompted (SSH version 2 requires at least 768 bits), then configure the SSH version, SSH timeout and authentication retry settings:

3560-1(config)# crypto key generate rsa
How many bits in the modulus [512]: 1024
3560-1(config)# ip ssh version 2
3560-1(config)# ip ssh authentication-retries 3
3560-1(config)# ip ssh time-out 90
