My previous post “Python and ISE Monitor Mode” was about how to collect access-session information from the switch and use it for endpoint verification. Specifically for MAB-only devices – add in the proper Endpoint Group in the Cisco ISE. The result of the script was the file with “failed” devices: With this info, we had to log in to the ISE...
There are several ways to run ISE (wired) in monitor mode and AuthZ results: dACL, another VLAN, etc. It is always a good idea 🙂 to run ISE in monitor mode first to verify everything is working and then pull the trigger and change it to the production and actually enforce the policy. What We Need and What We Want Cisco...
It is not about range feature:) After my post about how to get into the switch with “not sure” credentials, let’s assume you fixed access and configured devices with TACACS and SSH. It’s time to drop the interface-level config for ISE NAC (as an example) to all user ports, servers/wireless/trunk must be excluded. With proper segmentation using VLANs, we should have...
I like the Cisco ISE GUI interface since 2.4, it’s pretty easy, maybe too many tabs and menus, but once you get the idea – you are good to go. I had a task of ISE migration – from one to another. We had set up 2 ISE deployments in parallel. The idea to keep everything working on ISE#1 while we...
Sometimes there is some mix in the configuration of the devices: some configured with TACACS, some are still with local username, but not sure with which one. I’ve created a script, that logs into the device (SSH first, if failed – Telnet), collects version and startup-config, saves it to the file and tracks the result file. I used threads in this...
CUBE 10.0.0 [IOS 15.4(2)T / IOS-XE 3.12] introduces the concept of Destination Server Group, which supports multiple session targets (up to 5) to be defined in a group and applied to a single outbound dial-peer. This feature configures a server group (group of server addresses) that can be referenced from an outbound dial peer. This reduces the need to configure multiple...
I can’t say how many times I had to configure SIP on Cisco voice gateways, troubleshoot SIP, enable SIP, etc. The second problem, after fear of loading and stuck the router using the “debug ccsip messages” command, is to filter and find the call in debugging turned on. If there is a way to collect all sip logs from the console...
Documentation A good point to start – Ansible User Guide. Network modules (ios/nxos/ios-xr, aci, junos etc) – Module Index – Network Modules IOS/NXOS Command Modules IOS NXOS IOS There is are a way to run multiple commands Very useful for debugging to show output in the terminal: – name: show output debug: var: output Some...
By default: underlay – default VRF overlay – “tenant” VRF, hosts in VXLAN are isolated Border Leafs are used to connect the internal fabric to external networks. Not necessary a box, just configuration on the Leaf. It maintains the following routing control planes: MP-BGP L2VPN EVPN – inside VXLAN fabric “tenant” VRF BGP or IGP to external routes MP-BGP to BGP/IGP...
VxLAN and vPC Anycast VTEP Problem with VXLAN and vPC: in a vPC both vPC peers duplicate EVPN MAC/IP routes to spine RRs with other attributes equal, one vPC peer is always preferred for dual attached hosts (based on the normal BGP Best path selection) Result: egress traffic from vPC Member is load-balanced, but return ingress traffic is polarized Solution: Anycast VTEP...
Recent Comments