How to configure PassiveID in Cisco ISE

Starting from ISE 2.2, PassiveID is a feature to gather user-to-IP mapping information with or without having 802.1X deployed. PassiveID gathers information from the Microsoft Active Directory environment using the Microsoft Windows Management Interface or the Active Directory agent, or through a switched port analyzer (SPAN) port on a switch. It can also gather authentication information through syslogs, a Citrix terminal server agent, and a custom API. The configuration is very easy and requires just a few clicks of a mouse.

802.1x: Introduction and general principles

IEEE 802.1X is an IEEE Standard for port-based Network Access Control to prevent unauthorized devices from gaining access to the network. It defines the encapsulation of the Extensible Authentication Protocol (EAP) over IEEE 802, known as “EAP over LAN” or EAPOL. 802.1X authentication involves three parties: a supplicant, an authenticator, and an authentication server.

How to set up raid on Cisco ISE appliance

Recently, I have installed an ISE 2.6 cluster based on two SNS3615 appliances. After some months, the customer asked me to make each hard disk redundant with RAID1. To accomplish this request, it is mandatory to access the CIMC interface (if you don’t know what CIMC is, read this article). First of all, check that the appliance is powered up, then go to “Storage -> Cisco 12G Modular Raid Controller with 2GB cache”:

StackWise Virtual on Catalyst 9500

During Cisco Live 2016 in Las Vegas, Cisco presented a new feature named “StackWise Virtual”, supported by IOS XE Denali on the 3850 switch series and, later, on the new Cisco Catalyst 9500 family. Similarly to the old Virtual Switching System (VSS), StackWise Virtual allows two chassis to be clustered together into a single logical entity, providing high availability, scalability, and simpler management and maintenance.

Troubleshoot a DMVPN phase 3 architecture

In the last article, I explained how to configure DMVPN phase 3, but what are the most useful commands to troubleshoot this type of network architecture? There are five main groups of commands used to troubleshoot a DMVPN topology: show dmvpn […], show ip nhrp […], show ip eigrp […], show crypto […]. The “show dmvpn” and “show ip nhrp” commands show the state of the tunnels. On the hub router, all tunnels are dynamic (D attribute) because the hub waits for registration from the spoke routers (“ip nhrp map multicast dynamic”).

DMVPN Phase 3: a complete guide

In a previous article, I explained what DMVPN technology is and how it works. In this article you will see how to configure DMVPN phase 3. This phase allows spokes to build a spoke-to-spoke tunnel and overcomes the phase 2 restriction by using NHRP traffic indication messages from the hub to signal to the spokes that a better path exists to reach the target network. The phase 3 configuration is based on four steps: define the tunnel interface (mandatory), define NHRP (mandatory), define the EIGRP process (mandatory), and define the IPsec profile (optional). In this example, there are three routers: one hub (Ciscozine) and two spokes.

Understanding Cisco DMVPN

In an old post, dated 2011, I explained various types of VPN technologies. In seven years several things have changed: SHA1 is deprecated, DES and 3DES are no longer used because of security issues, but some VPN technologies are still used with more secure algorithms (SHA256, AES, …). In this article, I explain how DMVPN works and what its key components are. Cisco DMVPN uses a centralized architecture to provide easier implementation and management for deployments that require granular access controls for diverse user communities, including mobile workers, telecommuters, and extranet users.

Cisco EIGRP named, a better approach

The Enhanced Interior Gateway Routing Protocol can be configured using either the classic mode or the named mode. The classic mode is the old way of configuring EIGRP. In classic mode, EIGRP configurations are scattered across the router mode and the interface mode. The named mode is the new way of configuring EIGRP; this mode allows EIGRP configurations to be entered in a hierarchical manner under the router mode. Each named mode configuration can have multiple address families and autonomous system number combinations. In the named mode, you can have similar configurations across IPv4 and IPv6.

The power of prefix lists

Prefix lists are used in route maps and route filtering operations and can be used as an alternative to access lists in many route filtering commands. The most notable and important difference is that a prefix list allows you to filter networks based on their subnet mask. ACLs used in a distribute list filter networks only by network address and do not perform matching on the subnet mask; in other words, for an ACL used in a distribute list, the networks and are indistinguishable. Moreover, the prefix list also allows you to specify networks in a much more natural format than ACLs.

How to install Cisco ISE using USB or CIMC interface

In one of my last job activities, the customer requested to reinstall the Cisco ISE appliance (SNS-3495). The first option, a DVD reader, is not feasible due to the large ISO image file; in fact, the Cisco ISE Software Version 2.2.0 full installation ISO file requires more or less 8Gb. So, how can we install the software? There are two options: using a USB pen drive (at least 16Gb), or using the Cisco Integrated Management Interface (CIMC).