Cisco ISE 2.0 Active Directory & Radius

This is a 4-part blog series about configuring Cisco ISE 2.0 for WLAN authentication and WLAN Guest authentication (split into two parts) on a Cisco Wireless LAN Controller (WLC).

For more guides about configuring (previous) Cisco ISE, see this page. This is part 1, the prerequisites before you can start configuring any authentication method.

Add ISE to Active Directory domain

Log in to ISE and add ISE to the Active Directory domain by following these steps:


Cisco ACI Naming convention thoughts

As you might know, Cisco ACI is an object-based product. Every object you create has to be given a unique name so it can be identified later. Because objects cannot be renamed (this is not implemented yet), it is highly recommended to think of a good naming convention before you create the first one.

If you really want to rename an object you created earlier, you have to remove and recreate the object and link it again to all other linked objects.

To give you a head start on the naming convention, you have to think about the following objects:

Fabric naming

  • SPINE / LEAF switch naming
  • APIC Naming
  • VLAN-pools
  • Domains
  • Attachable Access Entity Profile
  • Link Level Policy
  • Interface policy group
  • Interface Selector
  • Switch Selector
  • Switch Profile

Creating a naming convention is network specific, but try to take the following tips into consideration:


Cisco ACI & Microsoft Hyper-V & L4 – L7 integration

There are options to integrate L4 – L7 devices, like firewalls or load balancers (Cisco ASA, F5, Citrix Netscaler, etc), into Cisco ACI. These integrations can be done in a managed mode, with a device package, or unmanaged mode. Both modes are available if you are using Cisco ACI with VMware vCenter integration.

When you are using Cisco ACI with Microsoft Hyper-V, you cannot integrate any L4 – L7 device yet (Q1 2016). The options to integrate these devices are not available if you select an SCVMM domain.

More to come…

My thought

Cisco ACI is a great product, which I’ve implemented at some customers already. I’ve seen the product grow in the last year from something “not production ready” to a stable product which can be used in production environments. But like all new products, there are still some limitations around which can be a struggle during implementations. The VMware integration into ACI is done and complete; the Hyper-V implementation is still pretty new and some features are missing. I’m sure that the Hyper-V implementation will be more complete in the next major ACI release, but at this point in time you need to know about the limitations which are still around.

Cisco Live Berlin 2016 thoughts

Cisco Live Berlin 2016 was held last week, 15 – 19 February 2016. I was one of the 12000 attendees of the event and this blog post is a short review about my Cisco Live trip.

Venue

The venue was huge. There are a lot of huge halls with a lot of connecting halls. It’s easy to get lost, even easier than it was in Milan last year. But like every year, there are a lot of signs with directions placed all around the venue, and a lot of Cisco people (this year in orange sweaters) are located on almost every corner to show you the direction.


Cisco ACI interesting multi site notes

At Cisco Live Europe 2016, I heard a few interesting things about Cisco ACI. Below are a few notes about the things I heard (non-NDA):

  • Stretched fabric design: 3 site deployment is coming in Q2 2016. Sites are connected in a triangle
  • Multi-pod deployment is coming in Q3 2016
  • Multipod config is not managed by APIC and is configured manually
  • Multipod uses 40 or 100 Gb/s links
  • Multipod requires a higher MTU if using a service provider to handle VXLAN headers of 50 bytes
  • OSPF peering with service provider required
  • If you’re using DWDM or dark fiber WAN connections, the maximum RTT can be 10 msec
  • QoS at service provider to prioritize APIC cluster communication