MAC addresses in a VSS cluster

As you might know, creating a VSS on Cisco Catalyst 4500-X switches is pretty easy and there are many many guides with information how to do this. I think THIS guide is one of the best to do this.

However, there is one additional note which is not mentioned on that (and other) blogs if you are planning to use multiple Catalyst 4500-X VSS clusters. This is related to the switch MAC address.

By default, all MAC addresses used by the Catalyst 4500-X VSS cluster is automatically generated and is based on the VSS domain ID. But what does this mean?

If you’re planning to use multiple VSS clusters in the same network and in the same VLAN(s), you’ll end up with duplicate MAC addresses. I’m sure I don’t have to tell you that this is something you don’t want: it brakes a lot of things in your network.

(more…)

Cisco ISE Part 6: Policy enforcement and MAB

This is a Cisco ISE blog post series with some how-to’s for configuring the ISE deployment, This blog post series exists of 10 parts.

The blogpost Agenda:

Part 1: introduction
Part 2: installation
Part 3: Active Directory
Part 4: High Availability
Part 5: Configuring wired network devices
Part 6: Policy enforcement and MAB
Part 7: Configuring wireless network devices
Part 8: Inline posture and VPN
Part 9: Guest and web authentication
Part 10: Profiling and posture

This week, part 6: Policy enforcement and MAB

Policy enforcement in Cisco ISE is based on authentication en authorization.

Some authentication protocols:

  • pap
  • chap
  • ms-chapv1/2
  • eap-md5
  • eap-tls
  • leap
  • peap
  • eap-fast

Authorization can exist of:

  • DACL
  • VLAN
  • webauth
  • smartport
  • MACsec
  • WLC ACL
  • NEAT
  • Filter-ID
  • reauth timer

Authentication policy: defines to protocols ISE is using to communicate with network devices
Policy: set of conditions
Condition: a rule with true of false as response

The result of an authentication policy is the identity method. It can be any one of the following:

(more…)