
Topics - MC

Routing and Switching / ISR G2 with AVC and NBAR2
« on: March 24, 2014, 10:54:47 AM »
I just had a chance to enable NBAR2 on a 2900 router and want to share my findings. I always thought it was a simple activation, but it turned out to require a few things. Here are a few things I learnt.
  1. First you need a Data license; otherwise only a limited set of protocols will show up when you try to do "match protocol" (i.e. NBAR1).
  2. The base image/license gives you the Basic protocol pack. If you need the 2000+ protocols or want to install a protocol pack to support newer protocols, you need the Advanced Protocol Pack. The Data license will convert the Basic to the Advanced protocol pack automatically.
  3. When I tried to install an advanced protocol pack, the router complained about insufficient dynamic memory and stopped parsing the package. I had to upgrade the memory from 512 MB (default) to 1 GB to make the router happy, so I would say always have a minimum of 1 GB of RAM when dealing with NBAR2.
  4. Both the Data license and AVC are RTU now on recent IOS. But for correct entitlement, the AX license bundle should be purchased, which includes the Data license, AVC, and WAAS sessions.
  5. The AX license bundle by itself is not the same as the one you get when you buy it with the router bundle. The one with the router bundle has the Security license, which the standalone AX license does not have. That's why, when you buy a standalone AX and a router separately, it is cheaper than the router-AX bundle.

Security / ISE Guest access Timeout on Behalf of danimax
« on: March 07, 2014, 12:17:34 PM »
I have a problem with ISE guest access. Whenever a guest user authenticates and is permitted access, it times the user out every 5 minutes and asks the user to authenticate again. Please, what do you think is the way out?

Security / Changing ISE Hostname
« on: March 05, 2014, 04:43:50 PM »
I just had an opportunity to change the ISE hostname after an install and found out that it could no longer join AD, with the message "No Response from ISE Node". The fix is to make sure that you also update the DNS record with the new name and replace the certificate, unless you are using a wildcard cert.

Figured I should share.
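As an added example that is not part of the post above: a small POSIX shell check for the two things the post says must be updated after an ISE hostname change, the DNS record for the new FQDN and the node certificate (an exact SAN/CN entry or a covering wildcard). The hostnames are made up and the certificate is self-signed and generated locally so the script runs offline; on a real node you would export the system certificate from the ISE admin GUI and pass that file to the same functions before rejoining AD.

```shell
#!/bin/sh
# Added example, not from the original post: after an ISE hostname change,
# check the two things the post says must be updated, the DNS record for the
# new name and the node certificate (exact SAN/CN or a covering wildcard).
# Hostnames are made up and the certificate is self-signed here so the script
# runs offline; against a real node you would export its system certificate
# and pass that file to the same functions.
set -e

TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT

# make_demo_cert -> path of a self-signed cert with a CN and two SAN entries
# (constructed data standing in for the ISE node certificate)
make_demo_cert() {
    cat > "$TMP/san.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ext
prompt = no
[dn]
CN = ise01.example.com
[ext]
subjectAltName = DNS:ise01.example.com, DNS:*.lab.example.com
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -config "$TMP/san.cnf" -keyout "$TMP/key.pem" -out "$TMP/cert.pem" \
        >/dev/null 2>&1
    printf '%s\n' "$TMP/cert.pem"
}

# cert_names CERT -> DNS names from the SAN extension, one per line;
# falls back to the subject CN only when the cert carries no SAN (RFC 6125)
cert_names() {
    sans=$(openssl x509 -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n 1 \
        | tr ',' '\n' | sed -n 's/^[[:space:]]*DNS:[[:space:]]*//p')
    if [ -n "$sans" ]; then
        printf '%s\n' "$sans"
    else
        openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
            | sed -n 's/.*CN=\([^,]*\).*/\1/p'
    fi
}

# name_matches HOST PATTERN -> 0 when PATTERN covers HOST: an exact match, or a
# "*.domain" wildcard that covers exactly one leftmost label (so *.example.com
# covers ise02.example.com but not example.com or a.b.example.com)
name_matches() {
    host=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    pat=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    [ "$host" = "$pat" ] && return 0
    case "$pat" in
        \*.*)
            suffix=${pat#\*.}
            rest=${host#*.}
            [ "$rest" != "$host" ] && [ "$rest" = "$suffix" ] && return 0
            ;;
    esac
    return 1
}

# cert_covers_host CERT HOST -> 0 when any name in CERT covers HOST
cert_covers_host() {
    for n in $(cert_names "$1"); do
        if name_matches "$2" "$n"; then return 0; fi
    done
    return 1
}

# dns_resolves HOST -> 0 when the local resolver has a forward record for HOST
dns_resolves() {
    getent hosts "$1" >/dev/null 2>&1
}

# Demo run against the constructed certificate. On a live node, replace
# DEMO_CERT with the exported system certificate and run dns_resolves on the
# new FQDN as well before attempting the AD join again.
DEMO_CERT=$(make_demo_cert)
for h in ise01.example.com ise02.lab.example.com ise02.example.com; do
    if cert_covers_host "$DEMO_CERT" "$h"; then
        echo "$h: covered by certificate"
    else
        echo "$h: NOT covered, reissue the certificate before rejoining AD"
    fi
done
```

The wildcard rule is deliberately strict: a `*.lab.example.com` entry covers `ise02.lab.example.com` but not `lab.example.com` itself or a name two labels deep, which is the behaviour a client validating the ISE certificate will apply, so a renamed node that only looks covered by a wildcard still needs a reissued certificate.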

Hi all, some of you might know this already, but for the longest time I couldn't figure out how to manually set the TFTP server on a Cisco phone while having DHCP enabled, whether or not you get option 150.

The trick is to set the "Alternate TFTP" option to "Yes", and this will let you edit the TFTP server right underneath.

This is useful when you deal with an environment where option 150 is not available, like a VPN phone or phone proxy at a user's home, or if you want to quickly force a phone to a different TFTP server.

I figured I would share my little discovery.

More elaborate steps here

Security / User Certificate Renewal for ISE BYOD
« on: November 21, 2013, 04:51:12 PM »
Does anyone know what happens after a certificate on an onboarded device expires?
How does the renewal process work?
Does the user have to delete the profile on their device and go through onboarding again to obtain a new certificate?

Routing and Switching / Device Tracking Issue on Catalyst Switches 15.2(1)E
« on: November 20, 2013, 10:00:54 AM »
I ran into an issue where a switch complains about seeing a duplicate source IP in ARP probe packets.

2013 Nov 19 16:18:09.498218 arp: Src 0023.445f.dfgc/ Dst 002a.23rf.fd2d/

It turns out this is the behavior of the Device Tracking feature, which gets enabled by default when upgrading to 15.2(1)E on most Catalyst switches (2960, 3850, 4500, 4900, etc.). But if you try to disable device tracking, you get

Switch(config)#no ip device tracking       
% IP device tracking is disabled at the interface level by removing the relevant configs

This seems to be a known issue (bug), and the current workarounds are the following. Depending on the switch model, hopefully one of the options will work for you.

On the switch interface:
Option 1:  enter "ip device tracking probe delay 10"
Option 2:  enter "ip device tracking max 0"
Option 3:  enter "nmsp attach suppress"

Security / Third Party CA Server
« on: November 15, 2013, 12:06:26 AM »
Does anyone have any experience with a non-Windows CA server (paid or free) and have successfully implemented it in production, especially with Cisco ISE?

Security / Better Way to Manage Windows CA Server
« on: November 15, 2013, 12:04:03 AM »
As you know, although Windows CA Server works well, it becomes difficult to manage (e.g. find user/cert, revoke, renew) once you have a few hundred certificates. Does anyone have a working solution for this problem?
I did some research, and it seems Microsoft has a product called Forefront Identity Manager, which is supposed to have a better Certificate Manager that addresses this problem. Does anyone have any experience using this in production?
Any suggestions or feedback are appreciated.

SimplePortal 2.3.5 © 2008-2012, SimplePortal