
Posts published in “Cisco”

ISE Studying Notes


This post shows some quick steps for regular operations on my home CyberArk lab:

On board CyberArk End User

If your CyberArk has AD integrated, you will need to add this user to the proper CyberArk AD group. Usually, you will have three types of CyberArk AD user groups:

Configure Cisco Enterprise Access Point 1142N As Home AP


In early 2018, I got a chance to buy a Cisco wireless access point for only $30, which is a great deal for an AIR-LAP1142N-x-K9 (dual-band, controller-based 802.11a/g/n). It is not an 802.11ac AP, but as a replacement for my home wireless router it is already enough.

Since this device is an enterprise product, the configuration is not that straightforward; even after reading some Cisco documents, it is still quite cumbersome to understand.

After a couple of hours working on it, I managed to bring both the 2.4 GHz and 5 GHz radios up and set up two SSIDs across both radios. Here are my steps (the simplest steps to follow) with screenshots and video:
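The post's own screenshots and steps are not reproduced in this excerpt. As an added example that is not the author's configuration, the following is the minimal secure autonomous-IOS setup for one WPA2-PSK (AES) SSID on both radios of a 1142N. It assumes the AP has already been converted from the controller-based (CAPWAP) image to the autonomous k9w7 image, which is what makes the `dot11 ssid` and `interface Dot11Radio` commands available; the SSID name, passphrase and the single-SSID layout are placeholders/assumptions, and a second SSID on the same radio additionally requires VLAN mapping, which is omitted here.

```text
! Added example, not from the post. Assumes an autonomous (k9w7) image on the 1142N.
! SSID name and passphrase are placeholders; replace both.
dot11 ssid HomeWiFi
 authentication open
 authentication key-management wpa version 2
 wpa-psk ascii 0 ChangeThisPassphrase
 guest-mode
!
! Dot11Radio0 is the 2.4 GHz radio, Dot11Radio1 the 5 GHz radio.
! The cipher must be set before a WPA SSID can be attached to the radio.
interface Dot11Radio0
 encryption mode ciphers aes-ccm
 ssid HomeWiFi
 station-role root
 no shutdown
!
interface Dot11Radio1
 encryption mode ciphers aes-ccm
 ssid HomeWiFi
 station-role root
 no shutdown
!
! Lock down management of the AP itself: HTTPS and SSH only.
enable secret ChangeThisEnableSecret
no ip http server
ip http secure-server
ip ssh version 2
line vty 0 4
 transport input ssh
```

`wpa version 2` with `aes-ccm` gives WPA2-AES only; leaving `encryption mode` at a TKIP cipher or omitting `wpa version 2` would allow WPA1 clients and weaker ciphers. `guest-mode` is what makes the SSID broadcast in beacons; without it the network is hidden, which does not add security but does confuse clients.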

Cisco Web Security Appliance S190 – Web GUI


Cisco® Web Security Appliance (WSA) offers malware protection, application visibility and control, acceptable use policy controls, insightful reporting and secure mobility to enterprise networks.

The Cisco WSA is a forward proxy that can be deployed in either Explicit mode (proxy automatic configuration [PAC] files, Web Proxy Auto-Discovery [WPAD], browser settings) or Transparent mode (Web Cache Communication Protocol [WCCP], Policy-Based Routing [PBR], load balancers). WCCP-compatible devices, such as Cisco Catalyst® 6000 Series Switches, Cisco ASR 1000 Series Aggregation Services Routers, Cisco Integrated Services Routers, and Cisco ASA 5500-X Series Next-Generation Firewalls, reroute web traffic to the Cisco WSA. The Cisco WSA can proxy HTTP, HTTPS, SOCKS, native FTP, and FTP over HTTP traffic to deliver additional capabilities such as data-loss prevention, mobile user security, and advanced visibility and control. Cisco provides hardware appliances (Cisco S690, Cisco S690X, Cisco S680, Cisco S390, Cisco S380, Cisco S190, Cisco S170) and virtual appliances WSAV (S000v, S100v, S300v) for different requirements. In this post, the S190 is used to show what the web GUI looks like.
The Cisco S190 appliance is typically installed as an additional layer in the network between clients and the Internet.

Cisco S190 at a glance (from the datasheet):

  • Target deployment: SMB and branch
  • Disk space: 2 x 600 GB SAS
  • RAID mirroring: Yes (RAID 1)
  • Memory: 8 GB DDR4
  • CPU: 1 x 1.9 GHz, 6 cores

Depending on how you deploy the appliance, you may or may not need a Layer 4 (L4) switch or a WCCP router to direct client traffic to the appliance. Deployment options include:

  • Transparent Proxy—Web proxy with an L4 switch 
  • Transparent Proxy—Web proxy with a WCCP router 
  • Explicit Forward Proxy—Connection to a network switch 
  • L4 Traffic Monitor—Ethernet tap (simplex or duplex)
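Of the four options, the transparent proxy with a WCCP router is the one where the network side is typed by hand. The following is an added example, not from the post or from Cisco's WSA documentation, of an IOS WCCPv2 service group that intercepts client HTTP and HTTPS and redirects it to a single WSA. The client subnet, the WSA address, the service ID (90) and the password are assumptions; the service ID, ports and password must match what is configured on the WSA itself (Network > Transparent Redirection).

```text
! Added example, not from the post. Addresses, service ID and password are assumptions.
! Clients whose web traffic is intercepted (assumed LAN 192.168.10.0/24)
ip access-list extended WSA-REDIRECT
 permit tcp 192.168.10.0 0.0.0.255 any eq 80
 permit tcp 192.168.10.0 0.0.0.255 any eq 443
 deny   ip any any
!
! Only the WSA (assumed 192.168.1.50) may register as a cache engine in the group
ip access-list standard WSA-ENGINES
 permit 192.168.1.50
!
! Dynamic service 90 must match the WSA's service ID. The group-list plus the
! password authenticate the WSA's registration so that another host on the
! segment cannot join the group and have client traffic redirected to it.
ip wccp 90 redirect-list WSA-REDIRECT group-list WSA-ENGINES password 0 WccpSharedSecret
!
interface GigabitEthernet0/1
 description LAN toward clients
 ip wccp 90 redirect in
!
interface GigabitEthernet0/2
 description segment toward the WSA
 ! never re-redirect traffic that the WSA itself sends out
 ip wccp redirect exclude in
!
! Verification: the WSA should appear as a usable router/cache-engine pair
Router# show ip wccp 90
Router# show ip wccp 90 detail
```

Two checks matter before going live: `show ip wccp 90` should report one usable cache engine and a non-zero "Total Packets Redirected" counter once clients browse, and the redirect-list should be narrower than "any" so that the appliance's own traffic, management hosts and anything you deliberately keep off the proxy are not looped through it.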

Cisco IOS Command Tips and Tricks – Part 2


The Cisco IOS command list is getting longer, so it has been split into two posts:

1. AutoSecure

Cisco also provides a One-Step Lockdown-like feature at the command line, called AutoSecure. Its syntax is:

auto secure [management | forwarding] [no-interact | full] [ntp | login | ssh | firewall | tcp-intercept]
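As an added example that is not from the post, this is how AutoSecure is run non-interactively for the management plane, followed by a manual equivalent of the core management-plane lockdown it applies. The exact set of commands AutoSecure emits varies by IOS release, and the interface name, timers and sizes below are placeholders; review `show auto secure config` on your own platform rather than treating this list as exhaustive.

```text
! Added example, not from the post. Run AutoSecure for the management plane only,
! accept the defaults, then inspect exactly what it wrote before saving.
Router# auto secure management no-interact
Router# show auto secure config

! Manual equivalent of the core management-plane settings (interface name,
! timers and buffer size are placeholders; the exact set varies by release).
Router# configure terminal
service password-encryption
service tcp-keepalives-in
service tcp-keepalives-out
no service finger
no service pad
no service udp-small-servers
no service tcp-small-servers
no cdp run
no ip bootp server
no ip http server
no ip finger
no ip source-route
no ip gratuitous-arps
no ip identd
security passwords min-length 6
security authentication failure rate 10 log
login block-for 120 attempts 3 within 60
logging buffered 16384
logging console critical
ip ssh time-out 60
ip ssh authentication-retries 2
line vty 0 4
 transport input ssh
!
interface GigabitEthernet0/0
 no ip redirects
 no ip proxy-arp
 no ip unreachables
 no ip directed-broadcast
 no ip mask-reply
 no mop enabled
```

The caveat a practitioner wants: `transport input ssh` and `no ip http server` remove Telnet and HTTP management in one step, so run AutoSecure from the console or confirm SSH (with an RSA key already generated) works before `write memory`. The `forwarding` option goes further and enables CBAC inspection and TCP intercept, which can break traffic on a production router if applied without review.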

Cisco ACI (Application Centric Infrastructure) Lab Test Drive



• ACI is an open, centralized policy model that connects to all components of the data center and controls the network and information flow.
• Policy is a principle of action defined by the business, expressed in code and carried out by the system.
• A policy is a statement of intent that is applied to the network, with the network being responsible for carrying out that intent.
• Applying logic through policy lets changes be made at any layer of the stack independently of the others.
• The advantages of policy in the data center are abstraction, extensibility, and reusability.

Unicast forwarding through the fabric occurs as follows:

1. The packet is sourced from the VM attached to the ingress port group, or directly from a physical server.
2. The virtual switch (vSwitch) encapsulates the frame and forwards it to the leaf.
3. The leaf swaps the ingress encapsulation for VXLAN and performs any required policy functions.
4a. If the leaf has learned the inner IP-to-egress-VTEP binding, it sets the required VTEP address and forwards directly to the egress leaf.
4b. If the ingress leaf has no cached entry for the IP-to-egress-VTEP binding, it sets the VTEP address to the anycast VTEP, which lives in the spine. The spine performs an inline hardware lookup and rewrites the egress VTEP. No additional latency or loss of throughput results from the lookup, assuming the packet was going through the spine anyway.
5. The egress leaf swaps the outer VXLAN header for the correct encapsulation and performs any required policy functions.
6. The leaf then forwards the frame to the vSwitch.
7. From there, the vSwitch forwards the frame to the VM; for a bare-metal host, the leaf sends it directly to the physical server.

1. Accessing the Remote Lab Environment

Cisco 3850 Mgmt VRF Configuration


Ethernet Management Interface VRF

Newer Cisco routers and switches come with a dedicated Ethernet port whose sole purpose is to provide management access to the device via SSH or Telnet. This interface is isolated in its own VRF called "Mgmt-vrf". Placing the management Ethernet interface in its own VRF has the following effects on the Management Ethernet interface:

1. Many features must be configured or used inside the VRF, so the CLI for certain Management Ethernet functions differs from that on other routers.
2. Transit traffic cannot traverse the device through it. Because all of the SPA (forwarding) interfaces and the Management Ethernet interface are automatically in different VRFs, no transit traffic can enter the Management Ethernet interface and leave a SPA interface, or vice versa.
3. Improved security of the interface. Because Mgmt-vrf has its own routing table, routes are only added to the Management Ethernet interface's table when a user enters them explicitly.
4. The Management Ethernet interface VRF supports both IPv4 and IPv6 address families.
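Point 1 above is where people get caught: any management-plane service that must reach out of (or be reached through) the management port needs the VRF named explicitly, otherwise it uses the global routing table and silently fails. The following is an added example, not from the post, of a Catalyst 3850 (IOS-XE) configuration that puts the built-in management port into Mgmt-vrf, adds the one route that point 3 says must be entered by hand, and binds syslog, NTP, SNMP, TACACS+ and the VTY access-class to that VRF. All addresses, names and the management subnet are assumptions.

```text
! Added example, not from the post. Addresses, names and subnet are placeholders.
! On the 3850 the dedicated management port is GigabitEthernet0/0 and is already
! a member of the built-in Mgmt-vrf; the VRF itself does not need to be created.
interface GigabitEthernet0/0
 vrf forwarding Mgmt-vrf
 ip address 10.10.0.21 255.255.255.0
 no shutdown
!
! Mgmt-vrf has its own routing table: nothing is learned into it, so add the default
! route explicitly (point 3 above).
ip route vrf Mgmt-vrf 0.0.0.0 0.0.0.0 10.10.0.1
!
! Management-plane services must name the VRF, or they will try the global table.
ip ssh source-interface GigabitEthernet0/0
logging host 10.10.0.50 vrf Mgmt-vrf
ntp server vrf Mgmt-vrf 10.10.0.5
snmp-server host 10.10.0.50 vrf Mgmt-vrf version 3 priv MonitorUser
ip tacacs source-interface GigabitEthernet0/0 vrf Mgmt-vrf
!
! Restrict inbound management to the management subnet; "vrf-also" is required for
! the access-class to apply to sessions arriving through a VRF interface.
ip access-list standard MGMT-HOSTS
 permit 10.10.0.0 0.0.0.255
line vty 0 15
 access-class MGMT-HOSTS in vrf-also
 transport input ssh
!
! Verification from the switch: reachability and the VRF's own table.
Switch# ping vrf Mgmt-vrf 10.10.0.1
Switch# show ip route vrf Mgmt-vrf
Switch# ssh -vrf Mgmt-vrf -l admin 10.10.0.50
```

If a plain `ping 10.10.0.1` fails while `ping vrf Mgmt-vrf 10.10.0.1` succeeds, that is point 2 at work rather than a fault: the global table and Mgmt-vrf are deliberately unaware of each other, so the management subnet is unreachable from the data plane and vice versa.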