Posts

Cisco IOS-XE Vrf Route Leaking In Single Router using VASI interfaces

For a long time I missed one feature in Cisco IOS-XE routers while working with multiple VRFs: a logical, virtual point-to-point link connecting two VRFs. The feature I have in mind is exactly what Fortigate firewalls offer with vdom-links, which connect two VDOMs over a virtual point-to-point link. It turns out Cisco has already implemented such a feature, called VASI (VRF-Aware Software Infrastructure). With VASI interfaces we can connect two VRFs (including the global VRF) over a logical point-to-point link. One end of a VASI link is called vasileft (and belongs to one VRF); the other end is called vasiright (and belongs to the other VRF). Once we assign IP addresses to the left and right interfaces, the two VRFs are connected. After that we can easily implement route leaking between the VRFs using static routing, dynamic routing protocols (OSPF, BGP), etc. Keep in mind that the VASI pair is a real forwarding path between the two VRFs: whatever isolation the VRFs gave you is now defined only by the routes you leak and by any ACL or firewall policy you apply on the VASI interfaces. Enough theory; let's start configuring our topology, which looks like below - 01 - Network Topology Our topol...
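As an added example (not the post's own configuration), the following IOS-XE snippet shows the minimal VASI pair with static route leaking and an ACL limiting what may cross the link. VRF names, interface numbers, prefixes and addresses are assumptions chosen for illustration; the exact prefixes of the post's topology are not shown on this page.

```cisco
! Added example, not the post's configuration. VRF-A, VRF-B, vasileft1/vasiright1,
! the 10.255.0.0/30 link subnet and the 192.168.x.0/24 prefixes are assumptions.
vrf definition VRF-A
 address-family ipv4
 exit-address-family
!
vrf definition VRF-B
 address-family ipv4
 exit-address-family
!
! The VASI pair: vasileft1 and vasiright1 are the two ends of one virtual
! point-to-point link, each placed in a different VRF. To connect a VRF to
! the global routing table instead, simply omit 'vrf forwarding' on one end.
interface vasileft1
 vrf forwarding VRF-A
 ip address 10.255.0.1 255.255.255.252
!
interface vasiright1
 vrf forwarding VRF-B
 ip address 10.255.0.2 255.255.255.252
!
! Route leaking with static routes: each VRF reaches the other VRF's prefix
! through the far end of the VASI link. Leak only the prefixes you intend
! to expose; a default route here would merge the two VRFs completely.
ip route vrf VRF-A 192.168.2.0 255.255.255.0 10.255.0.2
ip route vrf VRF-B 192.168.1.0 255.255.255.0 10.255.0.1
!
! Restrict what VRF-B may send into VRF-A: only HTTPS to one server.
! Traffic from VRF-B leaves vasiright1 and arrives inbound on vasileft1,
! so the filter is applied inbound on the VRF-A end.
ip access-list extended VRFB-TO-VRFA
 permit tcp 192.168.2.0 0.0.0.255 host 192.168.1.10 eq 443
 deny ip any any log
!
interface vasileft1
 ip access-group VRFB-TO-VRFA in
!
! Verification (from enable mode):
! show ip route vrf VRF-A        -> 192.168.2.0/24 via 10.255.0.2
! show ip route vrf VRF-B        -> 192.168.1.0/24 via 10.255.0.1
! ping vrf VRF-A 192.168.2.1 source 10.255.0.1
```

With dynamic routing you would instead run OSPF or BGP across the vasileft1/vasiright1 subnet and let the protocol carry the prefixes, but the same rule applies: filter or firewall the VASI interfaces, because once the pair is up the router will forward between the VRFs exactly as it would between two physical links.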

Convert Cisco IOS-XE router as switch (BDI - Bridge Domain Interface)

I was trying to connect a firewall cluster (Active-Passive) to a Cisco IOS-XE based router and ran into a problem: I cannot connect the two firewalls of the cluster to the router, because the router's interfaces operate in layer-3 mode and do not support layer-2 switching. Before going further, let's have a look at our topology - 01 - Network Topology. Looking at the topology above we can see the problem. If this were not a router but a layer-3 switch, we could simply configure the following on the switch:

interface gi1
 channel-group 1 mode active
!
interface gi2
 channel-group 1 mode active
!
interface port-channel 1
 switchport
 switchport mode trunk
!

But there is no "switchport" command to enable layer-2 VLAN processing on a Cisco router. And because this is a firewall cluster, from the router's perspective there is no way to keep the cluster reachable when a failover happens: the passive unit takes over the active unit's addresses, which only works if both units sit in the same layer-2 segment. Cisco IOS-XE routers solve this prob...
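As an added example (not the post's own configuration), this is how the Ethernet Virtual Circuit and bridge-domain commands on IOS-XE put two router ports into one layer-2 segment and give the router a layer-3 interface in it, the role a VLAN SVI plays on a layer-3 switch. Interface numbers, the VLAN id and the addresses are assumptions, and the topology is assumed to be firewall 1 on GigabitEthernet1 and firewall 2 on GigabitEthernet2.

```cisco
! Added example, not the post's configuration. Gi1/Gi2, VLAN 10, bridge-domain 10
! and 192.168.10.0/24 are assumptions. ASR1000 / ISR4000 style IOS-XE syntax.
!
! Both firewall-facing ports are placed in the same bridge-domain, so frames
! (including the cluster's own failover traffic) are switched between them
! and the passive unit can take over the active unit's IP and MAC addresses.
interface GigabitEthernet1
 description to firewall-1
 no ip address
 service instance 10 ethernet
  encapsulation dot1q 10
  rewrite ingress tag pop 1 symmetric
  bridge-domain 10
!
interface GigabitEthernet2
 description to firewall-2
 no ip address
 service instance 10 ethernet
  encapsulation dot1q 10
  rewrite ingress tag pop 1 symmetric
  bridge-domain 10
!
! If the firewalls send untagged frames, use 'encapsulation untagged' in the
! service instance and drop the 'rewrite' line.
!
! The BDI is the router's layer-3 presence in bridge-domain 10; this is the
! address the firewalls use as their next hop toward the router.
interface BDI10
 description gateway for the firewall cluster
 ip address 192.168.10.1 255.255.255.0
 no shutdown
!
! Verification (from enable mode):
! show bridge-domain 10                      -> both service instances plus BDI10
! show ethernet service instance interface GigabitEthernet1
! show ip interface brief | include BDI10
```

Only the ports you deliberately place in the bridge-domain are switched together; every other router interface keeps its normal routed-only behaviour, so the layer-2 domain stays limited to the cluster's own segment.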

Cisco Nexus Switch SSH login with YubiKey using X.509 certificate - Part II (two-factor and remote AAA TACACS+)

This is the continuation of Part I, where we configured X.509 certificate based SSH login on a Cisco Nexus switch. In this part we will do the same configuration, but AAA will be implemented in Cisco ISE using the TACACS+ protocol. We still have the same limitation on the client side: we must use SecureCRT or Pragma Fortress SSH Client. The main differences in this post are two. Firstly, we will not define a local user on the switch for the user whose certificate is on the YubiKey. Secondly, we will configure TACACS+ on the switch and configure Cisco ISE as the TACACS+ server to do AAA remotely. One important difference from normal AAA with TACACS+ is that, with X.509 based SSH, authentication is still done locally on the switch by verifying the user's certificate against the trusted CA certificate (no local account needs to be created on the switch); authorization and accounting are done by the TACACS+ server. Also, X.509 SSH login is not supported with the RADIUS protocol and t...
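As an added example (not the post's own configuration), the NX-OS snippet below shows the split described above: the trusted CA for certificate verification is configured locally, while authorization of the certificate's user, command authorization and accounting are sent to a TACACS+ server group. The server address, shared secret, group name, trustpoint name and management-VRF reachability are assumptions; the certificate-to-user mapping itself lives in ISE and is not shown here.

```cisco
! Added example, not the post's configuration. USER-CA, ISE-TACACS, 10.10.10.5
! and the shared secret are assumptions. NX-OS syntax.
feature tacacs+
!
! Trusted CA that issued the user certificates stored on the YubiKeys.
! The switch verifies the SSH client's certificate against it locally.
! 'crypto ca authenticate' is interactive and prompts for the CA cert in PEM.
crypto ca trustpoint USER-CA
crypto ca authenticate USER-CA
!
! TACACS+ server in Cisco ISE, reached through the management VRF.
tacacs-server host 10.10.10.5 key 0 CHANGE-ME-SHARED-SECRET
aaa group server tacacs+ ISE-TACACS
  server 10.10.10.5
  use-vrf management
  source-interface mgmt0
!
! Authentication for X.509 SSH stays local (the certificate check above).
! The user named in the certificate is authorized by ISE instead of a local
! 'username' entry, and every command plus accounting goes to ISE as well.
aaa authorization ssh-certificate default group ISE-TACACS
aaa authorization commands default group ISE-TACACS
aaa authorization config-commands default group ISE-TACACS
aaa accounting default group ISE-TACACS
!
! Password logins (console, non-certificate SSH) still use the login method.
! Keep 'local' as the fallback so the box stays manageable if ISE is down.
aaa authentication login default group ISE-TACACS local
!
! Verification (from enable mode):
! show aaa authorization
! show tacacs-server groups
! test aaa group ISE-TACACS <user> <password>
! show accounting log
```

Because authentication never leaves the switch, the trust decision for who may log in at all rests entirely on the CA in the trustpoint: protect that CA, keep its certificate revocation current, and make sure ISE only authorizes the identities you expect to see in certificate subject names.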