My Cisco Learning Network Free Documents & Guides

All my Cisco Learning Network Documents & Guides for free
Last Update 22-Apr-2020.

CCIEv5 R&S Documents & Guides
CCIEv5 IPv4 Multicast Study Guide
https://learningnetwork.cisco.com/s/article/cciev5-ipv4-multicast-study-guide
CCIEv5 BGP Attributes & Best Path Selection
https://learningnetwork.cisco.com/s/article/cciev5-bgp-attributes-amp-best-path-selection
Introduction to QoS
https://learningnetwork.cisco.com/s/article/introduction-to-qos
CCIEv5 MPLS (LDP,vrf lite,MPLS VPN) Study Guide
https://learningnetwork.cisco.com/s/article/cciev5-mpls-ldp-vrf-lite-mpls-vpn-study-guide
CCIEv5 BGP Load Sharing & Load Balancing
https://learningnetwork.cisco.com/s/article/cciev5-bgp-load-sharing-amp-load-balancing
CCIEv5 DHCP/DNS/DHCPv6 Labs
https://learningnetwork.cisco.com/s/article/cciev5-dhcp-dns-dhcpv6-labs
CCIEv5 IPv6 Over MPLS (6PE,6VPE) Labs.
https://learningnetwork.cisco.com/s/article/cciev5-ipv6-over-mpls-6pe-6vpe-labs-x
CCIEv5 BGPv6 (IPv6 Over BGP) Lab.
https://learningnetwork.cisco.com/s/article/cciev5-bgpv6-ipv6-over-bgp-lab-x
CCIEv5 PPP Mega Lab (IPCP,PPPOE,CHAP,PAP)
https://learningnetwork.cisco.com/s/article/cciev5-ppp-mega-lab-ipcp-pppoe-chap-pap-x
CCIEv5 VRF Lite Lab (BLUE,GREEN,YELLOW,RED VRFs)
https://learningnetwork.cisco.com/s/article/cciev5-vrf-lite-lab-blue-green-yellow-red-vrfs-x
CCIEv5 BGP AS 4bytes Lab
https://learningnetwork.cisco.com/s/article/cciev5-bgp-as-4bytes-lab
CCIEv5 BGP Dynamic Neighbor Lab
https://learningnetwork.cisco.com/docs/DOC-25025
CCIEv5 Bidirectional Forwarding Detection (BFD) Overview
https://learningnetwork.cisco.com/s/article/cciev5-bgp-dynamic-neighbor-lab
CCIEv5 IPv6 FHS (First Hop Security) Quick Guide
https://learningnetwork.cisco.com/s/article/cciev5-ipv6-fhs-first-hop-security-quick-guide
CCIEv5 EPC Overview
https://learningnetwork.cisco.com/s/article/cciev5-epc-overview
CCIEv5 VTPv3 Overview
https://learningnetwork.cisco.com/s/article/cciev5-vtpv3-overview
CCIEv5 Quick Guide For Redistribution & Path Control
https://learningnetwork.cisco.com/s/article/cciev5-quick-guide-for-redistribution-amp-path-control
CCIEv5 New Topics Workbook
https://learningnetwork.cisco.com/s/article/cciev5-new-topics-workbook
CCIEv5 New Lab Topics Resources
https://learningnetwork.cisco.com/s/article/cciev5-new-lab-topics-resources

CCIEv5 R&S & Security Documents & Guides
CCIEv5 Security IGP,EGP Authentication
https://learningnetwork.cisco.com/s/article/cciev5-security-igp-egp-authentication
CCIEv5 DMVPN Quick Guide
https://learningnetwork.cisco.com/s/article/cciev5-dmvpn-quick-guide
CCIEv5 DMVPN Labs Workbook
https://learningnetwork.cisco.com/s/article/cciev5-dmvpn-labs-workbook
CCIEv5 Unprotected GRE Tunnel, Protected GRE Tunnel with IPsec VTI
https://learningnetwork.cisco.com/s/article/cciev5-unprotected-gre-tunnel-protected-gre-tunnel-with-ipsec-vti

CCIEv5 Security Documents & Guides
CCIE Security SSL VPN IOS & ASA
https://learningnetwork.cisco.com/s/article/ccie-security-ssl-vpn-ios-amp-asa
CCIE Security EASY VPN IOS & ASA
https://learningnetwork.cisco.com/s/article/ccie-security-easy-vpn-ios-amp-asa
CCIE Security DMVPN Dual Hub Workbook
https://learningnetwork.cisco.com/s/article/ccie-security-dmvpn-dual-hub-workbook
CCIE Security IKEv2 & FlexVPN Quick Overview
https://learningnetwork.cisco.com/s/article/ccie-security-ikev2-amp-flexvpn-quick-overview
CCIE Security GET VPN Quick Overview
https://learningnetwork.cisco.com/s/article/ccie-security-get-vpn-quick-overview
CCIE Security IOS/ASA PKI Quick Overview
https://learningnetwork.cisco.com/s/article/ccie-security-ios-asa-pki-quick-overview
CCIEv5 Security Introduction to NetFlow & StealthWatch System
https://learningnetwork.cisco.com/s/article/cciev5-security-introduction-to-net-flow-amp-stealthwatch-system
Introduction to FirePOWER & FireSIGHT Policies
https://learningnetwork.cisco.com/s/article/introduction-to-firepower-amp-firesight-policies
Cisco FirePOWER & FireSIGHT HA, Clustering and Stacking
https://learningnetwork.cisco.com/s/article/cisco-firepower-amp-firesight-ha-clustering-and-staking
Introduction to ASA with FirePOWER
https://learningnetwork.cisco.com/s/article/introduction-to-asa-with-firepower
CCIE Security v5 & FTD
https://learningnetwork.cisco.com/s/article/ccie-security-v5-amp-ftd
Attacking Cisco R&S with Kali (Backtrack)
https://learningnetwork.cisco.com/s/article/attacking-cisco-r-amp-s-with-kali-backtrack-x
Configuring ASA for CWS
https://learningnetwork.cisco.com/s/article/configuring-asa-for-cws

Miscellaneous Topics
Introduction to SDN
https://learningnetwork.cisco.com/s/article/introduction-to-sdn
What is Cisco ACI?
https://learningnetwork.cisco.com/s/article/what-is-cisco-aci-x
Learn Python, Now!
https://learningnetwork.cisco.com/s/article/learn-python-now-x
IS-IS Study Guide Cisco IOS,IOS-XR
https://learningnetwork.cisco.com/s/article/is-is-study-guide-cisco-ios-ios-xr
Understanding Cisco IOS v15 Licenses
https://learningnetwork.cisco.com/s/article/understating-cisco-ios-v15-licenses
CCNA Security Risk Quantitative Assessment
https://learningnetwork.cisco.com/s/article/ccna-security-risk-quantitative-assessment
Cisco Catalyst ME 3400 Overview & Configuration
https://learningnetwork.cisco.com/s/article/cisco-catalyst-me-3400-overview-amp-configuration
Understanding Cisco EEM by examples Part 1
https://learningnetwork.cisco.com/s/article/understanding-cisco-eem-by-examples-part-1
Understanding Cisco EEM by examples Part 2
https://learningnetwork.cisco.com/s/article/understanding-cisco-eem-by-examples-part-2
CCNA Workbook Lab 1
https://learningnetwork.cisco.com/s/article/ccna-workbook-lab-1
CCNA Workbook Lab 2
https://learningnetwork.cisco.com/s/article/ccna-workbook-lab-2
Zone Based Firewall Part 1
https://learningnetwork.cisco.com/s/article/zone-based-firewall-part-1
Introducing CCNA v3.0 New Topics
https://learningnetwork.cisco.com/s/article/introducing-ccna-v3-0-new-topics
Cisco Routers Password Types
https://learningnetwork.cisco.com/s/article/cisco-routers-password-types
Protection Techniques from Wardriving attack
https://learningnetwork.cisco.com/s/article/protection-techniques-nbsp-from-wardriving-attack
CCNP R&S (TSHOOT) MALLOCFAIL Errors and General Memory Problems
https://learningnetwork.cisco.com/s/article/ccnp-r-amp-s-tshoot-mallocfail-errors-and-general-memory-problems
MTU issues in CCIE R&S TS Section
https://learningnetwork.cisco.com/s/article/mtu-issues-in-ccie-r-amp-s-ts-section
PPP over Frame Relay (PPPoFR) Lab
https://learningnetwork.cisco.com/s/article/ppp-over-frame-relay-pppofr-lab
Load Sharing with HSRP Multigroup HSRP (MHSRP) Lab
https://learningnetwork.cisco.com/s/article/load-sharing-with-hsrp-multigroup-hsrp-mhsrp-lab
Frame Relay Lab without FR core or Back2Back.
https://learningnetwork.cisco.com/s/article/frame-relay-lab-without-fr-core-or-back2back-x
Cisco Router As Type 7 Decryptor
https://learningnetwork.cisco.com/s/article/cisco-router-as-type-7-decryptor
The Myth about Proctor
https://learningnetwork.cisco.com/s/article/the-myth-about-proctor
IGP Limitations
https://learningnetwork.cisco.com/s/article/igp-limitations
Creating Menu in Cisco Routers
https://learningnetwork.cisco.com/s/article/creating-menu-in-cisco-routers
How To Create Comm Access Server Router with ISR G2 ?
https://learningnetwork.cisco.com/s/article/how-to-create-comm-access-server-router-with-isr-g2-x
Cisco SD-WAN Introduction Part 1
https://learningnetwork.cisco.com/s/article/cisco-sd-wan-introduction-part-1
Introduction to Python [Free English Videos]
https://learningnetwork.cisco.com/s/article/introduction-to-python-free-english-videos-x
Introduction to AI & Machine Learning Part 1.
https://learningnetwork.cisco.com/s/article/introduction-to-ai-amp-machine-learning-part-1-x
The History of DevOps & NetDevOps
https://learningnetwork.cisco.com/s/article/the-history-of-devops-amp-nbsp-netdevops
ISE 2.4 & 2.6 Resources and prerequisites
https://learningnetwork.cisco.com/s/article/ise-2-4-amp-2-6-resources-and-prerequisites
Cisco SD-WAN Viptela Resources and prerequisites
https://learningnetwork.cisco.com/s/article/cisco-sd-wan-viptela-resources-and-prerequisites


Yasser Ramzy Auda

Cisco Champion 2016, 2017, 2020

CCIE# 45694 | CCSI# 34215

Cisco Technical Excellence Award, July 2019


Cisco ISEv2.4 Deployment Methods

An ISE node is a physical appliance or a VM running the ISE software.

  • ISE services are grouped into four major collections called personas.
  • Each persona is responsible for a different function within the ISE architecture.
  • You can run all personas on a single node or distribute them across multiple nodes.

The four personas are:

Administration persona:

This is the control center: the user interface for licensing and policy configuration.

[When personas are distributed across different nodes, the node carrying this persona is called the Admin node, and it pushes the configuration out to the other nodes.] PAN = Policy Administration Node

[You create the configuration on the PAN and it is replicated to the PSNs.]

Policy Service persona:

The policy decision engine. It processes all ISE-related network messaging (DHCP, CDP, NetFlow and RADIUS) and is the RADIUS server that the NADs talk to.

[When personas are distributed, the node carrying this persona is called the Policy Service Node = PSN.]

[The PSN carries the configuration and acts as the AAA server, Passive ID collector, SXP speaker and TACACS+ server.]

Monitoring persona:

The engine that collects and correlates logs and report data.

It generates the reports and alarms for the ISE system.

[When personas are distributed, the node carrying this persona is called the Monitoring node.] MnT = Monitoring & Troubleshooting Node

pxGrid persona:

Enables sharing of contextual information from the ISE session directory with other network systems such as the ASA.

You can use the pxGrid framework to exchange policy and configuration data between nodes.

This includes sharing tags and policy objects between ISE and third-party vendors, and non-ISE information exchanges such as threat intelligence.

An extra license is required for pxGrid services.


How to Implement Nodes, Personas and Roles?

  • Single Node Deployment

This is the default deployment type after a fresh ISE install.

All personas run on a single ISE node.

The disadvantages are the lack of fault tolerance and limited scalability.

It supports a maximum of 2,000 endpoints.

  • Four Node Deployment [distributed deployment]

This type provides fault tolerance and scalability.

It introduces the concept of a Role.

For redundancy:

Node 1

The primary role for the Administration persona = Primary Administration Node (PAN)

Node 2

A secondary role for the Administration persona = Secondary Administration Node

To minimize inter-node communication overhead, Cisco requires that the primary Administration persona (PAN) and the Monitoring persona (MnT) run on the same node.

There is no concept of primary and secondary roles for the Policy Service persona, but you can have more than one node running it.

The Policy Service persona plays the role of RADIUS server for the NADs.

On each NAD you configure which Policy Service Node is preferred: the order of the servers in the NAD's RADIUS server group is the priority, and the next PSN is used only when the preferred one has been marked dead.

Admin node

Every ISE deployment must have at least one Admin node.

You can have the primary on one node and a secondary on another node.

ISE supports automatic failover between them. Note that automatic PAN failover is not enabled by default: it has to be switched on in the deployment settings and needs at least one non-administration node designated as a health check node; without it, the secondary PAN must be promoted manually.


Policy Service Node

Policy Service Nodes make the real-time, policy-based decisions and convey the resulting policies directly to the NADs for enforcement.

Remember, the Admin role governs the policy and the endpoint attributes that ISE has acquired.

Policy Service Nodes support runtime use cases such as user and endpoint access, while the other nodes support administrative, monitoring or troubleshooting use cases.

An ISE deployment can have more than one Policy Service Node:

If the Administration and Monitoring personas run on the same node (or the same pair of nodes), you can have up to 5 Policy Service Nodes.

If the Administration and Monitoring personas are installed independently on their own nodes, you can have up to 50 Policy Service Nodes.
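As an added example (not from the original page or any of the linked guides), here is how a Cisco IOS/IOS XE NAD is pointed at two PSNs so that the PSN priority, dead-server detection and the PSN's RADIUS and TACACS+ roles described above are actually configured. The PSN addresses 10.10.10.11 and 10.10.10.12, the shared secrets, the probe username and the source VLAN are assumptions for illustration; the same shared secret has to be entered for this NAD on the PAN under Administration > Network Resources > Network Devices.

```cisco
! Added example (not from the original page): a Cisco IOS/IOS XE NAD pointed at
! two ISE Policy Service Nodes. PSN addresses, shared secrets, probe username
! and the source VLAN are assumed values for illustration.
aaa new-model
!
! One named RADIUS server per PSN. The key must match what is entered for this
! NAD on the PAN (Administration > Network Resources > Network Devices).
! automate-tester sends periodic Access-Requests for a dummy user; ISE will
! reject that user, and a reject still proves the PSN is alive.
radius server ISE-PSN-1
 address ipv4 10.10.10.11 auth-port 1812 acct-port 1813
 key Assumed-Shared-Secret
 automate-tester username radius-probe probe-on
!
radius server ISE-PSN-2
 address ipv4 10.10.10.12 auth-port 1812 acct-port 1813
 key Assumed-Shared-Secret
 automate-tester username radius-probe probe-on
!
! Order inside the group is the priority: ISE-PSN-1 is tried first and
! ISE-PSN-2 is used only while PSN-1 is marked dead (for "deadtime" minutes).
aaa group server radius ISE-PSNs
 server name ISE-PSN-1
 server name ISE-PSN-2
 ip radius source-interface Vlan100
 deadtime 15
!
! Declare a PSN dead after 5 seconds / 3 unanswered requests, so clients
! fail over to PSN-2 instead of each session timing out on its own.
radius-server dead-criteria time 5 tries 3
!
aaa authentication dot1x default group ISE-PSNs
aaa authorization network default group ISE-PSNs
aaa accounting dot1x default start-stop group ISE-PSNs
aaa accounting update newinfo periodic 2880
!
! Both PSNs must be allowed to send RADIUS Change of Authorization (CoA),
! otherwise a PSN decision (re-auth, quarantine) cannot be pushed to this NAD.
aaa server radius dynamic-author
 client 10.10.10.11 server-key Assumed-Shared-Secret
 client 10.10.10.12 server-key Assumed-Shared-Secret
!
! Device administration: the same PSNs also serve TACACS+ (this needs the ISE
! Device Administration license). "local" is the fallback if both PSNs are down.
tacacs server ISE-PSN-1-TAC
 address ipv4 10.10.10.11
 key Assumed-Tacacs-Secret
tacacs server ISE-PSN-2-TAC
 address ipv4 10.10.10.12
 key Assumed-Tacacs-Secret
aaa group server tacacs+ ISE-TACACS
 server name ISE-PSN-1-TAC
 server name ISE-PSN-2-TAC
aaa authentication login default group ISE-TACACS local
aaa authorization exec default group ISE-TACACS local
```

Verify with show aaa servers (each PSN should report State: current UP, and the request counters show which one is actually answering) and show radius server-group all for the group order. The dead-criteria and automate-tester settings are what let the NAD notice a failed PSN before a user's 802.1X session times out; without them the NAD only retries per request and every client pays the timeout.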

Monitoring Node

Each ISE deployment needs at least one Monitoring node.

You can deploy a second one for fault tolerance; in that case both the active and the standby node collect log messages, and each PSN forwards its logs to both of them, because Monitoring nodes do not synchronize with each other.

The Monitoring node can forward the logged information to external databases, which then act as sources of accounting and security-related information that is useful as evidence and forensic data.


ISE Licenses


AnyConnect Apex

This extra license is needed (in addition to ISE Apex) when you use the AnyConnect agent for posture instead of the Temporal agent.

So you buy two: an ISE Apex license and an AnyConnect Apex license.


You need a VM license only if the ISE node is deployed from the OVA, i.e. runs as a VM.

You can have a mixed environment with ISE physical nodes and ISE VM nodes together.

Cisco on-box automation tools

Cisco on-box automation tools are tools that are already embedded in Cisco IOS, or that can be run from the Cisco IOS CLI, and that help you automate many tasks.

Cisco on-box automation tools include:

- Auto SmartPorts
- AutoConf
- Auto Security
- AutoQoS
- Smart Call Home
- Tcl Shell
- Embedded Event Manager (EEM)
- Python Version 2.7

For Auto SmartPorts, AutoConf, Auto Security, AutoQoS and Smart Call Home, read chapter 7 "On-Box Automation and Operations Tools" in the Cisco Press book "Programming and Automating Cisco Networks".

For the Tcl Shell, read the Cisco Press book "TcL Scripting for Cisco IOS".

For Embedded Event Manager (EEM), read my personal two-part article "Understanding Cisco EEM by examples":

https://lnkd.in/gbRtA58

https://lnkd.in/gHa_hFC

Python Version 2.7: yes, you can run Python on Cisco IOS XE, both in interactive mode (a Python shell on the device) and in non-interactive mode (running a script file stored on the device).

For more information about the on-box Python capability, read:

https://lnkd.in/ga6itBG
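As an added example (not taken from the page or from the EEM and Python articles linked above), the following EEM applets and guest shell commands show two of these on-box tools on IOS XE: the applets fire when the NAD declares an ISE PSN dead or alive (the same PSN failover event discussed in the ISE deployment section above) and log the remaining RADIUS server state, and the trailing exec lines show the interactive and non-interactive ways of running the on-box Python 2.7 interpreter. The script path /bootflash/psn_check.py is a placeholder, and guest shell is assumed to be already enabled for the platform.

```cisco
! Added example (not from the original page or the linked articles).
! EEM applet: react when this NAD marks an ISE PSN dead. IOS logs that as
!   %RADIUS-4-RADIUS_DEAD: RADIUS server 10.10.10.11:1812,1813 is not responding.
! The applet deliberately does not echo $_syslog_msg into its own syslog
! message, because that text contains "RADIUS-4-RADIUS_DEAD" and would match
! the pattern again and re-trigger the applet in a loop.
event manager applet ISE-PSN-DEAD
 event syslog pattern "RADIUS-4-RADIUS_DEAD"
 action 1.0 cli command "enable"
 action 2.0 cli command "show aaa servers | include State"
 action 3.0 syslog priority warnings msg "ISE PSN failover: remaining RADIUS server state: $_cli_result"
!
! Companion applet for the recovery event (%RADIUS-4-RADIUS_ALIVE), same
! rule: no echo of the triggering message.
event manager applet ISE-PSN-ALIVE
 event syslog pattern "RADIUS-4-RADIUS_ALIVE"
 action 1.0 syslog priority notifications msg "ISE PSN recovered; NAD reverts to the group order of the RADIUS server group"
!
! Python 2.7 on-box (IOS XE 16.x guest shell; enable it first with "iox" and
! "guestshell enable", the exact steps depend on the platform).
!
! Interactive mode: a Python REPL on the device, with Cisco's "cli" module
! for running IOS commands from Python.
!   Device# guestshell run python
!   >>> import cli
!   >>> print(cli.cli('show aaa servers | include State'))
!
! Non-interactive mode: run a script stored on the device
! (/bootflash/psn_check.py is an assumed placeholder path).
!   Device# guestshell run python /bootflash/psn_check.py
```

The applets only read state and write syslog, so they are safe to leave in place; if you extend them with configuration changes (for example re-ordering the RADIUS group), keep the no-echo rule above, and rate-limit with a maxrun or an event counter so a flapping PSN cannot drive the NAD into a reconfiguration loop.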

EDR vs EPP

Endpoint Detection and Response (EDR) platforms are security systems that combine elements of next-generation antivirus with additional tools to provide real-time anomaly detection and alerting, forensic analysis and endpoint remediation capabilities.

By recording every file execution and modification, registry change, network connection and binary execution across an organization's endpoints, EDR extends threat visibility beyond what an EPP provides.

Top Endpoint Detection and Response (EDR) Solutions:

Cisco Advanced Malware Protection AMP for Endpoints
FireEye Endpoint Security
Carbon Black Cb Response
Guidance Software EnCase Endpoint Security
Cybereason Total Enterprise Protection
Symantec Endpoint Protection
RSA NetWitness Endpoint
Tanium
CrowdStrike Falcon Insight
CounterTack Endpoint Threat
SentinelOne

Gartner Top EDR

https://www.gartner.com/reviews/market/endpoint-detection-and-response-solutions

An Endpoint Protection Platform (EPP), often marketed as Next Generation Anti-Virus (NGAV), is an integrated security solution designed to detect and block threats at the device level. Typically this includes antivirus, anti-malware, data encryption, a personal firewall, host intrusion prevention (HIPS) and data loss prevention (DLP).

Traditional EPP is inherently preventative, and most of its approaches are signature-based: a threat is identified by matching a known file signature, so a signature must first be written for each newly discovered threat before it can be blocked. The latest EPP solutions have evolved to use a broader range of detection techniques.

Top NGAV / Endpoint Protection Platform (EPP) vendors to watch in 2019:
Carbon Black
CrowdStrike
Kaspersky Lab
SentinelOne

Gartner Top EPP

https://www.gartner.com/reviews/market/endpoint-protection-platforms