Security PoC SXP ISE & ASAv 9.10 lab by UD
Moderator: mike
-
- Posts: 5148
- Joined: Wed Mar 15, 2017 4:44 pm
- Location: London
- Contact:
Security PoC SXP ISE & ASAv 9.10 lab by UD
Created another security EVE-NG Pro lab to test the newest ASAv 9.10 and ISE 2.3 for SXP TrustSec.
Task:
1. Configure ASAv in HA active/standby
2. Configure CTS SXP peering between SW1 and ASAv. ASAv and SW1 are ISE TrustSec clients
3. VLAN 11 (inside) is the SXP trusted communication between ASAv and SW1
4. ISE is configured with SGTs Corp_DOT1X and Guest_MAB, dACL and authorization profiles with the VLAN 11 tag.
5. Authenticate PC1-MAB with ISE (mab) and authorize it in security group Guest_MAB
6. Authenticate PC2-DOT1X with ISE (dot1x) and authorize it in security group Corp_DOT1X
7. PC1-MAB is able to reach the http dmz1.eve.lab server only
8. PC2-DOT1X is able to reach the http dmz2.eve.lab server and the internet (ping 8.8.8.8, lo0 on ISP)
And here is the result:
In the screen below, PC1-MAB, after being successfully authorized with ISE, matches the policies on ASAv and can reach only http://dmz1.eve.lab
ISE Policies:
Task test result:
Images used:
IOL SW 15.2 (version with mab, dot1x, cts/sxp support)
IOL L3 15.4.2T
ASAv 9.10 (demo lic)
ISE 2.3 (eval lic)
Windows Server 2008 as DNS and AD server
Windows 7 32 bit as MAB and DOT1X hosts
EVE-PRO Docker server-gui as DMZ servers and management host
NTP server, simple L3 IOL router 15.4.2T
Cloud (cloud5) Mgmt100 is a simple EVE free cloud network used to stretch the mgmt VLAN across the lab and for a cleaner-looking topology.
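The lab attachments are not visible here, so below is an added configuration sketch (not UD's lab config, not taken from the attached files) that covers the task list above: ASAv failover, SW1 as SXP speaker with ISE as its RADIUS/TrustSec server, ASAv as SXP listener, and an SGT-based access policy that gives Guest_MAB web access to dmz1 only and Corp_DOT1X web access to dmz2 plus ICMP to the internet. The SGT names come from the post; all addresses (10.11.0.0/24 on VLAN 11, 10.254.0.0/30 failover link, ISE at 10.100.0.10, dmz1 at 172.16.1.10, dmz2 at 172.16.2.10), interface names and the ***REPLACE-ME*** secrets are assumptions.

```cisco
! ---- ASAv (primary unit): failover, ISE TrustSec client, SXP listener, SGT policy ----
! Assumed addressing, not from the post: inside 10.11.0.1/24 (VLAN 11),
! failover link 10.254.0.0/30, ISE 10.100.0.10, dmz1 172.16.1.10, dmz2 172.16.2.10
failover lan unit primary
failover lan interface FOLINK GigabitEthernet0/7
failover link FOLINK GigabitEthernet0/7
failover interface ip FOLINK 10.254.0.1 255.255.255.252 standby 10.254.0.2
failover key ***REPLACE-ME***
failover
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.11.0.1 255.255.255.0 standby 10.11.0.3
!
! ISE as RADIUS server; cts server-group makes the ASAv an ISE TrustSec client
! so SGT names used in the ACL resolve against ISE environment data.
aaa-server ISE protocol radius
aaa-server ISE (inside) host 10.100.0.10
 key ***REPLACE-ME***
cts server-group ISE
!
! SXP: ASAv is the listener, SW1 the speaker. Only the configured peer on VLAN 11
! is accepted, and the session is authenticated with the default SXP password.
cts sxp enable
cts sxp default source-ip 10.11.0.1
cts sxp default password ***REPLACE-ME***
cts sxp connection peer 10.11.0.2 password default mode local listener
!
object network DMZ1
 host 172.16.1.10
object network DMZ2
 host 172.16.2.10
! Source matched by SGT (learned over SXP), not by IP:
!   Guest_MAB   -> web on dmz1 only
!   Corp_DOT1X  -> web on dmz2 plus ICMP (ping 8.8.8.8 on the ISP lo0)
! Everything else from inside is dropped and logged.
access-list INSIDE_IN extended permit tcp security-group name Guest_MAB any object DMZ1 eq www
access-list INSIDE_IN extended permit tcp security-group name Corp_DOT1X any object DMZ2 eq www
access-list INSIDE_IN extended permit icmp security-group name Corp_DOT1X any any
access-list INSIDE_IN extended deny ip any any log
access-group INSIDE_IN in interface inside

! ---- SW1 (IOS 15.2): ISE as RADIUS, MAB/802.1X on access ports, SXP speaker ----
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
radius server ISE
 address ipv4 10.100.0.10 auth-port 1812 acct-port 1813
 key ***REPLACE-ME***
dot1x system-auth-control
! IP device tracking builds the local IP-to-SGT table that SXP exports to the ASAv
ip device tracking
!
interface Vlan11
 ip address 10.11.0.2 255.255.255.0
!
interface Ethernet0/1
 description PC1-MAB (assumed port)
 switchport mode access
 authentication port-control auto
 authentication order mab dot1x
 authentication priority dot1x mab
 mab
 dot1x pae authenticator
!
interface Ethernet0/2
 description PC2-DOT1X (assumed port)
 switchport mode access
 authentication port-control auto
 dot1x pae authenticator
!
cts sxp enable
cts sxp default source-ip 10.11.0.2
cts sxp default password ***REPLACE-ME***
cts sxp connection peer 10.11.0.1 password default mode local speaker

! ---- Verification (exec mode) ----
! SW1:  show cts sxp connections           peer 10.11.0.1, connection state On
!       show cts role-based sgt-map all   PC1 IP bound to the Guest_MAB tag, PC2 to Corp_DOT1X
! ASAv: show cts sxp connections
!       show cts sxp sgt-map              the same IP-to-SGT bindings, learned from SW1
!       show cts environment-data         SGT names and values downloaded from ISE
!       show failover                     Primary Active / Secondary Standby Ready
```

The ASAv only enforces by SGT name once it has ISE environment data, so the PAC import from ISE (an exec-mode step on the ASA) has to be completed before the ACL can match Guest_MAB or Corp_DOT1X; until then the `show cts sxp sgt-map` output is the quickest way to confirm SW1 is actually exporting bindings for the two PCs. The SGT values themselves are assigned by the ISE authorization profiles (task 4); SW1 never hard-codes a tag.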
-
- Posts: 8
- Joined: Wed Aug 16, 2017 11:24 pm
Re: Security PoC SXP ISE & ASAv 9.10 lab by UD
Thank you. You rock UD
-
- Posts: 2
- Joined: Thu Sep 21, 2017 10:35 am
Re: Security PoC SXP ISE & ASAv 9.10 lab by UD
Hi guys,
Which image is this exactly? IOL SW 15.2 (version with mab, dot1x, cts/sxp support)
Kindest regards,
John
-
- Posts: 5148
- Joined: Wed Mar 15, 2017 4:44 pm
- Location: London
- Contact:
Re: Security PoC SXP ISE & ASAv 9.10 lab by UD
Try to find this version:
vIOS
viosl2-adventerprisek9-m.cml.SSA.high_iron_20180510
IOL
i86bi_linux_l2-adventerprisek9-ms.SSA.high_iron_20180510
-
- Posts: 6
- Joined: Wed Sep 20, 2017 11:16 am
Re: Security PoC SXP ISE & ASAv 9.10 lab by UD
Hi UD,
Thank you for the nice support to security candidates.
Do you have pre-configuration?
-
- Posts: 77
- Joined: Mon Mar 20, 2017 1:53 pm
Re: Security PoC SXP ISE & ASAv 9.10 lab by UD
The import doesn't include the top-left DMZ web servers. Anyone else have that issue?
-
- Posts: 5148
- Joined: Wed Mar 15, 2017 4:44 pm
- Location: London
- Contact:
Re: Security PoC SXP ISE & ASAv 9.10 lab by UD
stevenjwilliams83 wrote: ↑Fri Mar 15, 2019 11:03 pm
The import doesn't include the top-left DMZ web servers. Anyone else have that issue?
Because this lab is created on EVE Pro. EVE Pro has Docker nodes, which Community does not.
That's why the DMZ server does not appear on the topology.
-
- Posts: 8
- Joined: Tue Apr 30, 2019 3:21 am
- Location: Norway
- Contact:
Re: Security PoC SXP ISE & ASAv 9.10 lab by UD
This seems to be changing for the better has already been passed the exam
It seems the future is dominated LAB3