  1. ABL - Always Be Labbin' Iristheangel's Avatar
    Join Date
    Dec 2009
    Location
    Pasadena, CA
    Posts
    3,716

    Certifications
    CISSP, CCIE DC, CCNP R&S/DC, CCDP, CCNA:RS/S/V/DC, CCDA, BCVRE, BCEFP, BCNE, CEH, CHFI, MCSE:S, MCDST, A/S/L/P/N+, some useless Citrix and CIW certs
    #26
    Originally Posted by ccnpninja:
    Iris, which study techniques -from your first CCIE experience- are you going to use?
    Read a lot of books and lab a whole lot more? It's pretty much an endurance game along with knowing that you need to commit a LOT of time to it. I didn't learn any shortcuts beyond slogging through it the first go around. I think the only improvement is that I realize how much of a commitment it is going into it and it's helping. I'm also further along on security than I was at DC when I started so that helps. I didn't blog a lot during the CCIE DC but definitely doing a lot of posts now with security. I think it's easier for me to dive into on a blog and less time consuming than when I first tried with DC (early on in the process).
    BS, MS, and CCIE #50931
    Blog: www.network-node.com
    Bonus TE Fun: Nerd Photos

  3. Senior Member sucanushie's Avatar
    Join Date
    Apr 2013
    Location
    Canada
    Posts
    159

    Certifications
    MCTS, Windows 7, MCITP: EDA Win7,CCNA Security,CCNA Voice, CCNP R&S
    #27
    Hey Iristheangel,

    Have you labbed pxGRID with ISE and firepower? I have 2 ISE nodes and I thought they would both act as primary pxGrid servers like the PSN. However only one will stay active while the other disables pxGRID.

    So in FPM when I enter both servers only one works because the other is disabled, and when the node is back up pxGrid doesn't fail back.



    ISE PROCESS NAME                       STATE            PROCESS ID
    --------------------------------------------------------------------
    Database Listener                      running          19174
    Database Server                        running          108 PROCESSES
    Application Server                     running          29668
    Profiler Database                      running          29773
    AD Connector                           running          23841
    M&T Session Database                   running          26568
    M&T Log Collector                      running          29893
    M&T Log Processor                      running          30047
    Certificate Authority Service          running          30367
    SXP Engine Service                     disabled
    pxGrid Infrastructure Service          disabled
    pxGrid Publisher Subscriber Service    disabled
    pxGrid Connection Manager              disabled
    pxGrid Controller                      disabled
    Identity Mapping Service               running          30813

  4. ABL - Always Be Labbin' Iristheangel's Avatar
    #28
    I have labbed pxGrid with pretty much everything.

    Your two ISE nodes - what are their roles? Also what version of ISE are you on? Is this lab or prod?

    Also what version of FP are you on? With FP 5.4 you have the remediation capability and with 6.0, you have just contextual sharing. In 6.1, you'll see remediation come back and be a LOT easier to deploy.

  5. Senior Member sucanushie's Avatar
    #29
    ISE 2.0
    Node-1: Primary Admin, Secondary M&T, Active PSN, Profiling Service, Identity Services, pxGRID
    Node-2: Secondary Admin, Primary M&T, Active PSN, Profiling Service, Identity Services, pxGRID

    Running FPM 6.0

    This is running Prod but it's net new and we are in the test phase.

    When it works it's awesome and I can't wait to use ISE for identity in WSA and get rid of the CDA.

    Each node is in a different city so I would like the pxGrid to be active active, but it doesn't look like it will work that way.

    Sorry to fill your CCIE with a question heh

  6. ABL - Always Be Labbin' Iristheangel's Avatar
    #30
    Ok... first thing I'm going to say to do: Go upgrade to ISE 2.1

    No. Seriously, I know it's newer but it's much better.

    As far as "active-standby," it's not going to affect usability. It's not "active-standby" in terms of PSN functions or anything. It's the Monitoring and PAN nodes that are active-standby. It doesn't affect the usability - you don't have to point your NADs towards only one PSN because of this so it's not going to limit your deployment at all.

    Here's some more info if you want to read up on it: http://www.cisco.com/c/dam/en/us/td/...nvironment.pdf

  7. Senior Member sucanushie's Avatar
    #31
    Yeah we are upgrading next week

    I guess my issue is that I want my FPM to use the node that is in the same DC. When that node goes down the pxGrid services flip to the node in the other DC which is great! However they don't seem to flip back once the node comes back up. Then all the pxGrid traffic is going across the WAN.

    From the GUI I can't see how to promote the node that pxGrid is not running on. Maybe a CLI but still annoying.

    From that doc...

    In this section, we cover pxGrid Active-Standby. In an ISE distributed deployment, there can be only (2) pxGrid nodes. One handling the pxGrid client connections controlling the pxGrid services and the other one, for fail-over. One pxGrid node can be active at a time.

    Last edited by sucanushie; 06-02-2016 at 07:20 PM.

  8. ABL - Always Be Labbin' Iristheangel's Avatar
    #32
    Right. In any deployment, you can have only 2 Admin nodes and 2 MnT nodes - and they're active/standby.

    You can still have 40 Policy service nodes and they're active all the time. They're truly the ones doing all the work. In your case, you have them down to 2 nodes - so the MnT/Admin functions are only active on one node at a time (the other standby node is synchronizing data with the active) and the Policy Services Node functions are active-active on both.

    So even tho one is "active" in terms of pxGrid, you can still point your network devices to both since they're both functioning as active PSNs as well.

  9. ABL - Always Be Labbin' Iristheangel's Avatar
    #33
    Let me explain it a little better - ISE can have only three different types of "personas:"

    Policy Administration Node (PAN):
    - This is where you write all your policies and manage the deployment and it'll push the policy down to the PSNs
    - There can only be 2 of these in a deployment in an active/standby fashion. Why? Because beyond administrative tasks, they're not actually taking the requests from your network access devices so you don't need a ton of these deployed at every site
    - If there are two PANs, they're replicating their data between each other

    Monitoring Node (MnT):
    - This is where your logs, historical data, reports, etc go to live
    - Only 2 of these in a deployment and they are deployed in an active/standby fashion
    - The active-standby replicates data between each other

    Policy Services Node (PSN):
    - These are the true workhorses of the deployment and there can be 40+ of these in any given deployment
    - These are where your network access devices send their actual requests
    - When you create a policy, the PAN will push it down to these guys and the PSNs won't have much more need for the PAN except for things like guest creation and certain services. For other services like dot1x, both your PANs could die and as long as your PSNs were still up, you could not notice any issue.
    - The PSNs don't replicate in the way you think. Older versions used to share attributes but that's been trimmed down a great deal. Most of the information from the PSNs is sent to the PAN and MnT
    - They are always active. Making your NADs go to these is as simple as adding another RADIUS server in the config. If you have a really large deployment, my recommendation is to have a local VM PSN at bigger sites and have the NADs fail over to another PSN in a central site (i.e. data center). I've even seen 2 for failover (DC and DR). It all depends on your deployment and what you want to do....


    Now that I've gotten that out of the way, these different personas can live on the same box or separate as a distributed deployment. It doesn't change the functions or whether they're active/standby. So let me give you a few scenarios to draw this out (YaY Surface 4 Pro!):

    Let's say you have 3 ISE nodes sitting in each data center. This is similar to what the traffic will look like:
    ISEnodes.jpg

    The Active-Standby MnT and Admin nodes will replicate between each other and the PSNs will take all the requests and your NADs in your environment can send the requests to either of them - they're both active and sharing reporting information to the MnT which is replicated to the secondary. Awesome, right?

    Now in your deployment, you have three personas on the same appliance. Do you want to know what that changes? Nothing. This is literally how it looks:
    ISenodes2.jpg


    So the different "personas" in the same appliance carry on their duties and do the same thing they would be doing if they were on separate appliances. So in terms of pxGrid, your pxGrid clients will be talking to the PAN and MnT nodes. Those don't need to be active-active because they're not the true "workhorses" of the ISE deployment and they're replicating data between them to keep synced if one were to die suddenly. If one were to die and it failed over and then host 1 comes back up, host 1 can take RADIUS requests IMMEDIATELY regardless of whether you fail anything over. It'll just be syncing up with the active MnT node over the WAN which isn't huge huge amounts of traffic or all your RADIUS requests going that direction. Your local PSN can still do the work.

    If you had active-active Admins, you'd have two points where people might be trying to configure and you'd be doing 2-way syncing of traffic. Same with the MnT nodes - if two were active and PSNs were reporting to separate ones, you'd have more traffic trying to sync the difference between the two.

    Does that make sense?
    Last edited by Iristheangel; 06-02-2016 at 08:20 PM.

  10. Senior Member sucanushie's Avatar
    #34
    I understand when it comes to the PAN and MNT. They work how I wish PxGrid would work.

    If the PAN goes down the secondary gets promoted to the primary. When the primary PAN comes back up it takes back the primary role.

    This does not happen when it comes to pxGrid.

    If node 1 is currently running the pxGrid service and it goes down, Node 2 will take over and run the pxGrid service. That's great and what we want. But when node 1 comes back online it doesn't take back over running pxGrid services. They will continue to run on node 2. The only way I can see to fail them back to node 1 is when node 2 goes down.
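Added example, not part of any post in this thread: one way to spot the condition described in #31 and #34 (pxGrid left running on the remote node after a failover) is to parse each node's status output, in the format posted in #27, and compare the active node with the one local to the pxGrid clients. The node names, the `check_pxgrid` helper and the node-2 sample are assumptions made for the illustration.

```python
import re

# One process line: "<name> <state> [pid or detail]". Only the two states
# that appear in the output posted in #27 are recognised.
LINE = re.compile(r"^(?P<name>.+?)\s+(?P<state>running|disabled)(?:\s+.+)?$")

# Trimmed from the output posted in #27 (the node where pxGrid is disabled).
NODE1_STATUS = """\
ISE PROCESS NAME                       STATE            PROCESS ID
--------------------------------------------------------------------
Database Listener                      running          19174
Database Server                        running          108 PROCESSES
Application Server                     running          29668
SXP Engine Service                     disabled
pxGrid Infrastructure Service          disabled
pxGrid Publisher Subscriber Service    disabled
pxGrid Connection Manager              disabled
pxGrid Controller                      disabled
"""

# Constructed sample for the peer node; the process IDs are made up.
NODE2_STATUS = """\
ISE PROCESS NAME                       STATE            PROCESS ID
--------------------------------------------------------------------
Database Listener                      running          2101
Application Server                     running          2202
pxGrid Infrastructure Service          running          2303
pxGrid Publisher Subscriber Service    running          2404
pxGrid Connection Manager              running          2505
pxGrid Controller                      running          2606
"""


def parse_status(text):
    """Return {process name: state}; header and separator lines are skipped."""
    status = {}
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            status[m.group("name")] = m.group("state")
    return status


def pxgrid_running(status):
    """True only if pxGrid processes are listed and every one is running."""
    states = [s for name, s in status.items() if name.startswith("pxGrid")]
    return bool(states) and all(s == "running" for s in states)


def check_pxgrid(outputs, preferred):
    """outputs: {node: status text}; preferred: node local to the pxGrid clients."""
    active = sorted(n for n, t in outputs.items() if pxgrid_running(parse_status(t)))
    if not active:
        return "NO_ACTIVE_PXGRID", active
    if len(active) > 1:
        return "MULTIPLE_ACTIVE", active
    if active[0] != preferred:
        return "ACTIVE_ON_REMOTE_NODE", active
    return "OK", active


if __name__ == "__main__":
    nodes = {"node-1": NODE1_STATUS, "node-2": NODE2_STATUS}
    print(check_pxgrid(nodes, preferred="node-1"))
```
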

  11. ABL - Always Be Labbin' Iristheangel's Avatar
    #35
    This week's update is a non-update. Didn't get much done this week. My 16 year old cat got sick and I had to put him down this week. Wasn't really feeling in the mood to study during all that.

  12. ABL - Always Be Labbin' Iristheangel's Avatar
    #36
    Meh... mini-update. Finally got some stuff up and running today. I need to find a place where my gear can live or it's going to get pretty expensive with electricity. Spent the day building the virtual/physical lab:
    13335629_725321734272988_8006841948565266715_n.jpg

    There's some things I can virtualize (ISE, ACS, Firepower, AD, etc) and some things not as easy like the switch itself. I have a spare 2504 from years ago that I'm thinking I'll use for the wireless portion given that if they decide to throw TrustSec on the exam, vWLCs don't support SXP so I have to go physical if I want to lab it out.

    This week I'm going in with the goal of getting the AMP reading/labbing done. Hopefully I'll get through a lot and no other catastrophes or otherwise horribly sad things happen

  13. Senior Member sucanushie's Avatar
    #37
    Look forward to your updates. Going to finish NP Security this year then tackle CCIE.

    Thankfully we have most of the technologies and I work on them every day.

    P.S ISE 2.1 UI looks fancy! Even a new login screen, and the Work Center menu has 10X as many things

  14. ABL - Always Be Labbin' Iristheangel's Avatar
    #38
    Ok, kicked some butt last week. Got through all the SSFAMP coursework. This week I plan on going through the following book: https://www.amazon.com/Practical-Dep...ords=Cisco+ISE

    I also have a meetup this week on Firepower and rebuilding my lab at home. Pretty good stuff. Keeping busy

  15. Senior Member broli720's Avatar
    Join Date
    Oct 2012
    Location
    Merica
    Posts
    377

    Certifications
    CISSP, CCNA, CCNA:S
    #39
    Do you think the Zero-to-Hero course was helpful in preparation for your IE attempt?

  16. ABL - Always Be Labbin' Iristheangel's Avatar
    #40
    Yes it was. At least for CCIE Security v5.... Which might become very relevant
    Last edited by Iristheangel; 06-13-2016 at 05:42 PM.

  17. Senior Member broli720's Avatar
    #41
    Good to hear. I'd say I'm really comfortable with the CCNA material right now. I'm just hoping I won't get lost during that course. Are you making any notes like you did for data center? Would be really nice to see a second set in addition to what I get from that course.

  18. ABL - Always Be Labbin' Iristheangel's Avatar
    #42
    Something has changed....

  19. ABL - Always Be Labbin' Iristheangel's Avatar
    #43
    Well, at least I know what to study now. I knew this was coming from internal rumblings but I had to bite my tongue since I didn't have details.

    Anyways, Jan 31st is the official date they swing over the lab but that's a pretty soft date. They have to typically get the new labs ready so there's going to be an amount of time where they spend staging it where I won't be able to book a lab date.

    The only crappy thing? Ugh... The new written is only available when the new lab is. I'm not going to wait 7 months to take the written so somewhere along the lines, I need to cram the old crap in my head at least enough to pass the written.. Ugh. I guess I'll find that old CCIE Security v4 book and read a chapter a day...

  20. Canadian Cisco Wannabe
    Join Date
    Sep 2014
    Location
    Manitoba, Canada
    Posts
    265

    Certifications
    Strata IT Fundamentals, MTA: OS, CompTIA A+
    #44
    Reading your threads Iris makes me wonder how you can balance work, labbing/studying, sleep, and family time on a daily basis. Very impressive and inspiring though.

  21. Senior Member
    Join Date
    Jan 2015
    Location
    England
    Posts
    322

    Certifications
    CCNP: R&S, CCNA: Sec
    #45
    The higher level security track interests me so much. I've just started my CCNA security, although pretty dull I'm looking forward to doing the NP and above topics.

    Reading through this/doing my own research the ISE looks awesome, a whole new world I am yet to be exposed to.

    Keep the CCIE grind going

  22. ABL - Always Be Labbin' Iristheangel's Avatar
    #46
    Originally Posted by Nafe92014:
    Reading your threads Iris makes me wonder how you can balance work, labbing/studying, sleep, and family time on a daily basis. Very impressive and inspiring though.
    One of those things doesn't happen as often and that's sleep :P

  23. ABL - Always Be Labbin' Iristheangel's Avatar
    #47
    Last week I was in StealthWatch training most of the week and was doing some AMP for Endpoints labbing so I didn't really get to start on the ISE book until Friday. I ended up busting my tail this weekend and am happy to report that I'm on Chapter 9 of 18 since Friday so I should get done with the book at some point this week. I'll probably try to get through that book and then get through the SISAS book. I know both are a little outdated since ISE 2.1 but 90-95% of the books should be valid. A lot of the core hasn't changed.

  24. Senior Member
    #48
    Interesting, I see you're going straight for CCIE: Security and bypassing the NA and NP exams. Out of interest, what is the justification for this? I can see that you did each step for Data Center (I think).

    I am currently studying for CCNA: Security and I'm not sure if I should go for CCIE: Security or work through the NP exams.

  25. ABL - Always Be Labbin' Iristheangel's Avatar
    #49
    I was starting from scratch with data center so it benefited me to learn incrementally. I already have a CCNA Security and besides some info I might learn on the VPN side, I don't see a lot of benefit studying for the CCNP Security - the IPS test is old, I'm already strong in ISE, and I'm pretty good with ESA, WSA, etc. It's easier for me to go right for the updated CCIE Security v5 and ignore the rest so I don't have to learn outdated info or waste time on it. I also work with a lot of this stuff in my day-to-day work, been doing a ton of hands-on for over a year and attended a 4-month long bootcamp for CCIE Security so it just seems counterproductive to shoot for lower than the CCIE Security at this point.
    Last edited by Iristheangel; 06-27-2016 at 01:26 PM.

  26. Senior Member
    #50
    Oh wow, I guess that makes sense, seems like you're certainly well on your way. I only really touch ASAs at work, so I reckon CCNP would still be the way to go for me. Do you know when they plan on refreshing the IPS test?
    Last edited by Simrid; 06-27-2016 at 02:13 PM.
