Terraform an HA-VPN between GCP and Cisco

Doing Infrastructure-as-Code (IaC) with Ansible has given me a headache – so I’ve recently been playing around with Terraform as an alternative to Ansible for certain tasks that require Cloud IaaS interactions.

The goal of this blog post is to build an HA-VPN solution between GCP and an on-premises Cisco IOS-XE device (a CSR, Cloud Services Router) using Terraform. BGP will be established over the VPN in order to exchange routes dynamically, and GCE compute instances will be deployed in GCP for testing connectivity over the VPN.
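To make the GCP half of that build concrete, here is an added Terraform example (not code from the original post) using the google provider: an HA VPN gateway, the on-prem CSR modelled as an external gateway, two IPsec tunnels (one per HA gateway interface) and a BGP session over each, anchored on a Cloud Router. Every name, the region (us-central1), the private ASNs 65001/65002 and the 169.254.x.x link-local ranges are assumptions chosen for illustration; the CSR’s public IP and the IKE pre-shared key are read from variables so the secret never lands in the repository.

```hcl
# Added example, not from the original post. All names, region, ASNs and
# addresses are assumptions; the CSR side (IKEv2, IPsec, BGP) and the GCE
# test instances are configured separately.

variable "csr_public_ip" {
  description = "Public IP of the on-premises Cisco IOS-XE (CSR) VPN endpoint"
  type        = string
}

variable "ike_psk" {
  description = "IKE pre-shared key; pass via TF_VAR_ike_psk or a secrets backend, never commit it"
  type        = string
  sensitive   = true
}

resource "google_compute_network" "vpn" {
  name                    = "ha-vpn-demo"
  auto_create_subnetworks = false
}

resource "google_compute_subnetwork" "test" {
  name          = "ha-vpn-demo-subnet"
  region        = "us-central1"
  network       = google_compute_network.vpn.id
  ip_cidr_range = "10.10.0.0/24"
}

# HA VPN gateway: Google allocates two interfaces, each with its own public IP.
resource "google_compute_ha_vpn_gateway" "gcp" {
  name    = "ha-vpn-gw"
  region  = "us-central1"
  network = google_compute_network.vpn.id
}

# A single on-prem CSR with one public IP is an external gateway with one interface.
resource "google_compute_external_vpn_gateway" "csr" {
  name            = "csr-gw"
  redundancy_type = "SINGLE_IP_INTERNALLY_REDUNDANT"
  interface {
    id         = 0
    ip_address = var.csr_public_ip
  }
}

# Cloud Router owns the GCP BGP ASN; one BGP session runs inside each tunnel.
resource "google_compute_router" "vpn" {
  name    = "ha-vpn-router"
  region  = "us-central1"
  network = google_compute_network.vpn.name
  bgp {
    asn = 65001
  }
}

# Two IPsec tunnels, one per HA gateway interface, both terminating on the CSR.
resource "google_compute_vpn_tunnel" "to_csr" {
  count                           = 2
  name                            = "to-csr-${count.index}"
  region                          = "us-central1"
  vpn_gateway                     = google_compute_ha_vpn_gateway.gcp.id
  vpn_gateway_interface           = count.index
  peer_external_gateway           = google_compute_external_vpn_gateway.csr.id
  peer_external_gateway_interface = 0
  router                          = google_compute_router.vpn.id
  ike_version                     = 2
  shared_secret                   = var.ike_psk
}

# One link-local /30 per tunnel for BGP: 169.254.0.0/30 and 169.254.1.0/30.
resource "google_compute_router_interface" "to_csr" {
  count      = 2
  name       = "to-csr-${count.index}"
  region     = "us-central1"
  router     = google_compute_router.vpn.name
  ip_range   = "169.254.${count.index}.1/30"
  vpn_tunnel = google_compute_vpn_tunnel.to_csr[count.index].name
}

# The CSR speaks BGP from the .2 address of each /30 with its own ASN.
resource "google_compute_router_peer" "csr" {
  count           = 2
  name            = "csr-${count.index}"
  region          = "us-central1"
  router          = google_compute_router.vpn.name
  interface       = google_compute_router_interface.to_csr[count.index].name
  peer_ip_address = "169.254.${count.index}.2"
  peer_asn        = 65002
}
```

The CSR must mirror this: two IKEv2/IPsec tunnels to the two HA gateway public IPs, the matching 169.254.x.2/30 addresses on the tunnel interfaces, and eBGP neighbors towards 169.254.x.1 in ASN 65001. Marking the PSK variable `sensitive` keeps it out of plan output, but it still lands in the state file, so treat the state backend as secret material too.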

Let’s get started.


802.11ac Wave 2, MGig and Cisco’s 2800 & 3800 Series Access Points

Several weeks ago I attended a presentation on Cisco’s new 2800 and 3800 Series access points. I’m quite impressed with some of the new capabilities these APs bring to the market. The presenters, Mark Denny and Brian Levin, were passionate regarding the implications this has for wireless networks. I felt I needed to take a step back to really understand why some of these enhancements and new features are so important to wireless infrastructure. I’ll run through a few of the capabilities that I personally feel are most significant. I’ll attempt to keep it concise.


The roof, the roof, the roof is on IP

What is Digital Ceiling?

Looking back at the evolution of the network over the past decade, we see a constant trend of devices migrating to Ethernet, and with it to IP. IP telephony took off in 2005 and is now the de facto standard for any phone system. Coax-connected cameras migrated to IP surveillance in the late 2000s. Legacy building management systems using BACnet started migrating to low-voltage PoE systems in the early 2010s. Within the past year, we’ve seen a new trend of high-voltage systems like lighting start migrating towards low-voltage PoE, dubbed “Smart Lighting”. This move towards digitization makes sense on all fronts: it’s cheaper, scalable and extensible, it can easily be managed and monitored, and it opens the door to new experiences with intelligent buildings.

How to move a UCS Blade from one chassis to another

I’ve been in this situation a few times now, where I need to move a physical production UCS blade from one chassis to another. It can make you nervous, worried that your server won’t come back up properly after the relocation. What if the network configuration changes, what about storage, what about the OS?! Rest assured, this is quite an easy procedure. If you can bake a cake, you can relocate a UCS blade.

The Application-centric model of Cisco’s IWAN

I’ve been keeping the very corner of my eye on Cisco’s IWAN and its rapid evolution in the realm of SD-WAN. At the recent Network Field Day event (NFD10), some light was shed on the application-centric aspects of IWAN under APIC-EM that I believe really set it apart from some of the competing solutions out there. Sumanth Kakaraparthi, Principal Product Manager with Cisco, discussed the company’s approach to SD-WAN in a concise presentation to the NFD10 delegates and live viewers. Two key differences stand out to me.

FireSIGHT URL Filtering using Sourcefire User Agent and LDAP AD

No lie, this one took me a while to figure out. First, if you haven’t done so already, check out this article, which clearly explains (with pictures!) how to accomplish basic URL filtering without user awareness:

URL Filtering on a FireSIGHT System Configuration Example

If you only need to filter on something basic like networks, you’re all set. However, if you want to get more granular and start creating policies based on AD/LDAP group membership, this post is for you. I’ll assume you already have the FirePOWER modules or appliances installed somewhere in your network and that they’re being managed by FireSIGHT. Follow the steps below.

ASA Clustering Multiple Context Transparent Mode

Some quick template-style notes on deploying clustered ASAs running multiple context mode with transparent contexts. There are some well-documented guides and a few blog posts out there already detailing clustering and transparent-mode firewalls; the purpose of this post is just to dive into the configuration. You may run into caveats depending on which features you want to run simultaneously, so refer to the ASA General Operations CLI guide for the particulars before deploying clustering.

5 Reasons not to go to Cisco Live


Cisco Live US 2015, the largest networking conference in the world, is right around the corner, June 7th-11th in San Diego, CA. This year is promising to be even larger, with more training sessions, bigger events, futurist keynotes, and a massive World of Solutions expo. But think about it – do you really want to go? Let us consider some reasons not to attend this year’s Cisco Live.

The Path to CCIE Data Center

It’s official!


If I can do this, so can you! Some of you may be just starting out; some of you may be on the home stretch with a lab right around the corner. Either way, this post may be of interest to you. I’d like to share my story: how I prepared, what study methods worked best for me, how I picked myself back up after defeat, and what I did to prepare once more for ultimate victory.