topic No problem about the delayed in Network Access Control

ISE test environment

Evan Ray — Mon, 11 Mar 2019 07:05:13 GMT

I am attempting to create an ISE lab at home. But I wanted to access the ISE interface from my production network, but at the same time segregate the ISE virtual machine and switches in there own environment. So I was thinking I could create another VLAN, and put all the ISE test stuff in that VLAN.

But I am a little confused on how to get the routing working between the two environments, and if it's even possible to keep the ISE console in my production network too.

I have the ISE virtual machine running on an ESXi server. So I created another vSwitch and ran a dedicated cable to the production switch. I created the second VLAN and added both VLANs to that switchport. But I can no longer hit ISE. I'm wondering maybe it was the VLAN setup in the ISE initial setup that has to be changed.

What would be the best way to setup this ISE test environment?

Thanks,

Any thoughts on this? There

Evan Ray — Sat, 01 Oct 2016 07:44:10 GMT

Any thoughts on this? There has to be others working and labbing with ISE in a similar manner.

hello Evan-

nspasov — Mon, 03 Oct 2016 01:51:22 GMT

hello Evan-

- What you described here should work fine

- There shouldn't be any VLAN related settings in ISE

- Do you have an SVI created for the new VLAN that is required for routing

- Is the SVI on the same switch? If not, is the new VLAN allowed on the trunk links connecting the switches

- It would probably be helpful if you post a diagram of your setup

Thank you for rating helpful posts!

I do not have a specified SVI

Evan Ray — Sat, 22 Oct 2016 09:15:29 GMT

I do not have a specified SVI for the new VLAN that ISE will reside in. So everything resides on the same switch, does that mean I could create a VLAN and specify an SVI and assign 6 ports to that VLAN, all on the same switch? That would work?

My concern for this lab, is that it has it's own Active Directory server, and soon it's own firewall. So I wanted to keep it separate, but I also want to be able to manage it from my workstation on the production network. I'm starting to see that SVI's are my saving grace.

Sorry for the late reply, and thanks for responding and helping Neno!

No problem about the delayed

nspasov — Tue, 25 Oct 2016 17:05:38 GMT

No problem about the delayed reply. To answer your questions:

1. Yes, you can create a new VLAN with a new subnet that is different than your current one

2. If your switch is Layer 3 capable then you should be able to create an SVI for that VLAN to provide default-gateway/routing

3. You can then create an ACL and attach it to the SVI to restrict access

Does this make sense?

Thank you for rating helpful posts!

So I was able to configure an

Evan Ray — Sat, 29 Oct 2016 21:05:40 GMT

So I was able to configure an SVI on my switch, which is a 2960. At first I thought I had to upgrade the code to IOS version 12.2(55)SE to support the 'ip routing' command, but I think I'm okay.

Currently my test environment doesn't have an ASA in it. I have it powered up and ready, I just have to upgrade the code and get it connected.

Thanks for the help Neno! This definitely did help and make total sense!!

No problem! Glad I was able

nspasov — Sun, 30 Oct 2016 15:59:33 GMT

No problem! Glad I was able to help!

Now, if your issue is resolved, you should mark the thread as "answered" 🙂