topic ise trunking in Network Access Control

ise trunking

cisco8887 — Fri, 21 Feb 2020 18:32:46 GMT

Hi All,

Does ISE 3515 support trunking ?

If not what is the purpose of having 5-6 NICs for data only?

I know if has bond concept which is bond 0 using gig 0 as primary and 1 as backup .

bond 1 using 2 and 3 and bond 2.

Is Bond another word for switch independent port channeling which can not share load but act as redundancy

in that case, if you plug port 0 to 3 which is bond 0 and 1, then how does ise act or forward traffic if all of them are part of the same vlan ?

Re: ise trunking

Arne Bier — Thu, 24 Aug 2017 00:49:00 GMT

No VLAN concept on ISE. The hardware appliance has many GigE interfaces but none of them will process 802.1Q tagged traffic (i.e. Cisco calls this VLAN 'trunking').

The bonding concept is exactly as you described - it's called NIC Teaming in other parts of the world and essentially it's a layer 1 redundancy where the remote end will send traffic on the standby link if the primary link has an issue. The MAC address is the same for BOTH members of the Bond group - hence, the clients and the switch don't get involved at L2 upwards.

In most real world cases you can get away with using one GigE interface for all of your ISE needs. If you have the luxury and the means to create a Bond, then do it. And when would you use another interface (like Gig1 or Bond1) ? I have ony seen people talk about putting web portals into a DMZ network for security. But other than that, 1Gbps is more than enough bandwidth for a typical Radius PSN work load. ANd remember that all ISE management traffic (SSH, Admin GUI, etc.) HAS to go via Gig0 (it's hard coded that way).

Re: ise trunking

Marvin Rhoads — Thu, 24 Aug 2017 04:09:04 GMT

Amplifying Arne's correct answer, the additional NICs can also be used with static routes to present PSN services on different networks that may be administratively separated for one reason or another.

In all the small to medium size deployments I have done (up to 50k endpoints) I have always only used the single NIC. Generally speaking a PSN will run out of ability to support more sessions on a compute basis than it will based on network capacity.

Re: ise trunking

Francesco Molino — Tue, 29 Aug 2017 00:45:01 GMT

Just to add over Arne and Marvin very good answers.

I usually use a dedicated interface for guest and byod because in many deployments those zones are behind a firewall in the dmz.

When I've multiple PSN, i use a dedicated interface and setup an anycast design then you can just configure 1 IP on all your switches. Which one will answer to the switch will be based on routing path.

It's a simple solution for doing redundancy with no load balancer.

Thanks

PS: Please don't forget to rate and select as validated answer if this answered your question