https://community.cisco.com/t5/network-access-control/cisco-ise-ip-interfaces-configuration/m-p/4039699#M558547 <P>As of ISE 2.0, you can configure multiple default gateways via 'ip route' when you have multiple interfaces and it will use the correct gateway for outbound traffic.</P> <P>I would suggest reviewing the Load Balancing ISE Web Services section of the following CiscoLive deck:</P> <P><A href="https://www.ciscolive.com/c/dam/r/ciscolive/us/docs/2018/pdf/BRKSEC-3699-reference.pdf" target="_self">BRKSEC-3699: Designing ISE for Scale &amp; High Availability - 2018 Orlando (Session Reference deck)</A></P> <P><BR />Excerpt:</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screen Shot 2020-03-04 at 9.04.50 am.png" style="width: 400px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/68402iC8625B88695A9E87/image-size/medium?v=v2&amp;px=400" role="button" title="Screen Shot 2020-03-04 at 9.04.50 am.png" alt="Screen Shot 2020-03-04 at 9.04.50 am.png" /></span></P> Tue, 03 Mar 2020 22:15:30 GMT Greg Gibbs 2020-03-03T22:15:30Z https://community.cisco.com/t5/network-access-control/cisco-ise-ip-interfaces-configuration/m-p/4034493#M558266 <P>&nbsp;</P><P>Hello Team,</P><P>Need suggesion...</P><P>&nbsp;(We have 2 ISE hardware box SNS-3495) we are planning to connect 2x ISE (Active/Standby) with 3x interfaces.</P><P>&nbsp;</P><P>Please share if any supportive IP designing document is available.</P><P>&nbsp;</P> Wed, 26 Feb 2020 08:04:29 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-ip-interfaces-configuration/m-p/4034493#M558266 siddhesh.parab@orange.com1 2020-02-26T08:04:29Z https://community.cisco.com/t5/network-access-control/cisco-ise-ip-interfaces-configuration/m-p/4034540#M558270 Hi,<BR /><BR />One IP per NIC is good unless you expect high throughput or you want NIC<BR />bonding for redundancy.<BR /><BR />Its not necessary for PAN and PSN to be in same subnet. Just ensure that<BR />required ports are allowed to communication and latency is less than 200<BR />msec.<BR /><BR />***** Please remember to rate useful posts.<BR /> Mon, 24 Feb 2020 09:06:32 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-ip-interfaces-configuration/m-p/4034540#M558270 Mohammed al Baqari 2020-02-24T09:06:32Z https://community.cisco.com/t5/network-access-control/cisco-ise-ip-interfaces-configuration/m-p/4034580#M558273 <P>Hello Mohammed,</P><P>Thanks for your response.</P><P><BR />Is there any suppoting document which states that "<SPAN>Its not necessary for PAN and PSN to be in same subnet." ??</SPAN></P><P><SPAN>Also please suggest if IP assignement is correct or not.</SPAN></P><P>&nbsp;</P> Mon, 24 Feb 2020 10:10:57 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-ip-interfaces-configuration/m-p/4034580#M558273 siddhesh.parab@orange.com1 2020-02-24T10:10:57Z https://community.cisco.com/t5/network-access-control/cisco-ise-ip-interfaces-configuration/m-p/4034964#M558294 <P>The wording of the question is a bit vague, but it sounds like you have 2 total SNS-3495 appliances (you should be aware that End of Software Support on that platform was October 2019 - <A href="https://www.cisco.com/c/en/us/products/collateral/security/identity-services-engine/eos-eol-notice-c51-737032.html" target="_self">34xx EoL Notice</A> ) you are using to deploy ISE.</P> <P>If this is the case, you would have all 4 Personas (PAN, MnT, PSN, Device Admin) running on both nodes. In this scenario, you would typically only use 2x IP addresses for ISE (Gig0 for management, RADIUS, TACACS, etc; Gig1 for Guest Portal) and 1x IP address for CIMC for each node.</P> <P>I would suggest reviewing the following collateral:</P> <P><A href="https://www.cisco.com/c/en/us/td/docs/security/ise/2-7/InstallGuide27/b_ise_InstallationGuide27/b_ise_InstallationGuide27_chapter_00.html" target="_self">Install Guide - Network Deployments in ISE</A>&nbsp;</P> <P><A href="https://www.cisco.com/c/en/us/td/docs/security/ise/2-7/InstallGuide27/b_ise_InstallationGuide27/b_ise_InstallationGuide27_chapter_0110.html" target="_self">Install Guide - ISE Ports Reference</A></P> <P>&nbsp;</P> <P>When using multiple interfaces for ISE services, you will also need to configure an interface alias for portal redirection. I would suggest reviewing the section on Load Balancing ISE Web Services in this Cisco Live presentation:</P> <P><A href="https://www.ciscolive.com/global/on-demand-library.html?search=ise%20scale&amp;ssoToken=pp51582577130912001ji8srem#/session/1564526712328001JTH3" target="_self">BRKSEC-3432 - Advanced ISEArchitect, Design and Scale ISE for your production networks</A>&nbsp;</P> <P>&nbsp;</P> <P>Cheers,</P> <P>Greg</P> Mon, 24 Feb 2020 21:08:07 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-ip-interfaces-configuration/m-p/4034964#M558294 Greg Gibbs 2020-02-24T21:08:07Z https://community.cisco.com/t5/network-access-control/cisco-ise-ip-interfaces-configuration/m-p/4035266#M558316 <P>Helo Greg,</P><P>&nbsp;</P><P>Thank for the information.</P><P>&nbsp;</P><P>Deployment scenario that you have mentioned is correct. We&nbsp;<SPAN>have 2 total SNS-3495 appliances and we are aware that it is EOS &amp; EOL.</SPAN></P><P>&nbsp;</P><P><SPAN>As you mentioned "you would typically only use 2x IP addresses for ISE (Gig0 for management, RADIUS, TACACS, etc; Gig1 for Guest Portal)"&nbsp; so cant we configure Gig 2 for TACACS ??</SPAN></P><P>&nbsp;</P> Tue, 25 Feb 2020 09:41:19 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-ip-interfaces-configuration/m-p/4035266#M558316 siddhesh.parab@orange.com1 2020-02-25T09:41:19Z https://community.cisco.com/t5/network-access-control/cisco-ise-ip-interfaces-configuration/m-p/4035755#M558335 <P>ISE will listen for TACACS+ on Gig2 if you prefer to use a separate interface. This is all dependent on your overall architecture and design (routing, security zones, etc).</P> <P>Both RADIUS and TACACS+ are lightweight protocols, so unless you expect to overload the interface bandwidth there may be no value in using separate interfaces if the same node will be processing both.</P> <P>I would suggest also reviewing the following:</P> <P><A href="https://community.cisco.com/t5/security-documents/ise-performance-amp-scale/ta-p/3642148" target="_self">ISE Performance &amp; Scale</A>&nbsp;</P> <P><A href="https://community.cisco.com/t5/security-documents/ise-tacacs-deployment-amp-sizing-guidance/ta-p/3612253" target="_self">ISE TACACS+ Deployment &amp; Sizing Guidance</A></P> Tue, 25 Feb 2020 22:23:00 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-ip-interfaces-configuration/m-p/4035755#M558335 Greg Gibbs 2020-02-25T22:23:00Z https://community.cisco.com/t5/network-access-control/cisco-ise-ip-interfaces-configuration/m-p/4038416#M558488 <P>Hello Gerg,</P><P>&nbsp;</P><P>Please find attached scenario.</P><P>&nbsp;</P><P>Is it possible to keep Gig 0 &amp; Gig 2 in same subnet. (Gig 0 for Mgmt &amp; Gig 2 for TACACS)</P><P>Or it is better to use one single IP for TACACS &amp; Mgmt.</P><P>&nbsp;</P><P>&nbsp;</P> Mon, 02 Mar 2020 09:18:59 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-ip-interfaces-configuration/m-p/4038416#M558488 siddhesh.parab@orange.com1 2020-03-02T09:18:59Z https://community.cisco.com/t5/network-access-control/cisco-ise-ip-interfaces-configuration/m-p/4038858#M558511 <P>I would not see the value in using separate interfaces in the same subnet for the separate services. Using separate interfaces would typically involve those interfaces sitting on different subnets.</P> Mon, 02 Mar 2020 20:56:51 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-ip-interfaces-configuration/m-p/4038858#M558511 Greg Gibbs 2020-03-02T20:56:51Z https://community.cisco.com/t5/network-access-control/cisco-ise-ip-interfaces-configuration/m-p/4039069#M558524 <P>Yes you are correct.</P><P>&nbsp;</P><P>So if we use Gig 0 for Mgmt &amp; TACACS and Gig 1 for Guest then that will be a best approch.</P><P>however Gig 0 &amp; Gig 1 in different subnet and connected to different switch then what will be my gateway ??</P><P>&nbsp;</P> Tue, 03 Mar 2020 07:51:36 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-ip-interfaces-configuration/m-p/4039069#M558524 siddhesh.parab@orange.com1 2020-03-03T07:51:36Z https://community.cisco.com/t5/network-access-control/cisco-ise-ip-interfaces-configuration/m-p/4039699#M558547 <P>As of ISE 2.0, you can configure multiple default gateways via 'ip route' when you have multiple interfaces and it will use the correct gateway for outbound traffic.</P> <P>I would suggest reviewing the Load Balancing ISE Web Services section of the following CiscoLive deck:</P> <P><A href="https://www.ciscolive.com/c/dam/r/ciscolive/us/docs/2018/pdf/BRKSEC-3699-reference.pdf" target="_self">BRKSEC-3699: Designing ISE for Scale &amp; High Availability - 2018 Orlando (Session Reference deck)</A></P> <P><BR />Excerpt:</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screen Shot 2020-03-04 at 9.04.50 am.png" style="width: 400px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/68402iC8625B88695A9E87/image-size/medium?v=v2&amp;px=400" role="button" title="Screen Shot 2020-03-04 at 9.04.50 am.png" alt="Screen Shot 2020-03-04 at 9.04.50 am.png" /></span></P> Tue, 03 Mar 2020 22:15:30 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-ip-interfaces-configuration/m-p/4039699#M558547 Greg Gibbs 2020-03-03T22:15:30Z