https://community.cisco.com/t5/network-access-control/ise-appliance-connected-to-nexus-switches/m-p/4067197#M559679 <P>Hi Community</P><P>&nbsp;</P><P>I'm not sure if this query belongs in the ISE discussion or the Switching area....</P><P>&nbsp;</P><P>I want to connect my ISE appliance with a Bond to two Nexus N9K switches for resilience.&nbsp; The N9K switches are configured as a VPC pair.&nbsp; I read from other discussions that 'vpc orphan-port suspend' should be configured on the switches to deal correctly with certain failure scenarios, but I can't find any more information.</P><P>&nbsp;</P><P>Do the two N9K switchports get configured as stand-alone orphan ports, or do I configure them as a proper vPC (switchports added to a static Port-channel on each switch, then linked together with the 'vpc x' command), and add the 'suspend' command to the port-channels on each switch?</P><P>&nbsp;</P><P>What should I expect to see when connected up - the N9K switchport connected to the active ISE port will be 'Up' and passing traffic, but will the switchport connected to the passive ISE port show in an 'up' or 'down' state?</P><P>&nbsp;</P><P>If I use the Bond interface for both Mangement and Runtime traffic, I understand that each function needs to have a different IP address.&nbsp; Should they be on the same vlan / subnet in this scenario?&nbsp; If different vlans, the switchport will need to be a trunk, so which vlan should be the Native vlan?&nbsp; Will the ISE appliance tag both vlans appropriately?</P><P>&nbsp;</P><P>&nbsp;</P><P>Thanks</P> Thu, 16 Apr 2020 13:30:04 GMT ianjgrant 2020-04-16T13:30:04Z https://community.cisco.com/t5/network-access-control/ise-appliance-connected-to-nexus-switches/m-p/4067197#M559679 <P>Hi Community</P><P>&nbsp;</P><P>I'm not sure if this query belongs in the ISE discussion or the Switching area....</P><P>&nbsp;</P><P>I want to connect my ISE appliance with a Bond to two Nexus N9K switches for resilience.&nbsp; The N9K switches are configured as a VPC pair.&nbsp; I read from other discussions that 'vpc orphan-port suspend' should be configured on the switches to deal correctly with certain failure scenarios, but I can't find any more information.</P><P>&nbsp;</P><P>Do the two N9K switchports get configured as stand-alone orphan ports, or do I configure them as a proper vPC (switchports added to a static Port-channel on each switch, then linked together with the 'vpc x' command), and add the 'suspend' command to the port-channels on each switch?</P><P>&nbsp;</P><P>What should I expect to see when connected up - the N9K switchport connected to the active ISE port will be 'Up' and passing traffic, but will the switchport connected to the passive ISE port show in an 'up' or 'down' state?</P><P>&nbsp;</P><P>If I use the Bond interface for both Mangement and Runtime traffic, I understand that each function needs to have a different IP address.&nbsp; Should they be on the same vlan / subnet in this scenario?&nbsp; If different vlans, the switchport will need to be a trunk, so which vlan should be the Native vlan?&nbsp; Will the ISE appliance tag both vlans appropriately?</P><P>&nbsp;</P><P>&nbsp;</P><P>Thanks</P> Thu, 16 Apr 2020 13:30:04 GMT https://community.cisco.com/t5/network-access-control/ise-appliance-connected-to-nexus-switches/m-p/4067197#M559679 ianjgrant 2020-04-16T13:30:04Z https://community.cisco.com/t5/network-access-control/ise-appliance-connected-to-nexus-switches/m-p/4081133#M560193 Through much trial and error, I have established the following:<BR /><BR />Although the interfaces are bound together at the appliance end, the switch end should not be configured as a bond - just treat them as two independent interfaces. For a N9K VPC pair, this means no VPC commands, and the 'vpc orphan-port suspend' command should be configured on both switches. Both switchports will show as UP, and Connected, but the MAC address will only be seen on the switchport attached to the Active ISE interface.<BR /><BR />I have decided to keep the CIMC traffic on the dedicated interface, so will not have to deal with vlans on the Bonded interfaces.<BR /><BR />Hopefully this may aid someone else in future. Thu, 07 May 2020 09:46:00 GMT https://community.cisco.com/t5/network-access-control/ise-appliance-connected-to-nexus-switches/m-p/4081133#M560193 ianjgrant 2020-05-07T09:46:00Z https://community.cisco.com/t5/network-access-control/ise-appliance-connected-to-nexus-switches/m-p/5128328#M589965 <P>Is it not so easy to get the information that you should have plain "switchport access" configuration on the connecting switchports to the ISE appliance. I started with portchannel configuration on the switchports and get severe connection problems.</P><P>Thanks</P> Tue, 11 Jun 2024 06:00:22 GMT https://community.cisco.com/t5/network-access-control/ise-appliance-connected-to-nexus-switches/m-p/5128328#M589965 MAGNUS SVENSSON 2024-06-11T06:00:22Z