topic Not in a Link Aggregation in Network Access Control

ISE (SNS-3415-K9) redundant NIC's

sifathmirza — Mon, 11 Mar 2019 06:21:35 GMT

Hi all.

can we connect one SNS-3415-K9 (ISE) to VSS switches . we have one ise (SNS-3415-K9) server can we connect one interface(g1) to switch1 and another interface(g2) to switch2 for Redundant and load balancing ..

Not in a Link Aggregation

Marvin Rhoads — Tue, 29 Dec 2015 12:17:54 GMT

Not in a Link Aggregation Group (LAG) or multichassis etherchannel such as your question implies.

You can use the other Gigabit Ethernet ports beyond Gi0 but they each have to have a distinct IP address. There are various ways you can use these and some restrictions as well (i.e. Admin access to the PAN is restricted to Gi0).

The details are laid out in a table here:

http://www.cisco.com/c/en/us/td/docs/security/ise/2-0/installation_guide/b_ise_InstallationGuide20/Cisco_SNS_3400_Series_Appliance_Ports_Reference.html

There are some Cisco Live presentations you can refer to for some design scenarios. I highly recommend Craig Hyps' BRKSEC-3699 Designing ISE for Scale and High Availability

https://www.ciscolive.com/online/connect/sessionDetail.ww?SESSION_ID=83705&backBtn=true

Hi .

sifathmirza — Mon, 04 Jan 2016 04:46:42 GMT

Hi .

Cisco ISE management is restricted to Gigabit Ethernet 0.
RADIUS listens on all network interface cards (NICs).
All NICs can be configured with IP addresses.

That means can we connect Gi0 ,Gi1 to VSS switch1 and Gi2 to VSS switch2 . if switch1 goes down we can't access ISE but still ISE listens RADIUS from Gi2(switch2). Please suggest me the connectivity of standalone ISE in VSS environment ..

If you have a single node

Marvin Rhoads — Mon, 04 Jan 2016 12:56:25 GMT

If you have a single node currently and want ISE high availability the recommended solution is a two node deployment. You need only deploy a second VM and join it to the deployment. Then node one connects to switch 1 and likewise node two connects to switch 2.

The use of the various NICs is not part of ISE's high availability scheme. Most single node deployments simply use only the Gi0 NIC.

Thank You Marvin Rhoads .

sifathmirza — Wed, 13 Jan 2016 11:55:07 GMT

Thank You Marvin Rhoads .

if i have a single node (SNS-3415-K9 ISE Appliance) i use Gi0 NIC , can you please tell me the use of the remaining three NIC's . if i want to use that NIC's for assigning particular services, can i assign ? if we can assign , HOW .

Thank you ...

For basic RADIUS connectivity

Marvin Rhoads — Wed, 13 Jan 2016 13:48:43 GMT

For basic RADIUS connectivity, you can just assign an IP address to the interface from the cli. If you need to reach remote subnets via that interface, you also need to add static route(s). The syntax for both is defined in the ISE Command Line Interface Reference guide:

http://www.cisco.com/c/en/us/td/docs/security/ise/2-0/cli_ref_guide/b_ise_CLIReferenceGuide_20/Cisco_ISE_CLI_Commands_in_Configuration_Mode.html#wp3087188604

You can also assign your portals to use the various NICs via the portal configuration page (assuming you've already setup IP addresses and/or routes as noted above). See screenshot below (from an ISE 2.0 standalone deployment on a VM).