01-24-2020 10:39 AM
Any issues using the same IP address (different port for TACACS) for F5 VIPs for both RADIUS functions and TACACS+ to the SAME PSN nodes? PSN nodes have ONE IP.
Example:
VIP1: 10.10.10.1 Radius VIP with all its settings for AUTH
VIP2: 10.10.10.1 Profiling VIP as needed.
VIP3: 10.10.10.1 TCP 49 - TACACS VIP with all its settings.
NOTE: Reading Cisco's ISE/F5 deployment guides and looking at Cisco's Live BRKSEC-3699 session I cannot find an answer.
Would this create issues in certain scenarios where, for example, outbound SNAT is used for traffic initiating from PSNs?
Thanks for input.
01-25-2020 09:34 AM
01-26-2020 03:29 PM
Thanks for your response - BUT now you're mixing UDP with TCP. For example: design document calls for the VIP on the F5 for RADIUS to be configured as UDP protocol. I'm afraid that TACACS traffic will then have issues.
With that said - let me ADD to this question to make it a little bit more complicated:
The F5 is an (F5 on a stick) design. BUT - it doesn't have external/internal - it actually has only ONE VLAN X that shares both VIPs and NODES. Example: VIP: 10.0.0.1/24, PSN1 NODE: 10.0.0.2/24. With traffic such as HTTP I know this wouldn't be a problem - BUT will this create issues with any RADIUS/TACACS/PROFILING/PORTALS, etc.?
Basically you have an L3 router on VLAN X that has the internal VLAN X and external VLAN Y. This router will do /32 for VIPs to point to the F5 and PSNs will have their DG set to the F5. Now that I think of this - routes will probably NOT be enough; static MAC/ARP assignments will also be required to prevent the router from answering for the VIPs/NODEs.
Thanks for feedback.
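One way the three listeners from the first post and the single-VLAN (one-armed) layout from the second post could be expressed on the F5, as an added example that is not configuration from the thread, from Cisco or from F5. The object names, the 10.0.0.0/24 addressing (VIP 10.0.0.1, PSNs 10.0.0.2 and 10.0.0.3) and the pre-existing VLAN and self-IP objects are assumptions taken from the posts:

```tmsh
# Added illustration in tmsh "list" format, not the poster's, Cisco's or F5's
# configuration. Names, the 10.0.0.0/24 one-armed VLAN, VIP 10.0.0.1 and PSN
# nodes 10.0.0.2 / 10.0.0.3 are assumptions taken from the thread; the VLAN
# object /Common/vlan_x and its self-IP are assumed to exist already.

# One pool per service so that UDP (RADIUS) and TCP (TACACS+) members are
# never mixed in the same pool.
ltm pool /Common/pool_psn_radius_auth {
    members {
        /Common/10.0.0.2:1812 { address 10.0.0.2 }
        /Common/10.0.0.3:1812 { address 10.0.0.3 }
    }
    monitor /Common/gateway_icmp
}
ltm pool /Common/pool_psn_radius_acct {
    members {
        /Common/10.0.0.2:1813 { address 10.0.0.2 }
        /Common/10.0.0.3:1813 { address 10.0.0.3 }
    }
    monitor /Common/gateway_icmp
}
ltm pool /Common/pool_psn_tacacs {
    members {
        /Common/10.0.0.2:49 { address 10.0.0.2 }
        /Common/10.0.0.3:49 { address 10.0.0.3 }
    }
    monitor /Common/tcp
}

# Three listeners on ONE address. LTM matches a virtual server on
# destination address + port + ip-protocol, so udp/1812, udp/1813 and
# tcp/49 on 10.0.0.1 are distinct listeners and do not collide.
ltm virtual /Common/vs_ise_radius_auth {
    destination /Common/10.0.0.1:1812
    ip-protocol udp
    mask 255.255.255.255
    pool /Common/pool_psn_radius_auth
    profiles { /Common/udp { } }
    # No SNAT: the PSN must see the real NAD source address, otherwise every
    # network device collapses into a single "F5" device entry in ISE.
    # Return traffic still reaches the F5 because the PSNs' default gateway
    # is the F5 self-IP.
    source-address-translation { type none }
    vlans { /Common/vlan_x }
    vlans-enabled
}
ltm virtual /Common/vs_ise_radius_acct {
    destination /Common/10.0.0.1:1813
    ip-protocol udp
    mask 255.255.255.255
    pool /Common/pool_psn_radius_acct
    profiles { /Common/udp { } }
    source-address-translation { type none }
    vlans { /Common/vlan_x }
    vlans-enabled
}
ltm virtual /Common/vs_ise_tacacs {
    destination /Common/10.0.0.1:49
    ip-protocol tcp
    mask 255.255.255.255
    pool /Common/pool_psn_tacacs
    profiles { /Common/tcp { } }
    source-address-translation { type none }
    vlans { /Common/vlan_x }
    vlans-enabled
}

# Because the PSNs point their default gateway at the F5, traffic the PSNs
# originate themselves (AD, DNS, syslog, node replication) also lands on the
# F5 and needs a forwarding virtual server to be passed on unchanged.
ltm virtual /Common/vs_psn_outbound_forward {
    destination /Common/0.0.0.0:0
    ip-forward
    mask any
    profiles { /Common/fastL4 { } }
    source-address-translation { type none }
    translate-address disabled
    translate-port disabled
    vlans { /Common/vlan_x }
    vlans-enabled
}
```

Two things are deliberately left out of the fragment and still have to be added in a real deployment: RADIUS persistence, so that a session's authentication and accounting requests land on the same PSN (Cisco's F5 guide does this with an iRule keyed on Calling-Station-Id), and the ISE network-device definitions, which keep listing the real NAD addresses precisely because no SNAT is applied on the RADIUS and TACACS+ virtuals. Note also that the F5 answers ARP for 10.0.0.1 itself (ARP is enabled on the virtual address by default), so the upstream router does not need a /32 route for a VIP that lives inside the connected /24.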
01-26-2020 03:51 PM
OK - actually found a slide on this (on the same VLAN/F5 on a stick). Has ANYONE or is ANYONE doing this that can comment how it's going or any issues?