Beginner

ISE distributed deployment: what is the best-practice in connecting PSNs as dual-homing

Hello Cisco ISE community,

We are conducting an ISE pilot (some 300 endpoints with a combination of dot1x and profiling authd and authz policies) and are currently wrapping it up, ready for a distributed deployment to support 60k endpoints (approx. half of them will be profiled).

Our deployment planning will involve 2xPAN (primary/secondary), 2 MnT (act/standby) and 4xPSNs (will be utilizing F5 load-balancer); all will be virtual appliances (VM sizing based on SNS-3495).

PAN and MnT will be deployed in management network (firewalled) and will have single interface.

For PSNs, we are thinking of having dedicated interfaces in order to achieve the following:

1. For management traffic (HTTPS, Syslog, secure syslog) with PAN and MnT (e.g. on Gig0 interface)

2. For production traffic (RADIUS, LDAP, NTP, profiling traffic towards endpoints, NADs and ADs); e.g. Gig1 interface

I have been trying to find information in the Cisco partner community for ISE but haven't been able to find this type of detail. The only information I could find is on some deployments having a dedicated PSN interface (a different segment than the rest of the RADIUS, profiling and management traffic) for user/endpoint web authentication traffic.

But what we'd like to achieve here is to separate RADIUS/profiling traffic towards endpoints, NADs and ADs with those towards PAN and MnT.

I'd like to hear some field deployment experience and Cisco expert views on this subject.

Thanks,

Hamra

Accepted Solution
Advocate

Re: ISE distributed deployment: what is the best-practice in connecting PSNs as dual-homing

I recommend reviewing the reference presentation provided for Cisco Live session BRKSEC-3699 here.  In that session I cover the use of other interfaces and more detail given in the reference deck.

The challenge is typically the traffic initiated by the PSN since it must take a specific path based on the routing table and these are static only.  Therefore, you would need a static route that allows traffic to take a specific path for PAN/MNT traffic and default the rest to GE1.  This way any traffic sent to the PSN from external sources can be sent back to that source through symmetric communication, but only traffic initiated by the PSN towards PAN and MNT addresses will be sent out GE0 and the remainder out GE1.

In current ISE versions, you will need to set static routes to 0.0.0.0 for each interface as well as set the overall default gateway from CLI to be the next hop for GE1.

Regards,

Craig
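The routing arrangement Craig describes, written out as an ISE CLI configuration fragment. This is an added example, not from the thread or from Cisco's documentation; the addresses are constructed (GE0 on a 10.10.10.0/24 management transit, PAN/MnT in 10.10.20.0/24 behind the firewall, GE1 on 10.20.20.0/24 for production traffic), the `ip route ... gateway` and `ip default-gateway` syntax is as documented in the ISE CLI reference, and lines starting with `!` are annotations rather than commands:

```text
! Added example: PSN dual-homing routes (constructed addresses)
configure terminal
 ! GE0: management side, towards PAN and MnT
 interface GigabitEthernet 0
  ip address 10.10.10.5 255.255.255.0
  exit
 ! GE1: production side, towards NADs, AD, LDAP, NTP and profiled endpoints
 interface GigabitEthernet 1
  ip address 10.20.20.5 255.255.255.0
  exit
 ! Overall default gateway is the GE1 next hop, so everything the PSN
 ! initiates that is not explicitly routed leaves GE1
 ip default-gateway 10.20.20.1
 ! Specific route for the PAN/MnT subnet via the GE0 next hop, so only
 ! PSN-initiated sync/syslog traffic towards PAN and MnT leaves GE0
 ip route 10.10.20.0 255.255.255.0 gateway 10.10.10.1
 end
! Verify that the specific route and the default are present before going live
show ip route
```

Before cutting over, confirm from a NAD and from the PAN that RADIUS and replication respectively still work; a missing specific route shows up as PSN-to-PAN/MnT traffic leaving GE1 and being dropped at the management firewall.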


Cisco Employee

Re: ISE distributed deployment: what is the best-practice in connecting PSNs as dual-homing

For load balancing with F5, please see another post on caveats on how to use SNAT.

Radius Network Access Device IP Field for Identification

Here is a port/NIC reference document for ISE 2.1 covering all types of communication from and to the ISE node.

Cisco Identity Services Engine Installation Guide, Release 2.1 - Cisco ISE Ports Reference [Cisco Identity Services En…

Thanks

Krishnan

Beginner

Re: ISE distributed deployment: what is the best-practice in connecting PSNs as dual-homing

Hi Krishnan,

Thanks for the link. Good reference information for our ISE2.1 production deployment.

Regards,

Hamra

Beginner

Re: ISE distributed deployment: what is the best-practice in connecting PSNs as dual-homing

Craig,

Many thanks for the feedback. Definitely the info I'm looking for. Great Cisco Live session that BRKSEC-3699! A lot of field deployment aspects in an interactive session.

Regards,

Hamra