ISE distributed deployment: what is the best-practice in connecting PSNs as dual-homing

el-hamras
Level 1

Hello Cisco ISE community,

We are conducting an ISE pilot (some 300 endpoints with a combination of dot1x and profiling authd and authz policies) and are currently wrapping it up, ready for a distributed deployment to support 60k endpoints (approx. half of them will be profiled).

Our deployment plan will involve 2 x PAN (primary/secondary), 2 x MnT (active/standby) and 4 x PSNs (utilizing an F5 load balancer); all will be virtual appliances (VM sizing based on SNS-3495).

PAN and MnT will be deployed in the management network (firewalled) and will have a single interface.

For PSNs, we are thinking of having dedicated interfaces in order to achieve the following:

1. For management traffic (HTTPS, syslog, secure syslog) with PAN and MnT (e.g. on the Gig0 interface)

2. For production traffic (RADIUS, LDAP, NTP, profiling traffic towards endpoints, NADs and ADs); e.g. on the Gig1 interface

I have been trying to find information in the Cisco partner community for ISE but haven't been able to find this type of detail. The only information I could find is about some deployments having a dedicated PSN interface (a different segment from the rest of the RADIUS, profiling and management traffic) for user/endpoint web authentication traffic.

But what we'd like to achieve here is to separate RADIUS/profiling traffic towards endpoints, NADs and ADs from the traffic towards PAN and MnT.

I'd like to hear some field deployment experience and Cisco expert views on this subject.

Thanks,

Hamra

Accepted Solution

Craig Hyps
Level 10

I recommend reviewing the reference presentation provided for Cisco Live session BRKSEC-3699 here. In that session I cover the use of other interfaces, and more detail is given in the reference deck.

The challenge is typically the traffic initiated by the PSN, since it must take a specific path based on the routing table, and these routes are static only. Therefore, you would need a static route that allows traffic to take a specific path for PAN/MnT traffic and default the rest to GE1. This way any traffic sent to the PSN from external sources can be sent back to that source through symmetric communication, but only traffic initiated by the PSN towards the PAN and MnT addresses will be sent out GE0, and the remainder out GE1.

In current ISE versions, you will need to set static routes to 0.0.0.0 for each interface as well as set the overall default gateway from the CLI to be the next hop for GE1.

Regards,

Craig

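As an added illustration of the routing approach described in the accepted answer (this is not configuration from the original post or Cisco's reference configuration), below is an ADE-OS CLI session for one PSN with GE0 on a management segment and GE1 on the production segment. All addressing is assumed for the example: the PSN's GE0 sits in 10.10.10.0/24 (gateway 10.10.10.1), the PANs and MnTs live in a separate firewalled management subnet 10.10.20.0/24 reached through that gateway, and GE1 sits in 10.20.0.0/24 (gateway 10.20.0.1) where NADs, AD and endpoints are reached. Lines beginning with `!` are annotations, not commands. The per-interface 0.0.0.0 routes mentioned for then-current versions are not reproduced here; check the CLI reference for your release before applying this.

```text
! Assumed lab addressing (constructed for this example, not from the thread):
!   GE0  10.10.10.5/24   management segment, next hop 10.10.10.1
!   GE1  10.20.0.5/24    production segment,  next hop 10.20.0.1
!   PAN/MnT subnet 10.10.20.0/24, reachable only via the GE0 next hop
ise-psn1/admin# configure terminal
ise-psn1/admin(config)# interface GigabitEthernet 0
ise-psn1/admin(config-GigabitEthernet)# ip address 10.10.10.5 255.255.255.0
ise-psn1/admin(config-GigabitEthernet)# exit
ise-psn1/admin(config)# interface GigabitEthernet 1
ise-psn1/admin(config-GigabitEthernet)# ip address 10.20.0.5 255.255.255.0
ise-psn1/admin(config-GigabitEthernet)# exit
! Overall default gateway = GE1 next hop: anything the PSN initiates
! (LDAP/AD, NTP, DNS, profiling probes) leaves GE1 unless a more
! specific static route matches first.
ise-psn1/admin(config)# ip default-gateway 10.20.0.1
! More specific static route: PSN-initiated HTTPS replication to the PANs
! and syslog/secure syslog to the MnTs is forced out GE0 by longest-prefix match.
ise-psn1/admin(config)# ip route 10.10.20.0 255.255.255.0 gateway 10.10.10.1
ise-psn1/admin(config)# exit
! Verify the resulting table: the 10.10.20.0/24 entry should point at 10.10.10.1
! and the default at 10.20.0.1.
ise-psn1/admin# show ip route
```

Two checks worth doing after applying this on a single PSN before rolling it out: first, confirm from the firewall between the management segment and the rest of the network that the PSN's connections to the PAN and MnT arrive from the GE0 address (10.10.10.5 here) and on the ports listed in the Ports Reference linked later in this thread, so the firewall policy can be written as narrowly as that list allows; second, confirm that RADIUS from a NAD on the production side is answered on GE1 and that a PSN-initiated LDAP bind to AD also leaves GE1, since the only traffic that should ever cross the management firewall from the PSN is the replication and logging traffic.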

4 Replies

For load balancing with F5, please see another post on caveats on how to use SNAT:

Radius Network Access Device IP Field for Identification

Here is a port/NIC reference document for ISE 2.1 covering all types of communication from and to an ISE node:

Cisco Identity Services Engine Installation Guide, Release 2.1 - Cisco ISE Ports Reference [Cisco Identity Services En…

Thanks,

Krishnan

Hi Krishnan,

Thanks for the link. Good reference information for our ISE 2.1 production deployment.

Regards,

Hamra

Craig,

Many thanks for the feedback. Definitely the info I'm looking for. Great Cisco Live session, that BRKSEC-3699! A lot of field deployment aspects in an interactive session.

Regards,

Hamra