Beginner

Switch Config with two Load Balancer

I'm looking for a little help with switch configuration for ISE with 2 data centers, each with a load balancer and 15 PSNs at each site. We'd like to point the NADs to the LBs and from there the LB will distribute to the PSNs, but I'm having a little issue with what that will look like in the switch template. Any tips?

! Define the RADIUS servers and RADIUS group
radius server DC1-LB-VIP
 address ipv4 10.1.1.1 auth-port 1812 acct-port 1813
 automate-tester username ise-check probe-on
 key <password>
!
radius server DC2-LB-VIP
 address ipv4 10.2.2.2 auth-port 1812 acct-port 1813
 automate-tester username ise-check probe-on
 key <password>
!
aaa group server radius ISE-RADIUS
 server name DC1-LB-VIP
 server name DC2-LB-VIP
!
! CoA (dynamic authorization) is only accepted from these client addresses
aaa server radius dynamic-author
 client 10.1.1.1 server-key <password>
 client 10.2.2.2 server-key <password>

Accepted Solution
VIP Engager

Re: Switch Config with two Load Balancer

Your config looks good for what you want to do; we use similar for our customers with load balancers. The load balancer is going to be the piece where the complicated pieces happen. Load balancing large environments works great, I wouldn't shy away from the setup and testing; in the long run it will be much easier with configs. Start here with the load balancer guides.

https://community.cisco.com/t5/security-documents/ise-load-balancing/ta-p/3648759

One thing to note about your config: you have to make sure you use reverse NAT for your UDP 1700 CoAs as well as for the RADIUS/TACACS communication.

If you are using an F5 and plan to also use your VIPs for TACACS, check out my F5 TACACS amendment here:
https://community.cisco.com/t5/security-blogs/how-to-tacacs-failover-with-f5-big-ip-virtual-servers/ba-p/3796384

If you are going to be using the NetScaler guide and also leveraging TrustSec (or SDA), then you need to read my amendment around CTS request persistence too:
https://community.cisco.com/t5/identity-services-engine-ise/radius-persistence-with-load-balanced-ise/td-p/3694180

3 Replies
Beginner

Re: Switch Config with two Load Balancer

With your current config it's basically active/standby: DC1-LB-VIP will always be hit if available, and DC2-LB-VIP is the backup.

Given you're using a named group, it's just one command you need to add, though this may not be valid for all platforms.

To give you an example on 16.6.x:

!
aaa group server radius ISE-RADIUS
 server name DC1-LB-VIP
 server name DC2-LB-VIP
 load-balance method least-outstanding
!

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_rad/configuration/xe-16-6/sec-usr-rad-xe-16-6-book/sec-rad-load-bal.html

BTW, if you can get access to some of the Cisco Live sessions for ISE, there is some really good content, and there is definitely coverage of load balancing in great detail. Enjoy!
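Two points from the replies above are easy to check before the template goes out: the accepted solution notes that CoA (UDP 1700) must arrive from an address the switch lists under dynamic-author (hence reverse NAT on the LB), and the reply above notes that a group without a load-balance method is active/standby. The script below is an added example, not code from the thread; it parses an IOS-XE style config (sample constructed from the thread's two-VIP config, with the DC2 CoA client left out on purpose) and reports both conditions.

```python
import re
# Constructed sample from the thread's two-VIP config; DC2's dynamic-author client is left out on purpose.
SAMPLE = """
radius server DC1-LB-VIP
 address ipv4 10.1.1.1 auth-port 1812 acct-port 1813
radius server DC2-LB-VIP
 address ipv4 10.2.2.2 auth-port 1812 acct-port 1813
aaa group server radius ISE-RADIUS
 server name DC1-LB-VIP
 server name DC2-LB-VIP
 load-balance method least-outstanding
aaa server radius dynamic-author
 client 10.1.1.1 server-key <password>
"""

def parse_ios_radius(config):
    """Return (server name -> address, group name -> members/lb, set of CoA client addresses)."""
    servers, groups, coa_clients, section = {}, {}, set(), None
    for line in (l.strip() for l in config.splitlines() if l.strip()):
        if m := re.match(r"radius server (\S+)$", line):
            section, servers[m[1]] = ("server", m[1]), None
        elif m := re.match(r"aaa group server radius (\S+)$", line):
            section, groups[m[1]] = ("group", m[1]), {"members": [], "lb": None}
        elif line == "aaa server radius dynamic-author":
            section = ("coa", None)
        elif line == "!" or section is None:      # '!' closes a section in IOS
            section = None
        elif section[0] == "server" and (m := re.match(r"address ipv4 (\S+)", line)):
            servers[section[1]] = m[1]
        elif section[0] == "group" and (m := re.match(r"server name (\S+)", line)):
            groups[section[1]]["members"].append(m[1])
        elif section[0] == "group" and (m := re.match(r"load-balance method (\S+)", line)):
            groups[section[1]]["lb"] = m[1]
        elif section[0] == "coa" and (m := re.match(r"client (\S+)", line)):
            coa_clients.add(m[1])
    return servers, groups, coa_clients

def audit(config):
    """Flag active/standby groups and group members whose address the switch would reject CoA from."""
    servers, groups, coa_clients = parse_ios_radius(config)
    findings = []
    for gname, g in groups.items():
        if g["lb"] is None:
            findings.append(f"{gname}: no load-balance method, members are used active/standby")
        for name in g["members"]:
            addr = servers.get(name)
            if addr not in coa_clients:
                findings.append(f"{name} ({addr}): not a dynamic-author client, CoA from this VIP is dropped")
    return findings
```

Run `audit(SAMPLE)` to see the DC2 finding; removing the load-balance line adds the active/standby finding as well.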

Beginner

Re: Switch Config with two Load Balancer

Hi,

Which load-balancing device do you have?

If F5, there is a very detailed how-to document called:

How-To-95-Cisco_and_F5_Deployment_Guide-ISE_Load_Balancing_Using_BIG-IP

Check for it on the internet.

Also, the load-balancing command under the radius-server is not advisable.

Please rate if this is helpful.
