Cisco Employee

TAC supported F5 Design?

I need to confirm whether the following scenarios are supported or whether there are any potential issues in one. I don't believe so, but a sanity check would be greatly appreciated.

Both scenarios are about avoiding the need to readdress F5 VIPs or change NAD configs when migrating from ACS to new ISE deployments (separate Device Admin and Radius Deployments).

Scenario 1:

Using a single F5 VIP address for both TACACS and RADIUS deployments (since today the ACS and its VIP handles both). The VIP would leverage the DST port to distinguish between TACACS and RADIUS requests so that the F5 will send TACACS requests to the ISE server pool and keep RADIUS requests sent to their existing ACS (or future ISE deployment).

Scenario 2:

Today we currently have Wireless auth NADs and VPN auth NADs using two different F5 VIPs. In order to avoid readdressing on the NADs we would like to keep the two F5 VIPs, but leverage identical ISE server pools on the F5 behind each VIP.

Thanks!

1 ACCEPTED SOLUTION

Accepted Solutions
Advocate

Re: TAC supported F5 Design?

Although not officially QA'ed by Cisco, I do cover T+ load balancing in Cisco Live session (BRKSEC-3699 - Reference version) available on ciscolive.com.

Yes, LB based on port TCP/49 and source IP-based LB should be sufficient.  T+ does not have the same session restraints like RADIUS auth and no CoA to contend with.

Craig

4 REPLIES
VIP Engager

Re: TAC supported F5 Design?

Both scenarios should work just fine.  I have done scenario 1 in almost all of my F5 ISE deployments when doing both RADIUS and TACACS, although in my case I am usually load balancing to different PSNs in the same ISE deployment.  These are all different virtual servers on the F5s so you can assign them to whatever pools (or the same pools) you want.

Cisco Employee

Re: TAC supported F5 Design?

Craig,

Thanks for the reply, your presentations are always the best! Sounds like Question 1 is covered for T+, what about for RADIUS? When consulting your slides it looks like both RADIUS and CoA ports need to be accounted for?

Lastly, can you confirm that scenario 2 is supported as well?

Thanks!

Advocate

Re: TAC supported F5 Design?

Yes, #2 could work but need to make sure the load across pools is evenly distributed.
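As an added illustration of both scenarios (this is not configuration from the thread, from Craig's session, or from Cisco), the bigip.conf fragment below splits one shared VIP by destination port (TCP/49 to ISE, UDP/1812 to the legacy ACS) with source-address persistence, and then points two existing RADIUS VIPs at one identical ISE pool. All addresses are constructed RFC 5737 placeholders; RADIUS accounting (1813) and CoA handling are assumed to be addressed separately, as the thread notes.

```tmsh
# Constructed example, not from the thread: one shared VIP (198.51.100.10) splits
# TACACS+ (TCP/49) to ISE and RADIUS auth (UDP/1812) to the legacy ACS by
# destination port, as in scenario 1. No SNAT is configured, so ISE sees the real
# NAD source address (the PSNs must route return traffic back through the F5).
ltm pool pool_ise_tacacs {
    members {
        192.0.2.11:49 { address 192.0.2.11 }
        192.0.2.12:49 { address 192.0.2.12 }
    }
    monitor tcp
}
ltm pool pool_acs_radius {
    members { 192.0.2.21:1812 { address 192.0.2.21 } }
}
ltm virtual vs_shared_vip_tacacs {
    destination 198.51.100.10:49
    ip-protocol tcp
    profiles { tcp { } }
    pool pool_ise_tacacs
    persist { source_addr { default yes } }
}
ltm virtual vs_shared_vip_radius {
    destination 198.51.100.10:1812
    ip-protocol udp
    profiles { udp { } }
    pool pool_acs_radius
    persist { source_addr { default yes } }
}
# Scenario 2: wireless and VPN VIPs keep their addresses but share one ISE pool.
ltm pool pool_ise_radius {
    members {
        192.0.2.11:1812 { address 192.0.2.11 }
        192.0.2.12:1812 { address 192.0.2.12 }
    }
    monitor gateway_icmp
}
ltm virtual vs_wireless_radius {
    destination 198.51.100.20:1812
    ip-protocol udp
    profiles { udp { } }
    pool pool_ise_radius
    persist { source_addr { default yes } }
}
ltm virtual vs_vpn_radius {
    destination 198.51.100.30:1812
    ip-protocol udp
    profiles { udp { } }
    pool pool_ise_radius
    persist { source_addr { default yes } }
}
```

Because both scenario 2 virtuals share pool_ise_radius, the per-member load visible under `tmsh show ltm pool pool_ise_radius members` is the aggregate of both VIPs, which is where the even-distribution check above applies.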