cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
 
ISE 2.3 Patch 7 has been posted. This will be the last patch for the ISE 2.3 release!
Choose one of the topics below to view our ISE Resources to help you on your journey with ISE

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

146
Views
5
Helpful
11
Replies
Beginner

WS-C3560-48PS-S compatible with ISE 2.6?

Hey guys,

I examine if I can replace my ACS 5.8 for ISE 2.6

I have a lot of WS-C3560-48PS-S with IOS version 12.2(55)SE11.

Are those compatible with ISE?

I use tacacs for admin user login and radius for mac based authentication (Printers, Phones) and certificate authentication (Domain Computers).

When I take a look at the ISE compatibility matrix:

https://www.cisco.com/c/en/us/td/docs/security/ise/2-6/compatibility/b_ise_sdt_26.html

I can't find my switch version.

Can you help me?

Thank you!

1 ACCEPTED SOLUTION

Accepted Solutions
VIP Engager

Re: WS-C3560-48PS-S compatible with ISE 2.6?

The switch has been end of life for 4 years, I know it works fine with 2.4, I expect it to work fine with 2.6. There is no replacement for testing and certifying your configuration and software version for every primary device type. Looking back at ISE 1.1 documentation, the 3560 was tested with 12.2(52)SE, so anything newer than that should have software support for the primary 802.1x features.

For example, if my customer want's dot1x functionality on "X" platform. I do not take Cisco's word that it will work. I do a bug scrub, pick a potential version of code, test the use cases in a lab "certifying" the platform and IOS, then implement a limited production roll out which acts as a pilot.
11 REPLIES 11
Cisco Employee

Re: WS-C3560-48PS-S compatible with ISE 2.6?

Beginner

Re: WS-C3560-48PS-S compatible with ISE 2.6?

okay, but that doesn't help me.

I understand that it would perhaps work.

But my question was rather if someone can confirm it.

VIP Engager

Re: WS-C3560-48PS-S compatible with ISE 2.6?

The switch has been end of life for 4 years, I know it works fine with 2.4, I expect it to work fine with 2.6. There is no replacement for testing and certifying your configuration and software version for every primary device type. Looking back at ISE 1.1 documentation, the 3560 was tested with 12.2(52)SE, so anything newer than that should have software support for the primary 802.1x features.

For example, if my customer want's dot1x functionality on "X" platform. I do not take Cisco's word that it will work. I do a bug scrub, pick a potential version of code, test the use cases in a lab "certifying" the platform and IOS, then implement a limited production roll out which acts as a pilot.
Highlighted
Beginner

Re: WS-C3560-48PS-S compatible with ISE 2.6?

Hi Damien,

thanks for that answer!

What about tacacs admin user login? Is that supported, too?

Cisco Employee

Re: WS-C3560-48PS-S compatible with ISE 2.6?

Yes.
Beginner

Re: WS-C3560-48PS-S compatible with ISE 2.6?

@Damien Miller 

@Surendra 

I want to buy the ISE appliance as VM. There is a highly redundant virtualization environment so the probablity of a shutdown of a VM is tiny.

But what about having two ISE VMs in case of one ISE has a system failure or something like that.

Does it make sense to buy two ISE VMs?

Cisco Employee

Re: WS-C3560-48PS-S compatible with ISE 2.6?

Well.. There technically is no such thing as ISE VM as a product but yeah, it makes sense to have 2 VMs on which ISE is installed with HA for redundancy by purchasing two ISE VM licenses based on the sizing of the nodes.
Beginner

Re: WS-C3560-48PS-S compatible with ISE 2.6?

what do you mean by "based on the sizing of the nodes" ?

 

Furthermore, I'm wondering how much base licenses and plus license are necessary.

With one ISE VM, we need 1500 base licenses and 1500 plus licenses.

But what do we need with two VMs ?

Or are these licenses just CALs like in Microsoft: They are not installed, you just need to have them on "paper" ?

Cisco Employee

Re: WS-C3560-48PS-S compatible with ISE 2.6?

In ISE they need to be installed. Base/Plus/Apex licenses are per deployment and not per node. If you have a deployment of 2 nodes, you would still only need 1500 base and 1500 plus in total. When I said Sizing, there are 3 types of VM licenses and these are per node. Small/Medium/Large depending on the specs of the VM on which ISE will be installed. Look for the section “Licenses for VM nodes” in https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/admin_guide/b_ise_admin_guide_24/b_ise_admin_guide_24_new_chapter_0110.html

Beginner

Re: WS-C3560-48PS-S compatible with ISE 2.6?

Thank you for that helpful answer!

So it's possible to install the base and plus licenses on both nodes? There is no message like "this license is already in use" or something like that.

VIP Engager

Re: WS-C3560-48PS-S compatible with ISE 2.6?

Already answered by Surendra, but yes, and this is the most common deployment type. You will deploy two ISE VM's and run the same persona roles across them, they will handle authentication in an active/active HA.

It could look like this and they would ideally be in different data centers/sites.
VM 1 hosts - Primary Admin, Secondary MNT, Policy Service Node, Device Admin (TACACS)
VM 2 hosts - Secondary Admin, Primary MNT, Policy Service Node, Device Admin (TACACS)

Your network devices will have two radius server IPs specified, VM1 and VM2, you can order them however you want.

Scaling for a 1 or 2 node standalone deployment is identical based on the vm template size you deploy, you just gain HA.