
WS-C3560-48PS-S compatible with ISE 2.6?

as00001111
Level 1

Hey guys,

I am examining whether I can replace my ACS 5.8 with ISE 2.6.

I have a lot of WS-C3560-48PS-S with IOS version 12.2(55)SE11.

Are those compatible with ISE?

I use TACACS for admin user login and RADIUS for MAC-based authentication (printers, phones) and certificate authentication (domain computers).

When I take a look at the ISE compatibility matrix:

https://www.cisco.com/c/en/us/td/docs/security/ise/2-6/compatibility/b_ise_sdt_26.html

I can't find my switch version.

Can you help me?

Thank you!


11 Replies

hslai
Cisco Employee

Okay, but that doesn't help me.

I understand that it would perhaps work.

But my question was rather if someone can confirm it.

The switch has been end of life for 4 years, I know it works fine with 2.4, I expect it to work fine with 2.6. There is no replacement for testing and certifying your configuration and software version for every primary device type. Looking back at ISE 1.1 documentation, the 3560 was tested with 12.2(52)SE, so anything newer than that should have software support for the primary 802.1x features.

For example, if my customer wants dot1x functionality on "X" platform, I do not take Cisco's word that it will work. I do a bug scrub, pick a potential version of code, test the use cases in a lab "certifying" the platform and IOS, then implement a limited production roll out which acts as a pilot.

Hi Damien,

thanks for that answer!

What about TACACS admin user login? Is that supported, too?

Yes.

@Damien Miller 

@Surendra 

I want to buy the ISE appliance as VM. There is a highly redundant virtualization environment so the probability of a shutdown of a VM is tiny.

But what about having two ISE VMs in case one ISE has a system failure or something like that?

Does it make sense to buy two ISE VMs?

Well.. There technically is no such thing as ISE VM as a product but yeah, it makes sense to have 2 VMs on which ISE is installed with HA for redundancy by purchasing two ISE VM licenses based on the sizing of the nodes.

What do you mean by "based on the sizing of the nodes"?

 

Furthermore, I'm wondering how many Base licenses and Plus licenses are necessary.

With one ISE VM, we need 1500 base licenses and 1500 plus licenses.

But what do we need with two VMs?

Or are these licenses just CALs like in Microsoft: they are not installed, you just need to have them on "paper"?

In ISE they need to be installed. Base/Plus/Apex licenses are per deployment and not per node. If you have a deployment of 2 nodes, you would still only need 1500 base and 1500 plus in total. When I said Sizing, there are 3 types of VM licenses and these are per node. Small/Medium/Large depending on the specs of the VM on which ISE will be installed. Look for the section “Licenses for VM nodes” in https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/admin_guide/b_ise_admin_guide_24/b_ise_admin_guide_24_new_chapter_0110.html

Thank you for that helpful answer!

So it's possible to install the base and plus licenses on both nodes? There is no message like "this license is already in use" or something like that.

Already answered by Surendra, but yes, and this is the most common deployment type. You will deploy two ISE VMs and run the same persona roles across them, they will handle authentication in an active/active HA.

It could look like this and they would ideally be in different data centers/sites.
VM 1 hosts - Primary Admin, Secondary MNT, Policy Service Node, Device Admin (TACACS)
VM 2 hosts - Secondary Admin, Primary MNT, Policy Service Node, Device Admin (TACACS)

Your network devices will have two RADIUS server IPs specified, VM1 and VM2, you can order them however you want.

Scaling for a 1 or 2 node standalone deployment is identical based on the VM template size you deploy, you just gain HA.
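
A sketch of how the two-node setup described in this thread could look on a 3560 running 12.2(55)SE, using the legacy `radius-server host` / `tacacs-server host` syntax of that release. This is an added example, not configuration posted by anyone in the thread; the addresses (192.0.2.0/24 documentation range), the local user name, the key placeholders and the timer values are all assumptions to be replaced and lab-tested.

```ios
! Constructed example: 192.0.2.11 = ISE VM1, 192.0.2.12 = ISE VM2 (placeholders)
aaa new-model
!
! Local break-glass account, used only if neither ISE node answers TACACS+
username localadmin privilege 15 secret <LOCAL-SECRET>
!
! RADIUS for MAB (printers, phones) and 802.1X (domain computers).
! Servers are tried in the order listed; swap the order on half of the
! switches to spread load across both Policy Service Nodes.
radius-server host 192.0.2.11 auth-port 1812 acct-port 1813 key <RADIUS-KEY>
radius-server host 192.0.2.12 auth-port 1812 acct-port 1813 key <RADIUS-KEY>
!
! Failover behaviour: mark a node dead after 3 unanswered tries over 5 s,
! then skip it for 15 minutes instead of timing out on every new session.
radius-server dead-criteria time 5 tries 3
radius-server deadtime 15
!
! TACACS+ for admin login against the Device Admin service on both nodes
tacacs-server host 192.0.2.11 key <TACACS-KEY>
tacacs-server host 192.0.2.12 key <TACACS-KEY>
!
! Admin login: TACACS+ first, local account as fallback
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
!
! Port authentication and accounting via RADIUS
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
!
dot1x system-auth-control
```

With `local` as the last method in the login lists, the switch stays manageable if both nodes are unreachable; verify the failover timing in a lab by shutting down one ISE node at a time before rolling the change out.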