A few questions about a Cisco/3rd party WAN setup

tisnow
Cisco Employee

I have a partner that has successfully done a test deployment of ISE at a regional hub, with posture happening on the third-party side at the branches; however, we have a few questions.

1) A) In the link below, for DHCP/DNS fencing, is there a limit on the number of subnets that can be configured? Say 20, 50, 100?
Also, there is an incomplete section ("For more information, see "):
https://www.cisco.com/c/en/us/td/docs/security/ise/2-3/admin_guide/b_ise_admin_guide_23/b_ise_admin_guide_23_chapter_01001.html

   B) Does the IP helper allow ISE to selectively provide the correct DHCP for that branch?

2) Since some of the switches do not support URL redirection for posture, the partner statically entered an IP address in the AnyConnect profile on ISE. Is that going to cause issues with the DHCP/DNS method and the session ID?

Thanks,

Tim

3 Replies

hslai
Cisco Employee

1.A. No data is available presently for such a limit. I do expect 20 would work.

Regarding the incomplete section, please cite the section and paragraph or go ahead and log a doc bug.

1.B. By specifying ISE as the IP helper address on the SVI of a particular subnet, ISE should be able to return a DHCP assignment for that subnet.

2. If the NAD does not support URL redirection, we may either specify a friendly FQDN for an ISE client provisioning portal, use the Call Home setting in the ISE Posture profile, or use the Auth VLAN.
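The IP-helper arrangement described in 1.B, shown as an added illustration that is not part of the thread or of any Cisco document: a branch switch with two user SVIs, each relaying DHCP to the ISE Policy Service Node. The SVI addresses (10.10.0.1/24, 10.20.0.1/24) and the PSN address (192.0.2.10) are assumed placeholders.

```text
! Added example, not from the original thread. All addresses are placeholders.
! 192.0.2.10 is assumed to be the ISE PSN acting as DHCP/DNS server for the Auth VLAN.
interface Vlan10
 description Branch A - user subnet (Auth VLAN)
 ip address 10.10.0.1 255.255.255.0
 ip helper-address 192.0.2.10
!
interface Vlan20
 description Branch A - second user subnet (Auth VLAN)
 ip address 10.20.0.1 255.255.255.0
 ip helper-address 192.0.2.10
!
! Verify which helper each SVI relays to:
! show ip interface Vlan10 | include Helper
! show ip interface Vlan20 | include Helper
```

With standard DHCP relay, the switch fills the giaddr field of the relayed DHCPDISCOVER with the SVI address, which is how the server tells the two subnets apart; so "selectively providing the correct DHCP for that branch" works per SVI as long as the PSN has a scope matching each relayed subnet. Whether ISE will serve an arbitrary number of such subnets is exactly the open question in 1.A and is not settled by this configuration.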

tisnow
Cisco Employee

1A) Could we confirm that 100 would work?

1B) The documentation bug is here: "URL Redirect Mechanism and Auth VLAN"

2) Is there a guide on when to use each? We hardcoded the discovery address, but I recall having session-linkage issues in the past.
Auth VLAN would be for the DHCP/DNS inline-type solution; does that allow ISE to respond on behalf of itself with the discovery address? Is there a flow diagram (I may have missed it)?

Thanks Hsing

hslai
Cisco Employee

1A. Sorry, no data to confirm whether 100 works.

1B. CDETS ID?

2. Client Provisioning Portal FQDN and the Call Home setting are covered in "[ISE Lab Guide] ISE 2.2 Update".
"Configure Third-Party NAD Redirection on ISE 2.1 - Cisco" covers Auth VLAN.
