tisnow
Cisco Employee

A few questions about a Cisco/3rd party WAN setup

I have a partner that has successfully done a test deployment of ISE at a regional hub with posture happening on 3rd party at the branches; however, we have a few questions.

1) A) In the link below, for DHCP/DNS fencing, is there a limit on the number of subnets that can be configured? Say 20, 50, 100?
Also, there is an incomplete section ("For more information, see "):
https://www.cisco.com/c/en/us/td/docs/security/ise/2-3/admin_guide/b_ise_admin_guide_23/b_ise_admin_guide_23_chapter_01001.html

B) Does the IP helper allow ISE to selectively provide the correct DHCP for that branch?

2) Since some of the switches do not support URL redirection for posture, the partner statically entered an IP address in the AnyConnect profile on ISE. Is that going to cause issues with the DHCP/DNS method and session ID?

Thanks,

Tim

hslai
Cisco Employee

1.A. No data available presently for such a limit. I do expect 20 would work.

Regarding the incomplete section, please cite the section and paragraph or go ahead and log a doc bug.

1.B. By specifying ISE as the IP helper address at an SVI of a particular subnet, ISE should be able to return a DHCP assignment for that subnet.

2. If the NAD does not support URL redirection, we may either specify a friendly FQDN for an ISE client provisioning portal, use the Call Home setting in the ISE Posture profile, or use the Auth VLAN.

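The relay behaviour hslai describes in 1.B, as an added example that is not part of the thread and not Cisco's code: a minimal DHCPDISCOVER builder, the giaddr rewrite a switch performs for "ip helper-address", and the server-side scope selection by giaddr, which is what lets one DHCP server (ISE, in the thread's setup) hand out the right subnet for each branch. Field offsets follow RFC 2131; the pools, addresses and MAC are assumed values constructed for the example.

```python
# Added example, not from the thread or from Cisco: how a DHCP relay
# (ip helper-address) and a DHCP server cooperate so one server can answer
# for many branch subnets. The relay writes the SVI's own address into
# giaddr; the server picks the pool whose subnet contains giaddr.
# Offsets follow RFC 2131. Pools, addresses and MAC are constructed values.
import ipaddress
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"
GIADDR_OFFSET = 24  # op,htype,hlen,hops (4) + xid (4) + secs,flags (4) + ciaddr,yiaddr,siaddr (12)

# One pool per branch SVI subnet (assumed values).
POOLS = {
    ipaddress.ip_network("10.10.10.0/24"): ("10.10.10.100", "10.10.10.200"),
    ipaddress.ip_network("10.20.20.0/24"): ("10.20.20.100", "10.20.20.200"),
}


def build_discover(xid, mac, giaddr="0.0.0.0"):
    """Minimal DHCPDISCOVER: 236-byte BOOTP header, magic cookie, option 53 = 1, end."""
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        1, 1, 6, 0,                    # op=BOOTREQUEST, htype=Ethernet, hlen=6, hops=0
        xid, 0, 0x8000,                # xid, secs, flags (broadcast bit set)
        bytes(4), bytes(4), bytes(4),  # ciaddr, yiaddr, siaddr
        ipaddress.ip_address(giaddr).packed,
        mac, bytes(64), bytes(128),    # chaddr (struct pads to 16 bytes), sname, file
    )
    return header + MAGIC_COOKIE + b"\x35\x01\x01" + b"\xff"


def relay(packet, svi_ip):
    """What the switch does for `ip helper-address`: increment hops, fill giaddr
    with the SVI address if it is still zero (only the first relay sets it), then
    forward the request unicast to the helper. RFC 1542 lets a relay drop a
    request whose hops field exceeds a configured threshold, at most 16."""
    hops = packet[3] + 1
    if hops > 16:
        return None
    giaddr = packet[GIADDR_OFFSET:GIADDR_OFFSET + 4]
    if giaddr == bytes(4):
        giaddr = ipaddress.ip_address(svi_ip).packed
    return packet[:3] + bytes([hops]) + packet[4:GIADDR_OFFSET] + giaddr + packet[GIADDR_OFFSET + 4:]


def select_scope(packet):
    """Server side: return (subnet, pool) for the subnet that contains giaddr.
    None means 'no pool for this relay'; staying silent is the safe failure,
    since an offer from another branch's pool would be unusable and misleading."""
    if packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    giaddr = ipaddress.ip_address(packet[GIADDR_OFFSET:GIADDR_OFFSET + 4])
    if giaddr.packed == bytes(4):
        return None  # un-relayed broadcast on the server's own segment; no local pool here
    for net, pool in POOLS.items():
        if giaddr in net:
            return net, pool
    return None


def offer_yiaddr(packet):
    """First address of the selected pool, as the server would place in yiaddr."""
    scope = select_scope(packet)
    return None if scope is None else scope[1][0]
```

Two things the code makes visible that the prose does not: a second relay hop leaves the first giaddr in place, so the scope is always chosen for the subnet the client actually broadcast on; and a request arriving with giaddr 0.0.0.0, or from an SVI with no matching pool, gets no offer at all, which is the behaviour you want when a branch subnet has not been added to the server yet.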
tisnow
Cisco Employee

1A)  Could we confirm 100 would work?

1B) The documentation bug is here: URL Redirect Mechanism and Auth VLAN

2) Is there a guide on when to use each? We hardcoded the discovery address, but I recall having session linkage issues in the past.
Auth VLAN would be for the DHCP/DNS inline type solution; does that allow ISE to respond on behalf of itself with the discovery address? Is there a flow diagram (I may have missed it)?

Thanks Hsing

hslai
Cisco Employee

1A. Sorry. No data to confirm whether 100 works.

1B. CDETS ID?

2. Client Provisioning Portal FQDN and Call Home setting are covered in [ISE Lab Guide] ISE 2.2 Update; Auth VLAN is covered in Configure Third-Party NAD Redirection on ISE 2.1 - Cisco.

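The DNS half of the DHCP/DNS fence that tisnow asks about under Auth VLAN ("does that allow ISE to respond on behalf of itself with the discovery address?"), as an added example that is not part of the thread and not Cisco's code. The model assumed here, not stated in the thread: while a client sits on the authentication VLAN, the DNS server it was handed by DHCP answers every A query with the portal address, so whatever name the posture agent or browser looks up, the connection lands on ISE. Wire format per RFC 1035; the portal address and query names are constructed for the example.

```python
# Added example, not from the thread or from Cisco: the DNS half of a
# DHCP/DNS fence such as an Auth VLAN. Assumed model: on the authentication
# VLAN every A query resolves to the portal address. Wire format per
# RFC 1035. Portal address and names are constructed values.
import struct

PORTAL_IP = "10.99.0.5"  # assumed client-provisioning portal address
FENCE_TTL = 5            # seconds; short, so fenced answers expire once the client leaves the VLAN


def encode_name(name):
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


def decode_name(msg, off):
    """Read an uncompressed name; returns (name, offset just after the terminator)."""
    labels = []
    while True:
        n = msg[off]
        off += 1
        if n == 0:
            return ".".join(labels), off
        if n & 0xC0:
            raise ValueError("compression pointer where a literal name was expected")
        labels.append(msg[off:off + n].decode("ascii"))
        off += n


def build_query(txid, name, qtype=1):
    """Standard recursive query with one question (qtype 1 = A, 28 = AAAA)."""
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", qtype, 1)


def fence_answer(query, portal_ip=PORTAL_IP, ttl=FENCE_TTL):
    """Server side of the fence: an authoritative A answer pointing at the portal,
    for any name. Non-A/IN questions get an empty NOERROR reply so a client that
    asks AAAA first does not stall before falling back to A."""
    txid, flags, qdcount = struct.unpack("!HHH", query[:6])
    if flags & 0x8000 or qdcount != 1:
        raise ValueError("expected a single-question query")
    _, off = decode_name(query, 12)
    qtype, qclass = struct.unpack("!HH", query[off:off + 4])
    question = query[12:off + 4]
    if (qtype, qclass) != (1, 1):
        return struct.pack("!HHHHHH", txid, 0x8400, 1, 0, 0, 0) + question  # QR|AA, no answers
    rdata = bytes(int(octet) for octet in portal_ip.split("."))
    # Name is a compression pointer to the question name at offset 12.
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + rdata
    return struct.pack("!HHHHHH", txid, 0x8400, 1, 1, 0, 0) + question + answer


def a_records(response):
    """Client side: the addresses in the answer section, i.e. where the agent would connect."""
    txid, flags, qdcount, ancount = struct.unpack("!HHHH", response[:8])
    off = 12
    for _ in range(qdcount):
        _, off = decode_name(response, off)
        off += 4
    ips = []
    for _ in range(ancount):
        if response[off] & 0xC0 == 0xC0:
            off += 2  # compressed owner name
        else:
            _, off = decode_name(response, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", response[off:off + 10])
        off += 10
        rdata = response[off:off + rdlen]
        off += rdlen
        if (rtype, rclass) == (1, 1):
            ips.append(".".join(str(b) for b in rdata))
    return ips
```

The TTL is the caveat worth carrying into a real deployment: the client caches the fenced answer, so a long TTL means it keeps connecting to the portal address for a while after it is moved to its production VLAN, which looks like the "session linkage" symptom the thread mentions. A TTL of a few seconds keeps that window small.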