Access Switch Recommendation for ISE

nasim_nasri · ‎08-26-2013

Dear Expert,

My client is thinking to role out the ISE in the network they have old switches 2950g which supports only authentication with ISE.

In order to utilize most of the feature if not all we are thinking to replace them with 2960g.

Any advice, expereinvce in this regards will be very helpful for the recommended model for the access layer.

Thanks

Karsten Iwen · ‎08-27-2013

The actual 2960-switches (which are 2960-X, but the 2960-S are also very good access-switches) will be a very good choice. If you want to use the full power of ISE, you want a switch that is capable of running IOS >= 15.0. If I remember right, not all of the older 2960 are papable of that.

--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Leo Laohoo · ‎08-27-2013

you want a switch that is capable of running IOS >= 15.0. If I remember right

Nah. All 2960-series, from the legacy all the way up to 2960S, can run 15.0.

All of my 2960/2960G are running 15.0(2)SE4 already.

Rated +5.

Karsten Iwen · ‎08-27-2013

for sure you are right, I was thinking about the older 3750 which I used as access-switches some years ago when there were no 2960 with PoE. These switches only supported IOS 12.2.55.

Sent from Cisco Technical Support iPad App

muhammk2 · ‎08-27-2013

Hello,

Catalyst 2960, Catalyst 2960S, ISR EtherSwitch ES2 with OS [IOS v12.2(52)SE LAN Base] will support MAB, 802.1X, Web Auth, Session CoA, VLAN and DACL.

Catalyst 2960, Catalyst 2960S with OS [IOS v12.2(52)SE LAN Lite²] will support MAB, 802.1X and VLAN.

For more details of Network Access Devices, please refer to the following link:

http://www.cisco.com/en/US/docs/security/ise/1.0.4/compatibility/ise104_sdt.html#wp55038

BR,

Muhammad Khan

Tarik Admani · ‎08-27-2013

You can use the 2960s that were recommended. However if you want to implement device sensor features (i.e. if profiling endpoints is a mandatory requirement). You should consider the 3750X with the proper licensing.

Thanks,

Tarik Admani
*Please rate helpful posts*

Muhammad Munir · ‎08-27-2013

Hello Nasim

Agreed by the Tarik and Muhammad Khan's reply you can use the 2960s switch, but I recommend you to use 3750x which is capable of using all the services of ISE 1.1 as well as 1.2.

Thanks

Leo Laohoo · ‎08-27-2013

but I recommend you to use 3750x which is capable of using all the services of ISE 1.1 as well as 1.2.

Are you kidding????

I wouldn't recommend 3750X particularly when the 3850 is priced LOWER than 3750X and the 3850 has THE SAME features as the 3750X.

The future of the 3560 and 3750 looks bleak particularly when the 3850's "younger brother" is about to come out.

Venkatesh Attuluri · ‎08-28-2013

Following is the Cisco Identity Services Engine Network Component Compatibility, Release 1.2 which specify recommeded switch to use with ISE and different features supported by switch

http://www.cisco.com/en/US/docs/security/ise/1.2/compatibility/ise_sdt.html

Leo Laohoo · ‎08-28-2013

Hi Venkatesh,

Good document and had a look under "Supported Network Access Devices" and all I can say is it's OUTDATED. Someone needs to add the status of the Sup8 and the 6800ia, even though it's not supported.

kaaftab · ‎09-16-2013

You can use any of the L2 switches for 802.1x authentication and if you want L3 features you should use the L3 switches for reference you can check the list of features and IOS form the following link

http://www.cisco.com/en/US/solutions/collateral/ns170/ns896/ns1051/product_bulletin_c25-712066.html

http://www.cisco.com/en/US/solutions/ns170/ns896/ns1051/trustsec_matrix.html

and hardware compliance from the list for all ISE versions

http://www.cisco.com/en/US/products/ps11640/products_device_support_tables_list.html