Cisco ISE IP Interfaces configuration

 

Hello Team,

Need suggestion...

We have 2 ISE hardware boxes (SNS-3495). We are planning to connect 2x ISE (Active/Standby) with 3x interfaces.

 

Please share if any supporting IP design document is available.

 

VIP Advisor

Re: Cisco ISE IP Interfaces configuration

Hi,

One IP per NIC is good unless you expect high throughput or you want NIC bonding for redundancy.

It's not necessary for PAN and PSN to be in the same subnet. Just ensure that the required ports are allowed to communicate and latency is less than 200 msec.

***** Please remember to rate useful posts.
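The reply above reduces to two things to verify before splitting PAN and PSN across subnets: the inter-node ports are actually open through whatever sits between them, and round-trip latency is under the limit. The script below is an added example, not code from the thread or from Cisco. It measures TCP connect time to each port, which works even where ICMP is filtered, and flags any port that is unreachable or slower than the 200 ms figure quoted in the reply. The port list and the 192.0.2.10 address are placeholders; confirm the ports against the ISE Ports Reference for your release.

```python
"""Probe ISE inter-node ports and compare connect latency to a ceiling.

Added example, not from the original thread. Port numbers are assumed
placeholders to be checked against the ISE Ports Reference.
"""
import socket
import sys
import time

# Assumed inter-node TCP ports (verify against the ISE Ports Reference).
DEFAULT_PORTS = {
    443: "HTTPS (admin, replication)",
    1521: "Oracle listener (replication)",
    12001: "JGroups global cluster",
}
# Latency ceiling quoted in the reply above, in milliseconds.
MAX_LATENCY_MS = 200.0


def probe_port(host, port, timeout=2.0):
    """Return (reachable, rtt_ms) for one TCP connect to host:port.

    rtt_ms is the time to complete the three-way handshake, a usable
    stand-in for round-trip latency when ping is blocked by a firewall.
    """
    start = time.perf_counter()
    try:
        with socket.create_connection((host, port), timeout=timeout):
            pass
    except OSError:
        # Refused, filtered, or timed out: treat all three as unreachable.
        return False, None
    return True, (time.perf_counter() - start) * 1000.0


def probe_node(host, ports=DEFAULT_PORTS, timeout=2.0):
    """Probe every port in `ports` and return {port: (reachable, rtt_ms)}."""
    return {port: probe_port(host, port, timeout) for port in ports}


def evaluate(results, max_latency_ms=MAX_LATENCY_MS):
    """Classify raw probe results into (port, status, detail) rows."""
    report = []
    for port, (reachable, rtt_ms) in sorted(results.items()):
        if not reachable:
            report.append((port, "FAIL", "not reachable (check firewall/ACL path)"))
        elif rtt_ms > max_latency_ms:
            report.append((port, "FAIL", f"{rtt_ms:.1f} ms exceeds {max_latency_ms:.0f} ms"))
        else:
            report.append((port, "OK", f"{rtt_ms:.1f} ms"))
    return report


def all_ok(report):
    """True only if every port is reachable and within the latency ceiling."""
    return all(status == "OK" for _, status, _ in report)


if __name__ == "__main__":
    # Assumed PAN address; pass the real one as the first argument.
    target = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.10"
    report = evaluate(probe_node(target))
    for port, status, detail in report:
        print(f"{target}:{port:<6} {DEFAULT_PORTS.get(port, ''):<30} {status} ({detail})")
    sys.exit(0 if all_ok(report) else 1)
```

Run it from the PSN toward the PAN address and again in the opposite direction; replication and node registration need both directions open, and a one-way ACL is the usual reason a secondary node fails to join.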

Re: Cisco ISE IP Interfaces configuration

Hello Mohammed,

Thanks for your response.


Is there any supporting document which states that "It's not necessary for PAN and PSN to be in the same subnet"?

Also please suggest if the IP assignment is correct or not.

 

Cisco Employee

Re: Cisco ISE IP Interfaces configuration

The wording of the question is a bit vague, but it sounds like you have 2 total SNS-3495 appliances (you should be aware that End of Software Support on that platform was October 2019 - 34xx EoL Notice ) you are using to deploy ISE.

If this is the case, you would have all 4 Personas (PAN, MnT, PSN, Device Admin) running on both nodes. In this scenario, you would typically only use 2x IP addresses for ISE (Gig0 for management, RADIUS, TACACS, etc; Gig1 for Guest Portal) and 1x IP address for CIMC for each node.

I would suggest reviewing the following collateral:

Install Guide - Network Deployments in ISE 

Install Guide - ISE Ports Reference

 

When using multiple interfaces for ISE services, you will also need to configure an interface alias for portal redirection. I would suggest reviewing the section on Load Balancing ISE Web Services in this Cisco Live presentation:

BRKSEC-3432 - Advanced ISE Architect, Design and Scale ISE for your production networks

 

Cheers,

Greg


Re: Cisco ISE IP Interfaces configuration

Hello Greg,

Thanks for the information.

 

Deployment scenario that you have mentioned is correct. We have 2 total SNS-3495 appliances and we are aware that it is EOS & EOL.

 

As you mentioned "you would typically only use 2x IP addresses for ISE (Gig0 for management, RADIUS, TACACS, etc; Gig1 for Guest Portal)", so can't we configure Gig 2 for TACACS?

 

Cisco Employee

Re: Cisco ISE IP Interfaces configuration

ISE will listen for TACACS+ on Gig2 if you prefer to use a separate interface. This is all dependent on your overall architecture and design (routing, security zones, etc).

Both RADIUS and TACACS+ are lightweight protocols, so unless you expect to overload the interface bandwidth there may be no value in using separate interfaces if the same node will be processing both.

I would suggest also reviewing the following:

ISE Performance & Scale 

ISE TACACS+ Deployment & Sizing Guidance


Re: Cisco ISE IP Interfaces configuration

Hello Greg,

 

Please find attached scenario.

 

Is it possible to keep Gig 0 & Gig 2 in the same subnet? (Gig 0 for Mgmt & Gig 2 for TACACS)

Or is it better to use one single IP for TACACS & Mgmt?

 

 

Cisco Employee

Re: Cisco ISE IP Interfaces configuration

I would not see the value in using separate interfaces in the same subnet for the separate services. Using separate interfaces would typically involve those interfaces sitting on different subnets.


Re: Cisco ISE IP Interfaces configuration

Yes you are correct.

 

So if we use Gig 0 for Mgmt & TACACS and Gig 1 for Guest, then that will be the best approach.

However, if Gig 0 & Gig 1 are in different subnets and connected to different switches, then what will be my gateway?

 

Cisco Employee

Re: Cisco ISE IP Interfaces configuration

As of ISE 2.0, you can configure multiple default gateways via 'ip route' when you have multiple interfaces and it will use the correct gateway for outbound traffic.

I would suggest reviewing the Load Balancing ISE Web Services section of the following CiscoLive deck:

BRKSEC-3699: Designing ISE for Scale & High Availability - 2018 Orlando (Session Reference deck)


Excerpt: (screenshot of the deck attached to the original post, not reproduced here)
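To make the two-interface, two-subnet layout from the last few replies concrete, here is an added configuration example written against the ISE ADE-OS CLI. It is not from the thread, the Cisco deck, or Cisco documentation. All addresses, masks, hostnames and gateways are placeholders; the `ip host` alias is the portal-redirection entry Greg mentions for the guest interface; and the use of a second `ip route 0.0.0.0 0.0.0.0 gateway ...` entry as the per-interface default gateway on ISE 2.0+ is an assumption on my part, so confirm that form against the CLI reference for your release before relying on it. Lines beginning with `!` are annotations, not commands.

```text
! Added example, not from the original post. Placeholder addressing throughout.
ise/admin# configure terminal

! Gig0: management, RADIUS, TACACS+ (one IP, one subnet)
ise/admin(config)# interface GigabitEthernet 0
ise/admin(config-GigabitEthernet)# ip address 10.10.10.11 255.255.255.0
ise/admin(config-GigabitEthernet)# no shutdown
ise/admin(config-GigabitEthernet)# exit

! Gig1: guest portal, on a separate subnet reached via a different switch
ise/admin(config)# interface GigabitEthernet 1
ise/admin(config-GigabitEthernet)# ip address 192.168.100.11 255.255.255.0
ise/admin(config-GigabitEthernet)# no shutdown
ise/admin(config-GigabitEthernet)# exit

! Default gateway for the management interface (Gig0)
ise/admin(config)# ip default-gateway 10.10.10.1

! Second default gateway so replies sourced from the Gig1 address leave
! via the guest subnet's router (assumed syntax; verify for your release)
ise/admin(config)# ip route 0.0.0.0 0.0.0.0 gateway 192.168.100.1

! Interface alias so portal redirection URLs resolve to the Gig1 address
ise/admin(config)# ip host 192.168.100.11 guest.example.com guest

ise/admin(config)# exit
ise/admin# write memory
```

Two checks after applying it: `show running-config` should list both interfaces with their addresses and both gateway entries, and a guest client on the 192.168.100.0/24 side should be redirected to guest.example.com rather than to the management IP, since the portal certificate and the redirect ACL on the switch are both tied to that name and address.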