02-23-2020 11:42 PM - edited 02-26-2020 12:04 AM
Hello Team,
Need suggestion...
(We have 2 ISE hardware box SNS-3495) we are planning to connect 2x ISE (Active/Standby) with 3x interfaces.
Please share if any supportive IP designing document is available.
02-24-2020 01:06 AM
02-24-2020 02:10 AM
Hello Mohammed,
Thanks for your response.
Is there any supporting document which states that "It's not necessary for PAN and PSN to be in the same subnet."?
Also please suggest if the IP assignment is correct or not.
02-24-2020 01:08 PM
The wording of the question is a bit vague, but it sounds like you have 2 total SNS-3495 appliances (you should be aware that End of Software Support on that platform was October 2019 - 34xx EoL Notice ) you are using to deploy ISE.
If this is the case, you would have all 4 Personas (PAN, MnT, PSN, Device Admin) running on both nodes. In this scenario, you would typically only use 2x IP addresses for ISE (Gig0 for management, RADIUS, TACACS, etc; Gig1 for Guest Portal) and 1x IP address for CIMC for each node.
I would suggest reviewing the following collateral:
Install Guide - Network Deployments in ISE
Install Guide - ISE Ports Reference
When using multiple interfaces for ISE services, you will also need to configure an interface alias for portal redirection. I would suggest reviewing the section on Load Balancing ISE Web Services in this Cisco Live presentation:
BRKSEC-3432 - Advanced ISE: Architect, Design and Scale ISE for your production networks
Cheers,
Greg
02-25-2020 01:41 AM
Hello Greg,
Thanks for the information.
The deployment scenario that you have mentioned is correct. We have 2 total SNS-3495 appliances and we are aware that it is EOS & EOL.
As you mentioned "you would typically only use 2x IP addresses for ISE (Gig0 for management, RADIUS, TACACS, etc; Gig1 for Guest Portal)", so can't we configure Gig 2 for TACACS?
02-25-2020 02:23 PM
ISE will listen for TACACS+ on Gig2 if you prefer to use a separate interface. This is all dependent on your overall architecture and design (routing, security zones, etc).
Both RADIUS and TACACS+ are lightweight protocols, so unless you expect to overload the interface bandwidth there may be no value in using separate interfaces if the same node will be processing both.
I would suggest also reviewing the following:
03-02-2020 01:18 AM
03-02-2020 12:56 PM
I would not see the value in using separate interfaces in the same subnet for the separate services. Using separate interfaces would typically involve those interfaces sitting on different subnets.
03-02-2020 11:51 PM
Yes you are correct.
So if we use Gig 0 for Mgmt & TACACS and Gig 1 for Guest, then that will be the best approach.
However, if Gig 0 & Gig 1 are in different subnets and connected to different switches, then what will be my gateway?
03-03-2020 02:15 PM
As of ISE 2.0, you can configure multiple default gateways via 'ip route' when you have multiple interfaces and it will use the correct gateway for outbound traffic.
I would suggest reviewing the Load Balancing ISE Web Services section of the following CiscoLive deck:
BRKSEC-3699: Designing ISE for Scale & High Availability - 2018 Orlando (Session Reference deck)
Excerpt:
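Added example, not from this thread or from Cisco: a small Python model of the two-interface plan discussed above (Gig0 for management/RADIUS/TACACS+, Gig1 for the guest portal, each on its own subnet with its own default gateway). It checks the design rules given in the replies and shows which gateway a reply would use; the addresses and the simplified source-based routing model are constructed assumptions, not ISE's actual implementation.

```python
from ipaddress import ip_address, ip_interface

# Constructed sample plan for one ISE node; addresses are illustrative, not from the thread.
# Gig0 carries management/RADIUS/TACACS+, Gig1 the guest portal, each on its own subnet
# with its own default gateway (the per-interface 'ip route' model described in the thread).
NODE_PLAN = {
    "GigabitEthernet0": {"ip": "10.10.1.11/24", "gateway": "10.10.1.1",
                         "services": ["mgmt", "radius", "tacacs+"]},
    "GigabitEthernet1": {"ip": "10.10.2.11/24", "gateway": "10.10.2.1",
                         "services": ["guest-portal"]},
}


def validate_plan(plan):
    """Return the design problems found; an empty list means the plan follows the advice above."""
    problems = []
    seen = {}  # interface name -> its network
    for name, cfg in plan.items():
        iface = ip_interface(cfg["ip"])
        gw = ip_address(cfg["gateway"])
        if gw not in iface.network:
            problems.append(f"{name}: gateway {gw} is not on its subnet {iface.network}")
        elif gw == iface.ip:
            problems.append(f"{name}: gateway equals the interface address {gw}")
        for other, net in seen.items():
            if net.overlaps(iface.network):
                problems.append(f"{name} and {other} overlap ({iface.network} vs {net}); "
                                "separate interfaces should sit on separate subnets")
        seen[name] = iface.network
    return problems


def next_hop(plan, source_ip, dest_ip):
    """Simplified model (assumption): a flow sourced from an interface address leaves via that
    interface, using its own gateway unless the destination is on the attached subnet."""
    src, dst = ip_address(source_ip), ip_address(dest_ip)
    for name, cfg in plan.items():
        iface = ip_interface(cfg["ip"])
        if src == iface.ip:
            return name, (None if dst in iface.network else cfg["gateway"])
    raise ValueError(f"{source_ip} is not an address on any configured interface")


if __name__ == "__main__":
    print(validate_plan(NODE_PLAN) or "plan OK")
    print(next_hop(NODE_PLAN, "10.10.2.11", "192.0.2.50"))  # guest-portal reply to a remote client
    print(next_hop(NODE_PLAN, "10.10.1.11", "10.10.1.20"))  # TACACS+ reply to a switch on Gig0's subnet
```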