12-12-2017 04:28 AM
Hi team,
Customer is migrating from ACS to ISE. They need to create a secondary host IP address (/32) or loopback on ISE to provide an access to. Is it possible to do it?
Thanks,
Alexey
12-12-2017 06:37 AM
I don’t think so. Is there a reason they cannot create another interface and configure that?
12-12-2017 07:34 AM
Hi Jason,
The customer needs to assign a host address to ISE because this address was used by ACE before (from a different network segment). But for LAN communication (VRRP and so on) the usual /27 address should also be used. These are totally different addresses.
The idea is to use the /27 address for LAN communication and the /32 address for use by network devices for the TACACS service.
Regards,
Alexey
12-12-2017 07:41 AM
Right now I don’t see an option for secondary or loopback.
Management must reside on gig0, but other traffic can take place on other interfaces.
Is there a reason they can’t create another interface and use that?
12-12-2017 12:35 PM
ISE supports multiple interfaces, each of which can be assigned a unique IP in its own subnet, but loopbacks and secondaries are not supported. You mention ACE, so it potentially sounds like you are trying to replicate a DSR config, which is also not supported by ISE.
Craig
12-12-2017 12:42 PM
Thanks Craig.
Does it mean that ISE doesn’t support /32 addresses at all?
Sorry for typo – I meant ACS, not ACE.
Regards,
Alexey
12-12-2017 12:52 PM
/32 is not the same as a loopback or secondary. You should be able to config /32, but not sure if it will achieve desired result. ISE will not forward traffic between interfaces.
12-13-2017 05:14 AM
Alexey,
I am still confused about what the customer is trying to do. Is the customer trying to do a flash cut by using the same address on ISE that was used in ACS, so they don't have to go and touch all their network equipment to change TACACS IPs?