ISE 1.2 - Multiple NICs/Load Balancing for DHCP Probe

sayrmatics (Level 1)

Hello guys

Just prepping an ISE 1.2 patch 8 setup in our organization. I am going for the virtual appliances with multiple NICs. It will be a distributed deployment with 4 x PSNs behind a load balancer and there is no requirement for wireless or guest users at the moment. I've got 2 points I would like some guidance on:

  1. Our DC has a dedicated mgmt network and I plan to IP the gig0 interface of the PANs, MNTs and PSNs from this subnet. All device admin, clustering, config replication, etc. will be over this interface. However, RADIUS/probe/other user traffic to the ISE PSNs will be over the gig1 interface, which will be addressed from another L3 network. Is this a supported configuration in ISE?
  2. I intend to use the DHCP probe as part of device profiling and would ideally like to have just one additional ip helper to add to our switch SVI config. Also, it appears that WLCs can only be configured with 2 DHCP servers for a given network, so that is another consideration for when we bring our WLAN into scope. We use ACE load balancers within our DC, and from what I have read they do not support DHCP load balancing. Are there any workarounds to using the DHCP probe with multiple PSNs without having to add each node as an ip helper/DHCP server on the NADs?

Thanks in advance

Sayre

Accepted Solution

nspasov (Cisco Employee)

Hello Sayre-

For Question #1:

  • Management is restricted to GigabitEthernet 0 and that cannot be changed so you should be good there
  • You can configure Radius and Profiling to be enabled on other interfaces
  • Even though you are not using guest services yet, you can dedicate an interface just for that. As a result, you can separate guest traffic completely from your production network
  • Take a look at this link for more info:

http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/installation_guide/ise_ig/ise_app_c-ports.html

For Question #2

If you are using a Cisco WLC and running code 7.4 and newer you don't need to mess with the IP helper configurations. 

The controller can be configured to act as a collector for client profiling and interact with the DHCP thread along with the RADIUS accounting task that is running on the controller. The controller receives a copy of the DHCP request packet sent from the DHCP thread and parses the DHCP packet for two options:

  • Option 12: the host name of the client
  • Option 60: the Vendor Class Identifier

After this information is gathered from the DHCP_REQUEST packet, a message is formed by the controller with these option fields and is sent to the RADIUS accounting thread, which in turn transmits it to the ISE in the form of an interim accounting message.

Both DHCP and HTTP profiling settings are located under the "Advanced" configuration tab in the WLC.

On the other hand, you can also use Anycast for profiling. You can check out some of Cisco Live's sessions for more info on that. Here is one from a couple of years ago (there are more recent ones available as well):

http://www.alcatron.net/Cisco%20Live%202013%20Melbourne/Cisco%20Live%20Content/Security/BRKSEC-3040%20%20Advanced%20ISE%20and%20Secure%20Access%20Deployment.pdf

I hope this helps!


Thank you for rating helpful posts!

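The option extraction the answer above describes, as an added Python example (not the WLC's code and not from the post): it builds a constructed DHCPREQUEST, walks the option list the way a collector must, and pulls out options 12 and 60, returning None instead of trusting a packet whose option lengths run past its end. The key names `hostname` and `vendor_class` are this example's own, not ISE attribute names.

```python
DHCP_MAGIC = b"\x63\x82\x53\x63"   # RFC 2132 magic cookie at offset 236
OPT_HOSTNAME, OPT_VENDOR_CLASS, OPT_MSG_TYPE = 12, 60, 53
DHCPREQUEST = 3

def build_sample_request(hostname, vendor_class, msg_type=DHCPREQUEST):
    """Constructed sample (not a capture): op/htype/hlen/hops, xid, the
    remaining BOOTP fields zeroed, cookie, then options 53, 12, 60, END."""
    header = bytes([1, 1, 6, 0]) + b"\x39\x03\xf3\x26" + b"\0" * 228
    options = (bytes([OPT_MSG_TYPE, 1, msg_type])
               + bytes([OPT_HOSTNAME, len(hostname)]) + hostname
               + bytes([OPT_VENDOR_CLASS, len(vendor_class)]) + vendor_class
               + b"\xff")
    return header + DHCP_MAGIC + options

def parse_dhcp_options(packet):
    """Walk the option TLVs after the cookie and return {code: raw bytes}.
    Skips PAD (0), stops at END (255), rejects lengths that overrun the packet."""
    if len(packet) < 240 or packet[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP packet: magic cookie missing")
    options, i = {}, 240
    while i < len(packet):
        code = packet[i]
        if code == 255:
            break
        if code == 0:
            i += 1
            continue
        if i + 1 >= len(packet):
            raise ValueError("option %d has no length byte" % code)
        length = packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("option %d runs past end of packet" % code)
        options[code] = value
        i += 2 + length
    return options

def profiling_attributes(packet):
    """The two fields the collector forwards to ISE, decoded as text.
    {} for a non-REQUEST message, None for a malformed packet (dropped)."""
    try:
        opts = parse_dhcp_options(packet)
    except ValueError:
        return None
    if opts.get(OPT_MSG_TYPE) != bytes([DHCPREQUEST]):
        return {}
    return {"hostname": opts.get(OPT_HOSTNAME, b"").decode("ascii", "replace"),
            "vendor_class": opts.get(OPT_VENDOR_CLASS, b"").decode("ascii", "replace")}
```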

3 Replies


Hi Neno

Many thanks for the detailed response... much appreciated.

Sayre


You are welcome Sayre! Glad I could help! :)