Cisco Employee

ISE 2.1 Walled Garden design

Hi,

I am working on a requirement for a bunch of 3rd-party switches, mainly HP and Brocade, and some legacy Cisco switches. All users are distributed geographically and connected centrally via MetroE with very low latency, across around 250+ sites.

Does Walled Garden allow central DHCP/DNS? Putting SNS in every location will drive up the cost. Do we have any design for this?

Thanks

Wing Churn


3 REPLIES
Cisco Employee

If the PSN is layer 3, then configure a "helper" on the local gateway to use the DHCP server on the configured PSN interface; this is defined under the Auth VLAN Config.
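As an added illustration (not part of the reply above and not taken from Cisco documentation), this is what a remote-site layer 3 gateway configuration for the Auth VLAN looks like when it relays DHCP to the PSN. The VLAN number, the site subnet and the PSN address are constructed placeholders; the PSN address stands in for whatever interface IP is configured under Auth VLAN Config.

```ios
! Added example (constructed values): remote-site gateway SVI for the Auth VLAN.
! 192.0.2.10 is a placeholder for the PSN interface IP defined under Auth VLAN Config.
interface Vlan200
 description Auth-VLAN walled garden (constructed example)
 ip address 10.200.1.1 255.255.255.0
 ! Relay the clients' broadcast DHCP DISCOVER/REQUEST to the central PSN.
 ! The relayed packet carries this SVI address (10.200.1.1) as the gateway
 ! address, so the DHCP scope built on the PSN for this site must be
 ! 10.200.1.0/24 or the PSN cannot pick the right scope for the request.
 ip helper-address 192.0.2.10
!
! Verify the relay is in place on the gateway:
! show ip interface Vlan200 | include Helper
```

Each site needs its own Auth VLAN scope on the PSN that matches the subnet of the SVI doing the relaying; the defects listed later in this thread about overlapping scopes and scope/subnet mismatches are the cases where that matching goes wrong, so check the scope list on the PSN against the site subnets before cutting over.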


Hi Imran,

Thanks for the response. I am looking at around 250 sites with around 15k users. Do we have any specific design for this?

Can I dedicate 2 x SNS 3595 for 3rd-party integration only?

Thanks

Wing Churn

ACCEPTED SOLUTION

You could, but you need to make sure that max concurrent users < platform max, which is the case here if using 3595s. If you plan to perform lots of web auth, then scale as you would regular ISE flows, with maybe a bit more overhead for DNS/DHCP and the additional redirect functions. Consider that web auth (non-registered endpoints) is about 25-40 auths/sec.

Note that there are some open defects planned for ISE 2.1 Patch 2 to address overlapping scopes and a couple of other issues. If you plan to overload PSNs with multiple Auth VLANs, then you will need to wait until Patch 2 or request a hotfix.

  • CSCva66772 ISE: DHCP Domain name cannot have more than 2 dots.
  • CSCuz10364 'overlap' error seen on DHCP page while the network ID different.
  • CSCvb02052 ISE Assigns DHCP IP even if scope does not match local subnet.

/Craig