MS-JK
Beginner

ISE and F5 Load Balancer (RADIUS + TACACS) using SAME IPs

Any issues using the same IP address (different port for TACACS) for the F5 VIPs for both RADIUS functions and TACACS+ to the SAME PSN nodes? PSN nodes have ONE IP.

 

Example:

VIP1: 10.10.10.1 - RADIUS VIP with all its settings for AUTH

VIP2: 10.10.10.1 - Profiling VIP as needed.

VIP3: 10.10.10.1 TCP 49 - TACACS VIP with all its settings.

 

NOTE: Reading Cisco's ISE/F5 deployment guides and looking at Cisco Live's BRKSEC-3699 session, I cannot find an answer.

 

Would this create issues in certain scenarios, for example where outbound SNAT is used for traffic initiated from the PSNs?

 

Thanks for input.

 

3 REPLIES
Damien Miller
VIP Advisor

While I find it nice to keep VIPs separate, there is nothing stopping this from working. The same virtual servers will be set up, just using the same VIP instead of different.
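To make the reply concrete, here is what "the same virtual servers, just on the same VIP" looks like in F5 tmsh. This is an added example, not configuration from the original thread or from the Cisco/F5 deployment guide. It assumes two PSNs at 10.10.10.11 and 10.10.10.12 (hypothetical addresses), the standard ports (RADIUS authentication UDP/1812, accounting UDP/1813, TACACS+ TCP/49), and the outbound-SNAT design the question mentions. The object names are arbitrary. The F5 matches a virtual server on destination IP, protocol and port, so a UDP/1812 virtual and a TCP/49 virtual on 10.10.10.1 are distinct listeners and do not interfere; what must differ between them is the `ip-protocol`/profile, not the address.

```tmsh
# Added example (not from the thread). PSN addresses are hypothetical.
ltm node 10.10.10.11 { address 10.10.10.11 }
ltm node 10.10.10.12 { address 10.10.10.12 }

# One pool per service port; every pool points at the same PSN nodes.
# gateway_icmp keeps the example self-contained; a RADIUS monitor with
# test credentials is preferable so a PSN whose RADIUS process is down
# is actually pulled from rotation.
ltm pool pool_ise_radius_auth {
    members {
        10.10.10.11:1812 { address 10.10.10.11 }
        10.10.10.12:1812 { address 10.10.10.12 }
    }
    monitor gateway_icmp
}
ltm pool pool_ise_radius_acct {
    members {
        10.10.10.11:1813 { address 10.10.10.11 }
        10.10.10.12:1813 { address 10.10.10.12 }
    }
    monitor gateway_icmp
}
ltm pool pool_ise_tacacs {
    members {
        10.10.10.11:49 { address 10.10.10.11 }
        10.10.10.12:49 { address 10.10.10.12 }
    }
    monitor tcp
}

# RADIUS authentication: UDP listener on the shared VIP.
# Source-address persistence keeps a NAD (and a multi-packet EAP
# exchange) pinned to one PSN.
ltm virtual vs_ise_radius_auth {
    destination 10.10.10.1:1812
    ip-protocol udp
    profiles { udp { } }
    pool pool_ise_radius_auth
    persist { source_addr { default yes } }
    source-address-translation { type automap }
}

# RADIUS accounting: same VIP, same protocol, different port.
ltm virtual vs_ise_radius_acct {
    destination 10.10.10.1:1813
    ip-protocol udp
    profiles { udp { } }
    pool pool_ise_radius_acct
    persist { source_addr { default yes } }
    source-address-translation { type automap }
}

# TACACS+: same VIP, but a TCP listener with a TCP profile. The UDP
# profile on the RADIUS virtuals applies only to those virtuals.
ltm virtual vs_ise_tacacs {
    destination 10.10.10.1:49
    ip-protocol tcp
    profiles { tcp { } }
    pool pool_ise_tacacs
    persist { source_addr { default yes } }
    source-address-translation { type automap }
}
```

Two caveats with the SNAT automap shown. First, the PSNs see the F5 self IP as the RADIUS/TACACS client, so every NAD's shared secret is looked up under that address rather than the real NAD IP; the network device entries in ISE must reflect that. Second, Change of Authorization is initiated by the PSN toward the NAD and does not pass through the VIP, so the NADs must accept CoA from each PSN's own address (or a NAT address the PSNs are translated to), not only from 10.10.10.1. A profiling VIP (DHCP helper, SNMP traps, NetFlow) follows the same pattern: another UDP virtual on 10.10.10.1 with its own port and pool.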

Thanks for your response - BUT now you're mixing UDP with TCP. For example, the design document calls for the VIP on the F5 for RADIUS to be configured with the UDP protocol. I'm afraid that TACACS traffic will then have issues.

 

With that said - let me ADD to this question to make it little bit more complicated:

The F5 is an "F5 on a stick" design. BUT it doesn't have external/internal - it actually has only ONE VLAN X that is shared by both the VIPs and the NODES. Example: VIP: 10.0.0.1/24, PSN1 NODE: 10.0.0.2/24. With traffic such as HTTP I know this wouldn't be a problem - BUT will this create issues with any RADIUS/TACACS/PROFILING/PORTALS, etc.?

 

Basically you have an L3 router on VLAN X that has the internal VLAN X and the external VLAN Y. This router will have /32 routes for the VIPs pointing to the F5, and the PSNs will have their default gateway set to the F5. Now that I think of this - routes will probably NOT be enough; static MAC/ARP assignments will also be required to prevent the router from answering for the VIPs/NODEs.

 

Thanks for feedback.

 

 

OK - I actually found a slide on this (on the same VLAN / F5 on a stick). Has ANYONE done this, or is ANYONE doing this, who can comment on how it's going or any issues?

 

 

[Attachment: Screen Shot 2020-01-26 at 4.49.59 PM.png]