01-24-2020 10:39 AM
Any issues using the same IP address (different port for TACACS) for F5 VIPs for both RADIUS functions and TACACS+ to the SAME PSN nodes? PSN nodes have ONE IP.
Example:
VIP1: 10.10.10.1 Radius VIP with all its settings for AUTH
VIP2: 10.10.10.1 Profiling VIP as needed.
VIP3: 10.10.10.1 TCP 49 - tacacs VIP with all its settings.
NOTE: Reading Cisco's ISE/F5 deployment guides and looking at Cisco's Live BRKSEC-3699 session, I cannot find an answer.
Would this create issues in certain scenarios where, for example, outbound SNAT is used for traffic initiating from PSNs?
Thanks for input.
01-25-2020 09:34 AM
01-26-2020 03:29 PM
Thanks for your response - BUT now you're mixing UDP with TCP. For example: the design document calls for the VIP on the F5 for RADIUS to be configured as UDP protocol. I'm afraid that TACACS traffic will then have issues.
With that said - let me ADD to this question to make it a little bit more complicated:
The F5 is an (F5 on a stick) design. BUT - it doesn't have external/internal - it actually has only ONE VLAN X that shares both VIPs and NODES. Example: VIP: 10.0.0.1/24, PSN1 NODE: 10.0.0.2/24. With traffic such as HTTP I know this wouldn't be a problem - BUT will this create issues with any RADIUS/TACACS/PROFILING/PORTALS, etc.?
Basically you have an L3 router on VLAN X that has the internal VLAN X and external VLAN Y. This router will do /32 routes for VIPs to point to the F5, and PSNs will have their DG set to the F5. Now that I think of this - routes will probably NOT be enough; static MAC/ARP assignments will also be required to prevent the router from answering for the VIPs/NODEs.
Thanks for feedback.
01-26-2020 03:51 PM
OK - actually found a slide on this (on the same VLAN/F5 on a stick). Has ANYONE done this, or is ANYONE doing this, who can comment on how it's going or any issues?
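As an added illustration (not from the Cisco/F5 guides or any poster here) of the layout asked about in the first post and the one-armed design in the follow-up: one VIP address carrying RADIUS auth/acct as UDP listeners and TACACS+ as a TCP listener, all pooled to the same PSN nodes. A BIG-IP virtual server is keyed on destination address, port and IP protocol, so the UDP and TCP listeners on 10.10.10.1 are separate objects and do not interfere. Assumed values: PSN nodes 10.10.10.11 and 10.10.10.12, RADIUS on 1812/1813, TACACS+ on TCP 49, and no SNAT on inbound AAA traffic because the PSNs' default gateway is the F5, as described in the thread.

```tmsh
# Illustrative bigip.conf fragment (assumed addressing, not from the thread).
ltm node psn1 { address 10.10.10.11 }
ltm node psn2 { address 10.10.10.12 }

# Same two PSNs in every pool; only the service port and monitor differ.
ltm pool pool_radius_auth { members { psn1:1812 { address 10.10.10.11 } psn2:1812 { address 10.10.10.12 } } monitor gateway_icmp }
ltm pool pool_radius_acct { members { psn1:1813 { address 10.10.10.11 } psn2:1813 { address 10.10.10.12 } } monitor gateway_icmp }
ltm pool pool_tacacs      { members { psn1:49   { address 10.10.10.11 } psn2:49   { address 10.10.10.12 } } monitor tcp }

# Source-address persistence shared across the auth and acct virtuals so a
# NAD's accounting packets follow its authentication to the same PSN.
ltm persistence source-addr persist_nad {
    defaults-from source_addr
    match-across-services enabled
    match-across-virtuals enabled
    timeout 3600
}

# RADIUS: UDP listeners. SNAT is disabled so the PSN sees the real NAD source
# address; return traffic still transits the F5 because the PSN DG is the F5.
ltm virtual vs_radius_auth {
    destination 10.10.10.1:1812
    ip-protocol udp
    profiles { udp { } }
    pool pool_radius_auth
    persist { persist_nad { default yes } }
    source-address-translation { type none }
}
ltm virtual vs_radius_acct {
    destination 10.10.10.1:1813
    ip-protocol udp
    profiles { udp { } }
    pool pool_radius_acct
    persist { persist_nad { default yes } }
    source-address-translation { type none }
}

# TACACS+: TCP listener on the same address. Different protocol and port make
# this a distinct virtual server, so the UDP RADIUS virtuals are unaffected.
ltm virtual vs_tacacs {
    destination 10.10.10.1:49
    ip-protocol tcp
    profiles { tcp { } }
    pool pool_tacacs
    source-address-translation { type none }
}
```

Any traffic the PSNs initiate outbound (the SNAT case raised in the first post) is a separate forwarding virtual and is not part of this fragment.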