ISE communication flow and ports

Madura Malwatte
Level 4

Hi All,

For someone who is working on ISE for the first time, I'm having some difficulty confirming the communication traffic flow and ports between ISE nodes and devices. This is to configure the firewalls in the network. I have ISE nodes sitting in different data centers and between internal and DMZ networks, so there are a lot of firewalls in place.

If I refer to the ISE ports reference document and diagram - https://www.cisco.com/c/en/us/td/docs/security/ise/2-3/install_guide/b_ise_InstallationGuide23/b_ise_InstallationGuide23_chapter_0110.html

Some services mention inbound or outbound, but the majority of services do not mention which direction. For example, for the PSN session ports, how do I know which direction? Another example from the diagram: the traffic flow is from NAD to PSN, so I will need to open the required ports on the PSN side; is it correct that the PSNs will never initiate traffic towards the NAD?

Should I go by the diagram and just use the arrows as the reference for direction? Is this accurate? Or is there a better document?


3 Replies

howon
Cisco Employee (accepted solution)

This is the best resource. Use the arrows and the tables below in the document for details. In regards to the NAD:

- NAD to ISE: RADIUS Authentication & Accounting, T+, SNMP trap, syslog

- ISE to NAD: CoA, SNMP read/write, netflow. Also, if you are using Secure Access Wizard, ISE will initiate SSH to the WLC.

There are additional ports that need to be open for TrustSec communications, shown in the document.

Hi Hosuk,

Thanks for the reply. Actually, the 2.3 diagram has NAD-to-ISE arrows in both directions, so one would assume to open up ports in both directions. But in the 2.2 diagram the arrow is in only one direction (NAD to ISE). These are some of the inconsistencies that are confusing when setting up the firewalls.

Also, for multiple PSNs, are there any ports that need to be opened for comms between the PSNs?

If you have a node group configured amongst the PSNs, then you need to open TCP/7800 in both directions.
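An added example (not from the thread or from Cisco) that turns the initiator/responder directions howon lists into stateful firewall rules per zone pair, so only the initiating side of each flow needs a rule, and reports which rules a site has not configured yet. Only TCP/7800 comes from the thread; RADIUS 1812/1813, TACACS+ 49, SNMP 161/162, syslog 514, CoA 1700/3799 and SSH 22 are standard defaults assumed here, NetFlow is omitted because its port is site-configured, and the node names, zones and configured-rule list are constructed.

```python
# Initiator role, responder role, protocol, port, service. Only TCP/7800 is from the
# thread; the other ports are standard defaults (assumption). NetFlow omitted.
FLOWS = [
    ("NAD", "PSN", "udp", 1812, "RADIUS authentication"),
    ("NAD", "PSN", "udp", 1813, "RADIUS accounting"),
    ("NAD", "PSN", "tcp", 49, "TACACS+"),
    ("NAD", "PSN", "udp", 162, "SNMP trap"),
    ("NAD", "PSN", "udp", 514, "syslog"),
    ("PSN", "NAD", "udp", 1700, "RADIUS CoA (Cisco default)"),
    ("PSN", "NAD", "udp", 3799, "RADIUS CoA (RFC 5176)"),
    ("PSN", "NAD", "udp", 161, "SNMP read/write"),
    ("PSN", "WLC", "tcp", 22, "SSH (Secure Access Wizard)"),
    ("PSN", "PSN", "tcp", 7800, "node group"),  # either PSN initiates: both directions
]

def roles_match(role, wanted):
    # A WLC is a NAD for the RADIUS/SNMP/syslog flows.
    return role == wanted or (wanted == "NAD" and role == "WLC")

def required_rules(nodes, node_group=False):
    """nodes: {name: (role, firewall_zone)}. Returns the set of stateful allow rules
    (src_zone, dst_zone, proto, port, service); only the initiator->responder
    direction is needed, replies ride the firewall's session entry."""
    rules = set()
    for flow_src, flow_dst, proto, port, service in FLOWS:
        if service == "node group" and not node_group:
            continue
        for a, (role_a, zone_a) in nodes.items():
            for b, (role_b, zone_b) in nodes.items():
                if a == b or zone_a == zone_b:
                    continue  # same zone: assumed no firewall in the path
                if roles_match(role_a, flow_src) and roles_match(role_b, flow_dst):
                    rules.add((zone_a, zone_b, proto, port, service))
    return rules

def missing_rules(nodes, configured, node_group=False):
    """configured: (src_zone, dst_zone, proto, port) tuples already on the firewalls."""
    have = {tuple(c) for c in configured}
    return sorted(r for r in required_rules(nodes, node_group) if r[:4] not in have)

# Constructed sample: PSNs in two data centres, a campus switch, a WLC in the DMZ.
SAMPLE_NODES = {"psn1": ("PSN", "dc1-internal"), "psn2": ("PSN", "dc2-internal"),
                "sw-edge": ("NAD", "campus"), "wlc1": ("WLC", "dmz")}
SAMPLE_CONFIGURED = [("campus", "dc1-internal", "udp", 1812),
                     ("campus", "dc1-internal", "udp", 1813)]

if __name__ == "__main__":
    for r in missing_rules(SAMPLE_NODES, SAMPLE_CONFIGURED, node_group=True):
        print("allow %s -> %s %s/%d  # %s" % r)
```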