ISE Deployment in Network and VLAN Routing

Hi Everybody,

Newbie to ISE. I want help/suggestions on how to deploy ISE in my network, or comments on whether my plan is efficient.

ISE, servers (all) and corporate machines (dot1x and domain) in VLAN 10

Guests should be in a separate VLAN 20

By default all switch ports should be in VLAN 30, having nothing but DHCP.

Every endpoint should come through VLAN 30 and then be pushed to its respective VLAN, i.e. to 10 if a corporate (dot1x) PC and to guest VLAN 20 if MAB and not listed in endpoints.

Is this an efficient deployment?

Secondly, is inter-VLAN routing required in this scenario for the endpoints to be policed properly?

Should ISE be able to communicate with and police endpoints that are not in its VLAN?

Accepted Solution

Vidyadhar Evani

Hi,

ISE deployment needs a lot of consideration across many aspects. I suggest reading through the Cisco documentation to get familiar with it.

http://www.cisco.com/c/dam/en/us/td/docs/solutions/Enterprise/Security/TrustSec_2-0/trustsec_2-0_dig.pdf

A Cisco ISE node has many roles: Admin, Monitor and Policy Service. The Policy Service Node (PSN) is the one which plays the role of RADIUS server (advanced RADIUS, to be precise) to handle AAA requests.

For internal hosts' dot1x authentication, you can have an ISE PSN in the internal LAN (same VLAN as servers or users), whereas for wireless guests you can use a dedicated PSN or share the PSN, depending on security requirements.

Cheers,

Vidy

Please don't forget to rate this post if useful. 

/Vidya
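The plan in the question (default VLAN 30 on every port, ISE pushing VLAN 10 to 802.1X corporate PCs and VLAN 20 to unknown MAB endpoints) and the accepted answer's point that the PSN is the RADIUS server, as an added example that is not from the original thread, from Cisco or from the poster: a Cisco IOS access-switch configuration that makes the switch a RADIUS client of one PSN and accepts the VLAN that ISE returns. The IP addresses, interface names, RADIUS server name and shared secret are assumed values. Two things worth knowing about the inter-VLAN question: RADIUS runs between the switch and the PSN, not between the endpoint and ISE, so the reachability that matters is from the switch's RADIUS source interface to the PSN (endpoints need their own route to the PSN only for client-facing services such as a guest web portal); and with `authentication port-control auto` in the default closed mode a port passes no data traffic until authorization succeeds, so VLAN 30 is where a port sits only when ISE returns no VLAN, unless `authentication open` is configured to allow pre-authentication DHCP.

```cisco
! ---- Global AAA: the switch is the RADIUS client of the ISE PSN ----
! Assumed addressing: PSN 10.1.10.5 and the switch management SVI both in VLAN 10.
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
dot1x system-auth-control
!
radius server ISE-PSN-1
 address ipv4 10.1.10.5 auth-port 1812 acct-port 1813
 key ExampleSharedSecret
!
! RADIUS is sourced from this SVI; it (not the endpoint VLANs) must reach the PSN.
interface Vlan10
 ip address 10.1.10.2 255.255.255.0
ip radius source-interface Vlan10
!
! Include NAS-Port-Type / Framed-MTU in requests and accept vendor attributes
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server vsa send authentication
!
! ---- Access ports: VLAN 30 by default, 802.1X first, MAB as the fallback ----
interface range GigabitEthernet1/0/1 - 24
 description user port, VLAN overridden by ISE Access-Accept
 switchport mode access
 switchport access vlan 30
 spanning-tree portfast
 authentication host-mode single-host
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication event fail action next-method
 authentication periodic
 authentication timer reauthenticate server
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
!
! ---- What the PSN returns in the Access-Accept (ISE authorization profiles) ----
! Standard RFC 3580 VLAN attributes; the switch above honours them as written.
! Corp-VLAN-10 profile, matched on a wired 802.1X session from a domain machine/user:
!   Tunnel-Type             = VLAN (13)
!   Tunnel-Medium-Type      = IEEE-802 (6)
!   Tunnel-Private-Group-ID = "10"
! Guest-VLAN-20 profile, matched on wired MAB when the MAC is not a known endpoint.
! For this to be reached, the MAB authentication rule in ISE must be set to
! "Continue" when the host is not found, otherwise ISE answers Access-Reject
! and the port never receives a VLAN.
!   Tunnel-Type             = VLAN (13)
!   Tunnel-Medium-Type      = IEEE-802 (6)
!   Tunnel-Private-Group-ID = "20"
!
! ---- Verification ----
! show authentication sessions interface GigabitEthernet1/0/1 details
!   (look at "Vlan Policy" for the VLAN ISE assigned and "Status" for Authorized)
! show aaa servers
!   (confirms the switch is actually exchanging RADIUS with 10.1.10.5)
```

The authorization decision itself lives in ISE, not on the switch: the switch only forwards the EAP or MAC-address credential to the PSN and applies whatever VLAN comes back, which is why the PSN can "police" ports in any VLAN as long as the switch's RADIUS source address can route to it.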
