ISE features matrix with IOS Lan Base vs IP Base licensing on NADs

cfitzgerald
Level 1

We have a fleet of 3650 switches running Lanbase license. I just discovered today that the Device Profiling (Device Sensor) features of ISE require the IP Base license on the switches. I am trying to find out what other features of ISE require IP Base, but I can't find what I need. Does anybody have any ideas? Thanks.

Accepted Solutions

I could not find this information in public documentation, but I did find a previous TAC case in which the TAC engineer confirmed the following:

"NAC when used for posture flow, requires DACL configuration on the ISE. The DACLs are not applied on the switch interfaces if the switch uses LAN base license."

TrustSec also requires the IP Base feature set as per the Platform and Capability Matrix.

As such, you would need to upgrade to the IP Base license to take advantage of the more advanced ISE features.

Cheers,

Greg

6 Replies

Hi @Mike.Cifelli,

Thanks for your response, but I've looked at that document before. It confirms that the 3650 switch is compatible with all ISE features, but it does not differentiate between a switch with LAN Base license vs IP Base (or higher).

ISE Device Profiling requires IP Base. But what about TrustSec? Or Posturing?

I don't think you will find a comprehensive list because feature sets have always varied by model. I've never seen one at least.

If you look at the TrustSec matrix, you can see what I'm talking about. In general though, TrustSec is a feature found in IP Base/Network Advantage/DNA Advantage. Some exceptions on the ends, e.g. IE series switches, 2960s.
https://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise-networks/trustsec/software-platform-capability-matrix.pdf

DACL seems like one of the most basic features of ISE, since it is required for any meaningful application of an AuthZ policy result.

I have been unable to find any reference to DACL in the Feature Navigator for the 3650 Platform.

While I can't speak to the feature navigator, I am 100% on DACLs being supported on 3650's.