Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1173
Views
0
Helpful
8
Replies

ISE Guest with Ruckus Flex connect integration

Go to solution
bhenderickx
Level 1
Level 1

‎09-18-2018 11:27 PM

Hi All,

 

we are currently trying to integrate ISE with Ruckus Wi-fi. the main purpose of usage will be for the guest. As Ruckus does not support URL redirect we will need  to use the DHCP and DNS of ISE in the pre-auth vlan to sinkhole all requests to the captive portal. in the tests we did on the same location it is working perfectly. However we would need to deploy this also on locations where no ISE server will be located. we will only have S2S layer 3 connection between the remote site and ISE server. As the Ruckus works with local breakout we need to use ip helper to relay it to the ISE servers located into the main hubs. You would have 3 main hubs where all remote sites will connect to where a PSN will be located.

 

my questions are the following :

  • Does ISE support DHCP in the same way as a normal DHCP
    • Dhcp-relay will be implemented on all sites and will point to the ISE server, ISE will provide IP following the source subnet correct ?
    • Does ISE DHCP support like 1000 simultaneous users between the different scopes
    • how many scopes can we implement per ISE server ?
    • Can we run DHCP server on PSN nodes ?

thanks,

 

Benjamin

0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
Jason Kunst
Cisco Employee
Cisco Employee

‎09-19-2018 01:37 PM

The service only runs on the PSN node. Only one PSN can serve any given subnet (there is no active standby where if one PSN fails another can take it on)

https://www.cisco.com/c/en/us/td/docs/security/ise/2-2/admin_guide/b_ise_admin_guide_22/b_ise_admin_guide_22_chapter_01000.html#concept_CDD87F6FE3A54351B27FF35316A23DA3


Scaling I would have to check on that.

View solution in original post

0 Helpful

Go to solution
Jason Kunst
Cisco Employee
Cisco Employee
In response to bhenderickx

‎10-12-2018 08:08 AM

Unfortunately we don't have the numbers as it wasn't validated as such. Please reach out through your account team to the ISE product management team and reference this thread. Ask them for further clarification (will do the same as well). For now here is some guidance as its currently understood.

 

Does ISE support DHCP in the same way as a normal DHCP

NO its utilized for those Network access devices that don’t support URL redirection and/or SNMP/RADIUS COA for those clients doing guest/byod that need to be redirected for onboarding and then move to a different state afterwards. its not a replacement

  

Dhcp-relay will be implemented on all sites and will point to the ISE server, ISE will provide IP following the source subnet correct ?

Yes this should work - https://www.cisco.com/c/en/us/td/docs/security/ise/2-2/admin_guide/b_ise_admin_guide_22/b_ise_admin_guide_22_chapter_01000.html#concept_CDD87F6FE3A54351B27FF35316A23DA3 

 

Does ISE DHCP support like 1000 simultaneous users between the different scopes

A PSN can support thousand of users. Unfortunately we don't have these testing numbers but would think 1000 would be ok

 

how many scopes can we implement per ISE server ?

No data

 

Can we run DHCP server on PSN nodes ?

Not sure of the question. This service for AUTH VLAN has a DHCP DNS service running on the PSN so yes?

 

 

 

 

 

View solution in original post

0 Helpful
8 Replies 8

Go to solution
Jason Kunst
Cisco Employee
Cisco Employee

‎09-19-2018 01:37 PM

The service only runs on the PSN node. Only one PSN can serve any given subnet (there is no active standby where if one PSN fails another can take it on)

https://www.cisco.com/c/en/us/td/docs/security/ise/2-2/admin_guide/b_ise_admin_guide_22/b_ise_admin_guide_22_chapter_01000.html#concept_CDD87F6FE3A54351B27FF35316A23DA3


Scaling I would have to check on that.
0 Helpful

Go to solution
bhenderickx
Level 1
Level 1
In response to Jason Kunst

‎09-20-2018 01:22 AM

Hi Jason,

 

thanks for quick response and explanation.

if we could check for the scaling that would be great to be sure to not have any issues on that point when deploying this.

 

 

0 Helpful

Go to solution
Jason Kunst
Cisco Employee
Cisco Employee
In response to bhenderickx

‎09-24-2018 10:34 AM

i have asked our performance/scale SME @Nidhi to look into this

0 Helpful

Go to solution
bhenderickx
Level 1
Level 1
In response to Jason Kunst

‎10-10-2018 02:27 AM

Hi jason,

 

any news on this topic ?

 

thanks,

 

Benjamin

0 Helpful

Go to solution
Nidhi
Cisco Employee
Cisco Employee
In response to bhenderickx

‎10-11-2018 02:50 AM

Hello Benjamin, 

We do not have any performance numbers available for this.

but please note that the purpose of this flow is to intercept the traffic from a 3rd party device for redirection to ISE. And should not be used as a replacement of a DHCP/DNS server. 

Thanks,

Nidhi

 

0 Helpful

Go to solution
bhenderickx
Level 1
Level 1
In response to Nidhi

‎10-12-2018 12:52 AM

Hi Nidhi,

 

i am well aware of this. just as this is a world-wide setup we will have some clients connecting to the pre-auth vlan which the ISE will be the DHCP/DNS and after they go to the auth-vlan where they will have an other server doing the DHCP.

will 90 dhcp scopes be allowed on ISE , and mayby 1000 users is to much lets say 200 at same time ?

my concern is more about how much dhcp scopes we can create.

 

thanks,

 

Benjamin

0 Helpful

Go to solution
Jason Kunst
Cisco Employee
Cisco Employee
In response to bhenderickx

‎10-12-2018 08:08 AM

Unfortunately we don't have the numbers as it wasn't validated as such. Please reach out through your account team to the ISE product management team and reference this thread. Ask them for further clarification (will do the same as well). For now here is some guidance as its currently understood.

 

Does ISE support DHCP in the same way as a normal DHCP

NO its utilized for those Network access devices that don’t support URL redirection and/or SNMP/RADIUS COA for those clients doing guest/byod that need to be redirected for onboarding and then move to a different state afterwards. its not a replacement

  

Dhcp-relay will be implemented on all sites and will point to the ISE server, ISE will provide IP following the source subnet correct ?

Yes this should work - https://www.cisco.com/c/en/us/td/docs/security/ise/2-2/admin_guide/b_ise_admin_guide_22/b_ise_admin_guide_22_chapter_01000.html#concept_CDD87F6FE3A54351B27FF35316A23DA3 

 

Does ISE DHCP support like 1000 simultaneous users between the different scopes

A PSN can support thousand of users. Unfortunately we don't have these testing numbers but would think 1000 would be ok

 

how many scopes can we implement per ISE server ?

No data

 

Can we run DHCP server on PSN nodes ?

Not sure of the question. This service for AUTH VLAN has a DHCP DNS service running on the PSN so yes?

 

 

 

 

 

0 Helpful

Go to solution
hslai
Cisco Employee
Cisco Employee
In response to bhenderickx

‎10-29-2018 12:40 PM

will 90 dhcp scopes be allowed on ISE , and mayby 1000 users is to much lets say 200 at same time ?

my concern is more about how much dhcp scopes we can create.

 

There is no hard limit on the number of such scopes to be created, I believe. Without being tested by our teams, we can't provide a confidence level how well the scopes would work.

0 Helpful
Customers Also Viewed These Support Documents