ISE - interface aware TACACS / NAD definitions with overlapping IPs - feature request ?

Hi all,

I just wanted to ask if that's possible (I think not), or if there are any plans on the roadmap to implement the following feature.

I'd like to reuse my existing ISE deployment for different network segments which can have overlapping networks.

Anyway, I need to distinguish NADs somehow, and that's the first obstacle: ISE doesn't allow overlapping ones.

If we could just add one differentiator to such a definition, e.g. VRF / interface ...

What do you think?

Accepted Solution

Arne Bier, VIP Advisor

Hello,

This would require ISE to become VRF aware, because at the simple L3 level (UDP/TCP), without that knowledge, how would ISE know how to return the UDP traffic? (I.e. if it has to send a UDP packet to 10.10.10.10, all ISE knows is to use the IPv4 stack and send the packet on its way.) But if you have overlapping IPv4 subnets, then ISE will need to have that routing intelligence.

I won't say "never", but I think unless that Layer 3 IP routing issue is resolved, this problem applies to any RADIUS vendor. ISE has multiple interfaces, but at the Linux level they all find their way to a single IPv4 stack.

The obvious solution would be to deploy one ISE deployment per "customer/overlap".

IPv6 is perhaps an alternative solution :-)

You can send feature requests to this link.

Regards,

Arne
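As an added illustration of the obstacle the thread describes (this is example code, not from the thread and not how ISE is implemented), here is a small NAD registry that, like ISE today, rejects overlapping device definitions when keyed on IP alone, and accepts them once a VRF tag is part of the key. The VRF names, device names and subnets are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Nad:
    # vrf=None is the global table, the only key ISE offers today (assumed model)
    name: str
    network: ipaddress.IPv4Network
    vrf: Optional[str] = None


class NadRegistry:
    """NAD table that refuses ambiguous definitions: entries may only overlap in different VRFs."""

    def __init__(self) -> None:
        self._nads: List[Nad] = []

    def add(self, name: str, cidr: str, vrf: Optional[str] = None) -> None:
        nad = Nad(name, ipaddress.IPv4Network(cidr), vrf)
        for existing in self._nads:
            if existing.vrf == nad.vrf and existing.network.overlaps(nad.network):
                raise ValueError(
                    f"{name} ({cidr}) overlaps {existing.name} in VRF {vrf!r}; "
                    "a VRF/interface tag is needed to tell them apart")
        self._nads.append(nad)

    def lookup(self, ip: str, vrf: Optional[str] = None) -> Optional[Nad]:
        """Resolve a source address to a NAD. With the VRF in the key there is at most
        one match, because add() rejects overlaps inside a VRF."""
        addr = ipaddress.ip_address(ip)
        for nad in self._nads:
            if nad.vrf == vrf and addr in nad.network:
                return nad
        return None


def demo() -> bool:
    """Constructed scenario: two customers both use 10.10.10.0/24."""
    flat = NadRegistry()                       # IP-only key, as ISE today
    flat.add("cust-a-switch", "10.10.10.0/24")
    try:
        flat.add("cust-b-switch", "10.10.10.0/24")   # rejected as overlapping
        return False
    except ValueError:
        pass
    tagged = NadRegistry()                     # (VRF, IP) key, as requested
    tagged.add("cust-a-switch", "10.10.10.0/24", vrf="cust-a")
    tagged.add("cust-b-switch", "10.10.10.0/24", vrf="cust-b")
    hit = tagged.lookup("10.10.10.10", vrf="cust-b")
    return hit is not None and hit.name == "cust-b-switch"
```

The registry only resolves which device a packet came from; as the answer notes, the reply path still needs a VRF-aware IP stack underneath, which this example does not model.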
