ISE - interface-aware TACACS / NAD definitions with overlapping IPs - feature request?

Hi all,

Just wanted to ask if that's possible (I think not) or if there are any plans on the roadmap to implement the following feature.

I'd like to reuse my existing ISE deployment for different network segments which can have overlapping networks.

Anyway, I need to distinguish NADs somehow, and that's the first obstacle: ISE doesn't allow overlapping ones.

If we could just add one differentiator to such a definition, e.g. VRF / interface ...

What do you think?

Accepted Solution

Arne Bier
VIP Advisor

Hello

 

This would require ISE to become VRF-aware, because at the simple L3 level (UDP/TCP), without that knowledge, how would ISE know how to return the UDP traffic? (I.e. if it has to send a UDP packet to 10.10.10.10 ... all ISE knows is to use the IPv4 stack and send the packet on its way.) But if you have overlapping IPv4 subnets, then ISE will need to have that routing intelligence.

I won't say "never" - but I think unless that Layer 3 IP routing issue is resolved, this problem applies to any RADIUS vendor. ISE has multiple interfaces, but at the Linux level they all find their way to a single IPv4 stack.

The obvious solution would be to deploy one ISE deployment per "customer/overlap".

IPv6 is perhaps an alternative solution :-)

 

You can send feature requests to this link.

 

regards

Arne 
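Added illustration (not part of the thread and not ISE's code): the two points in the answer above, modelled in Python. A NAD registry keyed on address alone refuses the second customer's 10.10.10.0/24, while one keyed on (VRF, address) accepts both; and a RADIUS-style reply is built with whichever NAD matched, so answering customer B's 10.10.10.10 with customer A's shared secret is visible as a rejected Response Authenticator (RFC 2865 section 3). The customer and VRF names, secrets, the `vrf` attribute on the NAD definition and the overlapping 10.10.10.0/24 are all constructed for the example.

```python
import hashlib
import ipaddress
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Nad:
    """A network access device definition (a RADIUS/TACACS+ client)."""
    name: str
    network: ipaddress.IPv4Network
    secret: bytes
    vrf: str  # hypothetical attribute: the VRF the device is reached through


class NadRegistry:
    """NAD table keyed on address only (vrf_aware=False, the behaviour the
    thread describes) or on (VRF, address) (vrf_aware=True, the request)."""

    def __init__(self, vrf_aware: bool) -> None:
        self.vrf_aware = vrf_aware
        self._by_scope: Dict[Optional[str], List[Nad]] = {}

    def _scope(self, vrf: Optional[str]) -> Optional[str]:
        return vrf if self.vrf_aware else None  # one flat scope when unaware

    def add(self, nad: Nad) -> bool:
        """Store the NAD; False when it overlaps an entry in the same scope."""
        scope = self._scope(nad.vrf)
        if any(e.network.overlaps(nad.network) for e in self._by_scope.get(scope, [])):
            return False
        self._by_scope.setdefault(scope, []).append(nad)
        return True

    def lookup(self, src_ip: str, ingress_vrf: Optional[str]) -> Optional[Nad]:
        ip = ipaddress.IPv4Address(src_ip)
        for nad in self._by_scope.get(self._scope(ingress_vrf), []):
            if ip in nad.network:
                return nad
        return None


def response_authenticator(code: int, ident: int, attrs: bytes,
                           request_auth: bytes, secret: bytes) -> bytes:
    """RFC 2865 s.3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_reply(registry: NadRegistry, src_ip: str, ingress_vrf: Optional[str],
                ident: int, request_auth: bytes, attrs: bytes = b""
                ) -> Optional[Tuple[Optional[str], str, bytes]]:
    """Server side: match the NAD for a request from src_ip on ingress_vrf and
    build an Access-Accept (code 2) authenticated with that NAD's secret.
    Returns (egress_vrf, dst_ip, packet); the egress VRF is what a single IPv4
    stack cannot express. Unknown clients are silently dropped (None)."""
    nad = registry.lookup(src_ip, ingress_vrf)
    if nad is None:
        return None
    auth = response_authenticator(2, ident, attrs, request_auth, nad.secret)
    packet = struct.pack("!BBH", 2, ident, 20 + len(attrs)) + auth + attrs
    return (nad.vrf if registry.vrf_aware else None), src_ip, packet


def nad_accepts(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Client side: the NAD recomputes the authenticator with its own secret."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    return packet[4:20] == response_authenticator(
        code, ident, packet[20:length], request_auth, secret)


# Constructed scenario: two customers who both number a switch 10.10.10.10.
CUST_A = Nad("cust-a-sw1", ipaddress.IPv4Network("10.10.10.0/24"), b"secret-a", "blue")
CUST_B = Nad("cust-b-sw1", ipaddress.IPv4Network("10.10.10.0/24"), b"secret-b", "red")
REQ_AUTH = bytes(range(16))  # constructed 16-byte Request Authenticator


def demo() -> dict:
    """Same request from customer B's switch (arriving via VRF "red") against
    an address-only registry and a (VRF, address) registry."""
    flat, aware = NadRegistry(vrf_aware=False), NadRegistry(vrf_aware=True)
    out = {"flat_adds_both": flat.add(CUST_A) and flat.add(CUST_B),
           "aware_adds_both": aware.add(CUST_A) and aware.add(CUST_B)}
    flat_reply = build_reply(flat, "10.10.10.10", "red", 7, REQ_AUTH)
    aware_reply = build_reply(aware, "10.10.10.10", "red", 7, REQ_AUTH)
    # Flat: only customer A survived the overlap check, so the reply is built
    # with A's secret and B's switch rejects it; there is no egress VRF either.
    out["flat_egress"] = flat_reply[0]
    out["flat_b_accepts"] = nad_accepts(flat_reply[2], REQ_AUTH, CUST_B.secret)
    out["aware_egress"] = aware_reply[0]
    out["aware_b_accepts"] = nad_accepts(aware_reply[2], REQ_AUTH, CUST_B.secret)
    return out


if __name__ == "__main__":
    print(demo())
```

The `ingress_vrf` the model relies on is the piece a plain IPv4 socket never hands the application. On Linux a server gets it by binding one listening socket per VRF device (SO_BINDTODEVICE to the VRF interface) and replying from that same socket, which is the routing intelligence the answer above says a single IPv4 stack lacks; the registry change alone does not help unless the reply path is scoped the same way.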
