Re: ISE interfaces

engahmedsaied · ‎10-29-2024

Hello,

In ISE, can we have interface to serve network access and another interface to serve device administration?

what is required to have IP for network access and another IP for device administration so can we separate between them?

balaji.bandi · ‎10-29-2024

Look at the thread you get some idea :

https://community.cisco.com/t5/network-access-control/ise-with-multiple-interfaces/td-p/3087858

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Arne Bier · ‎10-29-2024

@engahmedsaied - this is possible, but what is your reason for doing so?

In my personal view, don't see the technical advantage of doing this. If for some reason, you need to add an additional interface to ISE to solve some ugly network design decision, then I might do it. But I would never add another physical interface to an SNS server, nor to a virtual ISE VM to split RADIUS from TACACS+. ISE doesn't care where the requests come from and Gig0 and Gig1 will serve the requests equally - that means, you cannot disable RADIUS on gig0 to force your NADs to use gig1, and likewise with TACACS+, Therefore the interfaces cannot be isolated for separation of duties. You'd be making more work for yourself in terms of network address planning. And my personal pet peeve with ISE, is that in the GUI you only see the Gig0 IP address - you cannot see the IPs of any other ISE interfaces. This means your engineers/support staff are only seeing half of the story. It's confusing and messy. Cisco should really fix that and include a GUI page that lists all the interfaces and their IPs. I have asked for this in a feature request but it's never happened.

I'd be keen to know WHY you want to do this.