Michal Garcarz
Cisco Employee

ISE multitenancy readiness: overlapping IP for NADs

Hello Team,

Do we have any plans to have ISE ready for multi-tenancy (supporting many separate orgs / customers)?

It looks like we already have most components ready for this (including AD, IP-SGT mapping per VRF), but one very important one is still missing:

- we cannot create NADs with the same IPs

Any plan to have it fixed?

(NAT is not an acceptable solution because of CoA and other issues)

My plan for the design is the following:

- 2xPAN+2xMNT in a central location

- PSN per customer (or two PSNs)

Policy Sets with rules like: if RADIUS/TACACS traffic from PSN1 then policy Customer1, from PSN2 then policy Customer2...

Each customer would group their NADs based on Location (e.g. Location/Customer1/US). Then every incoming RADIUS or TACACS packet will be evaluated by policy-set (with PSN name condition) and that will narrow down the search for NAD to a specific Location (Customer1).

Possible?

Are we evaluating similar functionality to have in ISE?

Any other work to make it fully multi-tenant with NADs belonging to multiple customers with overlapping IPs?

Thanks,

Michal

1 REPLY
howon
Cisco Employee

No, overlaps allowed currently. Please reach out to the PM team for roadmap.
