ISE Nodes with different IP subnet and locate across DCs

Da ICS16
Level 1

Dear Community,

There are 3 deployment nodes in the same IP subnet (10.1.2.x):

- Secondary node & pxGrid node are located at DC1

- Primary admin node is located at DC2

Objective:

- We are planning to move the PAN (DC2) to a new IP subnet (10.1.3.x).

We know how to remove a node from the cluster and register it back once the PAN node has been updated to the new IP.

Changing the ISE IP at the switch level is also required.

Here are our concerns with the information below:

- Firewall configuration change

- What are the ISE node to ISE node communication (PSN, pxGrid...) ports & protocols between DC1 and DC2, since that traffic crosses the firewall?

- Are any changes required on AD, DNS, NTP at DC2 or not? (Nodes at DC1 keep the same.)

Thanks for supporting.

1 Reply

As long as ISE has the right DNS it should be able to find its way up to the AD, so no changes from the AD join point perspective would be required. Regarding DNS and NTP, you would need to update them on the ISE nodes that you will migrate, and obviously you would need to update the DNS records on the AD for those nodes that you will re-IP.

With regard to the ports, it all depends on the services that will be running on ISE. Take a look at this guide; it is a bit intensive, but you can go through the port details and build up the firewall rules accordingly. Alternatively, you can allow everything between the ISE nodes at the beginning, then take a look at the firewall logs to see what applications/ports have been recognized for that traffic, and finally build up your more specific security rules. I would recommend this latter approach.

Cisco Identity Services Engine Installation Guide, Release 3.2 - Cisco ISE Ports Reference [Cisco Identity Services Engine] - Cisco
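As an added example (not part of the reply above and not Cisco's own tooling), this script works through the second approach from the reply: read the firewall logs collected while everything between the ISE nodes is permitted, keep only allowed flows between the DC1 node addresses and the re-IPed PAN at DC2, and collapse them into candidate rules for review. The key=value log format, the node addresses and the port numbers in the sample lines are constructed assumptions, not values from the ISE ports reference.

```python
import re
from collections import defaultdict

# Constructed sample firewall log lines (key=value syslog-style format assumed;
# port numbers are placeholders, not taken from the ISE ports reference).
SAMPLE_LOGS = """\
2024-05-01T10:00:01 action=allow proto=tcp src=10.1.3.10 sport=51234 dst=10.1.2.20 dport=443
2024-05-01T10:00:02 action=allow proto=tcp src=10.1.2.20 sport=51235 dst=10.1.3.10 dport=443
2024-05-01T10:00:03 action=allow proto=tcp src=10.1.3.10 sport=51240 dst=10.1.2.20 dport=1521
2024-05-01T10:00:04 action=allow proto=tcp src=10.1.3.10 sport=51241 dst=10.1.2.20 dport=1521
2024-05-01T10:00:05 action=allow proto=udp src=10.1.3.10 sport=123 dst=10.1.2.5 dport=123
2024-05-01T10:00:06 action=allow proto=tcp src=10.1.2.21 sport=40001 dst=10.1.3.10 dport=443
2024-05-01T10:00:07 action=deny proto=tcp src=192.0.2.7 sport=2222 dst=10.1.3.10 dport=22
"""

# ISE node addresses per DC (constructed; substitute the real deployment's addresses).
DC2_NODES = {"10.1.3.10"}                 # PAN after re-IP into 10.1.3.x
DC1_NODES = {"10.1.2.20", "10.1.2.21"}    # secondary admin node, pxGrid node

LINE_RE = re.compile(r"action=(\w+) proto=(\w+) src=(\S+) sport=\d+ dst=(\S+) dport=(\d+)")

def observed_flows(log_text, dc1, dc2):
    """Return {(src, dst, proto, dport): hit_count} for allowed flows between the two node sets.

    Flows to hosts outside either node set (e.g. the NTP line to 10.1.2.5) and
    denied flows are dropped, so only ISE node-to-node traffic is reported.
    """
    flows = defaultdict(int)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        action, proto, src, dst, dport = m.groups()
        if action != "allow":
            continue
        cross_dc = (src in dc1 and dst in dc2) or (src in dc2 and dst in dc1)
        if cross_dc:
            flows[(src, dst, proto, int(dport))] += 1
    return dict(flows)

def suggested_rules(flows):
    """Sorted list of candidate (src, dst, proto, dport) allow rules for manual review."""
    return sorted(flows)

if __name__ == "__main__":
    flows = observed_flows(SAMPLE_LOGS, DC1_NODES, DC2_NODES)
    for src, dst, proto, dport in suggested_rules(flows):
        print(f"permit {proto} host {src} host {dst} eq {dport}  # seen {flows[(src, dst, proto, dport)]}x")
```

Review the output against the ports reference before committing it: a flow that appears in the logs only because the broad rule permitted it is not automatically one ISE needs.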