ISE - PSN - interfaces in the same subnet

Sven Herrmann
Level 1

Hello,

I'm wondering about the following statement regarding the use of multiple NICs on a PSN (Source: https://www.cisco.com/c/en/us/td/docs/security/ise/2-1/admin_guide/b_ise_admin_guide_21/b_ise_admin_guide_20_chapter_011011.html):

Allowed interfaces — Select the PSN interfaces which a PAN can use to run a portal. When a request to open a portal is made on the PAN, the PAN looks for an available allowed Port on the PSN. You must configure the Ethernet interfaces using IP addresses on different subnets.

These interfaces must be available on all the PSNs, including VM-based ones, that have Policy Services turned on. This is a requirement because any of these PSNs can be used for the redirect at the start of the guest session.

  • The Ethernet interfaces must use IP addresses on different subnets.

In our lab environment we only have one subnet. I configured Gig 0 and Gig 1 on a PSN with different IP-addresses from the same subnet. Gig 1 hosts the sponsor-portal, Gig 0 everything else. The goal is to simply spread the portals (guest and sponsor) over different NICs. And it works that way.

So, why is the recommendation to have IP-addresses from different subnets on different interfaces?

Thanks a lot.

Regards.

5 Replies

Francesco Molino
VIP Alumni

Hi

Having 2 different IPs in different subnets on the PSN is for design and security. Let's take an example. Your guest users (wireless or wired) have an IP from the DMZ zone behind the firewall. You would like to have your PSN syncing with your ISE infrastructure and WLC on their management zone (NIC1), but all users getting the portal should be redirected to a DMZ IP without opening multiple ports to the management zone. That's why you set up a new IP on NIC2.

Hope that's clear.

Thanks
Francesco

PS: Please don't forget to rate and mark as correct answer if this answered your question
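The subnet rule from the admin guide and the DMZ argument in this answer can be turned into a pre-deployment check. This is an added example, not code from the thread or from Cisco; the interface names, addresses and role labels are constructed to mirror the lab in the question (Gig 0 and Gig 1 in one subnet) plus a separate DMZ interface.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed PSN interface layout (not from the thread): Gig 0 and Gig 1 share
# one subnet as in the question; Gig 2 shows the documented separate-subnet layout.
INTERFACES: Dict[str, Tuple[str, List[str]]] = {
    "GigabitEthernet 0": ("10.10.10.11/24", ["management", "radius"]),
    "GigabitEthernet 1": ("10.10.10.12/24", ["sponsor-portal"]),
    "GigabitEthernet 2": ("192.0.2.11/24", ["guest-portal"]),
}

# Roles that belong to the management zone in the answer's design.
MANAGEMENT_ROLES = {"management", "radius"}


def same_subnet_pairs(interfaces: Dict[str, Tuple[str, List[str]]]) -> List[Tuple[str, str]]:
    """Interface pairs whose addresses fall in the same subnet (what the guide forbids)."""
    nets = {name: ipaddress.ip_interface(cfg[0]).network for name, cfg in interfaces.items()}
    names = sorted(nets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:] if nets[a] == nets[b]]


def portals_on_management_subnet(interfaces: Dict[str, Tuple[str, List[str]]]) -> List[str]:
    """Portal interfaces whose subnet also carries management or RADIUS traffic.

    A firewall in front of the PSN cannot separate these by address, so the
    DMZ-only exposure described in the answer is not achievable for them.
    """
    mgmt_nets = {
        ipaddress.ip_interface(addr).network
        for addr, roles in interfaces.values()
        if MANAGEMENT_ROLES & set(roles)
    }
    return sorted(
        name
        for name, (addr, roles) in interfaces.items()
        if any(r.endswith("-portal") for r in roles)
        and ipaddress.ip_interface(addr).network in mgmt_nets
    )


if __name__ == "__main__":
    for a, b in same_subnet_pairs(INTERFACES):
        print(f"WARN {a} and {b} share a subnet")
    for name in portals_on_management_subnet(INTERFACES):
        print(f"WARN portal on {name} shares the management subnet")
```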

Hi Francesco,

Thanks for your answer and explanation. But "except" for security and design reasons (which have the highest priority, of course), there's no technical reason to have the interfaces' IPs in different subnets.

This leads me to another question: is there a best practice recommendation for what to assign to the different interfaces? Like ...

  • Management (inter-node and RADIUS communication, ...) on NIC 0
  • Guest portal in DMZ on NIC 1
  • Sponsor and/or My Devices portal on NIC 2
  • ....

Thanks a lot.
Best Regards.

I'm not aware of a specific official document saying in detail what NIC to use for which services. But globally, NIC0 is used for all "standard" services like RADIUS and communication with the PAN/MnT nodes, and NIC1 for web portals like Guest.

This is what I'm designing most of the time on customer implementations, and that's why having 2 different IPs makes sense.

Other designs would be to bond multiple interfaces for HA.

I'm also using, for example, NIC 1 to set up an IP address that will be the same on every PSN involved, implementing an Anycast design for redundancy purposes as well.

Hope that answers your questions.

Thanks
Francesco

PS: Please don't forget to rate and mark as correct answer if this answered your question

marco.merlo
Level 1

Hi,

I tested this configuration with ACS (virtual appliance on VMware) a couple of years ago. Everything seemed to work fine, but taking a deeper look I found out that when both interfaces were up, ACS randomly responded with the g0 MAC address to ARP requests for the g1 interface IP address, and IP traffic with the g1 address was actually originated from g0. If g1 was disconnected from the virtual switch but kept up on ACS, the g1 IP address kept on working, with the g0 interface taking care of it.

Regards

MM
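The symptom in this post (ARP replies for the g1 address carrying the g0 MAC) can be spotted in a packet capture taken on the shared subnet. This is an added example, not from the thread; the tcpdump-style lines and addresses are constructed, and the script flags any IP answered by more than one MAC and any MAC answering for more than one IP.

```python
import re
from collections import defaultdict
from typing import Dict, List, Set

# Constructed tcpdump-style ARP excerpt (not a real capture): 10.10.10.11 is the
# g0 address and 10.10.10.12 the g1 address of a host with both NICs on one subnet.
CAPTURE = """\
12:00:01.000 ARP, Request who-has 10.10.10.12 tell 10.10.10.50, length 28
12:00:01.001 ARP, Reply 10.10.10.12 is-at 00:50:56:00:00:02, length 28
12:00:09.000 ARP, Request who-has 10.10.10.11 tell 10.10.10.50, length 28
12:00:09.001 ARP, Reply 10.10.10.11 is-at 00:50:56:00:00:01, length 28
12:00:31.000 ARP, Request who-has 10.10.10.12 tell 10.10.10.50, length 28
12:00:31.001 ARP, Reply 10.10.10.12 is-at 00:50:56:00:00:01, length 28
"""

# Matches the "Reply <ip> is-at <mac>" part of a tcpdump ARP line.
ARP_REPLY = re.compile(r"ARP, Reply (\d+\.\d+\.\d+\.\d+) is-at ([0-9a-fA-F:]{17})")


def arp_reply_map(capture: str) -> Dict[str, Set[str]]:
    """Map each IP seen in an ARP reply to the set of MACs that answered for it."""
    seen: Dict[str, Set[str]] = defaultdict(set)
    for line in capture.splitlines():
        m = ARP_REPLY.search(line)
        if m:
            seen[m.group(1)].add(m.group(2).lower())
    return seen


def flux_addresses(capture: str) -> List[str]:
    """IPs answered by more than one MAC: the behaviour the post describes."""
    return sorted(ip for ip, macs in arp_reply_map(capture).items() if len(macs) > 1)


def macs_answering_multiple_ips(capture: str) -> List[str]:
    """MACs that answered for more than one IP, i.e. one NIC serving both addresses."""
    by_mac: Dict[str, Set[str]] = defaultdict(set)
    for ip, macs in arp_reply_map(capture).items():
        for mac in macs:
            by_mac[mac].add(ip)
    return sorted(mac for mac, ips in by_mac.items() if len(ips) > 1)


if __name__ == "__main__":
    replies = arp_reply_map(CAPTURE)
    for ip in flux_addresses(CAPTURE):
        print(f"ALERT {ip} answered by {sorted(replies[ip])}")
```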