05-20-2019 05:53 PM
Hi,
I have an FSI customer and, as is typical of FSI customers, they are very worried about opening up TCP/UDP ports on their firewall. With reference to the Cisco ISE Ports reference guide below,
I am using ISE 2.6 for 802.1x (wired and wireless) and profiling.
1 - Do we need to enable two-way SNMP UDP port 161 between ISE PSN and NAD? Port 161 should be initiated by ISE and not NAD, right?
2 - Is there a need for the NAD to send ISE syslog? Do I need to allow inbound syslog UDP 20514, TCP 1468, 6514?
3 - For Oracle DB Listener port TCP/1521, it is only between PAN and MnT (PSN is not needed), right?
4 - Do I need to permit syslog ports TCP 1468 and 6514 between all nodes (PAN, MnT, PSN) in the ISE cluster?
05-20-2019 08:09 PM
1. Only required if you are using SNMP for profiling.
2. Optional and depending on your syslog choice (secure or not).
3. Correct.
4. I'm not sure about this one.
05-20-2019 08:20 PM
Hi Marvin,
Thanks for your reply!
1. Only required if you are using SNMP for profiling.
> Yes, I am using SNMP for profiling. But port 161 should be outbound from ISE to NAD and inbound should just be 162 for SNMP trap/notification from the NAD?
2. Optional and depending on your syslog choice (secure or not).
> Why will ISE need to receive syslog from the NAD? Do any of the profiling methods use syslog from the NAD?
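To make the "open only what the deployment actually uses" reasoning from the thread concrete, here is an added Python helper (not code from this thread, from Cisco, or from ISE itself) that builds a minimal rule list from the feature choices discussed: SNMP profiling on or off, and which syslog transport (if any) the NAD sends to the PSN. The port numbers and the PAN/MnT-only scope of TCP 1521 are taken from the posts above; the directions (UDP 161 initiated by ISE toward the NAD, UDP 162 traps and syslog initiated by the NAD toward the PSN) and the standard RADIUS ports 1812/1813 are assumptions added here, so confirm them against the ISE 2.6 port reference before applying.

```python
"""Derive a least-privilege firewall rule set for the ISE <-> NAD and
intra-cluster flows discussed in the thread, and flag proposed rules
that the chosen features do not actually need. Added example; the
directions and RADIUS ports are assumptions, not quotes from the thread."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

Flow = Tuple[str, str, str, int]  # (src, dst, proto, port)


@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    proto: str
    port: int
    purpose: str

    def flow(self) -> Flow:
        return (self.src, self.dst, self.proto, self.port)


def required_rules(snmp_profiling: bool, syslog_transport: Optional[str]) -> List[Rule]:
    """Return the rules needed for the given feature choices.

    syslog_transport: None (NAD sends no syslog to ISE), "udp" (UDP 20514),
    "tcp" (TCP 1468) or "tls" (TCP 6514). Assumed mapping, per the thread's ports.
    """
    rules = [
        # Standard RADIUS ports from the NAD to the PSN (assumed, not in the thread).
        Rule("NAD", "PSN", "udp", 1812, "RADIUS authentication"),
        Rule("NAD", "PSN", "udp", 1813, "RADIUS accounting"),
        # Oracle listener is only between PAN and MnT (thread item 3); no PSN rule.
        Rule("PAN", "MnT", "tcp", 1521, "Oracle DB listener"),
    ]
    if snmp_profiling:
        # ISE polls the NAD (ISE-initiated); the NAD sends traps back (NAD-initiated).
        rules.append(Rule("PSN", "NAD", "udp", 161, "SNMP query probe"))
        rules.append(Rule("NAD", "PSN", "udp", 162, "SNMP trap probe"))
    if syslog_transport is not None:
        proto, port = {"udp": ("udp", 20514), "tcp": ("tcp", 1468), "tls": ("tcp", 6514)}[syslog_transport]
        rules.append(Rule("NAD", "PSN", proto, port, f"syslog ({syslog_transport})"))
    return rules


def unneeded(proposed: List[Flow], required: List[Rule]) -> List[Flow]:
    """Flows in a proposed firewall change that no required rule covers."""
    needed = {r.flow() for r in required}
    return [f for f in proposed if f not in needed]


def render(rules: List[Rule]) -> str:
    """Plain-text rule list, one line per flow, for a change request."""
    return "\n".join(f"permit {r.proto} {r.src} -> {r.dst} port {r.port}  # {r.purpose}" for r in rules)


if __name__ == "__main__":
    # Constructed scenario: SNMP profiling on, NAD does not send syslog.
    needed = required_rules(snmp_profiling=True, syslog_transport=None)
    print(render(needed))
    # Constructed over-broad proposal: inbound 161 from the NAD and 1521 to the PSN.
    proposal = [("NAD", "PSN", "udp", 161), ("PAN", "PSN", "tcp", 1521)]
    print("not needed:", unneeded(proposal, needed))
```

The helper takes a stateful firewall for granted, so each flow is listed once in the initiating direction and the return traffic rides the state table; if the firewall is stateless, the reverse flow for each rule must be added as well.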
05-21-2019 03:41 AM