ISE TCP/UDP port usage

wiong
Cisco Employee

Hi,

I have an FSI customer and, typical of FSI customers, they are very worried about opening up TCP/UDP ports on their firewall. With reference to the Cisco ISE ports reference guide below,

https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/install_guide/b_ise_InstallationGuide24/b_ise_InstallationGuide24_chapter_0110.pdf

I am using ISE 2.6 for 802.1x (wired and wireless) and profiling.

1 - Do we need to enable two-way SNMP UDP port 161 between ISE PSN and NAD? Port 161 should be initiated by ISE and not NAD, right? 

2 - Is there a need for the NAD to send syslog to ISE? Do I need to allow inbound syslog on UDP 20514, TCP 1468 and TCP 6514?

3 - For Oracle DB Listener port TCP/1521, it is only between PAN and MnT (PSN is not needed), right?

4 - Do I need to permit the syslog ports TCP 1468 and 6514 between all nodes (PAN, MnT, PSN) in the ISE cluster?

3 Replies

Marvin Rhoads
Hall of Fame

1. Only required if you are using SNMP for profiling.

2. Optional and depending on your syslog choice (secure or not).

3. Correct.

4. I'm not sure about this one.

Hi Marvin,

Thanks for your reply!

1. Only required if you are using SNMP for profiling.

> Yes, I am using SNMP for profiling. But port 161 should be outbound from ISE to the NAD, and inbound should just be 162 for SNMP traps/notifications from the NAD?

2. Optional and depending on your syslog choice (secure or not).

> Why will ISE need to receive syslog from the NAD? Do any of the profiling methods use syslog from the NAD?

The only time you should be sending syslog from the network access device is if you are doing troubleshooting.
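The point that runs through this thread is that the firewall should permit flows, not ports: SNMP 161 is initiated by the ISE PSN towards the NAD while only the 162 traps come back, the Oracle listener on 1521 is needed between PAN and MnT and not towards the PSN, and NAD syslog is optional. The following Python script is an added example, not part of this thread or of Cisco's documentation. It encodes the required directional flows as the replies describe them and audits a constructed rule list against them, reporting what is missing and what is opened beyond need. The role names (PAN, MnT, PSN, NAD, and a generic ISE collector for syslog), the `permit <proto> <src> <dst> <port>` rule syntax and the sample rule list are all constructed for the example; the port numbers are the ones quoted in the question. Inter-node syslog (question 4) is deliberately left out because the thread does not settle it.

```python
"""Least-privilege audit of an ISE firewall allow-list (added example).

Port numbers come from the thread; which flows are required vs optional follows
the replies. Role names, rule syntax and the sample rule list are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str    # role initiating the connection (constructed role names)
    dst: str    # role receiving it
    proto: str  # "tcp" or "udp"
    port: int   # destination port


def required_flows(snmp_profiling: bool, nad_syslog: bool, secure_syslog: bool) -> set[Flow]:
    """Minimal directional flows for the deployment described in the thread."""
    flows = {
        # Oracle DB listener: only between PAN and MnT, not the PSN (reply to question 3)
        Flow("PAN", "MnT", "tcp", 1521),
        Flow("MnT", "PAN", "tcp", 1521),
    }
    if snmp_profiling:
        # ISE polls the NAD on 161; the NAD sends traps back on 162. Two flows,
        # two directions: 161 never needs to be opened inbound to the PSN.
        flows.add(Flow("PSN", "NAD", "udp", 161))
        flows.add(Flow("NAD", "PSN", "udp", 162))
    if nad_syslog:
        # Optional, only if the NAD is configured to send syslog to ISE. 6514 is the
        # standard syslog-over-TLS port (RFC 5425); 20514/UDP and 1468/TCP are the
        # plain options listed in the question. "ISE" is a placeholder for whichever
        # node is configured as the collector (assumption, not stated in the thread).
        if secure_syslog:
            flows.add(Flow("NAD", "ISE", "tcp", 6514))
        else:
            flows.add(Flow("NAD", "ISE", "udp", 20514))
            flows.add(Flow("NAD", "ISE", "tcp", 1468))
    return flows


def parse_rules(text: str) -> set[Flow]:
    """Parse constructed rule lines of the form: permit <proto> <src> <dst> <port>."""
    flows: set[Flow] = set()
    for line in text.strip().splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        action, proto, src, dst, port = parts
        if action != "permit":
            continue  # only permits matter for an allow-list audit
        flows.add(Flow(src, dst, proto.lower(), int(port)))
    return flows


def audit(proposed: set[Flow], required: set[Flow]) -> dict[str, set[Flow]]:
    """What the rule set lacks (breaks the service) and what it opens beyond need."""
    return {"missing": required - proposed, "excess": proposed - required}


# Constructed proposal: SNMP opened both ways, trap port forgotten, DB port given to the PSN.
PROPOSED_RULES = """
# proto src dst port
permit udp PSN NAD 161
permit udp NAD PSN 161
permit tcp PAN MnT 1521
permit tcp MnT PAN 1521
permit tcp PAN PSN 1521
"""


def example_audit() -> dict[str, set[Flow]]:
    """Audit the constructed proposal for SNMP profiling without NAD syslog."""
    need = required_flows(snmp_profiling=True, nad_syslog=False, secure_syslog=False)
    return audit(parse_rules(PROPOSED_RULES), need)


if __name__ == "__main__":
    result = example_audit()
    for kind in ("missing", "excess"):
        for f in sorted(result[kind], key=lambda f: (f.src, f.dst, f.port)):
            print(f"{kind:8} {f.proto}/{f.port} {f.src} -> {f.dst}")
```

Run as written, the audit flags the inbound 161 rule and the PAN-to-PSN 1521 rule as excess and the missing NAD-to-PSN 162 trap flow, which is exactly the distinction the question about "two-way" SNMP turns on. Extending `required_flows` with the RADIUS and other flows from the ports guide is a matter of adding entries; the audit logic does not change.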