09-18-2016 06:20 PM - edited 03-11-2019 12:05 AM
I am attempting to create an ISE lab at home. But I wanted to access the ISE interface from my production network, but at the same time segregate the ISE virtual machine and switches in their own environment. So I was thinking I could create another VLAN, and put all the ISE test stuff in that VLAN.
But I am a little confused on how to get the routing working between the two environments, and if it's even possible to keep the ISE console in my production network too.
I have the ISE virtual machine running on an ESXi server. So I created another vSwitch and ran a dedicated cable to the production switch. I created the second VLAN and added both VLANs to that switchport. But I can no longer hit ISE. I'm wondering maybe it was the VLAN setup in the ISE initial setup that has to be changed.
What would be the best way to set up this ISE test environment?
Thanks,
10-01-2016 12:44 AM
Any thoughts on this? There have to be others working and labbing with ISE in a similar manner.
10-02-2016 06:51 PM
Hello Evan-
- What you described here should work fine
- There shouldn't be any VLAN related settings in ISE
- Do you have an SVI created for the new VLAN that is required for routing?
- Is the SVI on the same switch? If not, is the new VLAN allowed on the trunk links connecting the switches?
- It would probably be helpful if you post a diagram of your setup
Thank you for rating helpful posts!
10-22-2016 02:15 AM
I do not have a specified SVI for the new VLAN that ISE will reside in. So everything resides on the same switch, does that mean I could create a VLAN and specify an SVI and assign 6 ports to that VLAN, all on the same switch? That would work?
My concern for this lab is that it has its own Active Directory server, and soon its own firewall. So I wanted to keep it separate, but I also want to be able to manage it from my workstation on the production network. I'm starting to see that SVIs are my saving grace.
Sorry for the late reply, and thanks for responding and helping Neno!
10-25-2016 10:05 AM
No problem about the delayed reply. To answer your questions:
1. Yes, you can create a new VLAN with a new subnet that is different than your current one
2. If your switch is Layer 3 capable then you should be able to create an SVI for that VLAN to provide default-gateway/routing
3. You can then create an ACL and attach it to the SVI to restrict access
Does this make sense?
Thank you for rating helpful posts!
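The three steps in the reply above (new VLAN and subnet, an SVI as its gateway, an ACL on the SVI), written out as an added example that is not part of the original thread. It assumes a Layer 3 capable switch with routing enabled; the VLAN number, subnets, host addresses, port range and ACL name are constructed for illustration.

```cisco
! Constructed values (not from the thread):
!   VLAN 20 / 192.168.20.0/24 = lab, 192.168.10.0/24 = production
!   192.168.10.50 = management workstation, 192.168.20.10 = ISE
ip routing
!
vlan 20
 name ISE-LAB
!
! Lab-facing access ports (six ports, as in the question)
interface range GigabitEthernet0/7 - 12
 switchport mode access
 switchport access vlan 20
 spanning-tree portfast
!
! Applied inbound on the lab SVI, so it filters traffic leaving the lab
ip access-list extended LAB-TO-PROD
 remark replies from the ISE admin GUI and SSH to the workstation
 permit tcp host 192.168.20.10 eq 443 host 192.168.10.50 established
 permit tcp host 192.168.20.10 eq 22 host 192.168.10.50 established
 remark ping replies to the workstation for troubleshooting
 permit icmp 192.168.20.0 0.0.0.255 host 192.168.10.50 echo-reply
 remark nothing else from the lab may reach production
 deny ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255 log
 remark other destinations remain reachable
 permit ip any any
!
interface Vlan20
 description Gateway for ISE lab
 ip address 192.168.20.1 255.255.255.0
 ip access-group LAB-TO-PROD in
 no shutdown
!
! Verify with:
!   show ip interface Vlan20
!   show access-lists LAB-TO-PROD
```

The ACL is stateless, so the `established` entries only admit TCP replies to sessions the workstation opened; hit counters in `show access-lists` show whether lab hosts are attempting to reach production.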
10-29-2016 02:05 PM
So I was able to configure an SVI on my switch, which is a 2960. At first I thought I had to upgrade the code to IOS version 12.2(55)SE to support the 'ip routing' command, but I think I'm okay.
Currently my test environment doesn't have an ASA in it. I have it powered up and ready, I just have to upgrade the code and get it connected.
Thanks for the help Neno! This definitely did help and make total sense!!
10-30-2016 08:59 AM
No problem! Glad I was able to help!
Now, if your issue is resolved, you should mark the thread as "answered" :)