ise trunking

cisco8887
Level 2

Hi All,

Does ISE 3515 support trunking?

If not what is the purpose of having 5-6 NICs for data only?

I know it has a bond concept, which is bond 0 using Gig 0 as primary and Gig 1 as backup.

Bond 1 using 2 and 3, and bond 2.

Is "bond" another word for switch-independent port channeling, which cannot share load but acts as redundancy?

In that case, if you plug in ports 0 to 3, which are bond 0 and bond 1, then how does ISE act or forward traffic if all of them are part of the same VLAN?


Arne Bier
VIP

Hi

No VLAN concept on ISE. The hardware appliance has many GigE interfaces but none of them will process 802.1Q tagged traffic (i.e. Cisco calls this VLAN 'trunking').

The bonding concept is exactly as you described - it's called NIC Teaming in other parts of the world and essentially it's a layer 1 redundancy where the remote end will send traffic on the standby link if the primary link has an issue. The MAC address is the same for BOTH members of the Bond group - hence, the clients and the switch don't get involved at L2 upwards.

In most real world cases you can get away with using one GigE interface for all of your ISE needs. If you have the luxury and the means to create a Bond, then do it. And when would you use another interface (like Gig1 or Bond1)? I have only seen people talk about putting web portals into a DMZ network for security. But other than that, 1Gbps is more than enough bandwidth for a typical Radius PSN workload. And remember that all ISE management traffic (SSH, Admin GUI, etc.) HAS to go via Gig0 (it's hard coded that way).

Marvin Rhoads
Hall of Fame

Amplifying Arne's correct answer, the additional NICs can also be used with static routes to present PSN services on different networks that may be administratively separated for one reason or another.

In all the small to medium size deployments I have done (up to 50k endpoints), I have always only used the single NIC. Generally speaking, a PSN will run out of ability to support more sessions on a compute basis before it will based on network capacity.

Francesco Molino
VIP Alumni

Hi

Just to add to Arne's and Marvin's very good answers.

I usually use a dedicated interface for guest and BYOD because in many deployments those zones are behind a firewall in the DMZ.

When I have multiple PSNs, I use a dedicated interface and set up an anycast design; then you can just configure 1 IP on all your switches. Which one will answer the switch will be based on the routing path.

It's a simple solution for doing redundancy with no load balancer.

Thanks
Francesco

PS: Please don't forget to rate and select as validated answer if this answered your question