Solved: ISE with DHCP Server

Ali · ‎04-08-2018

Hello Community,

In our Environment Currently running with ISE 2.1 with patch 1,3 & 5.

Our Company is planning to make ISE as DHCP server for providing 25K IP address with 100 subnets.

IS it feasible to configure for ISE as DHCP , if configured what will be impact (or) any future issue with ISE with DHCP Server.

is anyone applied this setup in their environment ?

Needful suggestion would be highly appreciated.

Jason Kunst · ‎04-09-2018

There is no general purpose dhcp service in ISE

Please look into other dhcp servers from Microsoft or Infoblox as an example

View solution in original post

Jason Kunst · ‎04-16-2019

See auth vlan here

https://community.cisco.com/t5/security-documents/ise-features-by-release/ta-p/3621656#toc-hId-155267693

Since 1.1 is real old please install latest recommended release 2.4 as fresh install, configure and evaluate. I wouldn’t recommend an upgrade unless critical to maintain user accounts

Things are so much different starting from scratch would be very beneficial.

You can always point ise back to itself if needing access to older system,

View solution in original post

Jason Kunst · ‎04-08-2018

ISE is not a DHCP server.

Ali · ‎04-09-2018

but still, if we want to enable DHCP on ISE

is it feasible for 25K IP address with more than 100 subnets ? what be the performance impact on ISE with future issues related with DHCP.

Does anyone have implemented this solution, if so what are the challenges you have faced in your network.

Thanks

Jason Kunst · ‎04-09-2018

There is no general purpose dhcp service in ISE

Please look into other dhcp servers from Microsoft or Infoblox as an example

Craig Hyps · ‎04-09-2018

To clarify a bit...

The DNS/DHCP server function in ISE is specific to Auth VLAN feature to support 3rd-party or other NADs that lack URL redirect support. As such, it will delve out IP addresses with a DNS server address that points to ISE itself to sinkhole your web traffic until auth is complete!

Next, the lease timers are deliberately set to low values to facilitate re-DHCP post auth and allow endpoint to get IP address in new access VLAN at which point the ISE DNS/DHCP server is no longer used, i.e. you must use an external DHCP server in access VLAN.

This is why you would not use the ISE DNS or DHCP server for any general use case.

Craig

networker4424 · ‎04-15-2019

Hello Craig, Can you please point me in the direction where I can configure DNS/DHCP on ISE for devices that dont support URL redirection. I looked for quite a while but couldn't find it on the ISE. My ISE version is 1.1 but I can upgrade to 2.4 if this feature is not available in the older version, thanks,

Jason Kunst · ‎04-16-2019

See auth vlan here

https://community.cisco.com/t5/security-documents/ise-features-by-release/ta-p/3621656#toc-hId-155267693

Since 1.1 is real old please install latest recommended release 2.4 as fresh install, configure and evaluate. I wouldn’t recommend an upgrade unless critical to maintain user accounts

Things are so much different starting from scratch would be very beneficial.

You can always point ise back to itself if needing access to older system,

damode · ‎02-25-2020

Can we use ISE as DHCP/DNS to prevent guest traffic using internal DHCP/DNS servers ?