07-26-2019 12:34 AM
Hi Experts,
This is with reference to the question asked in the following link https://community.cisco.com/t5/identity-services-engine-ise/creation-of-secondary-ip-or-ip-loopback-with-32-on-ise/m-p/3523973#M8886
From what I understand, we still cannot configure a loopback or secondary IP on ISE. I have had questions on why this is the case. From an exploitation perspective, I can think of reasons where, if a server is actually exploited, one could potentially use the loopback IP, which is always on, configure it with a routable IP and spoof packets for lateral movement, or even use the loopback for potential IPC comms. For secondary IPs I can think of traffic subnet segmentation and not wishing to have different subnets on the same physical interface, but what is the actual reasoning for ISE not having the option for loopback or secondary IP interfaces?
Additionally, I would just like to confirm that it is actually possible to configure a secondary IP on a second interface and that this will respond to TACACS+ requests, as per https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/install_guide/b_ise_InstallationGuide24/b_ise_InstallationGuide24_chapter_0110.html#ID-1420-000000ee . I can then achieve symmetric responses by creating separate default routes per interface, as per BRKSEC-3699.
Are there any gotchas I need to be aware of in this design? The reason I am asking is that a customer initially had a design with just one interface. Now they do not want to rehome from ACS to ISE and would like to configure the ACS IP on the ISE as a secondary interface. Configuration-wise this looks doable, but is this a recommended design, or are there any gotchas to be aware of?
Any thoughts are welcome.
Thanks
Avinash
07-26-2019 01:11 AM - edited 07-26-2019 01:12 AM
Hey Suri,
Yeah, I actually did go through the doc; that's where Craig pointed to the Cisco Live doc 3699. I'm concerned about any other repercussions or design loopholes to look out for from having a secondary IP configured on ISE to accept TACACS+ requests. For example, from the Cisco Live documentation it seems a default route per interface is mandatory to achieve symmetric replies.
I'm thinking the secondary IP question probably comes from folks working on Microsoft or some form of server installation where the OS allows you to configure a standby IP on the same NIC. I think IOS routers also allow this (https://community.cisco.com/t5/switching/use-of-secondary-ip-on-vlan-interface/td-p/2038746); again, it's more of a workaround to avoid routing complexities etc., but it's allowed nonetheless: ip address a.b.c.d secondary.
If you see the following link, https://unix.stackexchange.com/questions/127723/what-are-the-benefits-of-using-several-ip-addresses-on-a-server , you'd see quite a lot of reasons why a server itself could have a secondary IP configured, and points 3, 4 and 5 are similar to what we are facing now.
But the question still stands. In this scenario, if I could just configure the ACS IP on the ISE as a secondary IP, it would have avoided adding that extra default route for the g1 interface. So why don't we have loopback support on ISE or the ability to configure a secondary IP? Are there security implications for this apart from its functional irrelevance?
Thanks
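The reply above says a default route per interface is needed for symmetric TACACS+ replies when the old ACS address sits on a second ISE interface. The following is an added example, not code from the thread or from Cisco ISE, that models that routing decision so the failure mode is visible: it compares one global default route against a default route bound to each interface and reports which interface a reply leaves on. The interface names, the 10.10.0.0/24 and 10.20.0.0/24 subnets, the gateways and the NAD address 192.0.2.50 are all constructed for the example; the real ISE CLI is not shown.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed topology (assumption, not from the thread): ISE with two NICs.
# GigabitEthernet0 keeps the original ISE address; GigabitEthernet1 carries the
# address the retired ACS used, so existing NADs keep sending TACACS+ there.
IFACES = {
    "GigabitEthernet0": ipaddress.ip_interface("10.10.0.10/24"),
    "GigabitEthernet1": ipaddress.ip_interface("10.20.0.10/24"),
}
GATEWAYS = {"GigabitEthernet0": "10.10.0.1", "GigabitEthernet1": "10.20.0.1"}


@dataclass
class Host:
    # False: one global default route, configured on GigabitEthernet0.
    # True: a separate default route for each interface, chosen by reply source.
    per_interface_default: bool


def ingress_interface(dst_ip: str) -> str:
    """Interface that owns the address a request was sent to."""
    addr = ipaddress.ip_address(dst_ip)
    for name, iface in IFACES.items():
        if iface.ip == addr:
            return name
    raise ValueError(f"{dst_ip} is not configured on this host")


def reply_egress(host: Host, reply_src: str, reply_dst: str) -> Tuple[str, Optional[str]]:
    """Return (interface, next_hop) the reply leaves on.

    reply_src is the address the request arrived on (the server answers from the
    address that was hit); reply_dst is the NAD that sent the request.
    """
    dst = ipaddress.ip_address(reply_dst)
    # 1. Connected subnets win: deliver directly, no gateway.
    for name, iface in IFACES.items():
        if dst in iface.network:
            return name, None
    # 2. Off-subnet NAD: fall back to a default route.
    if host.per_interface_default:
        # Source-based selection: use the default route that belongs to the
        # interface owning the reply's source address.
        name = ingress_interface(reply_src)
        return name, GATEWAYS[name]
    # Single default route: always the interface it was configured on,
    # regardless of which address the request arrived at.
    return "GigabitEthernet0", GATEWAYS["GigabitEthernet0"]


def tacacs_reply_is_symmetric(host: Host, nad_ip: str, server_ip: str) -> bool:
    """True when the reply leaves on the same interface the request arrived on."""
    ingress = ingress_interface(server_ip)
    egress, _ = reply_egress(host, reply_src=server_ip, reply_dst=nad_ip)
    return ingress == egress


if __name__ == "__main__":
    nad = "192.0.2.50"          # remote NAD (constructed, TEST-NET-2)
    old_acs_ip = "10.20.0.10"   # the ACS address, now on GigabitEthernet1
    for mode in (False, True):
        h = Host(per_interface_default=mode)
        egress, gw = reply_egress(h, old_acs_ip, nad)
        print(f"per-interface default={mode}: reply from {old_acs_ip} leaves "
              f"{egress} via {gw}, symmetric={tacacs_reply_is_symmetric(h, nad, old_acs_ip)}")
```

With a single default route the reply to a request that hit the old ACS address on GigabitEthernet1 leaves GigabitEthernet0 with a 10.20.0.10 source, which is exactly the asymmetric path that a stateful firewall or uRPF check between the subnets will drop; with a default route per interface the reply goes back out GigabitEthernet1.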