11-16-2017 02:06 PM - edited 02-21-2020 10:39 AM
When beginning to set up ISE on the UCS 220 appliance, is it a good idea to separate the management of ISE onto one physical network on the appliance, separate from the network card on the same UCS that will serve traffic to and from ISE? Why or why not? The UCS comes with four 1 GB ports on a PCI card, a port for the CIMC, and two 1 GB on-board NICs.
In short, what is the best-practice of the initial network setup for ISE on the UCS appliance?
11-16-2017 02:29 PM
If cost is not a factor, then of course you should dedicate a GigE port on your top-of-rack switch just for management of the server. And if money is really no obstacle, then plug that management link into a separate out-of-band switch totally separate from the data plane.
In most deployments though I have seen customers use two GigE interfaces on the hardware appliance and put them into a bond (NIC teaming) and connect across two switches for redundancy.
I am not a fan of deploying ISE in hardware appliances, if the ISE is running in your data center. Too much hassle with space, power supply issues, heat considerations, cables, SFP, BIOS updates, HDD failing. Pain in the rear. If you have a VM environment then you'll have a much better experience.
11-16-2017 03:43 PM
The Cisco ISE 3515 and 3595 are both based on the UCS C-Series appliance. I'm trying to gather what the best network configuration for ISE would be on the UCS appliance.
11-19-2017 09:05 PM
You have to put some definition (and/or) constraints around the definition of best network configuration. The answer is always "it depends". If you are constrained by cost, or by cabling infrastructure, then the UCS can be managed by a single GigE interface that serves both the CIMC (so-called Shared LOM) and the ISE application (ISE GigabitEthernet 0). This is the default mode I think on UCS. And quite common too. The CIMC IP address is on the same VLAN/subnet as the ISE Gig0.
One step up from that is NIC teaming. Two GigE ports on the UCS that go to the same uplink switch. ISE has to be configured for "bonding" - it means instead of seeing Gig0 and Gig1 on the ISE appliance, you'll see interface Bond0. Only one link in the bond is active. Failover is transparent. I have not tested this myself, but I believe that the CIMC will also failover in this mode of operation.
The final optimisation would be to create an additional ISE application bond interface to separate out client traffic. e.g. ISE Guest Portals must be in a DMZ, therefore Bond1 will be connected to a VLAN that is in the DMZ. The rest of ISE (Bond0) is in a more trusted zone. By the way, ISE only responds to management traffic on Gig0 (or Bond0). This is a limitation - so you can't ssh to ISE on any other interface.
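The three separation rules in the post above (management answered only on Gig0/Bond0, guest portals on a DMZ interface, CIMC off the ISE subnet when it is meant to be out-of-band) can be checked against an interface plan before anyone starts cabling. The script below is an added example written for this thread, not Cisco tooling or anything shipped with ISE; the interface names, zones, role labels and all addresses are constructed sample values.

```python
"""Check an ISE-on-UCS interface plan against the separation rules from
this thread (added example; not Cisco's code).

Rules encoded:
  1. Management (SSH / admin GUI) is only served on Gig0 / Bond0.
  2. Guest portals belong on a DMZ interface, never on Gig0 / Bond0.
  3. When the CIMC is meant to be out-of-band, it must not share a
     subnet with any ISE application interface.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Set


@dataclass
class Iface:
    name: str                      # e.g. "Bond0", "Bond1", "GigabitEthernet0"
    cidr: str                      # address/prefix assigned on that interface
    zone: str                      # "trusted" or "dmz" (labels are constructed)
    roles: Set[str] = field(default_factory=set)   # e.g. {"admin", "guest-portal"}


@dataclass
class Plan:
    ifaces: List[Iface]
    cimc_cidr: str                 # CIMC management address/prefix
    cimc_oob: bool                 # True when CIMC is supposed to be out-of-band


# Interfaces on which ISE answers management traffic (per the thread).
MGMT_IFACES = {"GigabitEthernet0", "Gig0", "Bond0"}


def validate(plan: Plan) -> List[str]:
    """Return a list of findings; an empty list means the plan passes."""
    findings = []
    cimc_net = ipaddress.ip_interface(plan.cimc_cidr).network
    for i in plan.ifaces:
        net = ipaddress.ip_interface(i.cidr).network
        if "admin" in i.roles and i.name not in MGMT_IFACES:
            findings.append(f"{i.name}: ISE only answers management on Gig0/Bond0")
        if "guest-portal" in i.roles and (i.zone != "dmz" or i.name in MGMT_IFACES):
            findings.append(f"{i.name}: guest portal must sit on a DMZ interface, "
                            f"not on the trusted management interface")
        if plan.cimc_oob and net == cimc_net:
            findings.append(f"{i.name}: shares {net} with the CIMC although the "
                            f"CIMC is meant to be out-of-band")
    return findings


# Constructed sample plans (addresses are documentation/private ranges).
# Shared LOM: CIMC and Gig0 on one subnet by design -> no findings.
SHARED_LOM = Plan(
    ifaces=[Iface("GigabitEthernet0", "10.10.20.5/24", "trusted", {"admin"})],
    cimc_cidr="10.10.20.4/24", cimc_oob=False)

# Mis-designed: guest portal on Bond0, admin on the DMZ bond, CIMC "OOB"
# but on the same subnet as Bond0 -> three findings.
BAD_PLAN = Plan(
    ifaces=[Iface("Bond0", "10.10.20.5/24", "trusted", {"guest-portal"}),
            Iface("Bond1", "192.0.2.5/24", "dmz", {"admin"})],
    cimc_cidr="10.10.20.4/24", cimc_oob=True)

# The layout the post recommends: Bond0 trusted/admin, Bond1 DMZ/guest,
# CIMC on its own OOB subnet -> no findings.
GOOD_PLAN = Plan(
    ifaces=[Iface("Bond0", "10.10.20.5/24", "trusted", {"admin"}),
            Iface("Bond1", "192.0.2.5/24", "dmz", {"guest-portal"})],
    cimc_cidr="10.99.0.4/24", cimc_oob=True)


if __name__ == "__main__":
    for label, plan in (("shared-lom", SHARED_LOM), ("bad", BAD_PLAN), ("good", GOOD_PLAN)):
        print(label, validate(plan) or "OK")
```

The shared-LOM plan passes on purpose: it is the cost-constrained option the post describes, and the CIMC sharing Gig0's subnet is only flagged when the plan claims the CIMC is out-of-band.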
11-21-2017 06:42 AM
With ISE on a UCS chassis, am I forced to use the same IP address for CIMC access as well as the IP address for ISE? I would hope not.
11-21-2017 07:35 AM
Answer: NO, in fact my 9+ ISE deployments have a totally separate subnet/LAN switch for the CIMC mgmt.
11-21-2017 08:49 AM - edited 11-21-2017 10:43 AM
Thanks for all your help. I'm good now on the interfaces. What I am trying to achieve is to recreate our production ISE servers on our new lab servers down to the same version. My concern is that the production ISE servers are on the 3495 chassis and the lab servers are the 3515's. Also I have discovered that the 3515's come pre-installed with ISE 2.3.00. With the CIMC and KVM I guess I can clear the configuration on the drive and configure the C220 to boot from the 2.0 ISE from the virtual DVD on my desktop.
David James
11-21-2017 11:23 AM - edited 11-21-2017 11:25 AM
My brand new 3595 came with version 2.0 preinstalled and using the mechanism explained above I just wiped out that version and installed 2.2.
HOWEVER, I strongly suggest you use 2.1 or 2.3 (skip 2.2).
11-21-2017 11:34 AM
My plan is to go to 2.3 but our production environment is 2.0.0.306 and I want to create a lab environment running the same version. Import a copy of the 2.0.0 db over to our lab and then upgrade the lab to 2.3 and finally upgrade our production to 2.3 as well.
The UI of the CIMC 3.0(3S2) has changed and I can't figure out how to boot the UCS 220 either from a virtual DVD ISO on my desktop or from a DVD connected to the physical USB port on the back of the C220.
11-21-2017 11:45 AM
Hi David,
I just realized that I was wrong on my previous note. The only thing you need is the ISO in the laptop and then run Daemon Lite to create the virtual DVD from which you would upload the new image to the UCS during the reboot process. Before doing this, the CIMC needs to be configured.
Once you configure the CIMC and connect the laptop in the same subnet, then you can https into the CIMC page and then launch the internal KVM as part of the reimage process. Let me provide you a few screenshots in the next note as a guide.
11-21-2017 12:02 PM
Picture sequence from CIMC
11-21-2017 12:03 PM - edited 11-22-2017 07:40 AM
removed duplicated post.
11-21-2017 12:04 PM
From the latest screenshot, you map the virtual DVD on your laptop/desktop AND, using the Power tab, you can restart the server and then press F6 to boot from that DVD.
11-21-2017 12:44 PM - edited 11-21-2017 12:56 PM
Here is what I have decided to do. I have created two ISE VMs running the same ISE 2.0.0.306 version as my production ISE servers. I will leave ISE 2.3 as is on the 3515 appliances. I have connected the ISE VM to the repository where the production ISE uploads its weekly configuration and operational backups. At this point, from the ISE VM can I just perform a restore from the most current backups? I'm assuming that if so the configuration restore would be first, followed by the operational. The current VMs' role at this time is standalone. Am I supposed to change the role to PRIMARY and THEN perform the restore operations?
11-22-2017 07:43 AM - edited 11-22-2017 07:45 AM
1.-Yes, you can restore the backups into your VMs as soon as they have the same version + patch installed. Restore Config and then Operational backups.
2.-Yes, you can restore the backup into one of the standalone VM nodes running the 3 personas. If you want to create a deployment with the VMs then you need to assign specific personas to each one.
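The two preconditions in this answer (target node on the same version and patch as the source, configuration backup restored before the operational one) are easy to get wrong when a lab is being rebuilt by hand, so here is a small pre-flight check as an added example for this thread; it is not Cisco code and does not read the backup files themselves. Version strings follow the dotted form used in the thread (2.0.0.306, 2.3.00); the patch numbers are constructed placeholders, since the thread does not state the production patch level.

```python
"""Pre-flight check before restoring ISE backups into a lab node
(added example, not Cisco's tooling).

Blocks the restore when the source and target differ in version or patch,
or when the operational backup is scheduled before the configuration one.
"""
from typing import Dict, List, Tuple


def parse_version(s: str) -> Tuple[int, ...]:
    """Turn '2.0.0.306' or '2.3.00' into a 4-tuple of ints for comparison."""
    parts = s.split(".")
    if not 2 <= len(parts) <= 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected ISE version string: {s!r}")
    nums = [int(p) for p in parts]
    return tuple(nums + [0] * (4 - len(nums)))      # pad short forms like 2.3.00


def restore_preflight(source: Dict, target: Dict, order: List[str]) -> List[str]:
    """source/target: {"version": "2.0.0.306", "patch": <int>}
    order: restore sequence, e.g. ["config", "operational"].
    Returns a list of blocking problems; empty means proceed."""
    problems = []
    if parse_version(source["version"]) != parse_version(target["version"]):
        problems.append(f"version mismatch: source {source['version']} "
                        f"vs target {target['version']}")
    if source["patch"] != target["patch"]:
        problems.append(f"patch mismatch: source patch {source['patch']} "
                        f"vs target patch {target['patch']}")
    if "operational" in order and "config" in order and \
            order.index("operational") < order.index("config"):
        problems.append("operational backup scheduled before the config backup; "
                        "restore config first")
    if "operational" in order and "config" not in order:
        problems.append("operational restore without a config restore")
    return problems


# Constructed sample inputs: production version from the thread,
# patch level is a placeholder.
PROD = {"version": "2.0.0.306", "patch": 0}

if __name__ == "__main__":
    lab_same = {"version": "2.0.0.306", "patch": 0}
    lab_23 = {"version": "2.3.00", "patch": 0}          # the 3515's factory image
    print(restore_preflight(PROD, lab_same, ["config", "operational"]) or "OK")
    print(restore_preflight(PROD, lab_23, ["operational", "config"]))
```

Run against the 2.3 appliance with the backups in the wrong order it reports both the version mismatch and the ordering problem, which matches why the poster chose to build 2.0.0.306 VMs first and upgrade afterwards.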