11-02-2018 06:08 AM
Hi there,
What happens to a TrustSec environment when all ISE servers are down?
Will traffic still be forwarded? When will it stop working?
Thanks.
11-02-2018 07:30 AM
The environment data is cached on the NAD so the enforcement should work still.
11-02-2018 07:32 AM
Hi Hslay,
As far as I remember that cache has a lifetime of typically 24 hours.
Will traffic stop flowing after the cache expires and ISE is down?
Thanks
11-02-2018 07:37 AM
11-02-2018 07:41 AM - edited 11-02-2018 07:42 AM
I'm not using ISE for AAA. Another software is classifying the devices and sending the tag info to the NADs.
I'm just using ISE to manage the TrustSec infrastructure (SGACLs, Matrix, etc), and only have one ISE (Express Bundle) per site.
11-02-2018 07:52 AM
Ricardo, as Hsing pointed out we could increase the timers to weeks/years so that the network devices won't request the new policy even though ISE is down.
Also one more thing is to configure Static SGACLs on the switches. But that would require a lot of manual effort. When ISE is unavailable Static SGACLs would be used by the NADs for enforcement. As soon as ISE is up then dynamic SGACL policies from ISE would take precedence.
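As an added illustration of the static SGACL fallback described in the answer above (this is example configuration, not something posted in the thread or taken from Cisco documentation for a specific platform): the RBACL name STATIC_EMP_TO_SRV and the SGT values 10 (source) and 20 (destination) are assumptions chosen for the example. The static entry is what the NAD enforces for that cell when ISE is unreachable and no dynamic policy is cached; once ISE is reachable again, the policy downloaded from ISE takes precedence over it.

```ios
! Static fallback policy for one cell of the matrix:
! source SGT 10 -> destination SGT 20 (assumed values for this example).
! Role-based ACEs carry no IP addresses, only protocol/port matches.
ip access-list role-based STATIC_EMP_TO_SRV
 permit tcp dst eq 443
 permit tcp dst eq 22
 deny ip
!
! Bind the static SGACL to the SGT/DGT pair. With ISE down and nothing
! cached, this is the policy the switch applies to that cell.
cts role-based permissions from 10 to 20 ipv4 STATIC_EMP_TO_SRV
!
! Enforcement must be switched on for the policy to have any effect.
cts role-based enforcement
!
! Verification: confirm which entries are active and whether they came
! from ISE (dynamic) or from the local configuration (static), and check
! the environment-data lifetime and expiry countdown.
show cts role-based permissions
show cts environment-data
!
! Manual refresh from the switch side (only succeeds while ISE is reachable).
cts refresh environment-data
cts refresh policy
```

Apply the static entries cell by cell for the SGT pairs that must keep working through an ISE outage, and keep them consistent with the matrix in ISE so that the switch does not flip between a permissive fallback and a restrictive dynamic policy as ISE comes and goes.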
11-02-2018 07:56 AM
Thanks for your answer.
If I have a huge cache lifetime, can ISE push new configurations on demand, or will I have to wait for the cache to expire and/or do a manual download at the switch?
11-02-2018 07:58 AM
It can always push new configuration on demand. That has nothing to do with timers/cache.
03-18-2019 08:30 PM
Is it possible to keep the downloaded SGACL and TrustSec environment data after ISE goes down or the policy expires?
Because I still want to keep the SGACL enforcement function working, even though no new user can be authenticated, after Cisco ISE goes down or the policy expires.