03-20-2019 10:32 AM
Cisco Identity Services Engine Installation Guide, Release 2.4 states that "If you choose VMXNET3, you might have to remap the ESXi adapter to synchronize it with the ISE adapter order."
My design requires 6 x VMXNET3 adapters and they're out of the expected order, as warned by this statement.
Does anyone have information on *how* to remap the ESXi adapter so that it realigns with the ISE adapter order?
At present, this is the mapping:
VMware Network Adapter 1 > ISE GE0
VMware Network Adapter 5 > ISE GE1
VMware Network Adapter 2 > ISE GE2
VMware Network Adapter 6 > ISE GE3
VMware Network Adapter 3 > ISE GE4
VMware Network Adapter 4 > ISE GE5
Whereas I'd like the more intuitive mapping:
VMware Network Adapter 1 > ISE GE0
VMware Network Adapter 2 > ISE GE1
VMware Network Adapter 3 > ISE GE2
VMware Network Adapter 4 > ISE GE3
VMware Network Adapter 5 > ISE GE4
VMware Network Adapter 6 > ISE GE5
03-20-2019 01:32 PM
Good question. I am wondering why this even happens in the first place.
Strange that it only happens when you cross over a certain count (three?). I would still continue using vmxnet3 but I agree if you need to do this gymnastics for 50 nodes then you might be annoyed.
03-20-2019 06:48 PM
I believe the threshold is 4 before renumbering occurs. I would be curious what design needs 6 NICs. In 100+ installs I have never used more than 2.
03-22-2019 02:49 AM
03-22-2019 07:25 AM
03-22-2019 12:26 PM - edited 03-22-2019 12:31 PM
Segregating traffic using VLANs (including in a vSwitch) is commonly accepted practice in most environments. If it was a highly secure environment then I would agree... but I'd also be using a two tiered firewall with different vendors. Horses for courses.
TAC involvement was useless. They sent me information on VMware Workstation and vSphere 5.0, using the Client. It's always a lucky dip whether you get a useful response in my experience and unfortunately this time I didn't.
Unless I've missed something, it's not possible to subinterface an ISE bond. They're not a true bond anyway - they're active/passive.
Standardising on VMXNET3 across all VMs. It also gives the best room for future growth. It's one of those annoying situations where vendor Best Practice clashes - VMware's is to use VMXNET3 unless mandated otherwise; Cisco says that E1000 should be used, but only to avoid the situation I've come across.
03-23-2019 12:46 PM - edited 03-23-2019 01:01 PM
I was thinking more along the lines of making the bond a couple of vNICs with the same access VLAN, and configuring the gateway's subinterface as dedicated for ISE. The bond could then serve both management and internal networks on a single subnet. You would add your security controls at the gateway.
Not ideal, but it may work for you.
03-22-2019 02:45 AM
03-22-2019 12:28 PM - edited 03-25-2019 03:06 PM
03-25-2019 03:04 PM
03-26-2019 06:42 AM
If it works, awesome :)
Did you check that your mapping persists after you shut down and power on the VM?