cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
Announcements
Choose one of the topics below to view our ISE Resources to help you on your journey with ISE

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

2311
Views
3
Helpful
3
Replies
Highlighted

ISE 1.1.1 firewall rules distributed deployment

My question is in reference to the following link:

http://www.cisco.com/en/US/docs/security/ise/1.1.1/installation_guide/ise_app_e-ports.html

Basically I am struggling in some areas to work out my firewall rules for a distributed deployment. The referenced documentation is not entirely clear in my opinion. In some instances it is easy to work out what ports need to be opened eg Admin node TCP 22,80,443 for management from administrator hosts/ranges. In other instances it difficult to work out eg TCP 1521 Database listener and AQ is this for ISE nodes only or for access devices aswell

My question is whether there is a better document that details these requirements. What rules are meant to be ISE node - ISE node communications and which rules are for access device - ISE, or ISE - access device. One of the rules I am pretty confused about is the PSN CoA ports. SHould the rule be WLC - PSN on 1700 and 3799 or is it the otherway round or unidirectional?

I am pretty sure that the ports are meant to be ISE-ISE in most instances barring the PSN for Radius and CoA.

3 REPLIES 3

ISE 1.1.1 firewall rules distributed deployment

I am having the same questions. So far I have opend SNMP from ISE to NAD and then all the probe trafic (DNS, DHCP...) from NAD to ISE. And I seem to be able to profile devices correctly.

Beginner

ISE 1.1.1 firewall rules distributed deployment

Try this for size.

In answer to the specific CoA question, I see no need for the WLC to send CoA to PSN, so just PSN to WLC as far as I can see.

You might be able to cut this list down, and you might have to add to it for any specific requirements.

From PSN to AD (potentially all AD nodes):

TCP 389, 3268, 445, 88, 464

UDP 389, 3268

From PSN to Monitoring nodes:

TCP 443

UDP 20514

PSN to Admin Nodes (2Way):

TCP 443, 1521

ICMP echo and reply (heartbeat)

WLC to PSN:

TCP 443, 8443, 80, 8080

UDP 1645, 1646, 1812, 1813, 1700, 3799, 161, 162, 9993, 67

PSN to other PSN’s (2 way)

UDP 30514, 45588, 45990

Endpoint (Laptop) to PSN (Guest laptops just need to get to external PSN’s, internal users just to internal PSN’s)

TCP 8443, 8905

UDP 8905

Admin/Sponsor to all ISE nodes:

TCP 22, 80, 443, 8080, 8443

UDP 161

PSN access to DNS servers:

TCP/UDP 53

PSN access to NTP servers:

UDP 123

Advocate

ISE 1.1.1 firewall rules distributed deployment

You could also issue a show ports | inc ip from cli to see the ports that are successfully connected between each node. Also if you are deploying an inline node you will have to add 8443 to bikespace reference

PSN to Admin Nodes (2Way):

TCP 443, 1521, 8443

ICMP echo and reply (heartbeat)

Thanks,

Tarik Admani
*Please rate helpful posts*

Tarik Admani
*Please rate helpful posts*