07-26-2019 12:34 AM
Hi Experts,
This is with reference to the question asked in the following link https://community.cisco.com/t5/identity-services-engine-ise/creation-of-secondary-ip-or-ip-loopback-with-32-on-ise/m-p/3523973#M8886
From what I understand, we still cannot configure a loopback or secondary IP on ISE. I have had questions on why this is the case. From an exploitation perspective, I can think of reasons: if a server is actually exploited, one could potentially use the loopback IP, which is always on, configure it with a routable IP and spoof packets for lateral movement, or even use the loopback for potential IPC comms. For secondary IPs, I can think of traffic subnet segmentation and not wishing to have different subnets on the same physical interface, but what is the actual reasoning for ISE not having the option for loopback or secondary IP interfaces?
Additionally, I would just like to confirm that it is actually possible to configure a secondary IP on a second interface and that this will respond to TACACS+ requests, as per https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/install_guide/b_ise_InstallationGuide24/b_ise_InstallationGuide24_chapter_0110.html#ID-1420-000000ee. I can then achieve symmetric responses by creating separate default routes per interface, as per BRKSEC-3699.
Are there any gotchas I need to be aware of in this design? The reason I am asking is that a customer initially had a design with just one interface. Now they do not want to rehome from ACS to ISE and would like to configure the ACS IP on the ISE as a secondary interface. From the looks of it, configuration-wise this looks doable, but is this a recommended design, or are there any gotchas to be aware of?
Any thoughts are welcome.
Thanks
Avinash