cancel
Showing results for 
Search instead for 
Did you mean: 
cancel

Load balancing in a ISE TACACS deployment

742
Views
0
Helpful
0
Comments

TACACS works on TCP protocol port 49 or any customizable port in ISE. TCP is connection oriented and asynchronous.

So if you are using LB, suggest inline LB option. If not, then you need to find a way to deal with TCP property explained above.

Stickiness can be based on Source IP address ( Network device IP address).

Question: Can I use Anycast?

Anycast is used with UDP since it is connectionless. You can use this probably with HTTP since it is connection less even though the underlying protocol is TCP, may not be suitable to TACACS. It may be suitable for RADIUS.

For eg: if the Anycast instance is broken mid-way for some reason, the network devices need to open a TCP connection to PSN first before sending traffic. That means that there could be a lot of open TCP connections if the routes change. So rate limiting need to be done not to overwhelm PSN’s.

 

That said, TACACS+ is transactional that means that it opens a TCP connection every time it does a authentication or authorization or accounting, unlike RADIUS where these happen in the same transaction. These transactions are separate.

So this may work depending on how big is configuration request/change from a client machine when accessing CLI on the network device or browsing a UI.

 

In case of bursty traffic where there is a bunch of requests coming from one or many sources, you typically enable persistence(single connect mode) in TACACS configuration (in ISE Network device config) so that you can use same TCP connection.

 

However with Anycast, persistence may not be preferred due to the nature of Anycast if routes change.

 

Here is a resource related to TACACS LB in general is

BRRSEC-3699 – Cisco Live presentation – slide 192

 

Here is a note on Anycast LB. Note how to LB if ISE PSN is down. I think this is meant for RADIUS

http://www.ciscopress.com/articles/article.asp?p=2812072&seqNum=2

 

Please try out your configuration in a test environment to make sure things work seamlessly.

Consider PSN failure, not-reachable scenarios etc. Here is a nice writeup by Damien what to avoid when doing

Load balancing using TACACS

https://community.cisco.com/t5/security-blogs/how-to-tacacs-failover-with-f5-big-ip-virtual-servers/ba-p/3796384