Can I use Catalyst 9300 OOB mgmt. port to communicate with ISE

hashimwajid1
Level 3

Hi,

I have the queries below.

1- can I use Catalyst 9300 dedicated OOB mgmt. port to communicate with ISE for 802.1x, MAB and Tacacs device admin?

2- should I use separate in-band SVI for ISE communication or any other suggestion?

Thanks

5 Replies

Torbjørn
VIP

1 - Yes, the management port is "just" a routed interface in a dedicated standard VRF. 

2 - I would recommend keeping this traffic in your "in band" network infrastructure. This way you will keep the resilience and performance of your in band network, and you get to keep your OOB network exclusively for OOB management. If you wish to separate authentication traffic from user traffic you can create a separate VRF for authentication/other service traffic.

Happy to help! Please mark as helpful/solution if applicable.
Get in touch: https://torbjorn.dev

1- can I use Catalyst 9300 dedicated OOB mgmt. port to communicate with ISE for 802.1x, MAB and Tacacs device admin? Yes, it works, but there are many commands that need to be added t

2- should I use separate in-band SVI for ISE communication or any other suggestion? I prefer this solution to using the mgmt port

MHM

Switches are in different zones, such as DMZ, perimeter, LAN, etc., so only the OOB Mgmt interface/VLAN is common.

Can we use the same approach for Nexus 9300 as well, using the dedicated Nexus OOB mgmt port for RADIUS and TACACS?

@hashimwajid1 

  1. Yes. The 9300’s dedicated OOB port (in Mgmt-vrf) can talk to ISE for 802.1X/MAB (RADIUS) and device admin (TACACS+). Just make sure you source AAA from Mgmt-vrf and allow return traffic/CoA to the switch’s management IP:

  • Point your RADIUS/TACACS servers to ISE with vrf Mgmt-vrf (and/or set the AAA source-interface in Mgmt-vrf).

  • Enable Dynamic Authorization (CoA) in Mgmt-vrf and ensure ISE can reach UDP 3799 back to the switch’s mgmt IP.

  • Provide routing in Mgmt-vrf (no NAT) and allow UDP 1812/1813 (RADIUS) and TCP 49 (TACACS+).

  2. In-band SVI vs OOB? Both are valid.

  • OOB/Mgmt-vrf: clean separation, good for security; just verify CoA reachability to the mgmt IP.

  • In-band SVI: simpler path (matches data plane), often easier for CoA and high availability via your routed core.

Pick the one that fits your policy; functionally either works as long as ISE can reach the same source IP the switch uses for AAA/CoA.

–––
Best regards,
Stefan Mihajlov

Mark this post as Helpful if it helped you, and Accept as Solution if it resolved your question.
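A worked IOS-XE configuration for the OOB option described in the reply above, with the RADIUS/TACACS+ server groups, the AAA source interface and the CoA client all bound to Mgmt-vrf. This is an added example, not configuration from the original thread or from Cisco; the ISE address 10.0.0.10, the Mgmt-vrf gateway 10.0.0.1, the interface name GigabitEthernet0/0 and the keys are assumed placeholders.

```cisco
! Assumed placeholders: ISE PSN 10.0.0.10, Mgmt-vrf gateway 10.0.0.1, OOB port Gi0/0
aaa new-model
!
! Route to ISE inside Mgmt-vrf; no NAT on this path, CoA must reach Gi0/0 directly
ip route vrf Mgmt-vrf 0.0.0.0 0.0.0.0 10.0.0.1
!
radius server ISE-PSN1
 address ipv4 10.0.0.10 auth-port 1812 acct-port 1813
 key REPLACE-WITH-RADIUS-KEY
!
aaa group server radius ISE-RADIUS
 server name ISE-PSN1
 ip vrf forwarding Mgmt-vrf
 ip radius source-interface GigabitEthernet0/0
!
! CoA listener: accept Disconnect/Change-of-Authorization from ISE on UDP 3799 via Mgmt-vrf
aaa server radius dynamic-author
 client 10.0.0.10 vrf Mgmt-vrf server-key REPLACE-WITH-RADIUS-KEY
 port 3799
 auth-type any
!
tacacs server ISE-TAC1
 address ipv4 10.0.0.10
 key REPLACE-WITH-TACACS-KEY
!
aaa group server tacacs+ ISE-TACACS
 server name ISE-TAC1
 ip vrf forwarding Mgmt-vrf
 ip tacacs source-interface GigabitEthernet0/0
!
! Endpoint authentication (802.1X/MAB) via RADIUS
aaa authentication dot1x default group ISE-RADIUS
aaa authorization network default group ISE-RADIUS
aaa accounting dot1x default start-stop group ISE-RADIUS
dot1x system-auth-control
!
! Device admin via TACACS+, with local fallback if the Mgmt-vrf path to ISE is down
aaa authentication login default group ISE-TACACS local
aaa authorization exec default group ISE-TACACS local
aaa accounting commands 15 default start-stop group ISE-TACACS
```

Verify reachability with `show aaa servers` and `test aaa group ISE-RADIUS <user> <password> new-code`; the network device entry in ISE must carry the Gi0/0 address, since that is the source IP ISE sees for RADIUS, TACACS+ and the CoA target.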

Yes you can, but I prefer the SVI method.