04-19-2017 04:43 AM - edited 03-11-2019 12:38 AM
Hello,
I'm wondering about the following statement regarding the use of multiple NICs on a PSN (Source: https://www.cisco.com/c/en/us/td/docs/security/ise/2-1/admin_guide/b_ise_admin_guide_21/b_ise_admin_guide_20_chapter_011011.html):
Allowed interfaces — Select the PSN interfaces which a PAN can use to run a portal. When a request to open a portal is made on the PAN, the PAN looks for an available allowed Port on the PSN. You must configure the Ethernet interfaces using IP addresses on different subnets.
These interfaces must be available on all the PSNs, including VM-based ones, that have Policy Services turned on. This is a requirement because any of these PSNs can be used for the redirect at the start of the guest session.
In our lab environment we only have one subnet. I configured Gig 0 and Gig 1 on a PSN with different IP-addresses from the same subnet. Gig 1 hosts the sponsor-portal, Gig 0 everything else. The goal is to simply spread the portals (guest and sponsor) over different NICs. And it works that way.
So, why is the recommendation to have IP-addresses from different subnets on different interfaces?
Thanks a lot.
Regards.
04-19-2017 05:26 AM
Hi
Having 2 different IPs in different subnets on the PSN is for design and security. Let's take an example. Your Guest users (wireless or wired) have an IP from the DMZ zone behind the firewall. You would like to have your PSN syncing with your ISE infrastructure and WLC on their Management zone (NIC1), but all users getting the portal should be redirected to a DMZ IP and not open multiple ports to the management zone. That's why you set up a new IP on the NIC2.
Hope that's clear.
Thanks
PS: Please don't forget to rate and mark as correct answer if this answered your questions
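The reply above explains the subnet rule in terms of zones; the part it leaves implicit is what the appliance's own routing does when two NICs sit on one subnet. The model below is an added illustration written for this thread, not Cisco ISE code: it assumes plain longest-prefix-match routing with one connected route per interface and "first installed wins" on ties, which is how a Linux-based appliance picks its egress interface. The interface names and addresses are constructed. With both NICs in 10.1.1.0/24, a sponsor-portal reply bound to Gig 1's address still leaves via Gig 0; with the portal address in its own DMZ subnet, the reply leaves on the portal NIC and the firewall sees only the DMZ address.

```python
import ipaddress
from itertools import combinations

# Constructed PSN interface tables for the two scenarios (not real addresses).
SAME_SUBNET = [
    ("GigabitEthernet0", "10.1.1.5/24"),   # management, RADIUS, PAN/MnT sync
    ("GigabitEthernet1", "10.1.1.6/24"),   # sponsor portal, same subnet as Gig 0
]
SPLIT_SUBNETS = [
    ("GigabitEthernet0", "10.1.1.5/24"),    # management zone
    ("GigabitEthernet1", "192.0.2.5/24"),   # DMZ portal address
]


def connected_routes(ifaces):
    """One connected route per interface, kept in install (configuration) order."""
    return [(ipaddress.ip_interface(cidr).network, name) for name, cidr in ifaces]


def egress_interface(ifaces, dst_ip):
    """Longest-prefix match; on a tie the earlier-installed route wins.

    That tie-break is the assumption this model makes about a Linux-based
    appliance with two connected routes to the same subnet.
    """
    dst = ipaddress.ip_address(dst_ip)
    best = None
    for net, name in connected_routes(ifaces):
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, name)
    return best[1] if best else None


def shared_subnets(ifaces):
    """Pairs of interfaces whose connected subnets overlap (the configuration to avoid)."""
    routes = connected_routes(ifaces)
    return [
        (a_name, b_name)
        for (a, a_name), (b, b_name) in combinations(routes, 2)
        if a.overlaps(b)
    ]


def portal_reply_path(ifaces, portal_iface, client_ip):
    """Where a portal reply sourced from portal_iface's address actually leaves the box."""
    out = egress_interface(ifaces, client_ip)
    return {"bound_to": portal_iface, "egress": out, "asymmetric": out != portal_iface}


if __name__ == "__main__":
    print("overlapping subnets:", shared_subnets(SAME_SUBNET))
    # Sponsor portal on Gig 1, client on the shared subnet: reply leaves via Gig 0.
    print(portal_reply_path(SAME_SUBNET, "GigabitEthernet1", "10.1.1.200"))
    # Portal on a DMZ subnet of its own: reply leaves via Gig 1 as intended.
    print(portal_reply_path(SPLIT_SUBNETS, "GigabitEthernet1", "192.0.2.200"))
```

The `asymmetric` flag is the practical check: if it is true, the portal NIC is a second address on the wrong wire rather than a separation of zones, and any firewall policy written around "portal traffic comes from the DMZ address" will not hold.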
04-19-2017 03:39 PM
I'm not aware of a specific official document saying in detail what NIC to use for what services. But globally, NIC0 is used for all "standard" services like RADIUS and communication with the PAN/MnT node, and NIC1 for web portals like Guest.
This is what I'm designing most of the time on customer implementations, and that's why having 2 different IPs makes sense.
Other designs would be to bond multiple interfaces for HA.
I'm also using, for example, NIC 1 to set up an IP address that will be the same on every PSN involved, implementing an Anycast design for redundancy purposes as well.
Hope that answers your questions.
Thanks
PS: Please don't forget to rate and mark as correct answer if this answered your question
04-19-2017 07:52 AM
Hi Francesco,
Thanks for your answer and explanation. But "except" for security and design reasons (which have the highest priority, of course), there's no technical reason to have the interfaces' IPs in different subnets.
This leads me to another question: is there a best practice recommendation for what to assign to the different interfaces? Like ...
09-22-2017 05:30 AM - edited 09-22-2017 05:46 AM
I tested this configuration with ACS (virtual appliance on VMware) a couple of years ago. Everything seemed to work fine, but taking a deeper look I found out that when both interfaces were up, ACS randomly responded with the g0 MAC address to ARP requests for the g1 interface IP address, and IP traffic with the g1 address was actually originated from g0. If g1 was disconnected from the virtual switch but kept up on ACS, the g1 IP address kept on working, with the g0 interface taking care of it.
Regards
MM
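The behaviour MM describes (one interface answering ARP for the other's address) is the observable symptom of two NICs on one subnet, and it is worth checking for rather than assuming "it works". The script below is an added example written for this thread, not part of the post or of any Cisco tool. It assumes captured ARP replies have already been reduced to a simple text form, `<ip> is-at <mac>`, which is a constructed format, and it uses a constructed interface table for the appliance. It flags any IP answered by more than one MAC and distinguishes the multi-NIC case (every answering MAC is one of the appliance's own) from an unknown MAC answering for the address, which is the case an operator would escalate.

```python
from collections import defaultdict

# Constructed capture of ARP replies seen on the PSN's segment, in an invented
# "<ip> is-at <mac>" line format. Not real sniffer output.
SAMPLE_ARP_REPLIES = """\
10.1.1.6 is-at 00:50:56:aa:00:01
10.1.1.5 is-at 00:50:56:aa:00:00
10.1.1.6 is-at 00:50:56:AA:00:00
10.1.1.6 is-at 00:50:56:aa:00:01
"""

# The appliance's own interface table (constructed): which MAC should answer for which IP.
OWN_INTERFACES = {
    "10.1.1.5": "00:50:56:aa:00:00",  # GigabitEthernet0
    "10.1.1.6": "00:50:56:aa:00:01",  # GigabitEthernet1
}


def parse_arp_replies(text):
    """Return (ip, mac) pairs from the constructed line format, MACs lower-cased."""
    pairs = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 3 and fields[1] == "is-at":
            pairs.append((fields[0], fields[2].lower()))
    return pairs


def find_arp_flux(pairs):
    """IPs answered by more than one MAC, mapped to the sorted list of MACs seen."""
    seen = defaultdict(set)
    for ip, mac in pairs:
        seen[ip].add(mac)
    return {ip: sorted(macs) for ip, macs in seen.items() if len(macs) > 1}


def classify_flux(ip, macs, own_interfaces):
    """'arp-flux' when every answering MAC belongs to the appliance itself
    (a second NIC on the same subnet answered), 'unknown-mac' otherwise."""
    own_macs = set(own_interfaces.values())
    return "arp-flux" if set(macs) <= own_macs else "unknown-mac"


def report(text, own_interfaces):
    """Verdict and MAC list per affected IP, e.g. {'10.1.1.6': ('arp-flux', [...])}."""
    flux = find_arp_flux(parse_arp_replies(text))
    return {ip: (classify_flux(ip, macs, own_interfaces), macs) for ip, macs in flux.items()}


if __name__ == "__main__":
    for ip, (verdict, macs) in report(SAMPLE_ARP_REPLIES, OWN_INTERFACES).items():
        print(f"{ip}: {verdict} (answered by {', '.join(macs)})")
```

Run against the constructed capture, 10.1.1.6 is reported as `arp-flux` because both answering MACs are the appliance's own. The same check with a MAC outside the interface table returns `unknown-mac`, which is the distinction that keeps a known multi-NIC quirk from being mistaken for, or masking, another host answering for the PSN's address.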