Creation of secondary IP or IP loopback with /32 on ISE

Alexey Babaytsev
Cisco Employee

Hi team,

Customer is migrating from ACS to ISE. They need to create a secondary host IP address (/32) or loopback on ISE to provide an access to. Is it possible to do it?

Thanks,

Alexey

1 Accepted Solution

Right now I don’t see an option for secondary or loopback.

Management must reside on gig0, but other traffic can take place on other interfaces.

Is there a reason they can’t create another interface and use that?

7 Replies

Jason Kunst
Cisco Employee

I don’t think so, is there a reason they cannot create another interface and configure that?

Hi Jason,

Customer needs to assign a host address to ISE because this address was used by ACE before (from different network segment). But for LAN communication (VRRP and so on) usual address /27 should be used also. These addresses are totally different addresses.

Idea is to use /27 address for LAN communication and /32 address for use by network devices for TACACS service.

Regards,

Alexey

ISE supports multiple interfaces which can be assigned unique IP in its own subnet but loopbacks and secondaries not supported. You mention ACE, so potentially sounds like trying to replicate a DSR config which also is not supported by ISE.

Craig

Thanks Craig.

Does it mean that ISE doesn’t support /32 addresses at all?

Sorry for typo – I meant ACS, not ACE.

Regards,

Alexey

/32 is not the same as a loopback or secondary. You should be able to config /32, but not sure if it will achieve desired result. ISE will not forward traffic between interfaces.

Alexey,

I am still confused on what the customer is trying to do. Is the customer trying to do a flash cut by using the same address on ISE that was used in ACS so they don't have to go and touch all their network equipment to change TACACS IPs?
