Cisco ISE VM

Moderator: mike

stevenjwilliams83
Posts: 77
Joined: Mon Mar 20, 2017 1:53 pm

Cisco ISE VM

Post by stevenjwilliams83 » Wed Aug 30, 2017 3:07 pm

I have installed an instance of ISE in my ESXi lab along with EVE. I am trying to figure out how to incorporate this into my topology. I have both VMs in the same vSwitch, and both reside on the same subnet. I can access both of these VMs from my desktop on a separate network. So my PC and the VMs have a different gateway. So creating a cloud connection for the ISE machine is what I need to do, but I can't figure out what I would need to do for my Windows nodes and switch nodes for them to be able to "route" to ISE. Would they all have to be on the same subnet as the ISE VM? The gateway for my PC and ISE machine reside on an external router running ROAT.

Uldis (UD)
Posts: 5067
Joined: Wed Mar 15, 2017 4:44 pm
Location: London

Re: Cisco ISE VM

Post by Uldis (UD) » Wed Aug 30, 2017 5:02 pm

It is simpler than you think :)

Assuming your ISE and EVE management reside in vSwitch0 and the GW is some 192.168.1.1, then:
On the EVE topology add the network Cloud0, connect it to an EVE node Switch or Router and point its default route to the same GW that your EVE or ISE has.

A little bit of logic and all will work. Be sure that your vSwitch has Promiscuous mode enabled in its security settings...

UD

stevenjwilliams83
Posts: 77
Joined: Mon Mar 20, 2017 1:53 pm

Re: Cisco ISE VM

Post by stevenjwilliams83 » Wed Aug 30, 2017 5:32 pm

Ok so all my devices (switches, and Windows Clients) would have IP addresses on the same subnet as EVE and ISE?

stevenjwilliams83
Posts: 77
Joined: Mon Mar 20, 2017 1:53 pm

Re: Cisco ISE VM

Post by stevenjwilliams83 » Wed Aug 30, 2017 5:45 pm

The Cloud0 is labeled as "Management", so I connected that to an IOL switch, created interface vlan 27 with IP address 10.100.27.106, which is the ISE subnet and EVE mgmt subnet, made ip default-gateway 10.100.27.1 and turned off IP routing.

Port eth0/2 connected to Cloud0 is an access port on vlan 27.

ESXi host connected to Cisco 2960 port-channel (mode on, trunking, allowing vlan 27 on the trunk).

From the EVE CLI I can ping 10.100.27.1 (gateway) and 10.100.27.20 (Cisco ISE) but cannot ping 10.100.27.106 (IOL switch in EVE topology).

vSwitch and port group are set to accept promiscuous mode. VLAN ID is set to vlan 27.

Uldis (UD)
Posts: 5067
Joined: Wed Mar 15, 2017 4:44 pm
Location: London

Re: Cisco ISE VM

Post by Uldis (UD) » Thu Aug 31, 2017 12:31 am

Lost logic...

Do the same on the IOL switch: trunk with allowed vlan 27.
Create vlan 27 on IOL, do SVI 27 and test.
Your cloud0 is nothing else than a simple bridge to the real sw.

stevenjwilliams83
Posts: 77
Joined: Mon Mar 20, 2017 1:53 pm

Re: Cisco ISE VM

Post by stevenjwilliams83 » Thu Aug 31, 2017 1:40 pm

No joy on that. See anything I have missed with the info I have provided?

=================================================================
SW06#show run int eth0/2
Building configuration...

Current configuration : 137 bytes
!
interface Ethernet0/2
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 27
 switchport mode trunk
 duplex auto
end

SW06#show run int vlan 27
Building configuration...

Current configuration : 64 bytes
!
interface Vlan27
 ip address 10.100.27.106 255.255.255.0
end

SW06#show vlan br

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Et0/0, Et0/1, Et0/3
27   VLAN0027                         active
1002 fddi-default                     act/unsup
1003 token-ring-default               act/unsup
1004 fddinet-default                  act/unsup
1005 trnet-default                    act/unsup
SW06#show ip int br
Interface                  IP-Address      OK? Method Status                Protocol
Ethernet0/0                unassigned      YES unset  up                    up
Ethernet0/1                unassigned      YES unset  up                    up
Ethernet0/2                unassigned      YES unset  up                    up
Ethernet0/3                unassigned      YES unset  up                    up
Vlan1                      unassigned      YES unset  up                    up
Vlan27                     10.100.27.106   YES NVRAM  up                    up
SW06#show ip route
Default gateway is 10.100.27.1

Host Gateway Last Use Total Uses Interface
ICMP redirect cache is empty
SW06#
!
!
!
!
Welcome to Ubuntu 16.04.3 LTS (GNU/Linux 4.9.40-eve-ng-ukms+ x86_64)

* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
root@eve-ng:~# ping 10.100.27.20
PING 10.100.27.20 (10.100.27.20) 56(84) bytes of data.
64 bytes from 10.100.27.20: icmp_seq=1 ttl=64 time=0.340 ms
64 bytes from 10.100.27.20: icmp_seq=2 ttl=64 time=0.181 ms
64 bytes from 10.100.27.20: icmp_seq=3 ttl=64 time=0.187 ms
64 bytes from 10.100.27.20: icmp_seq=4 ttl=64 time=0.211 ms
64 bytes from 10.100.27.20: icmp_seq=5 ttl=64 time=0.204 ms
64 bytes from 10.100.27.20: icmp_seq=6 ttl=64 time=0.157 ms
64 bytes from 10.100.27.20: icmp_seq=7 ttl=64 time=0.190 ms
^C
--- 10.100.27.20 ping statistics ---
7 packets transmitted, 7 received, 0% packet loss, time 6124ms
rtt min/avg/max/mdev = 0.157/0.210/0.340/0.055 ms
root@eve-ng:~# ping 10.100.27.1
PING 10.100.27.1 (10.100.27.1) 56(84) bytes of data.
64 bytes from 10.100.27.1: icmp_seq=1 ttl=255 time=0.521 ms
64 bytes from 10.100.27.1: icmp_seq=2 ttl=255 time=0.588 ms
64 bytes from 10.100.27.1: icmp_seq=3 ttl=255 time=0.462 ms
64 bytes from 10.100.27.1: icmp_seq=4 ttl=255 time=0.521 ms
^C
--- 10.100.27.1 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3075ms
rtt min/avg/max/mdev = 0.462/0.523/0.588/0.044 ms
root@eve-ng:~# ping 10.100.27.106
PING 10.100.27.106 (10.100.27.106) 56(84) bytes of data.
From 10.100.27.15 icmp_seq=1 Destination Host Unreachable
From 10.100.27.15 icmp_seq=2 Destination Host Unreachable
From 10.100.27.15 icmp_seq=3 Destination Host Unreachable
^C
--- 10.100.27.106 ping statistics ---
5 packets transmitted, 0 received, +3 errors, 100% packet loss, time 4090ms
pipe 4
root@eve-ng:~#
root@eve-ng:~# ifconfig pnet0
pnet0     Link encap:Ethernet  HWaddr 00:50:56:84:93:c3
          inet addr:10.100.27.15  Bcast:10.100.27.255  Mask:255.255.255.0
          inet6 addr: fe80::250:56ff:fe84:7001/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1390854 errors:0 dropped:71 overruns:0 frame:0
          TX packets:1052781 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:5258459398 (5.2 GB)  TX bytes:89410038 (89.4 MB)

root@eve-ng:~#
!
!
!

stevenjwilliams83
Posts: 77
Joined: Mon Mar 20, 2017 1:53 pm

Re: Cisco ISE VM

Post by stevenjwilliams83 » Fri Sep 01, 2017 7:32 pm

Issue Resolved.

Changes to the vSwitches and other changes were made without reboot of EVE. After reboot and disabling IP CEF on node to cloud it has begun to work.

Thanks for the Help Eve Team!


Please close thread, because if I can do it, I can't figure it out lol
