Forum Discussion

Srirengaa's avatar
Srirengaa
Icon for Cirrus rankCirrus
Mar 06, 2023

I have ISE 2.6 and 3.1, but some specific networks in this segment should send to ISE3.1 Pool member

šŸ’ŽSolution :

Using i-RULE or Policies to solve the above issue

Step 1:

For ISE 2.6 and ISE 3.1, pool members should already be defined.

Local Traffic -> Pools ->

Step 2:

Under Data group, an IP source segment must be added.

Step 3:

i_RULE is below

Parameter for each single VS should call a different i-RULE. In my case, the ISE traffic for Radius, TACACS, Guest, and Profile was prepared independently and followed exactly.

i-RULE for Profiler:
--------------------

when CLIENT_ACCEPTED {
  log local0. "Client: [IP::client_addr]"
  if { [class match [IP::client_addr] equals DG_ISE3.1_10.X.X.X_25] } {
    log local0. "Pool Member Partition/Name: [LB::server pool]"
    pool PROD-Profiler-VXX_ISE3.1
  } else {
      pool PROD-Profiler-VXX
  }
}

i-RULE for Radius:
--------------------

when CLIENT_ACCEPTED {
  log local0. "Client: [IP::client_addr]"
  if { [class match [IP::client_addr] equals DG_ISE3.1_10.X.X.X_25] } {
    log local0. "Pool Member Partition/Name: [LB::server pool]"
    pool PROD-RADIUS-VXX_ISE3.1
  } else {
      pool PROD-RADIUS-VXX
  }
}

i-RULE for TACACS:
--------------------

when CLIENT_ACCEPTED {
  log local0. "Client: [IP::client_addr]"
  if { [class match [IP::client_addr] equals DG_ISE3.1_10.X.X.X_25] } {
    log local0. "Pool Member Partition/Name: [LB::server pool]"
    pool PROD-TACACS-VXX_ISE3.1
  } else {
      pool PROD-TACACS-VXX
  }
}

i-RULE for Guest:
--------------------

when CLIENT_ACCEPTED {
  log local0. "Client: [IP::client_addr]" --> Logging the client IP address
  if { [class match [IP::client_addr] equals DG_ISE3.1_10.X.X.X_25] } {
    log local0. "Pool Member Partition/Name: [LB::server pool]"
    pool PROD-Guest-VXX_ISE3.1
  } else {
      pool PROD-Guest-VXX
  }
}

Step 4:

Connect the i-RULE to the VS in F5, then set the default Pool's load balancing to none.

Note : For steps, see the screenshot in the attachment

3 Replies

  • Thanks so much for this, Srirengaa!

    Could you please add a little more detail around the problem you are solving? If you can, I'd like to promote this to a CrowdSRC CodeShare post, so that more people can see the solution you've shared. 

    • Srirengaa's avatar
      Srirengaa
      Icon for Cirrus rankCirrus

      Sure Leslie

      Here the Problem statement - I am using the ISE 2.6 version in production and have concurrently built 3.1 ISE nodes; the legacy 2.6 nodes should be decommissioned and replaced with the 3.1 version, but testing has not been completed.
      How can we test ISE 3.1 guest portal access using both 2.6 and 3.1 ISE nodes without affecting the production environment? This is the changellence, and i found a solution by combining i-rules and data groups to complete the tasks.

      • Srirengaa's avatar
        Srirengaa
        Icon for Cirrus rankCirrus

        When the source segment matches the datagroup, the traffic is routed to ISE3.1, and the remaining traffic is routed through 2.6 nodes.

        Example: I'm coming from 10.10.10.10 source IP and told i-rule to look for matching IPs in the datagroup and forward traffic to ISE3.1 if any matches are found.