Technical Forum

I have ISE 2.6 and 3.1, but some specific networks in this segment should be sent to the ISE 3.1 pool member

Srirengaa
Cirrus

Solution:

Using an iRule or policies to solve the above issue.

Step 1:

For ISE 2.6 and ISE 3.1, pool members should already be defined.

Local Traffic -> Pools ->

Step 2:

Under Data Groups, the source IP segment must be added.

Step 3:

The iRule is below.

Each VS should call a different iRule. In my case, the ISE traffic for RADIUS, TACACS, Guest, and Profiler was prepared independently, each following exactly the same pattern.

iRule for Profiler:
--------------------

when CLIENT_ACCEPTED {
  # Log the source IP of every accepted connection
  log local0. "Client: [IP::client_addr]"
  # DG_ISE3.1_10.X.X.X_25 is the address data group holding the pilot source subnets
  if { [class match [IP::client_addr] equals DG_ISE3.1_10.X.X.X_25] } {
    log local0. "Pool Member Partition/Name: [LB::server pool]"
    # Pilot sources go to the ISE 3.1 pool
    pool PROD-Profiler-VXX_ISE3.1
  } else {
    # Everything else stays on the ISE 2.6 pool
    pool PROD-Profiler-VXX
  }
}

iRule for RADIUS:
--------------------

when CLIENT_ACCEPTED {
  # Log the source IP of every accepted connection
  log local0. "Client: [IP::client_addr]"
  # Same address data group as the other VSs; only the pool names differ
  if { [class match [IP::client_addr] equals DG_ISE3.1_10.X.X.X_25] } {
    log local0. "Pool Member Partition/Name: [LB::server pool]"
    pool PROD-RADIUS-VXX_ISE3.1
  } else {
    pool PROD-RADIUS-VXX
  }
}

iRule for TACACS:
--------------------

when CLIENT_ACCEPTED {
  # Log the source IP of every accepted connection
  log local0. "Client: [IP::client_addr]"
  # Same address data group as the other VSs; only the pool names differ
  if { [class match [IP::client_addr] equals DG_ISE3.1_10.X.X.X_25] } {
    log local0. "Pool Member Partition/Name: [LB::server pool]"
    pool PROD-TACACS-VXX_ISE3.1
  } else {
    pool PROD-TACACS-VXX
  }
}

iRule for Guest:
--------------------

when CLIENT_ACCEPTED {
  # Log the client IP address (the original "-->" annotation is not valid Tcl, so it is a comment here)
  log local0. "Client: [IP::client_addr]"
  # Same address data group as the other VSs; only the pool names differ
  if { [class match [IP::client_addr] equals DG_ISE3.1_10.X.X.X_25] } {
    log local0. "Pool Member Partition/Name: [LB::server pool]"
    pool PROD-Guest-VXX_ISE3.1
  } else {
    pool PROD-Guest-VXX
  }
}

Step 4:

Attach the iRule to the VS in F5, then set the default pool's load balancing to None.

Note: for the steps, see the screenshot in the attachment.
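As an added example (not from the original post), the four per-VS iRules above generalized into one: it looks up both pool names from string data groups keyed by the virtual server name (assumed names DG_ISE31_POOL_BY_VS and DG_ISE26_POOL_BY_VS, with full VS paths as keys), reuses the post's address data group for the pilot subnets, and falls back to the 2.6 pool when the ISE 3.1 pool has no available members, so a pilot subnet does not lose authentication while the new nodes are down.

```tcl
# Added example, not from the original post. One iRule for every ISE VS.
# Assumed objects (rename to match your configuration):
#   DG_ISE3.1_10.X.X.X_25  - address data group with the pilot source subnets (from the post)
#   DG_ISE31_POOL_BY_VS    - string data group: "/Common/<vs name>" := "<ISE 3.1 pool>"
#   DG_ISE26_POOL_BY_VS    - string data group: "/Common/<vs name>" := "<ISE 2.6 pool>"
when CLIENT_ACCEPTED {
    set src [IP::client_addr]
    set vs  [virtual name]
    set p31 [class match -value $vs equals DG_ISE31_POOL_BY_VS]
    set p26 [class match -value $vs equals DG_ISE26_POOL_BY_VS]

    # Misconfiguration guard: a VS with no 2.6 pool mapping must fail visibly
    # instead of silently landing on whatever default pool the VS has.
    if { $p26 eq "" } {
        log local0.err "$vs: no ISE 2.6 pool mapping in DG_ISE26_POOL_BY_VS, dropping $src"
        drop
        return
    }

    if { [class match $src equals DG_ISE3.1_10.X.X.X_25] } {
        # Pilot source: use ISE 3.1 only while it has at least one available member,
        # otherwise fall back to 2.6 so RADIUS/TACACS/guest service is not lost.
        if { $p31 ne "" && [active_members $p31] > 0 } {
            pool $p31
            log local0. "$vs: $src -> ISE 3.1 pool $p31"
        } else {
            pool $p26
            log local0.warning "$vs: $src is a pilot source but ISE 3.1 pool '$p31' has no active members, using $p26"
        }
    } else {
        pool $p26
    }
}
```

Because ISE 2.6 and 3.1 keep separate session state, the fallback means a pilot client can be served by a different deployment mid-test; the warning log line is what makes that visible.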

3 REPLIES

Leslie_Hubertus
Community Manager

Thanks so much for this, @Srirengaa!

Could you please add a little more detail around the problem you are solving? If you can, I'd like to promote this to a CrowdSRC CodeShare post, so that more people can see the solution you've shared. 

Sure, Leslie.

Here is the problem statement: I am using ISE version 2.6 in production and have concurrently built 3.1 ISE nodes; the legacy 2.6 nodes should be decommissioned and replaced with the 3.1 version, but testing has not been completed.
How can we test ISE 3.1 guest portal access using both 2.6 and 3.1 ISE nodes without affecting the production environment? This is the challenge, and I found a solution by combining iRules and data groups to complete the task.

When the source segment matches the data group, the traffic is routed to ISE 3.1, and the remaining traffic is routed through the 2.6 nodes.

Example: I'm coming from source IP 10.10.10.10 and told the iRule to look for matching IPs in the data group and forward the traffic to ISE 3.1 if a match is found.