Help
Technical Forum
Ask questions. Discover Answers.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Technical Forum Quicklinks: No Replies | Active-Not Solved | Recent Solutions
Custom Alert Banner

F5 AppWorld 2024 session proposal deadline extended to Friday, December 8th!

I have ISE 2.6 and 3.1, but some specific networks in this segment should send to ISE3.1 Pool member

Srirengaa
Cirrus
Cirrus

‎06-Mar-2023 09:40 - last edited on ‎08-Mar-2023 10:11 by Community Manager

💎Solution :

Using i-RULE or Policies to solve the above issue

Step 1:

For ISE 2.6 and ISE 3.1, pool members should already be defined.

Local Traffic -> Pools ->

Step 2:

Under Data group, an IP source segment must be added.

Step 3:

i_RULE is below

Parameter for each single VS should call a different i-RULE. In my case, the ISE traffic for Radius, TACACS, Guest, and Profile was prepared independently and followed exactly.

i-RULE for Profiler:
--------------------

when CLIENT_ACCEPTED {
  log local0. "Client: [IP::client_addr]"
  if { [class match [IP::client_addr] equals DG_ISE3.1_10.X.X.X_25] } {
    log local0. "Pool Member Partition/Name: [LB::server pool]"
    pool PROD-Profiler-VXX_ISE3.1
  } else {
      pool PROD-Profiler-VXX
  }
}

i-RULE for Radius:
--------------------

when CLIENT_ACCEPTED {
  log local0. "Client: [IP::client_addr]"
  if { [class match [IP::client_addr] equals DG_ISE3.1_10.X.X.X_25] } {
    log local0. "Pool Member Partition/Name: [LB::server pool]"
    pool PROD-RADIUS-VXX_ISE3.1
  } else {
      pool PROD-RADIUS-VXX
  }
}

i-RULE for TACACS:
--------------------

when CLIENT_ACCEPTED {
  log local0. "Client: [IP::client_addr]"
  if { [class match [IP::client_addr] equals DG_ISE3.1_10.X.X.X_25] } {
    log local0. "Pool Member Partition/Name: [LB::server pool]"
    pool PROD-TACACS-VXX_ISE3.1
  } else {
      pool PROD-TACACS-VXX
  }
}

i-RULE for Guest:
--------------------

when CLIENT_ACCEPTED {
  log local0. "Client: [IP::client_addr]" --> Logging the client IP address
  if { [class match [IP::client_addr] equals DG_ISE3.1_10.X.X.X_25] } {
    log local0. "Pool Member Partition/Name: [LB::server pool]"
    pool PROD-Guest-VXX_ISE3.1
  } else {
      pool PROD-Guest-VXX
  }
}

Step 4:

Connect the i-RULE to the VS in F5, then set the default Pool's load balancing to none.

Note : For steps, see the screenshot in the attachment

Labels:
Preview file
137 KB
3 REPLIES 3

Leslie_Hubertus
Community Manager
Community Manager

‎10-Mar-2023 12:15 - edited ‎10-Mar-2023 12:24

Thanks so much for this, @Srirengaa!

Could you please add a little more detail around the problem you are solving? If you can, I'd like to promote this to a CrowdSRC CodeShare post, so that more people can see the solution you've shared. 

0 Kudos

Srirengaa
Cirrus
Cirrus
In response to Leslie_Hubertus

‎14-Mar-2023 13:14

Sure Leslie

Here the Problem statement - I am using the ISE 2.6 version in production and have concurrently built 3.1 ISE nodes; the legacy 2.6 nodes should be decommissioned and replaced with the 3.1 version, but testing has not been completed.
How can we test ISE 3.1 guest portal access using both 2.6 and 3.1 ISE nodes without affecting the production environment? This is the changellence, and i found a solution by combining i-rules and data groups to complete the tasks.

0 Kudos

Srirengaa
Cirrus
Cirrus
In response to Srirengaa

‎14-Mar-2023 13:18

When the source segment matches the datagroup, the traffic is routed to ISE3.1, and the remaining traffic is routed through 2.6 nodes.

Example: I'm coming from 10.10.10.10 source IP and told i-rule to look for matching IPs in the datagroup and forward traffic to ISE3.1 if any matches are found.

0 Kudos
Copyright © 2023 Khoros, LLC