
ISE 1.3 F5-ISE Load Balancing Deep Dive
• Craig Hyps, Cisco Systems, Senior Technical Marketing Engineer
• Faraz Siddiqui, F5 Networks, Solution Architect
• December 4, 2014
Agenda
• Introducing F5 BIG-IP and Cisco ISE Solution Components
• Joint Solution Overview – Deployment Model, Topology, and Traffic Flow
• Configuration Prerequisites (Starting Point for LB Deployment)
• Forwarding Non-LB Traffic
• Load Balancing RADIUS
• Load Balancing Profiling Services
• Load Balancing Web Services
• Global Load Balancing Considerations
• Monitoring and Troubleshooting
• Summary

© 2013-2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 2
F5 BIG-IP Solution Components
F5 BIG-IP Product
Good, Better, Best Platforms

[Platform lineup: 2000 series*, 4000 series, 5000 series, 7000 series, 10000 series, 11000 series, VIPRION 2200 and VIPRION 2400 (new), VIPRION 4480, VIPRION 4800; throughput tiers 25M, 200M, 1Gbps, 3Gbps, 5Gbps and 10Gbps (new)]

Virtual: F5 virtual editions provide flexible deployment options for virtual environments and the cloud.
Virtual ADC is best for:
• Accelerated deployment
• Maximizing data center efficiency
• Private and public cloud deployments
• Application or tenant-based pods
• Keeping security close to the app
• Lab, test, and QA deployments

Physical: F5 physical ADCs deliver high performance with specialized and dedicated hardware.
Physical ADC is best for:
• Fastest performance
• Highest scale
• SSL offload, compression, and DoS mitigation
• An all-F5 solution: integrated HW+SW
• Edge and front door services
• Purpose-built isolation for application delivery workloads

Hybrid: Physical + virtual = hybrid ADC infrastructure, for ultimate flexibility and performance.
Hybrid ADC is best for:
• Transitioning from physical to virtual and from private data center to cloud
• Cloud bursting
• Splitting large workloads
• Tiered levels of service
Understanding F5 BIG-IP Components
Understanding F5 Components

• BIG-IP: the name of the platform produced by F5 that provides Application Delivery Controller (ADC) functionality. F5 BIG-IP is offered in virtual (Virtual Edition), appliance, and chassis form factors.

• LTM: the Local Traffic Manager, a licensed software module that runs inside an F5 BIG-IP. LTM handles the server load balancing function.

• Virtual Server: the traffic management object on the BIG-IP system that is represented by an IP address and a service. The VIP is configured in the virtual server.
BIG-IP LTM Components: Nodes

• A node is a physical or logical (for example, VMware) server in the internal network.
• A node is represented by the IP address of the server.

[Diagram: nodes 172.20.10.1, 172.20.10.2, 172.20.10.3, 172.20.10.4]
BIG-IP LTM Components: Pool Members

• A pool member is a service running on a node, represented by the IP address of the node and the service (port) number.
• A node can host multiple pool members.

[Diagram: nodes 172.20.10.1, 172.20.10.2, 172.20.10.3, 172.20.10.4; pool members 172.20.10.1:80, 172.20.10.2:80, 172.20.10.3:80, 172.20.10.2:443, 172.20.10.3:443, 172.20.10.4:443]
BIG-IP LTM Components: Pools

• A pool is a logical grouping of pool members that represents an application.
• Each pool has its own load balancing method.
• A node can be a member of multiple pools.

[Diagram: nodes 172.20.10.1, 172.20.10.2, 172.20.10.3, 172.20.10.4; pool members 172.20.10.1:80, 172.20.10.2:80, 172.20.10.3:8080, 172.20.10.2:443, 172.20.10.3:443, 172.20.10.4:443]
BIG-IP LTM Components: Virtual Servers

NOTE: BIG-IP LTM is a default deny device; the virtual server is the most common way to allow client requests through.

• A virtual server is an IP address and service (port) combination that listens for client requests.
• Each virtual server will uniquely process client requests that match its IP address and port.
• Each virtual server then directs the traffic, usually to an application pool.
• The virtual server translates the destination IP address and port to the selected pool member.
• Multiple virtual servers can reference the same pools, pool members, and/or nodes.

[Diagram: virtual servers 10.2.2.100:80, 10.2.2.100:443 and 10.2.2.225:8080 in front of nodes 172.20.10.1, 172.20.10.2, 172.20.10.3, 172.20.10.4 with pool members 172.20.10.1:80, 172.20.10.2:80, 172.20.10.3:8080, 172.20.10.2:443, 172.20.10.3:443, 172.20.10.4:443]
Monitors
• A monitor is a test of a specific application, for an expected response, within a given time
• All BIG-IP monitors have two things in common:
  • Interval: the time between each check
  • Timeout: the time within which a successful check must be received before BIG-IP marks the node as unavailable
• BIG-IP LTM can use composite monitors, so it can apply multiple checks
  • It can use all or some of the monitors to determine member status
• Monitors can also use reverse logic
• Monitors are sent from the Self IP addresses
How Active Monitors Work

• Monitors check the status of a pool member or node on an ongoing basis, at a set interval ("Are you up?")
• If a pool member or node being monitored does not respond within the set interval, BIG-IP LTM marks it offline
• BIG-IP LTM continues to direct traffic to the remaining pool members while continuing to monitor the offline pool member or node
• When the pool member or node responds, BIG-IP LTM marks it as available and starts directing traffic to the pool member

[Diagram: virtual servers 10.2.2.100:80 and 10.2.2.100:443; nodes 172.20.10.1, 172.20.10.2 and 172.20.10.3 answer "Yes", 172.20.10.4 does not answer; pool members 172.20.10.1:80, 172.20.10.2:80, 172.20.10.3:8080, 172.20.10.2:443, 172.20.10.3:443, 172.20.10.4:443]
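The interval/timeout behaviour described on the two monitor slides, as an added Python example that is not part of the deck and not F5 code: a small simulation of an active monitor over two of the slide's pool members. It assumes F5's default values of a 5-second interval and a 16-second timeout, and a constructed outage in which 172.20.10.4:443 stops answering for thirty seconds; the timeout is measured from the last successful probe, so the member survives a few missed checks before it is marked down, and it returns on the first successful check.

```python
"""Simulation of how a BIG-IP LTM active monitor marks pool members.

Added example, not F5 code.  Every `interval` seconds each member is asked
"Are you up?"; a member is marked offline once `timeout` seconds have passed
without a successful answer, keeps being probed while offline, and is marked
available again on the first successful probe.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

# probe(address, now) -> True if the member answered the check at time `now`
Probe = Callable[[str, float], bool]


@dataclass
class MonitoredMember:
    address: str                 # e.g. "172.20.10.4:443"
    available: bool = True
    last_success: float = 0.0    # time of the last successful probe


@dataclass
class ActiveMonitor:
    interval: float = 5.0        # seconds between checks (F5 default)
    timeout: float = 16.0        # seconds without a good check before marking down (F5 default)
    members: Dict[str, MonitoredMember] = field(default_factory=dict)
    log: List[str] = field(default_factory=list)

    def add(self, address: str) -> None:
        self.members[address] = MonitoredMember(address)

    def probe_cycle(self, now: float, probe: Probe) -> None:
        """One round of checks at time `now`."""
        for m in self.members.values():
            if probe(m.address, now):
                m.last_success = now
                if not m.available:
                    m.available = True
                    self.log.append(f"{now:.1f}s {m.address} UP")
            elif m.available and now - m.last_success >= self.timeout:
                # Timeout counts from the last success, so a member survives a
                # couple of missed probes before it is taken out of rotation.
                m.available = False
                self.log.append(f"{now:.1f}s {m.address} DOWN")

    def run(self, start: float, until: float, probe: Probe) -> None:
        """Probe every `interval` seconds from `start` through `until`."""
        now = start
        while now <= until:
            self.probe_cycle(now, probe)
            now += self.interval

    def available_members(self) -> List[str]:
        """Members a virtual server may still send traffic to."""
        return [a for a, m in self.members.items() if m.available]


def simulate_outage(down_from: float = 10.0, down_until: float = 40.0
                    ) -> Tuple[List[str], List[str], List[str]]:
    """Constructed scenario: 172.20.10.4:443 stops answering between
    `down_from` and `down_until`.  Returns (event log, members available
    at t=30, members available at t=45)."""
    mon = ActiveMonitor(interval=5.0, timeout=16.0)
    for addr in ("172.20.10.3:443", "172.20.10.4:443"):
        mon.add(addr)

    def probe(address: str, now: float) -> bool:
        if address == "172.20.10.4:443" and down_from <= now < down_until:
            return False
        return True

    mon.run(0.0, 30.0, probe)
    during = mon.available_members()
    mon.run(35.0, 45.0, probe)
    after = mon.available_members()
    return mon.log, during, after


if __name__ == "__main__":
    events, during, after = simulate_outage()
    print("\n".join(events))
    print("available during outage:", during)
    print("available after recovery:", after)
```

With these defaults the member's last good check is at t=5, the probes at 10, 15 and 20 fail, and the check at t=25 is the first one at which 16 seconds have elapsed, so the member is marked down there and comes back at t=40; in between, only 172.20.10.3:443 is eligible for traffic.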
What is an iRule?
What are iRules?

• The programming language integrated into the TMOS® architecture
• iRules work at wire-speed
• Based on the industry standard Tool Command Language (TCL)
• Provide the ability to intercept, inspect, transform, direct, and track inbound or outbound application traffic
• Core of the F5 "secret sauce" and key differentiator
How do iRules Work?
• Respond to events, such as:
  • HTTP_REQUEST
  • HTTP_RESPONSE
  • CLIENT_ACCEPTED
• Enable you to perform deep packet inspection (entire header and payload)
• Provide a full scripting language that enables bidirectional and granular control of:
  • Inspection
  • Alteration
  • Delivery of application traffic on a packet-by-packet basis

[Diagram: a client request enters BIG-IP, the HTTP_REQUEST event fires and the iRule is triggered, a modified request goes to the server; the server's response fires HTTP_RESPONSE and a modified response returns to the client]

Note: The bi-directional proxy capabilities of BIG-IP LTM enable it to inspect, modify, and route traffic at nearly any point in the traffic flow, regardless of direction
Key Elements of an iRule

Event Declarations
• Define when the code executes
• Every iRule has an event

when HTTP_REQUEST {
    if { [HTTP::host] ends_with "bob.com" } {
        pool http_pool1
    }
}

Commands
• Define the action to perform

Operators
• Define under which conditions BIG-IP LTM performs an action
iRules Events
• Events are actions that trigger the processing of the iRule
• Examples
  • HTTP_REQUEST
  • HTTP_RESPONSE
  • CLIENT_ACCEPTED
  • LB_FAILED

when HTTP_REQUEST {
    if { [HTTP::host] ends_with "bob.com" } {
        pool http_pool1
    }
}
Persistence
• Persistence
  • Directs a client back to the same server after the initial load balancing decision has been made
  • Is required for stateful applications, such as e-commerce shopping carts
  • May skew load balancing statistics
• Universal Persistence
  • iRules can create persistence records based on anything in the client's request, such as session ID, username, etc.
RADIUS Persistence

• Cisco ISE requires RADIUS Authentication and Authorization traffic for an endpoint to be established to a single PSN, including the additional RADIUS transactions that may occur during the initial connection phase, such as re-authentication following CoA.
• It is advantageous for this persistence to continue after initial session establishment, so that re-authentications can leverage the EAP Session Resume and Fast Reconnect cache on the PSN.

Using Persistence Profiles
• Persist Attribute
• Default Persistence Profile
• Fallback Persistence Profile

Using iRules for RADIUS Persistence
• iRules form the crucial pillar behind the operational and configurational flexibility for enabling load balancing of any device, in this case the Cisco ISE
BIG-IP Listeners: Traffic Flow
How Does Traffic Enter a BIG-IP?
• Routing to a listener on the BIG-IP
• Listeners are
  • Self IPs
  • SNATs
  • NATs
  • Virtual Servers

[Diagram: traffic from the Internet arrives on the External VLAN of the BIG-IP; addresses shown are 10.2.2.1, the virtual server 10.2.2.100:80, and 10.2.2.50 NAT to 192.168.4.8]
Packet Processing Priority
1. Existing connection in connection table
2. Packet filter rule
3. Virtual server
4. SNAT
5. NAT
6. Self-IP
7. Drop

Load Balancing
• A load balancing method is an algorithm or formula used to determine which pool member to send traffic to
• Load balancing is connection based
• Static load balancing methods distribute connections in a fixed manner
  • Round Robin (RR)
  • Ratio (Weighted Round Robin)
    • Distributes in a RR fashion among members/nodes whose ratio has not been met
• Dynamic load balancing methods take into account one or more factors, such as the current connection count
• It is important to experiment with different load balancing methods and select the one that offers the best performance in your particular environment
Dynamic Load Balancing Methods
• Least Connections
  • Fewest L4 connections when the load balancing decision is being made
  • Recommended when servers have similar capabilities
  • Very commonly used
• Fastest
  • Balances based upon the number of outstanding L7 requests and then L4 connections
  • Requires an L7 profile on the virtual server; otherwise it is just Least Connections
  • Recommended when servers have similar capabilities
• Observed
  • Calculates a ratio each second based on the number of L4 connections
  • Not recommended for large pools
Load Balancing a Service (Member)
• With each new client request, BIG-IP LTM verifies which pool member has the fewest active connections
• In this example, the HTTP pool is configured with the Least Connections (member) method
• BIG-IP LTM directs the request to the pool member with the least number of connections
• Current connection counts for each pool member are displayed in red

[Diagram: Internet client 18.200.150.10 sends a request to virtual server 10.2.2.100:80; nodes 172.20.10.1, 172.20.10.2, 172.20.10.3; http_pool members 172.20.10.1:80 (45 connections), 172.20.10.2:80 (42), 172.20.10.3:8080 (36); secure_pool members 172.20.10.2:443 (12), 172.20.10.3:443 (22)]
F5 BIG-IP and Cisco ISE
Joint Solution Benefits
F5 BIG-IP Local Traffic Manager (LTM) is a sophisticated local load balancing solution that
incorporates many advanced security and traffic optimization features.
Integrating F5 BIG-IP load balancing solutions with ISE can:
• Significantly improve ISE RADIUS, Profiling, and Web Service performance, scalability, and
availability
• Provide Bring Your Own Device (BYOD) endpoint scalability
• Deliver customizable policies for identity management of enterprise users and user devices
• Offer flexibility of iRules to maintain persistence profiles of Wi-Fi users
• Implement health monitor probes with BIG-IP LTM for health check of Cisco ISE servers

References
• BIG-IP LTM Product Overview
  http://www.f5.com/pdf/products/big-ip-local-traffic-manager-overview.pdf
• BIG-IP LTM Configuration Guide
  https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/ltm_configuration_guide_10_0_0.html
• BIG-IP LTM Support forum
  https://support.f5.com/kb/en-us/products/big-ip_ltm.html
• DevCentral Forum
  https://devcentral.f5.com/
• iRules on F5 DevCentral
  https://devcentral.f5.com/wiki/irules.ltmmaintenancepage.ashx
• F5 University – LTM Training
  https://login.f5.com/resource/login.jsp?ctx=719748&referral=university

Follow us on Twitter @f5Networks | Official F5 Networks Channel
Load Balancing - 101
Load Balancing an IP Address (Node)
• In this example, the HTTP pool is configured with the Least Connections (node) method
• With each new end-user request, BIG-IP LTM verifies which node has the fewest active connections
• BIG-IP LTM directs the request to the node with the least number of connections
• This takes into account all services running on the node
• Current connection counts for each pool member are displayed in red

[Diagram: Internet client 18.200.150.10 sends a request to virtual server 10.2.2.100:80; node totals 172.20.10.1 = 45, 172.20.10.2 = 54, 172.20.10.3 = 58; http_pool members 172.20.10.1:80 (45), 172.20.10.2:80 (42), 172.20.10.3:8080 (36); secure_pool members 172.20.10.2:443 (12), 172.20.10.3:443 (22)]
Pool Failure Mechanisms
• Fallback Host (for HTTP and HTTPS applications)
  • Is the server of last resort if all pool members are unavailable
  • Returns an HTTP redirect (HTTP 302) to the client
  • Configured in the HTTP profile; the fallback host is not monitored
• Priority Group Activation
  • Can dynamically pull new members into the pool
  • Pulls lower priority groups into higher priority groups
  • Pulls in all members of a priority group together

[Diagram: web_pool (Priority = 5, Activation < 2) and ftp_pool (Priority = 5, Activation < 3), both backed by Backup Servers running WWW and FTP at Priority = 1]
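The selection rules on the load balancing slides (Round Robin, Ratio, Least Connections per member and per node) and the Priority Group Activation rule above, as one added Python example; it is not code from the deck, from F5 or from Cisco. The pools and connection counts are the ones shown in red on the two Least Connections slides (http_pool 45/42/36, secure_pool 12/22), so the member method picks 172.20.10.3:8080 and the node method picks 172.20.10.1. The priority group pool and its addresses are constructed, and the way the Ratio method resets its counters after each full cycle is an assumption about how a weighted round robin is implemented, not a statement of F5's internals.

```python
"""Pool member selection as the slides describe it.  Added example, not F5
code: Round Robin, Ratio (weighted RR), Least Connections (member) and
Least Connections (node), with Priority Group Activation deciding which
members are eligible before the method runs.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Member:
    node: str            # IP address of the node
    port: int
    connections: int = 0
    ratio: int = 1
    priority: int = 0    # priority group; higher is preferred
    available: bool = True

    @property
    def address(self) -> str:
        return f"{self.node}:{self.port}"


@dataclass
class Pool:
    name: str
    members: List[Member]
    min_active: int = 0                 # Priority Group Activation "less than N" (0 = off)
    _rr_index: int = 0
    _ratio_index: int = 0
    _ratio_served: Dict[str, int] = field(default_factory=dict)

    def eligible(self) -> List[Member]:
        """Priority Group Activation: start with the highest priority group;
        while fewer than `min_active` members are available, pull in the next
        lower group as a whole."""
        up = [m for m in self.members if m.available]
        if self.min_active <= 0:
            return up
        chosen: List[Member] = []
        for prio in sorted({m.priority for m in up}, reverse=True):
            chosen += [m for m in up if m.priority == prio]
            if len(chosen) >= self.min_active:
                break
        return chosen

    def round_robin(self) -> Member:
        pool = self.eligible()
        m = pool[self._rr_index % len(pool)]
        self._rr_index += 1
        return m

    def ratio(self) -> Member:
        """Weighted round robin: RR among members whose ratio has not been
        met; once every member has met its ratio, start a new cycle."""
        pool = self.eligible()
        pending = [m for m in pool if self._ratio_served.get(m.address, 0) < m.ratio]
        if not pending:
            self._ratio_served = {}
            pending = pool
        m = pending[self._ratio_index % len(pending)]
        self._ratio_index += 1
        self._ratio_served[m.address] = self._ratio_served.get(m.address, 0) + 1
        return m

    def least_connections_member(self) -> Member:
        """Fewest L4 connections on the pool member itself."""
        return min(self.eligible(), key=lambda m: m.connections)

    def least_connections_node(self, all_pools: List["Pool"]) -> Member:
        """Fewest L4 connections on the node, counting every service the node
        runs in any pool (this pool included)."""
        pools = list(all_pools)
        if self not in pools:
            pools.append(self)
        per_node: Dict[str, int] = {}
        for p in pools:
            for m in p.members:
                per_node[m.node] = per_node.get(m.node, 0) + m.connections
        return min(self.eligible(), key=lambda m: per_node[m.node])


def slide_pools() -> Tuple[Pool, Pool]:
    """The two pools and the connection counts from the slides."""
    http_pool = Pool("http_pool", [
        Member("172.20.10.1", 80, connections=45),
        Member("172.20.10.2", 80, connections=42),
        Member("172.20.10.3", 8080, connections=36),
    ])
    secure_pool = Pool("secure_pool", [
        Member("172.20.10.2", 443, connections=12),
        Member("172.20.10.3", 443, connections=22),
    ])
    return http_pool, secure_pool


def priority_group_pool() -> Pool:
    """Constructed web_pool: two Priority = 5 members, one Priority = 1 backup,
    Activation < 2 (addresses are made up for the example)."""
    return Pool("web_pool", [
        Member("10.2.2.11", 80, priority=5),
        Member("10.2.2.12", 80, priority=5),
        Member("10.2.2.99", 80, priority=1),
    ], min_active=2)


if __name__ == "__main__":
    http_pool, secure_pool = slide_pools()
    print("member:", http_pool.least_connections_member().address)
    print("node:  ", http_pool.least_connections_node([http_pool, secure_pool]).address)
    web = priority_group_pool()
    web.members[0].available = False
    print("eligible after one failure:", [m.address for m in web.eligible()])
```

The node method sums 172.20.10.2's 42 + 12 and 172.20.10.3's 36 + 22, which is why it prefers 172.20.10.1 (45) even though that node hosts the busiest http_pool member; the priority group pool stays on its two Priority = 5 members until one fails, at which point the whole Priority = 1 group is pulled in.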
DevCentral F5 User Community
Over 105,000 Members in 191 Countries and Growing!

References
• Wikis
• API/SDK Documentation

Resources
• Sample Code
• Tech Tips
• Forums
• Podcasts
• Blogs

Tools and Frameworks
• iRule Editor
• iControl SDK
  • .NET, Java, Python, PowerShell, ...
• VMware vSphere Management Plug-in
• Microsoft SCOM Monitoring Pack
Cisco ISE Solution Components
Cisco Identity Services Engine (ISE)
All-in-One Enterprise Policy Control

[Diagram: identity context (Who, What, Where, When, How) and security policy attributes feed Cisco® ISE, which produces business-relevant policies across wired, wireless and VPN access for virtual machine clients, IP devices, guests, employees, and remote users]

Replaces AAA and RADIUS, NAC, guest management, and device identity servers
ISE Node Types

• Policy Service Node (PSN)
  – Makes policy decisions
  – RADIUS server; provides endpoint/user services
• Policy Administration Node (PAN)
  – Interface to configure policies and manage the ISE deployment
  – Writeable access to the database
• Monitoring & Troubleshooting Node (MnT)
  – Interface to reporting and logging
  – Destination for syslog from other ISE nodes and NADs
• Inline Posture Node (IPN)
  – Enforces posture policy for legacy or 3rd-party NADs

(These personas can run in a single host.)
ISE Communications

• Network Access Device (NAD): access-layer devices; the enforcement point for all policy
• Policy Service Node (PSN): the "work-horse" for RADIUS, Profiling, WebAuth, Posture, Sponsor Portal and Client Provisioning
• Policy Administration Node (PAN): all management UI activities and synchronizing all ISE nodes
• Monitoring and Troubleshooting Node (MnT): logging and reporting data

[Diagram of flows: Admin connects to the PAN; RADIUS from NAD to PSN and RADIUS reply from PSN to NAD; RADIUS Accounting from NAD to PSN; Policy Sync between PAN and PSN; the PSN queries the external database (user directory) directly; syslog from the NAD and the ISE nodes to MnT]
Example ISE Deployment

[Diagram: Data Center A hosts Admin (P) PAN, Monitor (P) MnT, a Policy Services Cluster of four PSNs, HA Inline Posture Nodes (IPN) and AD/LDAP (External ID/Attribute Store); Data Center B hosts Admin (S) PAN, Monitor (S) MnT, Distributed Policy Services (two PSNs) and AD/LDAP (External ID/Attribute Store); access devices include a WLC, an ASA VPN (Non-CoA), 802.1X switches and APs; Branch A and Branch B each have an 802.1X switch and AP]
Scaling by Deployment, Platform, and Persona
• Max Concurrent Endpoint Counts by Deployment Model and Platform

Deployment Model                               | Platform               | Max # Endpoints per Deployment | Max # Dedicated PSNs
Standalone (all personas on same node)         | 33xx                   | 2,000                          | 0
(2 nodes redundant)                            | 3415                   | 5,000                          | 0
                                               | 3495                   | 10,000                         | 0
Admin + MnT on same node; Dedicated PSN        | 3355 as Admin+MNT      | 5,000                          | 5
(Minimum 4 nodes redundant)                    | 3395 as Admin+MNT      | 10,000                         | 5
                                               | 3415 as Admin+MNT      | 5,000                          | 5
                                               | 3495 as Admin+MNT      | 10,000                         | 5
Dedicated Admin and MnT nodes                  | 3395 as Admin and MNT  | 100,000                        | 40
(Minimum 6 nodes redundant)                    | 3495 as Admin and MNT  | 250,000                        | 40

Scaling per PSN                                | Platform  | Max # Endpoints per PSN
Dedicated Policy nodes                         | ISE-3315  | 3,000
(Max Endpoints Gated by Total Deployment Size) | ISE-3355  | 6,000
                                               | ISE-3395  | 10,000
                                               | SNS-3415  | 5,000
                                               | SNS-3495  | 20,000
Joint Solution Overview – Deployment Model, Topology, and Traffic Flow
Scaling RADIUS, Web, and Profiling with BIG-IP LTM
• Policy Service nodes can be configured in a cluster behind a load balancer (LB).
• Access Devices send RADIUS AAA requests to the LB virtual IP.

[Diagram: Network Access Devices send to the Virtual IP on the F5 BIG-IP LTM (Load Balancers), which distributes to a cluster of ISE PSNs (RADIUS Servers)]
Scaling Global Sponsor / MyDevices with BIG-IP GTM

• Use Global Load Balancing (GTM) to direct traffic to the closest VIP.
• Local Web Load-balancing (LTM) distributes each request to a single PSN.
• Load Balancing simplifies and scales ISE Web Portal Services.

[Diagram: the DNS server for domain COMPANY.COM, fronted by F5 BIG-IP GTM (Global LB), answers SPONSOR and MYDEVICES with 10.1.0.100, 10.2.0.100, 10.3.0.100; each of three sites has an F5 BIG-IP LTM (Local LB) with VIP 10.1.0.100, 10.2.0.100 or 10.3.0.100 in front of three PSNs: ISE-PSN-1 10.1.1.1, ISE-PSN-2 10.1.1.2, ISE-PSN-3 10.1.1.3; ISE-PSN-4 10.2.1.4, ISE-PSN-5 10.2.1.5, ISE-PSN-6 10.2.1.6; ISE-PSN-7 10.3.1.7, ISE-PSN-8 10.3.1.8, ISE-PSN-9 10.3.1.9; PAN and MnT pairs shown centrally]
Load Balancing ISE Policy Services

• RADIUS Authentication and Accounting Services
  Packets sent to the LB virtual IP are load-balanced to a real PSN based on the configured algorithm. The sticky algorithm determines the method used to ensure the same Policy Service node services the same endpoint.

• URL-Redirected Services: Posture (CPP) / MDM / Central WebAuth (CWA) / Native Supplicant Provisioning (NSP) / Device Registration WebAuth (DRW) / Hotspot
  No LB required! The PSN that terminates RADIUS returns a URL Redirect with its own certificate CN name substituted for the 'ip' variable in the URL.

• Direct HTTP/S Services: Local WebAuth (LWA) / Sponsor Portal / MyDevices Portal
  A single web portal domain name should resolve to the LB virtual IP for HTTP/S load balancing.

• Profiling Services: DHCP Helper / SNMP Traps / NetFlow / RADIUS
  The LB VIP is the target for one-way profile data (no response required). The VIP can be the same as or different from the one used by RADIUS LB; the real server interface can be the same as or different from the one used by RADIUS.
Load Balancing RADIUS
Sample Flow

[Diagram: VLAN 98 (10.1.98.0/24) on the access side and VLAN 99 (10.1.99.0/24) on the PSN side; the Access Device is configured with "radius-server host 10.1.98.8" (1) and sends the AUTH request and RADIUS ACCTG request to 10.1.98.8 (2); the F5 LTM VIP 10.1.98.8 fronts PSN-CLUSTER: ISE-PSN-1 10.1.99.5, ISE-PSN-2 10.1.99.6, ISE-PSN-3 10.1.99.7 (3); the AUTH response and RADIUS ACCTG response come from 10.1.99.7 (4, 5)]

1. NAD has a single RADIUS Server defined (10.1.98.8)
2. RADIUS Auth requests sent to VIP 10.1.98.8
3. Requests for the same endpoint are load balanced to the same PSN via sticky based on RADIUS Calling-Station-ID and Framed-IP-Address
4. RADIUS Response received from real server ise-psn-3 @ 10.1.99.7
5. RADIUS Accounting sent to/from the same PSN based on sticky
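The sticky behaviour in steps 3 and 5 above, together with the RADIUS Persistence requirement stated earlier in the deck (Authentication, Authorization, Accounting and CoA-driven re-authentication for one endpoint must all reach the same PSN), as one added Python example. It is not code from the deck, from F5 or from Cisco: it builds constructed RADIUS packets, parses their attributes, keys a persistence record on Calling-Station-Id (attribute 31) with Framed-IP-Address (attribute 8) as the fallback for NADs that send no MAC (that fallback order is an assumption), and shows the record steering later packets to the PSN that handled the first one. The PSN addresses are the slide's 10.1.99.5 to 10.1.99.7; the MAC addresses and client IP are made up. In an iRule the same key would come from the `RADIUS::avp 31` command, which is only referenced here, not executed.

```python
"""RADIUS persistence for ISE behind an LB.  Added example, not F5 or Cisco
code: the persistence key is Calling-Station-Id (attribute 31) when present,
otherwise Framed-IP-Address (attribute 8); one persistence record then steers
Authentication, Accounting and CoA-driven re-authentication for an endpoint
to the same PSN.
"""
import struct
from typing import Dict, List, Optional, Tuple

ACCESS_REQUEST, ACCOUNTING_REQUEST = 1, 4
FRAMED_IP_ADDRESS, CALLING_STATION_ID = 8, 31
PSN_POOL = ["10.1.99.5", "10.1.99.6", "10.1.99.7"]   # PSN-CLUSTER from the slide


def build_radius(code: int, ident: int, avps: List[Tuple[int, bytes]]) -> bytes:
    """Constructed packet in RFC 2865 layout: code, id, length, a 16-byte
    authenticator (zeroed here) and Type-Length-Value attributes."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in avps)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + bytes(16) + body


def parse_avps(packet: bytes) -> Dict[int, bytes]:
    """Return the first value of each attribute type, refusing malformed
    lengths rather than reading past the packet."""
    if len(packet) < 20:
        raise ValueError("short RADIUS packet")
    length = struct.unpack("!H", packet[2:4])[0]
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    avps: Dict[int, bytes] = {}
    pos = 20
    while pos + 2 <= length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        avps.setdefault(attr_type, packet[pos + 2:pos + attr_len])
        pos += attr_len
    return avps


def persistence_key(avps: Dict[int, bytes]) -> Optional[str]:
    """Calling-Station-Id (the endpoint MAC) first; Framed-IP-Address as the
    fallback for NADs that do not send a MAC (assumption for this example)."""
    mac = avps.get(CALLING_STATION_ID)
    if mac:
        return mac.decode("ascii", "replace").upper()
    ip = avps.get(FRAMED_IP_ADDRESS)
    if ip and len(ip) == 4:
        return ".".join(str(b) for b in ip)
    return None


class StickyBalancer:
    """Universal persistence: the first packet for a key is load balanced
    (round robin here); later packets with the same key reuse the record."""

    def __init__(self, pool: List[str]) -> None:
        self.pool = list(pool)
        self.next = 0
        self.table: Dict[str, str] = {}

    def _pick(self) -> str:
        psn = self.pool[self.next % len(self.pool)]
        self.next += 1
        return psn

    def select(self, packet: bytes) -> Tuple[str, str]:
        key = persistence_key(parse_avps(packet))
        if key is None:
            return self._pick(), "no-persist"     # nothing to stick on: plain LB
        if key in self.table:
            return self.table[key], "persisted"
        self.table[key] = self._pick()
        return self.table[key], "new-record"


def endpoint_session() -> List[Tuple[str, str, str]]:
    """Constructed flow: endpoint A authenticates, endpoint B authenticates,
    then A's Accounting-Request and a CoA-triggered re-authentication."""
    mac_a, mac_b = b"00-11-22-33-44-55", b"66-77-88-99-AA-BB"
    ip_a = bytes([10, 1, 50, 20])
    flow = [
        ("auth A", build_radius(ACCESS_REQUEST, 1, [(CALLING_STATION_ID, mac_a)])),
        ("auth B", build_radius(ACCESS_REQUEST, 2, [(CALLING_STATION_ID, mac_b)])),
        ("acct A", build_radius(ACCOUNTING_REQUEST, 3,
                                [(CALLING_STATION_ID, mac_a), (FRAMED_IP_ADDRESS, ip_a)])),
        ("reauth A", build_radius(ACCESS_REQUEST, 4,
                                  [(CALLING_STATION_ID, mac_a), (FRAMED_IP_ADDRESS, ip_a)])),
    ]
    lb = StickyBalancer(PSN_POOL)
    return [(name,) + lb.select(pkt) for name, pkt in flow]


if __name__ == "__main__":
    for name, psn, how in endpoint_session():
        print(f"{name:9s} -> {psn} ({how})")
```

Endpoint A's first Access-Request creates the record on 10.1.99.5; B's goes to the next PSN; A's Accounting-Request and its re-authentication both carry the same Calling-Station-Id and follow the record, which is the property ISE needs for CoA and for the EAP session cache. The parser bounds every attribute by the packet's own length field, so a truncated or corrupted packet is rejected instead of being keyed on garbage.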
Load Balancing with URL-Redirection
Sample Flow

[Diagram: the Access Device sends the RADIUS request to psn-cluster.company.com at VIP 10.1.98.8 (1); the F5 LTM fronts PSN-CLUSTER: ISE-PSN-1 10.1.99.5, ISE-PSN-2 10.1.99.6, ISE-PSN-3 10.1.99.7 (2); the RADIUS response from ise-psn-3.company.com carries the redirect https://ise-psn-3.company.com:8443/... (3); the user's DNS lookup of ise-psn-3.company.com returns 10.1.99.7 (4); the HTTPS response comes from ise-psn-3.company.com (5); ISE Certificate Subject CN = ise-psn-3.company.com]

1. RADIUS Authentication requests sent to VIP 10.1.98.8.
2. Requests for the same endpoint are load balanced to the same PSN via RADIUS sticky.
3. RADIUS Authorization received from ise-psn-3 @ 10.1.99.7 with URL Redirect to https://ise-psn-3.company.com:8443/...
4. Client browser is redirected and resolves the FQDN in the URL to the real server address.
5. User sends the web request directly to the same PSN that serviced the RADIUS request.
Load Balancing Non-Redirected Web Services
Sample Flow

[Diagram: the Sponsor's DNS lookup of sponsor.company.com returns 10.1.98.8 (1); https://sponsor.company.com is sent to VIP 10.1.98.8 on the F5 LTM (2); PSN-CLUSTER: ISE-PSN-1 10.1.99.5, ISE-PSN-2 10.1.99.6, ISE-PSN-3 10.1.99.7 (3); https response from ise-psn-3 @ 10.1.99.7 (4); certificate check: Requested URL = sponsor.company.com, Certificate SAN = sponsor.company.com, Certificate OK! (5); ISE Certificate Subject = ise-psn-3.company.com, SAN = ise-psn-3.company.com, sponsor.company.com]

1. Browser resolves sponsor.company.com to VIP @ 10.1.98.8
2. Web request sent to https://sponsor.company.com @ 10.1.98.8
3. ACE load balances request to PSN based on IP or HTTP sticky
4. HTTPS response received from ise-psn-3 @ 10.1.99.7
5. Certificate SAN includes FQDN for both sponsor and ise-psn-3.
Load Balancing Profiling Services
Sample Flow

[Diagram: the user's client sends a DHCP Request through the Access Device (1); the next-hop router relays it to the DHCP Server at Helper IP 10.1.1.10 and to Helper IP 10.1.98.8 (2); the DHCP Server returns the DHCP Response (3); the F5 LTM VIP 10.1.98.8 load balances its copy to PSN-CLUSTER: ISE-PSN-1 10.1.99.5, ISE-PSN-2 10.1.99.6, ISE-PSN-3 10.1.99.7 (4)]

1. Client OS sends DHCP Request
2. Next-hop router with IP Helper configured forwards the DHCP request to the real DHCP server and to the secondary entry = LB VIP
3. Real DHCP server responds and provides the client a valid IP address
4. DHCP request to VIP is load balanced to PSN @ 10.1.99.7 based on source IP sticky (L3 gateway) or a DHCP field parsed from the request.
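Step 4 above leaves the choice of sticky key open: the source IP, which for relayed DHCP is the L3 gateway, or a field parsed from the DHCP payload. The following added Python example (not code from the deck, from F5 or from Cisco) builds constructed DHCPREQUEST packets for four clients behind one gateway, parses the relay address (giaddr) and the client hardware address (chaddr) out of the BOOTP header, and distributes the packets both ways so the difference is visible: keyed on the gateway, every endpoint behind it profiles on one PSN; keyed on the client MAC, the endpoints spread across the cluster while each endpoint's renewals still follow its own record. The PSN addresses are the slide's; the gateway 10.1.50.1 and the MAC addresses are made up, and the round-robin assignment of new keys is this example's own choice.

```python
"""DHCP-based profiling persistence.  Added example, not F5 or Cisco code:
the IP helper on the L3 gateway relays each DHCP request to the LB VIP, and
the LB picks a PSN by a sticky key, either the relay address (giaddr, the
L3 gateway) or the client hardware address (chaddr) parsed from the payload.
"""
import struct
from typing import Dict, List

PSN_POOL = ["10.1.99.5", "10.1.99.6", "10.1.99.7"]   # PSN-CLUSTER from the slide
MAGIC_COOKIE = b"\x63\x82\x53\x63"
# BOOTP fixed fields (RFC 2131): op, htype, hlen, hops, xid, secs, flags,
# ciaddr, yiaddr, siaddr, giaddr, chaddr(16); sname(64) and file(128) follow.
BOOTP = struct.Struct("!BBBBIHH4s4s4s4s16s")


def build_dhcp_request(xid: int, client_mac: bytes, giaddr: str) -> bytes:
    """Constructed DHCPREQUEST as relayed by a gateway (giaddr set, hops = 1)."""
    fixed = BOOTP.pack(1, 1, 6, 1, xid, 0, 0, bytes(4), bytes(4), bytes(4),
                       bytes(int(o) for o in giaddr.split(".")),
                       client_mac.ljust(16, b"\0"))
    options = bytes([53, 1, 3, 255])          # DHCP Message Type = DHCPREQUEST, End
    return fixed + bytes(64) + bytes(128) + MAGIC_COOKIE + options


def parse_dhcp(packet: bytes) -> Dict[str, str]:
    """Pull the two candidate sticky keys out of a DHCP packet."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    op, _htype, hlen, _hops, _xid, _secs, _flags, _ci, _yi, _si, giaddr, chaddr = \
        BOOTP.unpack_from(packet, 0)
    if op != 1 or hlen > 16:
        raise ValueError("not a BOOTREQUEST")
    return {
        "giaddr": ".".join(str(b) for b in giaddr),
        "chaddr": ":".join(f"{b:02x}" for b in chaddr[:hlen]),
    }


def distribute(packets: List[bytes], key_field: str) -> Dict[str, List[str]]:
    """Sticky load balancing keyed on `key_field` ("giaddr" or "chaddr"):
    the first packet for a key gets the next PSN (round robin), later packets
    with that key follow it.  Returns PSN -> client MACs it received."""
    table: Dict[str, str] = {}
    received: Dict[str, List[str]] = {psn: [] for psn in PSN_POOL}
    for pkt in packets:
        fields = parse_dhcp(pkt)
        key = fields[key_field]
        if key not in table:
            table[key] = PSN_POOL[len(table) % len(PSN_POOL)]
        received[table[key]].append(fields["chaddr"])
    return received


def branch_clients() -> List[bytes]:
    """Constructed: four clients behind one L3 gateway (10.1.50.1), each
    sending a DHCPREQUEST, with the first client renewing once more."""
    macs = [bytes.fromhex("001122334455"), bytes.fromhex("001122334466"),
            bytes.fromhex("001122334477"), bytes.fromhex("001122334488")]
    pkts = [build_dhcp_request(0x1000 + i, mac, "10.1.50.1") for i, mac in enumerate(macs)]
    pkts.append(build_dhcp_request(0x2000, macs[0], "10.1.50.1"))
    return pkts


if __name__ == "__main__":
    print("by gateway:", distribute(branch_clients(), "giaddr"))
    print("by client: ", distribute(branch_clients(), "chaddr"))
```

Keying on the gateway is simpler to configure but concentrates every endpoint of a site on one PSN, which defeats the purpose of the cluster for large sites; keying on chaddr balances endpoints while keeping each endpoint's DHCP history on a single PSN, which is what the profiler needs. The parser checks the magic cookie and the BOOTREQUEST opcode before trusting either field.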
High-Level Load Balancing Diagram

[Diagram: End User/Device connects through the Network Access Device (NAS IP: 10.1.50.2); the F5 LTM has VIP 10.1.98.8 on VLAN 98 (10.1.98.0/24) and LB address 10.1.99.1 on VLAN 99 (10.1.99.0/24); PS Ns ISE-PSN-1 10.1.99.5, ISE-PSN-2 10.1.99.6, ISE-PSN-3 10.1.99.7 sit on VLAN 99; ISE-PAN-1, ISE-MNT-1, ISE-PAN-2, ISE-MNT-2, DNS, NTP, SMTP, External Logger, MDM and AD/LDAP sit elsewhere on the network]
Traffic Flow—Fully Inline: Physical Separation
Physical Network Separation Using Separate LB Interfaces

Fully Inline Traffic Flow recommended—physical or logical
• BIG-IP LTM is directly inline between ISE PSNs and the rest of the network
• All traffic flows through the Load Balancer, including RADIUS, PAN/MnT, Profiling, Web Services, Management, Feed Services, MDM, AD, LDAP…

[Diagram: End User/Device → Network Access Device (NAS IP: 10.1.50.2) → Network Switch (10.1.98.1) → F5 LTM external interface 10.1.98.2 on VLAN 98 (External) and internal interface 10.1.99.1 on VLAN 99 (Internal) → ISE-PSN-1 10.1.99.5, ISE-PSN-2 10.1.99.6, ISE-PSN-3 10.1.99.7; ISE-PAN, ISE-MNT, DNS, NTP, SMTP, External Logger, AD, LDAP and MDM on the external side]
Traffic Flow—Fully Inline: VLAN Separation
Logical Network Separation Using Single LB Interface and VLAN Trunking

• BIG-IP LTM is directly inline between ISE PSNs and the rest of the network.
• All traffic flows through the LB, including RADIUS, PAN/MnT, Profiling, Web Services, Management, Feed Services, MDM, AD, LDAP…

[Diagram: End User/Device → Network Access Device (NAS IP: 10.1.50.2) → Network Switch (10.1.98.1) → F5 LTM on a single trunked interface carrying 10.1.98.2 and VIP 10.1.98.8 on VLAN 98 (External) and 10.1.99.1 on VLAN 99 (Internal) → ISE-PSN-1 10.1.99.5, ISE-PSN-2 10.1.99.6, ISE-PSN-3 10.1.99.7; ISE-PAN, ISE-MNT, DNS, NTP, SMTP, External Logger, AD, LDAP and MDM on the external side]
Partially Inline: Layer 2/Same VLAN (One PSN Interface)
Direct PSN Connections to LB and Rest of Network

• All inbound LB traffic, such as RADIUS, Profiling, and directed Web Services, is sent to the LTM VIP
• Other inbound non-LB traffic bypasses the LTM, including redirected Web Services, PAN/MnT, Management, Feed Services, MDM, AD, LDAP…
• All outbound traffic from PSNs is sent to the LTM as the default gateway (DFGW).
• LTM must be configured to allow asymmetric traffic

Generally NOT RECOMMENDED due to traffic flow complexity—must fully understand the path of each flow to ensure proper handling by routing, LB, and end stations.

[Diagram: End User/Device → Network Access Device (NAS IP: 10.1.50.2) → L3 Switch (10.1.98.1) on VLAN 98; F5 LTM at 10.1.98.2 with VIP 10.1.98.8; ISE-PSN-1 10.1.98.5, ISE-PSN-2 10.1.98.6, ISE-PSN-3 10.1.98.7 on the same VLAN; ISE-PAN, ISE-MNT, DNS, NTP, SMTP, External Logger, AD, LDAP and MDM behind the L3 switch]
Partially Inline: Layer 3/Different VLANs (One PSN Interface)
Direct PSN Connections to LB and Rest of Network

• All inbound LB traffic, such as RADIUS, Profiling, and directed Web Services, is sent to the LTM VIP
• Other inbound non-LB traffic bypasses the LTM, including redirected Web Services, PAN/MnT, Management, Feed Services, MDM, AD, LDAP…
• All outbound traffic from PSNs is sent to the LTM as the default gateway (DFGW).
• LTM must be configured to allow asymmetric traffic

Generally NOT RECOMMENDED due to traffic flow complexity—must fully understand the path of each flow to ensure proper handling by routing, LB, and end stations.

[Diagram: End User/Device → Network Access Device (NAS IP: 10.1.50.2) → L3 Switch with 10.1.98.1 on VLAN 98 (External) and 10.1.99.1 on VLAN 99 (Internal); F5 LTM with 10.1.98.2 and VIP 10.1.98.8 on VLAN 98 and 10.1.99.2 on VLAN 99; ISE-PSN-1 10.1.99.5, ISE-PSN-2 10.1.99.6, ISE-PSN-3 10.1.99.7 on VLAN 99; ISE-PAN, ISE-MNT, DNS, NTP, SMTP, External Logger, AD, LDAP and MDM behind the L3 switch]
Partially Inline: Multiple PSN Interfaces
Separate PSN Connections to LB and Rest of Network

• All LB traffic sent to LTM VIP including RADIUS, Profiling (except SPAN data), and directed Web Services
• All traffic initiated by PSNs sent to F5 LTM as global default gateway
• Redirected Web Services traffic bypasses LTM
• For ISE 1.2, recommend SNAT redirected HTTPS traffic at L3 switch
• ISE 1.3+ supports symmetric traffic responses (set default gateway per interface)

[Diagram: End User/Device → Network Access Device (NAS IP: 10.1.50.2) → L3 Switch (10.1.98.1 on VLAN 98 External; 10.1.91.1 on VLAN 91 Web Portals); F5 LTM 10.1.98.2 (external) / 10.1.99.2 (VLAN 99 Internal) with VIP: 10.1.98.8; PSN LB interfaces ISE-PSN-1 10.1.99.5, ISE-PSN-2 10.1.99.6, ISE-PSN-3 10.1.99.7 on VLAN 99, and second PSN interfaces 10.1.91.5, 10.1.91.6, 10.1.91.7 on VLAN 91 connected to the L3 switch. ISE-PAN, ISE-MNT, External Logger, DNS, NTP, SMTP, AD, LDAP, MDM off the L3 switch.]
Fully Inline – Multiple PSN Interfaces
Network Separation Using Separate LB Interfaces

• All traffic sent to LTM including RADIUS, Profiling (except SPAN data), and directed Web Services
• All traffic initiated by PSNs sent to F5 LTM as global default gateway
• LTM sends Web Services traffic on separate PSN interface.
• For ISE 1.2 (and optionally 1.3), SNAT Web Services at LTM
• ISE 1.3+ supports symmetric traffic responses (set default gateway per interface)

[Diagram: End User/Device → Network Access Device (NAS IP: 10.1.50.2) → L3 Switch (10.1.98.1 on VLAN 98 External) → F5 LTM (10.1.98.2 external; 10.1.99.1 on VLAN 99 Internal; 10.1.91.1 on VLAN 91 Web Portals; VIP: 10.1.98.8) → ISE-PSN-1 10.1.99.5 / 10.1.91.5, ISE-PSN-2 10.1.99.6 / 10.1.91.6, ISE-PSN-3 10.1.99.7 / 10.1.91.7; both PSN VLANs terminate on the LTM. ISE-PAN, ISE-MNT, External Logger, DNS, NTP, SMTP, AD, LDAP, MDM off the L3 switch.]
Configuration Prerequisites

Verify Routing Configuration in Overall Topology
L3 Switch/Router off LTM External Interface Must have Route to LTM Internal Network

Route entries shown in the diagram:

LTM default route (external next hop):
    Network       Next Hop
    0.0.0.0/0     10.1.98.1

Network Switch route to the LTM internal network (via LTM external self IP):
    Network       Next Hop
    10.1.99.0/24  10.1.98.2

PSN default route (LTM internal self IP):
    Network       Next Hop
    0.0.0.0/0     10.1.99.1

[Diagram: End User/Device → Network Access Device (NAS IP: 10.1.50.2) → Network Switch (10.1.50.1, 10.1.98.1, 10.1.100.1) → F5 LTM (VLAN 98 10.1.98.0/24: self IP 10.1.98.2, VIP: 10.1.98.8; VLAN 99 10.1.99.0/24: self IP 10.1.99.1) → ISE-PSN-1 10.1.99.5, ISE-PSN-2 10.1.99.6, ISE-PSN-3 10.1.99.7. ISE-PAN and ISE-MNT (10.1.100.3, 10.1.100.4), External Logger, DNS, NTP, SMTP, MDM, AD/LDAP on the 10.1.100.x side of the switch.]
Recommended Software Versions

• F5 BIG-IP LTM: 11.4.1 hotfix HF5 or 11.4.0 hotfix HF6. Additionally, 11.6.0 HF2 incorporates performance enhancements that can improve RADIUS load balancing performance.
• Cisco ISE: 1.2.0, 1.2.1, or 1.3.0 with current patches installed.
F5 Configuration Prerequisites

Validate IP Addressing for Internal and External Interfaces
Main > Network > Self IPs
Validate Correct VLAN Assignments
Main > Network > VLANs > VLAN List

• Separate Physical Interfaces Example
• Single Physical Interface (VLAN Trunking) Example
Verify LTM Routing Configuration
Main > Network > Routes

• Default route for LTM appliance set to external interface next hop gateway
Optional: Verify LTM High Availability

• F5 BIG-IP LTM supports Active-Standby and Active-Active high availability modes
• Configuration of LTM high availability is beyond the scope of this session.
• Refer to F5 product documentation for additional details:
  • Active-Standby configuration: Creating an Active-Standby Configuration Using the Setup Utility
  • Active-Active configuration: Creating an Active-Active Configuration Using the Setup Utility
• When configured for high availability, default gateways and next hop routes will point to the floating IP address on the F5 appliance
• Health monitors will be sourced from the locally-assigned IP addresses.
ISE Configuration Prerequisites

Configure Node Groups for LB Cluster
All PSNs in LB Cluster in Same Node Group

• Administration > System > Deployment
  1) Create node group
  2) Assign name (and multicast address if ISE 1.2)
  3) Add individual PSNs to node group
• Node group members can be L2 or L3
• Multicast is no longer a requirement in ISE 1.3
Load Balancer General RADIUS Guidelines
RADIUS Servers and Clients – Where Defined

• ISE Admin Node > Network Devices (RADIUS Clients): the access devices and the load balancer that sends health probes are defined here.
• PSNs are RADIUS Servers for Health Probes. Sample LTM health monitor:
    Name                PSN-Probe
    Type                RADIUS
    Interval            15
    Timeout             46
    User Name           radprobe
    Password            cisco123
    Alias Service Port  1812
• Load Balancer VIP is RADIUS Server for the access device:
    radius-server host 10.1.98.8 auth-port 1812 acct-port 1813 test username radtest ignore-acct-port key cisco123

[Diagram: User → Access Device (NAS IP: 10.1.50.2) → F5 LTM (VIP: 10.1.98.8; internal 10.1.99.1) → ISE-PSN-1, ISE-PSN-2, ISE-PSN-3; ISE-PAN-1 (PAN) and ISE-MNT-1 (MnT) on the admin side.]
Add LTM(s) as NAD(s) for RADIUS Health Monitoring
Administration > Network Resources > Network Devices

• Configure Self IP address of LTM Internal interface connected to PSN RADIUS interfaces (10.1.99.1 in the example).
• Enable Authentication and set RADIUS shared secret.

[Diagram: F5 LTM (internal self IP 10.1.99.1) → ISE-PSN-1, ISE-PSN-2, ISE-PSN-3]
Configure Internal User for RADIUS Health Monitoring
Administration > Identity Management > Identities > Users

• This step is optional if you plan to use an external ID store for the health monitoring account; still recommended for testing and troubleshooting.
• User authorization for this account should be granted no network access.
• F5 LTM monitor accepts both Access-Accept and Access-Reject as healthy responses
Configure DNS and Certs to Support PSN Load Balancing

• Configure DNS entry for PSN cluster(s) and assign VIP IP address. Example: psn-cluster.company.com
    DNS SERVER: DOMAIN = COMPANY.COM
    PSN-CLUSTER  IN A  10.1.98.8
    SPONSOR      IN A  10.1.98.8
    MYDEVICES    IN A  10.1.98.8
    ISE-PSN-1    IN A  10.1.99.5
    ISE-PSN-2    IN A  10.1.99.6
    ISE-PSN-3    IN A  10.1.99.7
• Configure ISE PSN server certs with Subject Alternative Name configured for other FQDNs to be used by LB VIP, or optionally use wildcards (available in ISE 1.2).
    Example certificate SAN: psn-cluster.company.com, sponsor.company.com, guest.company.com
    Example: ise-psn-1.company.com certificate with multiple FQDN values in SAN.
ISE Certificate without SAN
Certificate Warning - Name Mismatch

1. SPONSOR opens http://sponsor.company.com
2. DNS Lookup = sponsor.company.com; DNS Response = 10.1.98.8 (the LTM VIP)
3. Portal session continues to https://sponsor.company.com:8443/sponsorportal on the VIP
4. F5 LTM forwards the connection to a PSN (ISE-PSN-3 @ 10.1.99.7 in the diagram)
5. ISE Certificate Subject = ise-psn-3.company.com

Name Mismatch!
    Requested URL = sponsor.company.com
    Certificate Subject = ise-psn-3.company.com

[Diagram: SPONSOR → DNS Server; SPONSOR → F5 LTM 10.1.98.8 → ISE-PSN-1 10.1.99.5, ISE-PSN-2 10.1.99.6, ISE-PSN-3 10.1.99.7]
ISE Certificate with SAN
No Certificate Warning

1. SPONSOR opens http://sponsor.company.com
2. DNS Lookup = sponsor.company.com; DNS Response = 10.1.98.8 (the LTM VIP)
3. Portal session continues to https://sponsor.company.com:8443/sponsorportal on the VIP
4. F5 LTM forwards the connection to a PSN (ISE-PSN-3 @ 10.1.99.7 in the diagram)
5. ISE Certificate Subject = ise-psn.company.com
   SAN = ise-psn-1.company.com, ise-psn-2.company.com, ise-psn-3.company.com, sponsor.company.com

Certificate OK!
    Requested URL = sponsor.company.com
    Certificate SAN = sponsor.company.com

[Diagram: SPONSOR → DNS Server; SPONSOR → F5 LTM 10.1.98.8 → ISE-PSN-1 10.1.99.5, ISE-PSN-2 10.1.99.6, ISE-PSN-3 10.1.99.7]
General Best Practices for Universal Certificates

• Use a common FQDN for Subject CN. Examples: ise.company.com, aaa.company.com
• If Subject CN contains FQDN, add same FQDN to SAN
• Multi-Domain/UCC* Certificate: Update SAN with all FQDNs serviced by PSN
  OR
  Wildcard Certificate: Update SAN with wildcard domain using syntax *.company.local
• If required for static IP hosting, add IP addresses as both DNS and IP entries (increases device compatibility)

*UCC = Unified Communications Certificate
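As an added example (not code from the deck, Cisco or F5), the Python below applies the host-name matching rule that produces the "Name Mismatch" and "Certificate OK" outcomes on the two preceding slides, so a planned certificate can be checked against the portal FQDNs that will resolve to the VIP before it is installed. The certificate dictionaries and the constructed CERT_* names are assumptions for illustration; nothing is parsed from a real certificate.

```python
"""Does the certificate an ISE PSN presents cover the FQDN the client requested?

Added example, not code from the deck, Cisco or F5. It applies the rule browsers
use: when a SAN is present only the dNSName entries count (the Subject CN is
ignored), a wildcard covers exactly one label, and comparison is case-insensitive.
Certificates are modelled as dicts constructed inline; the host names are the
ones used in this deck's examples.
"""


def name_matches(pattern: str, hostname: str) -> bool:
    """Exact match, or a '*.' wildcard standing in for the single leftmost label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    suffix = pattern[1:]                      # "*.company.com" -> ".company.com"
    if not hostname.endswith(suffix):
        return False
    leftmost = hostname[:-len(suffix)]
    # The wildcard must cover one non-empty label: not "company.com", not "a.b.company.com"
    return bool(leftmost) and "." not in leftmost


def cert_covers_host(cert: dict, requested_host: str) -> tuple:
    """Return (ok, explanation). cert = {"subject_cn": str, "san_dns": [str, ...]}."""
    cn = cert.get("subject_cn", "")
    san = cert.get("san_dns") or []
    if san:                                   # SAN present: the CN is not consulted
        for entry in san:
            if name_matches(entry, requested_host):
                return True, "Certificate OK! Requested URL = %s, Certificate SAN = %s" % (requested_host, entry)
        return False, "Name Mismatch! Requested URL = %s, no SAN entry matches (CN %s ignored)" % (requested_host, cn)
    if name_matches(cn, requested_host):
        return True, "Certificate OK! Requested URL = %s, Certificate Subject = %s" % (requested_host, cn)
    return False, "Name Mismatch! Requested URL = %s, Certificate Subject = %s" % (requested_host, cn)


# Constructed certificates modelled on the deck's two scenarios, plus a wildcard
# and a CN that was not repeated in the SAN
CERT_NO_SAN = {"subject_cn": "ise-psn-3.company.com", "san_dns": []}
CERT_WITH_SAN = {"subject_cn": "ise-psn.company.com",
                 "san_dns": ["ise-psn-1.company.com", "ise-psn-2.company.com",
                             "ise-psn-3.company.com", "sponsor.company.com"]}
CERT_WILDCARD = {"subject_cn": "ise.company.com",
                 "san_dns": ["ise.company.com", "*.company.com"]}
CERT_CN_NOT_IN_SAN = {"subject_cn": "ise.company.com", "san_dns": ["sponsor.company.com"]}

# FQDNs that resolve to the VIP in the deck's DNS example, plus one PSN real name
PORTAL_HOSTS = ["sponsor.company.com", "mydevices.company.com", "ise-psn-3.company.com"]


def portal_check(cert: dict) -> dict:
    """Which of the load-balanced portal FQDNs this certificate covers."""
    return {host: cert_covers_host(cert, host)[0] for host in PORTAL_HOSTS}
```

The CERT_CN_NOT_IN_SAN case is the reason for the "add same FQDN to SAN" bullet: once a SAN is present, clients stop looking at the CN, so a portal reached as ise.company.com fails even though that name is the Subject.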
Forwarding Non-LB Traffic

High-Level Load Balancing Diagram

[Diagram: End User/Device → Network Access Device (NAS IP: 10.1.50.2) → F5 LTM (VLAN 98 10.1.98.0/24 with VIP: 10.1.98.8; VLAN 99 10.1.99.0/24 with LB: 10.1.99.1) → ISE-PSN-1 10.1.99.5, ISE-PSN-2 10.1.99.6, ISE-PSN-3 10.1.99.7. ISE-PAN-1, ISE-MNT-1, ISE-PAN-2, ISE-MNT-2, External Logger, DNS, NTP, SMTP, MDM and AD/LDAP are reached through the external side.]
Non-LB Traffic that Requires IP Forwarding
Inter-node/Management/Repository/ID Stores/Feeds/Profiling/Redirected Web/RADIUS CoA

• PAN/MnT node communications
• All management traffic to/from the PSN real IP addresses such as HTTPS, SSH, SNMP, NTP, DNS, SMTP, and Syslog.
• Repository and file management access initiated from PSN including FTP, SCP, SFTP, TFTP, NFS, HTTP, and HTTPS.
• All external AAA-related traffic to/from the PSN real IP addresses such as AD, LDAP, RSA, external RADIUS servers (token or foreign proxy), and external CA communications (CRL downloads, OCSP checks, SCEP proxy).
• All service-related traffic to/from the PSN real IP addresses such as Posture and Profiler Feed Services, partner MDM integration, pxGrid, and REST/ERS API communications.
• Client traffic to/from PSN real IP addresses resulting from Profiler (NMAP, SNMP queries) and URL-Redirection such as CWA, DRW/Hotspot, MDM, Posture, and Client Provisioning.
• RADIUS CoA from PSNs to network access devices.
Virtual Server to Forward General Inbound IP Traffic
General Properties

• Applies to connections initiated from outside (external) network
• Type = Forwarding (IP)
• Source = All traffic (0.0.0.0/0) or limit to specific network.
• Destination = PSN Network Addresses
• Service Port = 0 (All Ports)
• Availability = Unknown (No service validation via health monitors)
Virtual Server to Forward General Inbound IP Traffic
Configuration (Advanced)

• Protocol = All Protocols
• Protocol Profile = fastL4
• Optionally limit to specific ingress VLAN(s).
• No SNAT
Virtual Server to Forward General Outbound IP Traffic
General Properties

• Applies to connections initiated from PSN (internal) network
• Type = Forwarding (IP)
• Source = PSN Network Addresses
• Destination = All traffic (0.0.0.0/0.0.0.0) or limit to specific network.
• Service Port = 0 (All Ports)
• Availability = Unknown (No service validation via health monitors)
Virtual Server to Forward General Outbound IP Traffic
Configuration (Advanced)

• Protocol = All Protocols
• Protocol Profile = fastL4
• Optionally limit to specific ingress VLAN(s).
• No SNAT
Example Inbound / Outbound IP Forwarding Servers

Inbound IP Forwarding for 2nd PSN Interface
2nd PSN Interface for Web Services

• LTM sends Web Services traffic on separate PSN interface.
• For ISE 1.2 (and optionally 1.3), LTM can perform SNAT on Web Services traffic
• ISE 1.3+ supports symmetric traffic responses, so SNAT not required (Set default gateway per interface)

[Diagram: End User/Device → Network Access Device (NAS IP: 10.1.50.2) → L3 Switch (10.1.98.1 on VLAN 98 External) → F5 LTM (10.1.98.2 external; 10.1.99.1 on VLAN 99 Internal; 10.1.91.1 on VLAN 91 Web Portals; VIP: 10.1.98.8) → ISE-PSN-1 10.1.99.5 / 10.1.91.5, ISE-PSN-2 10.1.99.6 / 10.1.91.6, ISE-PSN-3 10.1.99.7 / 10.1.91.7]
Virtual Server to Forward Inbound Redirected Web Traffic
General Properties

• Applies to connections initiated from URL-redirected clients on outside (external) network to 2nd PSN interface
• Type = Forwarding (IP)
• Source = All traffic (0.0.0.0/0) or limit to specific client networks.
• Destination = PSN Network Addresses for Web Portals
• Service Port = 8443 (configurable). Optionally set wildcard value of 0 for multiple portal ports or services. (NSP and Posture work on port 8905)
• Availability = Unknown (No service validation via health monitors)
Virtual Server to Forward Inbound Redirected Web Traffic
Configuration (Advanced)

• Protocol = TCP. Optionally set to * (All Protocols) for multiple services.
  • NSP requires TCP/8905, but Posture requires both TCP and UDP/8905.
• Protocol Profile = fastL4
• Optionally limit to specific ingress VLAN(s).
• For ISE 1.2, enable SNAT
• For ISE 1.3, SNAT optional if symmetric traffic routing is enabled (default route per interface).
Load Balancing RADIUS

Policy Service Node Scaling and Redundancy

• NADs can be configured with sequence of redundant RADIUS servers (PSNs).
• Policy Service nodes can also be configured in a cluster, or “node group”, behind a load balancer. NADs send requests to LB virtual IP for Policy Services.
• Policy Service nodes in node group maintain heartbeat to verify member health.

N+1 node redundancy assumed to support total endpoints during:
  • Unexpected single server outage
  • Scheduled server maintenance
Also provides additional scaling buffer.

[Diagram: Administration Node (Primary) and Administration Node (Secondary) replicate to a Policy Services Node Group (four PSNs, same multicast domain); Network Access Devices make AAA connections to the Virtual IP of the F5 BIG-IP LTM Load Balancers, which distribute them across the PSNs.]
Load Balancing RADIUS
Sample Flow

1. NAD has single RADIUS server defined (10.1.98.8): radius-server host 10.1.98.8
2. RADIUS Auth requests sent to VIP @ 10.1.98.8
3. Requests for same endpoint load balanced to same PSN via sticky based on RADIUS Calling-Station-ID, Framed-IP-Address, or NAS-IP-Address
4. RADIUS Auth Response received from real server ise-psn-3 @ 10.1.99.7
5. Successive RADIUS Accounting sent to VIP @ 10.1.98.8
6. RADIUS Accounting Response received from same PSN based on sticky.

[Diagram: User → NAD on VLAN 98 (10.1.98.0/24) → F5 LTM VIP: 10.1.98.8 → VLAN 99 (10.1.99.0/24): ISE-PSN-1 10.1.99.5, ISE-PSN-2 10.1.99.6, ISE-PSN-3 10.1.99.7. Steps 2 and 5 (RADIUS AUTH/ACCTG request to 10.1.98.8) go to the VIP; steps 4 and 6 (RADIUS AUTH/ACCTG response from 10.1.99.7) come from ISE-PSN-3.]
NAT Restrictions for RADIUS Load Balancing
Why Source NAT Fails for NADs

• With SNAT, LB appears as the Network Access Device (NAD) to PSN.
• CoA sent to wrong IP address: the NAS-IP-Address attribute is correct, but it is not currently used for CoA.
• SNAT also results in less visibility as all requests appear sourced from LB, which makes troubleshooting more difficult.
SNAT of NAD Traffic: Live Log Example
Auth Succeeds/CoA Fails: CoA Sent to BIG-IP LTM and Dropped

Allow Source NAT for PSN CoA Requests
Simplifying Switch CoA Configuration

• Match traffic from PSNs to UDP/1700 (RADIUS CoA) and translate to PSN cluster VIP.
• Access switch config:

  Before (one entry per PSN):
    aaa server radius dynamic-author
     client 10.1.99.5 server-key cisco123
     client 10.1.99.6 server-key cisco123
     client 10.1.99.7 server-key cisco123
     client 10.1.99.8 server-key cisco123
     client 10.1.99.9 server-key cisco123
     client 10.1.99.10 server-key cisco123
     <…one entry per PSN…>

  After:
    aaa server radius dynamic-author
     client 10.1.98.8 server-key cisco123

[Diagram: ISE-PSN-1 (10.1.99.5) sends CoA with SRC=10.1.99.5; F5 LTM (10.1.98.8) translates it so the Access Switch sees CoA SRC=10.1.98.8. PSN pool: ISE-PSN-1 10.1.99.5, ISE-PSN-2 10.1.99.6, ISE-PSN-3 10.1.99.7 … ISE-PSN-X 10.1.99.x]
Allow NAT for PSN CoA Requests
Simplifying WLC CoA Configuration

• Before: One RADIUS Server entry required per PSN that may send CoA from behind load balancer
• After: One RADIUS Server entry required per load balancer VIP.
Load Balancer General NAT Guidelines
To NAT or Not To NAT? That is the Question!

• No NAT between PAN/MnT and the PSNs.
• SNAT for NAD is BAD! Remove Source NAT on RADIUS Auth (SNAT would rewrite Source = 10.1.99.1):
    RADIUS AUTH from NAD:   NAS-IP = 10.1.50.2, SRC-IP = 10.1.50.2, DST-IP = 10.1.98.8
    RADIUS AUTH to PSN:     NAS-IP = 10.1.50.2, SRC-IP = 10.1.50.2, DST-IP = 10.1.99.7 (destination translated only)
• SNAT for CoA is Okay!
    RADIUS COA from PSN:    SRC-IP = 10.1.99.7, DST-IP = 10.1.50.2
    RADIUS COA to NAD:      SRC-IP = 10.1.98.8, DST-IP = 10.1.50.2 (source translated to the VIP)

[Diagram: User → Access Device (NAS IP: 10.1.50.2) on VLAN 98 (10.1.98.0/24) → F5 LTM (VIP: 10.1.98.8, LB: 10.1.99.1) → VLAN 99 (10.1.99.0/24): ISE-PSN-1 10.1.99.5, ISE-PSN-2 10.1.99.6, ISE-PSN-3 10.1.99.7; ISE-PAN-1 (PAN) and ISE-MNT-1 (MnT) with “No NAT”.]
Load Balancer Persistence (Stickiness) Guidelines
Persistence Attributes

• Common RADIUS Sticky Attributes
  o Client Address
     Calling-Station-ID
     Framed-IP-Address
  o NAD Address
     NAS-IP-Address
     Source IP Address
  o Session ID
     RADIUS Session ID
     Cisco Audit Session ID
• Best Practice Recommendations (depends on LB support and design)
  1. Calling-Station-ID for persistence across NADs and sessions
  2. Source IP or NAS-IP-Address for persistence for all endpoints connected to same NAD
  3. Audit Session ID for persistence across re-authentications

[Diagram: User (Username=jdoe@company.com) → Device (MAC Address=00:C0:FF:1A:2B:3C, IP Address=10.1.10.101) → Network Access Device 10.1.50.2 (Session: 00aa…99ff) → F5 LTM VIP: 10.1.98.8 → ISE-PSN-1, ISE-PSN-2, ISE-PSN-3]
Configuring RADIUS Persistence
RADIUS Profile Example

• RADIUS Sticky on Calling-Station-ID (client MAC address)
• Simple option but does not support advanced logging and other enhanced parsing options like iRule
• Profile must be applied to Standard Virtual Server based on UDP Protocol

    ltm profile radius /Common/radiusLB {
        app-service none
        clients none
        persist-avp 31
        subscriber-aware disabled
        subscriber-id-type 3gpp-imsi
    }
iRule for RADIUS Persistence Based on Client MAC
Persistence based on Calling-Station-Id (MAC Address) with fallback to NAS-IP-Address

• iRule assigned to Persistence Profile
• Persistence Profile assigned to Virtual Server under Resources section
• Optional debug logging (set debug 1). Enable for troubleshooting only to reduce processing load
• Configurable persistence timeout based on media type (NAS-Port-Type 19 = Wireless)
  o Wireless Default = 1 hour (3600 seconds)
  o Wired Default = 8 hours (28800 seconds)

    when CLIENT_DATA {
        # 0: No Debug Logging 1: Debug Logging
        set debug 0

        #  Persist timeout (seconds), chosen by NAS-Port-Type (19 = Wireless-802.11)
        set nas_port_type [RADIUS::avp 61 "integer"]
        if {$nas_port_type equals "19"}{
            set persist_ttl 3600
            if {$debug} {set access_media "Wireless"}
        } else {
            set persist_ttl 28800
            if {$debug} {set access_media "Wired"}
        }

        # Prefer Calling-Station-Id (client MAC); fall back to NAS-IP-Address
        if {[RADIUS::avp 31] ne "" }{
            set mac [RADIUS::avp 31 "string"]
            # Normalize MAC address to upper case
            set mac_up [string toupper $mac]
            persist uie $mac_up $persist_ttl
            if {$debug} {
                set target [persist lookup uie $mac_up]
                log local0.alert "Username=[RADIUS::avp 1] MAC=$mac Normal MAC=$mac_up MEDIA=$access_media TARGET=$target"
            }
        } else {
            set nas_ip [RADIUS::avp 4 ip4]
            persist uie $nas_ip $persist_ttl
            if {$debug} {
                set target [persist lookup uie $nas_ip]
                log local0.alert "No MAC Address found - Using NAS IP as persist id. Username=[RADIUS::avp 1] NAS IP=$nas_ip MEDIA=$access_media TARGET=$target"
            }
        }
    }
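To show the same persistence decision outside the iRule, here is an added Python example (not code from the deck, Cisco or F5). It parses raw RADIUS datagrams, derives the persistence key and TTL the way the iRule does (Calling-Station-Id upper-cased, NAS-IP-Address fallback, 1 hour wireless / 8 hours wired), and runs the Auth-then-Accounting sequence from the Sample Flow slide and the NAS-IP fallback from the Persistence Guidelines through a small in-memory stand-in for the LTM persistence table. The packets, the sticky_member table and the POOL member list are constructed for the example; the MAC addresses, NAS IP and dACL username are the values that appear in this deck's debug output.

```python
"""Persistence-key selection for RADIUS load balancing, mirroring the iRule above:
key on Calling-Station-Id (client MAC, upper-cased), fall back to NAS-IP-Address,
and pick the persistence TTL from NAS-Port-Type. Added example, not code from
the deck, Cisco or F5. Parses the RADIUS header and AVPs (RFC 2865) from raw
bytes; every packet, the pool and the persistence table below are constructed.
"""
import socket
import struct

# IANA attribute numbers, the same ones the iRule reads
USER_NAME, NAS_IP_ADDRESS, CALLING_STATION_ID, NAS_PORT_TYPE = 1, 4, 31, 61
NAS_PORT_TYPE_WIRELESS_80211 = 19
ACCESS_REQUEST, ACCOUNTING_REQUEST = 1, 4
TTL_WIRELESS, TTL_WIRED = 3600, 28800          # same defaults as the iRule


def parse_avps(packet: bytes) -> dict:
    """Return {attribute_type: raw_value} for every AVP in one RADIUS datagram."""
    if len(packet) < 20:
        raise ValueError("datagram shorter than the 20-byte RADIUS header")
    length = struct.unpack("!H", packet[2:4])[0]
    if length != len(packet):
        raise ValueError("RADIUS Length field does not match datagram size")
    avps, offset = {}, 20                       # skip Code, Identifier, Length, Authenticator
    while offset < length:
        if offset + 2 > length:
            raise ValueError("truncated AVP header at offset %d" % offset)
        avp_type, avp_len = packet[offset], packet[offset + 1]
        if avp_len < 2 or offset + avp_len > length:
            raise ValueError("malformed AVP at offset %d" % offset)
        avps[avp_type] = packet[offset + 2:offset + avp_len]
        offset += avp_len
    return avps


def persistence_key(packet: bytes) -> tuple:
    """Return (key, ttl_seconds, media) exactly as the iRule derives them."""
    avps = parse_avps(packet)
    port_type = None
    if len(avps.get(NAS_PORT_TYPE, b"")) == 4:
        port_type = struct.unpack("!I", avps[NAS_PORT_TYPE])[0]
    if port_type == NAS_PORT_TYPE_WIRELESS_80211:
        ttl, media = TTL_WIRELESS, "Wireless"
    else:
        ttl, media = TTL_WIRED, "Wired"
    if avps.get(CALLING_STATION_ID):
        # Upper-case so NADs that send the MAC in different letter cases share one key
        return avps[CALLING_STATION_ID].decode("ascii").upper(), ttl, media
    if len(avps.get(NAS_IP_ADDRESS, b"")) == 4:
        return socket.inet_ntoa(avps[NAS_IP_ADDRESS]), ttl, media
    raise ValueError("neither Calling-Station-Id nor NAS-IP-Address present")


def build_packet(code: int, ident: int, avps: list) -> bytes:
    """Assemble a RADIUS datagram (zeroed Authenticator) from (type, value) pairs."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in avps)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + bytes(16) + body


def sticky_member(table: dict, key: str, ttl: int, now: float, pool: list) -> str:
    """Stand-in for the LTM persistence table: return the member bound to `key`,
    binding the member with the fewest live records when no unexpired one exists."""
    member, expires = table.get(key, (None, 0))
    if member is None or expires <= now:
        # least-connections style choice; ties resolve to the first pool member
        member = min(pool, key=lambda m: sum(1 for mm, e in table.values() if mm == m and e > now))
    table[key] = (member, now + ttl)            # every hit refreshes the TTL
    return member


# Constructed packets; MACs, NAS IP and dACL username match the deck's debug output
NAS_IP = socket.inet_aton("10.1.50.2")
WIRED_AUTH = build_packet(ACCESS_REQUEST, 1, [
    (USER_NAME, b"6c205613e9fc"), (CALLING_STATION_ID, b"6c-20-56-13-e9-fc"),
    (NAS_IP_ADDRESS, NAS_IP), (NAS_PORT_TYPE, struct.pack("!I", 15))])   # 15 = Ethernet
WIRED_ACCT = build_packet(ACCOUNTING_REQUEST, 2, [
    (CALLING_STATION_ID, b"6C-20-56-13-E9-FC"), (NAS_IP_ADDRESS, NAS_IP)])
WIRELESS_AUTH = build_packet(ACCESS_REQUEST, 3, [
    (USER_NAME, b"employee1"), (CALLING_STATION_ID, b"7c-6d-62-e3-d5-05"),
    (NAS_IP_ADDRESS, NAS_IP),
    (NAS_PORT_TYPE, struct.pack("!I", NAS_PORT_TYPE_WIRELESS_80211))])
DACL_DOWNLOAD = build_packet(ACCESS_REQUEST, 4, [        # carries no Calling-Station-Id
    (USER_NAME, b"#ACSACL#-IP-CENTRAL_WEB_AUTH-5334c9a5"), (NAS_IP_ADDRESS, NAS_IP)])
POOL = ["10.1.99.5", "10.1.99.6", "10.1.99.7"]            # PSN real IPs from the deck


def demo() -> dict:
    """Auth and Accounting for one MAC land on the same PSN; the dACL download,
    which carries no MAC, persists on the NAS IP instead."""
    table, out = {}, {}
    for name, pkt in [("wired_auth", WIRED_AUTH), ("wired_acct", WIRED_ACCT),
                      ("wireless_auth", WIRELESS_AUTH), ("dacl", DACL_DOWNLOAD)]:
        key, ttl, media = persistence_key(pkt)
        out[name] = (key, ttl, media, sticky_member(table, key, ttl, 0.0, POOL))
    return out
```

Calling demo() walks the four packets in order: the wired Auth binds 6C-20-56-13-E9-FC to the first PSN, the Accounting request for the same MAC (sent in upper case by the NAD) hits that binding, the wireless client gets a one-hour record on the next PSN, and the dACL download falls back to the NAS IP 10.1.50.2 as its key. The accounting and auth packets share one table here, which is what "Match Across Services" on the persistence profile provides when Auth (1812) and Accounting (1813) are separate virtual servers.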
iRule for RADIUS Persistence – Sample Debug Output

Sat Sep 27 13:55:43 EDT 2014 alert f5 tmm[9443] Rule /Common/radius_mac_sticky <CLIENT_DATA>: Username=6c205613e9fc MAC=6C-20-56-13-E9-FC Normal MAC=6C-20-56-13-E9-FC MEDIA=Wired TARGET=/Common/radius_auth_pool 10.1.99.6 1812

Sat Sep 27 13:55:40 EDT 2014 alert f5 tmm[9443] Rule /Common/radius_mac_sticky <CLIENT_DATA>: Username=employee1 MAC=7c-6d-62-e3-d5-05 Normal MAC=7C-6D-62-E3-D5-05 MEDIA=Wireless TARGET=/Common/radius_acct_pool 10.1.99.7 1813

Sat Sep 27 13:55:38 EDT 2014 alert f5 tmm[9443] Rule /Common/radius_mac_sticky <CLIENT_DATA>: Username=00-50-56-A0-0B-3A MAC=00-50-56-A0-0B-3A Normal MAC=00-50-56-A0-0B-3A MEDIA=Wired TARGET=

Sat Sep 27 13:55:37 EDT 2014 alert f5 tmm[9443] Rule /Common/radius_mac_sticky <CLIENT_DATA>: No MAC Address found - Using NAS IP as persist id. Username=#ACSACL#-IP-CENTRAL_WEB_AUTH-5334c9a5 NAS IP=10.1.50.2 MEDIA=Wired TARGET=
Ensure NAD Populates RADIUS Attributes
Catalyst Switch Example

Cisco Catalyst IOS Command / Description

radius-server attribute 8 include-in-access-req
    Include Framed-IP-Address (if available) in RADIUS Access Requests
radius-server attribute 31 send nas-port-detail
    Include client IP address for remote console (vty) connections to the switch
radius-server attribute 31 mac format ietf upper-case
    Set the MAC address format to 00-00-40-96-3E-4A (all upper case letters)
Ensure NAD Populates RADIUS Attributes
Cisco WLC Example

• WLC sets Calling-Station-ID to MAC Address for RADIUS NAC-enabled WLANs
• General recommendation is to set Acct Call Station ID to System MAC Address
• Auth Call Station ID Type may not be present in earlier software versions
RADIUS Health Monitors
Load Balancer Probes Determine RADIUS Server Health Status

• BIG-IP LTM RADIUS monitor has two key timer settings:
  o Interval = probe frequency (default = 10 sec)
  o Timeout = total time before monitor fails (default = 31 seconds)
  Timeout = (3 * Interval) + 1 (Four health checks are attempted before declaring a node failure)
• Timers: Set low enough to ensure efficient failover but long enough to avoid excessive probing (AAA load); start with defaults then tune to network.
• User Account: If valid user account to be used for monitor, be sure to configure user in ISE or external ID store with limited/no network access privileges.

Sample LTM RADIUS Health Monitor Config:

    ltm monitor radius /Common/radius_1812 {
        debug no
        defaults-from /Common/radius
        destination *:1812
        interval 10
        password P@$$w0rd
        secret P@$$w0rd
        time-until-up 0
        timeout 31
        username f5-probe
    }
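An added Python example (not code from the deck or F5) that works out what the Interval and Timeout settings above mean in practice: how many probes fit in one timeout window, how long a PSN outage goes undetected, and how much probe traffic a given interval puts on the PSNs. The functions and the reply sequences are constructed for illustration; the monitor semantics they model (window restarted by any healthy reply, Access-Accept and Access-Reject both counted healthy, no reply counted as a miss) follow the slides.

```python
"""Failure-detection timing for the LTM RADIUS health monitor on the slide above.

Added example, not code from the deck or F5. A probe is sent every `interval`
seconds and the pool member is marked down once `timeout` seconds pass without
a healthy reply. As on the slides, Access-Accept (2) and Access-Reject (3) both
count as healthy and a missing reply is a miss. The probe outcome sequences are
constructed; they assume the member was healthy at t=0 and that a reply, when
one comes, arrives within its probe slot.
"""

ACCESS_ACCEPT, ACCESS_REJECT = 2, 3
HEALTHY_CODES = {ACCESS_ACCEPT, ACCESS_REJECT}


def recommended_timeout(interval: int) -> int:
    """The deck's rule: Timeout = (3 * Interval) + 1."""
    return 3 * interval + 1


def probes_before_down(interval: int, timeout: int) -> int:
    """Probe slots (t = 0, interval, 2*interval, ...) that fall inside one timeout window."""
    return -(-timeout // interval)          # ceiling division


def first_down_time(interval: int, timeout: int, replies: list):
    """Walk one reply per probe (RADIUS code, or None for no reply) and return the
    time the member is first marked down, or None if it is still up at the last
    observed probe slot."""
    down_at = timeout                       # healthy at t=0, so the window starts there
    for i, code in enumerate(replies):
        t = i * interval
        if t >= down_at:
            return down_at                  # window expired before this probe went out
        if code in HEALTHY_CODES:
            down_at = t + timeout           # any healthy reply restarts the window
    horizon = len(replies) * interval       # time of the next, unobserved probe
    return down_at if down_at <= horizon else None


def hourly_probe_load(interval: int, monitors_per_member: int, members: int) -> int:
    """RADIUS probes per hour the LTM sends to a PSN pool. Reusing one monitor for
    Auth, Accounting and Profiling keeps monitors_per_member at 1."""
    return 3600 // interval * monitors_per_member * members
```

With the defaults (10 s / 31 s) a PSN that stops answering right after a successful probe is pulled from the pool 31 seconds later, after the probes at 10, 20 and 30 seconds have gone unanswered; the 15 s / 46 s pair from the earlier monitor slide behaves the same way with a longer blind spot. A single Access-Reject in the middle of a run of misses resets the clock, which is why a probe account that is rejected still keeps a PSN in service.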
Successful Health Monitor Requests using Valid Account
Yay! It Works!....But now what do I do about all that “noise” in my Live Log?

ISE Collection Filters
Filter Successful LTM Health Checks

F5 LTM Configuration Components for RADIUS LB

• RADIUS Auth and RADIUS Acct (one set each):
  UDP Profile, RADIUS Profile, iRule (Persistence), Persistence Profile, Virtual Server
  Health Monitor, Pool List, Member Nodes
• RADIUS CoA:
  SNAT Pool, Virtual Server
Configure RADIUS Health Monitor
Local Traffic > Monitors

• Same monitor can be leveraged for RADIUS Auth, Accounting, and Profiling to reduce probe load for multiple services.
• Be sure BIG-IP LTM is configured as an ISE NAD.
Optional: Configure UDP Profile for RADIUS
Local Traffic > Profiles > Protocol > UDP

• Start with default Idle Timeout
• Using a custom profile allows for tuning later if needed without impacting other services based on same parent UDP profile
• Disable Datagram LB
Optional: Configure RADIUS Profile
Local Traffic > Profiles > Services > RADIUS

• Start with default settings
• Using a custom profile allows for tuning later if needed without impacting other services based on same parent radiusLB profile
Configure iRule for RADIUS Persistence
Local Traffic > iRules > iRule List

• Recommend iRule based on client MAC address
• RADIUS Attribute/Value Pair 31 = Calling-Station-Id
• Recommend copy and paste working iRule into text area.
F5 iRule Editor
https://devcentral.f5.com/d/tag/irules%20editor

• Manage iRules and config files
• Syntax checker
• Generate HTTP traffic
• Quick links to tech resources
Configure Persistence Profile for RADIUS
Local Traffic > Profiles > Persistence

• Enable Match Across Services
• If different Virtual Server IP addresses used for RADIUS Auth and Accounting, then enable Match Across Virtual Servers (not recommended)
• Specify RADIUS Persistence iRule
• iRule persistence timer overrides profile setting.
Configure Server Pool for RADIUS Auth
Local Traffic > Pools > Pool List

• Health Monitor = RADIUS Monitor
• SNAT = No
• Action on Service Down = Reselect
  • Ensures existing connections are moved to an alternate server.
Configure Member Nodes in RADIUS Auth Pool
Local Traffic > Pools > Pool List > Members

• Load Balancing Method options:
  • Least Connections (node)
  • Least Connections (member)
• Server Port: 1812 or 1645
Configure Server Pool for RADIUS Accounting
Local Traffic > Pools > Pool List

• Health Monitor = RADIUS Monitor (same monitor used for RADIUS Auth)
• SNAT = No
• Action on Service Down = Reselect
  • Ensures existing connections are moved to an alternate server.
Configure Member Nodes in RADIUS Accounting Pool
Local Traffic > Pools > Pool List > Members

• Load Balancing Method options:
  • Least Connections (node)
  • Least Connections (member)
  • Fastest (application)
• Server Port: 1813 or 1646
Configure Virtual Server for RADIUS Auth (Properties)
Local Traffic > Virtual Servers > Virtual Server List

• Type = Standard
• Source = 0.0.0.0/0 (all hosts) or specific network address.
• Destination = RADIUS Virtual IP (RADIUS VIP)
• Service Port = 1812 or 1645
Configure Virtual Server for RADIUS Auth (Advanced)
Local Traffic > Virtual Servers

• Protocol = UDP
• Protocol Profile = udp or custom UDP profile
• RADIUS Profile = radiusLB or custom RADIUS profile
• Optional: Limit traffic to specific VLAN(s)
• SNAT = None
Configure Virtual Server RADIUS Auth (Resources)
Local Traffic > Virtual Servers > Virtual Server List > Resources

• Default Pool = RADIUS Auth Pool
• Default Persistence Profile = RADIUS persistence profile
• Fallback Persistence Profile:
  • RADIUS iRule setting overrides value set here.
  • If not configured in iRule, set optional value here. Example: radius_source_addr
  • Recommend creating a new persistence profile based on Source Address Affinity to allow custom timers and match settings.
Configure Virtual Server for RADIUS Accounting
Local Traffic > Virtual Servers > Virtual Server List

• Same settings as RADIUS Auth Virtual Server (Destination = RADIUS VIP) but different service port and pool
Configure SNAT Pool List for RADIUS CoA
Local Traffic > Address Translation > SNAT Pool List

• CoA traffic is initiated by PSN to NADs on UDP/1700
• Define SNAT Pool List with RADIUS Server Virtual IP as a pool member
Configure Virtual Server to SNAT RADIUS CoA (Properties)
Local Traffic > Virtual Servers > Virtual Server List

• CoA traffic is initiated by PSN to NADs on UDP/1700
• Type = Standard
• Source = PSN Network
• Destination = 0.0.0.0 / 0.0.0.0 (all hosts) or specific network for all NADs
• Service Port = 1700
Configure Virtual Server to SNAT RADIUS CoA (Advanced)
Local Traffic > Virtual Servers

• Protocol = UDP
• Optional: Limit traffic to specific VLAN(s)
• Source Address Translation = SNAT
• SNAT Pool = CoA SNAT Pool List
• Resources = None
Scaling Profiling and Database Replication
Significant Attributes vs. Whitelist Attributes
Attributes that impact profile

Significant Attributes
• Change triggers global replication
  MACADDRESS, ENDPOINTIP, MATCHEDVALUE, ENDPOINTPOLICY, ENDPOINTPOLICYVERSION, STATICASSIGNMENT, STATICGROUPASSIGNMENT, NMAPSUBNETSCANID, PORTALUSER, DEVICEREGISTRATIONSTATUS

Whitelist Attributes
• Change triggers PSN-PSN replication and global ownership change
  AAA-Server, Calling-Station-ID, Certificate Expiration Date, Certificate Issue Date, Certificate Issuer Name, Certificate Serial Number, Description, DestinationIPAddress, Device Identifier, Device Name, DeviceRegistrationStatus, EndPointPolicy, EndPointPolicyID, EndPointProfilerServer, EndPointSource, FQDN, Framed-IP-Address, IdentityGroup, IdentityGroupID, IdentityStoreGUID, IdentityStoreName, L4_DST_PORT, MACAddress, MatchedPolicy, MatchedPolicyID, NADAddress, NAS-IP-Address, NAS-Port-Id, NAS-Port-Type, LastNmapScanTime, NmapScanCount, NmapSubnetScanID, 161-udp, OS Version, OUI, PolicyVersion, PortalUser, PostureApplicable, Product, RegistrationTimeStamp, StaticAssignment, StaticGroupAssignment, MDMImei, MDMManufacturer, MDMModel, MDMOSVersion, MDMPhoneNumber, MDMSerialNumber, CreateTime, UpdateTime, FirstCollection, TimeToProfile, Total Certainty Factor, User-Agent, AC_User_Agent, cdpCacheAddress, cdpCacheCapabilities, cdpCacheDeviceId, cdpCachePlatform, cdpCacheVersion, ciaddr, dhcp-class-identifier, dhcp-requested-address, host-name, hrDeviceDescr, ifIndex, ip, lldpCacheCapabilities, lldpCapabilitiesMapSupported, lldpSystemDescription, operating-system, sysDescr, AUPAccepted, BYODRegistration

Other Attributes
• Dropped if whitelist filter enabled; otherwise, only locally saved by PSN
Inter-Node Communications
JGroup Connections – Global Cluster
Legend: TCP/12001 JGroups Tunneled

• All Secondary nodes* establish connection to Primary PAN (JGroup Controller) over tunneled connection (TCP/12001) for config/database sync.
• Secondary Admin also listens on TCP/12001 but no connection established unless primary fails/secondary promoted
• All Secondary nodes participate in the Global JGroup cluster.

Diagram: Admin (P) PAN acts as GLOBAL JGROUP CONTROLLER; Admin (S) PAN, MnT (P), MnT (S), PSN1, PSN2 and PSN3 each connect to it over TCP/12001.

*Secondary node = All nodes except Primary Admin node; includes PSNs, MnT and Secondary Admin nodes

Inter-Node Communications
Local JGroups and Node Groups
Legend: TCP/7800 JGroup Peer Communication; TCP/7802 JGroup Failure Detection; TCP/12001 JGroups Tunneled

• Node Groups can be used to define local JGroup* clusters where members exchange heartbeat and sync profile data multicast or SSL.
• PSN claims endpoint ownership only if change in whitelist attribute; triggers inter-PSN sync of attributes. DHCP IP Address check always occurs regardless of global attribute filter setting.
• Replication to PAN occurs if significant attribute changes, then sync all attributes via PAN; if whitelist filter enabled, only whitelist attributes synced to all nodes.

Diagram: Admin (P) PAN is the GLOBAL JGROUP CONTROLLER for Admin (S), MnT (P) and MnT (S); NODE GROUP A (JGROUP A) contains PSN1, PSN2 and PSN3 with a LOCAL JGROUP CONTROLLER.
  t=0: Whitelist Update arrives at PSN1. PSN1 is current endpoint owner – no database replication even if whitelist attribute changes.
  t=1: Change arrives at PSN2. PSN2 gets more current update for same endpoint and takes ownership (Change Ownership) – fetches all attributes from PSN1 (Fetch Attributes).

*JGroups: Java toolkit for reliable multicast communications between group/cluster members.

Inter-Node Communications
Local JGroups and Node Groups
Legend: TCP/7800 JGroup Peer Communication; TCP/7802 JGroup Failure Detection; TCP/12001 JGroups Tunneled

• General classification data for given endpoint should stay local to node group = whitelist attributes
• Only certain critical data needs to be shared across entire deployment = significant attributes
• Each LB cluster should be a node group, but LB is NOT required for node groups. (LB is NOT a requirement for Node Group)
• Node group members should have GE LAN connectivity (L2 or L3)
• ISE 1.3 no longer uses UDP multicast for JGroup (ISE 1.2 uses multicast with TTL=2; max 1 hop)
• Reduces sync updates even if different PSNs receive data – expect few whitelist changes and even fewer critical attribute changes. [IP change is significant attribute]
• Node groups continue to provide original function of session recovery for failed PSN.
• Profiling sync leverages JGroup channel

Diagram: Load Balancer in front of NODE GROUP A (JGROUP A): PSN1, PSN2 and PSN3 connected by L2 or L3 LAN Switching.

Inter-Node Communications
Local JGroups and Node Groups
Legend: TCP/7800 JGroup Peer Communication; TCP/7802 JGroup Failure Detection; TCP/12001 JGroups Tunneled

• Profiling sync leverages JGroup channels
• All replication outside node group must traverse PAN!
• If local Multicast fails, then nodes fall back to Global JGroup communication channel.

Diagram: MnT and PAN nodes at the top; NODE GROUP A (JGROUP A) with PSN1, PSN2, PSN3 and NODE GROUP B (JGROUP B) with PSN4, PSN5, PSN6, each group connected by L2 or L3 LAN Switching.

Configuring Node Groups
Recommended for ALL local PSNs!

• Administration > System > Deployment
1) Create node group
2) Assign name and available multicast address
3) Add individual PSNs to node group

• Node group members may be L2 / L3 connected
• Multicast no longer required in ISE 1.3.
• ISE 1.2 uses multicast (TTL=2) and requires multicast configuration on intermediate switches if separated by L3 hop

ISE Profiling Best Practices
Whenever Possible…

Do NOT send profile data to multiple PSNs!
DO send profile data to single and same PSN or Node Group!
DO use Device Sensor!
DO enable the Profiler Attribute Filter!

• Use Device Sensor on Cisco switches & Wireless Controllers to optimize data collection.
• Ensure profile data for a given endpoint is sent to a single PSN (or maximum of 2)
  • Sending same profile data to multiple PSNs increases inter-PSN traffic and contention for endpoint ownership.
  • For redundancy, consider Load Balancing and Anycast to support a single IP target for RADIUS or profiling using…
    • DHCP IP Helpers
    • SNMP Traps
    • DHCP/HTTP with ERSPAN (Requires validation)
• Ensure profile data for a given endpoint is sent to the same PSN
  • Same issue as above, but not always possible across different probes
  • Use node groups and ensure profile data for a given endpoint is sent to same node group.
  • Node Groups reduce inter-PSN communications and need to replicate endpoint changes outside of node group.
• Avoid probes that collect the same endpoint attributes
  • Example: Device Sensor + SNMP Query/IP Helper
• Enable Profiler Attribute Filter

ISE Profiling Best Practices
General Guidelines for Probes

Do NOT enable all probes by default!
Avoid SPAN, SNMP Traps, and NetFlow probes!

• HTTP Probe:
  • Use URL Redirects instead of SPAN to centralize collection and reduce traffic load related to SPAN/RSPAN.
  • Avoid SPAN. If used, look for key traffic chokepoints such as Internet edge or WLC connection; use intelligent SPAN/tap options or VACL Capture to limit amount of data sent to ISE. Also difficult to provide HA for SPAN.
• DHCP Probe:
  • Use IP Helpers when possible—be aware that L3 device serving DHCP will not relay DHCP for same!
  • Avoid DHCP SPAN. If used, make sure probe captures traffic to central DHCP Server. HA challenges.
• SNMP Probe:
  • Be careful of high SNMP traffic due to triggered RADIUS Accounting updates as a result of high re-auth (low session/re-auth timers) or frequent interim accounting updates.
  • For polled SNMP queries, avoid short polling intervals. Be sure to set optimal PSN for polling in ISE NAD config.
  • SNMP Traps primarily useful for non-RADIUS deployments like NAC Appliance—Avoid SNMP Traps w/RADIUS auth.
• NetFlow Probe:
  • Use only for specific use cases in centralized deployments—Potential for high load on network devices and ISE.

Profiling Redundancy – Duplicating Profile Data
Sending Profile Data for the Same Endpoint to the Same Node Group / PSN

• Common config is to duplicate IP helper data at each NAD to two different PSNs or PSN LB Clusters
• Different PSNs receive data and may contend for ownership—increases replication

Diagram: User sends DHCP Request; int Vlan10 relays it to DC #1 F5 LTM (10.1.98.8) in front of PSN-CLUSTER1 (PSN1 10.1.99.5, PSN2 10.1.99.6, PSN3 10.1.99.7) and to DC #2 F5 LTM (10.2.100.2) in front of PSN-CLUSTER2 (PSN1 10.2.101.5, PSN2 10.2.101.6, PSN3 10.2.101.7).

interface Vlan10
 ip helper-address <real_DHCP_Server>
 ip helper-address 10.1.98.8
 ip helper-address 10.2.100.2

Scaling Profiling and Replication
Using Anycast to Limit Profile Data to a Single PSN and Node Group

• Load Balancer VIPs host same target IP for DHCP profile data
• Routing metrics determine which VIP receives DHCP from NAD

Diagram: User sends DHCP Request; int Vlan10 relays it to the anycast VIP 10.1.98.8, hosted both by DC #1 F5 LTM (10.1.98.8) in front of PSN-CLUSTER1 (PSN1 10.1.99.5, PSN2 10.1.99.6, PSN3 10.1.99.7) and by DC #2 F5 LTM (10.1.98.8) in front of PSN-CLUSTER2 (PSN1 10.2.101.5, PSN2 10.2.101.6, PSN3 10.2.101.7).

interface Vlan10
 ip helper-address <real_DHCP_Server>
 ip helper-address 10.1.98.8

Load Balancing Profiling Services

Profiling Services using Load Balancers (For Your Reference)
Which PSN Services Process Profile Data?

• Profiling Probes
  The following profile data can be load balanced to PSN VIP but may not be processed by same PSN that terminated RADIUS:
  • DHCP IP Helper to DHCP probe
  • NetFlow export to NetFlow Probe
  • SNMP Traps
  (Option to leverage Anycast to reduce log targets and facilitate HA)
• SNMP Query Probe (triggered)
  PSNs configured to send SNMP Queries will send query to NAD that sent RADIUS or SNMP Trap which triggered query. Therefore, SNMP Query data processed by same PSN that terminated RADIUS request for endpoint.
• SNMP Query Probe (polled)
  Not impacted by load balancing, although possible that PSN performing polled query is not same PSN that terminates RADIUS for newly discovered endpoints. PSN will sync new endpoint data with Admin. Since poll typically conducted at longer intervals, this should not impact more real-time profiling of endpoints.

Profiling Services using Load Balancers (Cont.) (For Your Reference)
Which PSN Services Process Profile Data?

• DNS Probe
  Submitted by same PSN which obtains IP data for endpoint. Typically the same PSN that processes RADIUS, DHCP, or SNMP Query Probe data.
• NMAP Probe
  Submitted by same PSN which obtains data which matches profile rule condition.
• HTTP (via URL redirect)
  URL redirect will point to PSN that terminates RADIUS auth so HTTP data will be parsed by same PSN.
• DHCP SPAN or HTTP SPAN
  Since mirror port is associated to a specific interface on real PSN, cannot provide HA for SPAN data unless configure multiple SPAN destinations to separate PSNs. No guarantee that same PSN that collects SPAN data terminates RADIUS session.

Load Balancing Profiling Services
Sample Flow

Diagram: User → Access Device → (1) DHCP Request; (2) DHCP Request to Helper IP 10.1.1.10 (DHCP Server) and DHCP Request to Helper IP 10.1.98.8 (F5 LTM, VIP: 10.1.98.8); (3) DHCP Response returned from DHCP Server; (4) VIP request forwarded to ISE-PSN-3. PSNs: ISE-PSN-1 10.1.99.5, ISE-PSN-2 10.1.99.6, ISE-PSN-3 10.1.99.7.

1. Client OS sends DHCP Request
2. Next hop router with IP Helper configured forwards DHCP request to real DHCP server and to secondary entry = LB VIP
3. Real DHCP server responds and provides client a valid IP address
4. DHCP request to VIP is load balanced to PSN @ 10.1.99.7 based on source IP sticky (L3 gateway) or DHCP field parsed from request.

Load Balancing Sticky Guidelines
Ensure DHCP and RADIUS for a Given Endpoint Use Same PSN

Diagram: User (MAC: 11:22:33:44:55:66) → NAD → F5 LTM (VIP: 10.1.98.8) → ISE-PSN-1 10.1.99.5, ISE-PSN-2 10.1.99.6, ISE-PSN-3 10.1.99.7. Persistence Cache on the F5 LTM: 11:22:33:44:55:66 -> PSN-3.

1. RADIUS Authentication request sent to VIP @ 10.1.98.8.
2. Request is Load Balanced to PSN-3, and entry added to Persistence Cache (RADIUS response from PSN-3)
3. DHCP Request is sent to VIP @ 10.1.98.8 (IP Helper sends DHCP to VIP)
4. Load Balancer uses the same “Sticky” as RADIUS based on client MAC address
5. DHCP is received by same PSN, thus optimizing endpoint replication

iRule for DHCP Persistence Based on Client MAC (1of2)
Persistence based on DHCP Option 61 – Client Identifier (MAC Address)

• iRule assigned to Persistence Profile
• Persistence Profile assigned to Virtual Server under Resources section
• Optional debug logging: enable for troubleshooting only to reduce processing load
• Configurable persistence timeout

when CLIENT_ACCEPTED priority 100 {
    # Rule Name and Version shown in the log
    set static::RULE_NAME "Simple DHCP Parser v0.3"
    set static::RULE_ID "dhcp_parser"
    # 0: No Debug Logging 1: Debug Logging
    set debug 1
    # Persist timeout (seconds)
    set persist_ttl 7200

iRule for DHCP Persistence Based on Client MAC (2of2)
Note: Example is excerpt only—Not complete iRule

    # extract value field in hexadecimal format
    binary scan $dhcp_option_payload x[expr $i + 2]a[expr { $length * 2 }] value_hex
    set value ""
    switch $option {
        61 {
            # Client Identifier
            binary scan $value_hex a2a* ht id
            switch $ht {
                01 {
                    binary scan $id a2a2a2a2a2a2 m(a) m(b) m(c) m(d) m(e) m(f)
                    set value "$m(a)-$m(b)-$m(c)-$m(d)-$m(e)-$m(f)"
                    set option61 "$value"
                    set mac_up [string toupper $option61] ;# Normalize MAC
                }
                default {
                    set value "$id"
                }
            }
        }
    }
    # ... (option loop and other option handlers omitted from this excerpt)
    persist uie $mac_up $persist_ttl
    if { $debug } {
        set target [persist lookup uie $mac_up]
        log local0.debug "$log_prefix_d ***** iRule: $static::RULE_NAME competed ***** MAC=$option61 Normal MAC=$mac_up TARGET=$target"
    }

iRule for DHCP Persistence – Sample Debug Output

Sat Sep 27 13:40:08 EDT 2014 debug f5 tmm[9443]
Rule /Common/dhcp_mac_sticky <CLIENT_ACCEPTED>: [dhcp_parser](10.1.10.1)(debug)
***** iRule: Simple DHCP Parser v0.3 competed *****
MAC=00-50-56-a0-0b-3a Normal MAC=00-50-56-A0-0B-3A TARGET=

Sat Sep 27 13:40:08 EDT 2014 debug f5 tmm[9443]
Rule /Common/dhcp_mac_sticky <CLIENT_ACCEPTED>: [dhcp_parser](10.1.10.1)(debug)
BOOTP: 0.0.0.0 00:50:56:a0:0b:3a

Sat Sep 27 13:40:08 EDT 2014 debug f5 tmm[9443]
Rule /Common/dhcp_mac_sticky <CLIENT_ACCEPTED>: [dhcp_parser](10.1.10.1)(debug)
***** iRule: Simple DHCP Parser v0.3 executed *****

Sat Sep 27 13:39:45 EDT 2014 debug f5 tmm[9443]
Rule /Common/dhcp_mac_sticky <CLIENT_ACCEPTED>: [dhcp_parser](10.1.40.1)(debug)
***** iRule: Simple DHCP Parser v0.3 competed *****
MAC=f0-25-b7-08-33-9d Normal MAC=F0-25-B7-08-33-9D TARGET=

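The following Python is an added example (not the deck's iRule, nor F5 or Cisco code) that models the persistence scheme of the sticky-guideline and iRule slides: it parses option 61 from a constructed DHCP request, normalizes it and a RADIUS Calling-Station-Id to the same MAC key, and keeps one TTL-bounded persistence record per endpoint that both the RADIUS and the DHCP virtual server consult. It assumes the RADIUS side keys persistence on the Calling-Station-Id MAC; the PSN addresses and the MAC are the ones shown on the slides, and the chaddr fallback for non-Ethernet client identifiers is this example's own choice.

```python
# Added example, not the deck's iRule and not F5/Cisco code. Assumes the RADIUS
# virtual server keys its persistence on the Calling-Station-Id MAC address.
import re
import struct
import time

MAGIC_COOKIE = b"\x63\x82\x53\x63"                   # RFC 2132 DHCP magic cookie
PSN_POOL = ["10.1.99.5", "10.1.99.6", "10.1.99.7"]  # pool members from the deck
PERSIST_TTL = 7200                                    # seconds, as persist_ttl in the iRule

def normalize_mac(raw):
    """Return a MAC as upper-case AA-BB-CC-DD-EE-FF, or None if raw is not one.
    Accepts aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff, aabb.ccdd.eeff and aabbccddeeff."""
    if not re.fullmatch(r"[0-9A-Fa-f:.\-]+", raw):
        return None
    digits = re.sub(r"[:.\-]", "", raw)
    if len(digits) != 12:
        return None
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2)).upper()

def parse_dhcp_options(packet):
    """Parse the option area after the 236-byte fixed header and magic cookie.
    Returns {code: value_bytes}; PAD (0) is skipped, END (255) stops the scan."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    options, i = {}, 240
    while i < len(packet):
        code = packet[i]
        if code == 0:
            i += 1
            continue
        if code == 255:
            break
        if i + 1 >= len(packet):
            raise ValueError("truncated option header")
        length = packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option %d" % code)
        options[code] = value
        i += 2 + length
    return options

def dhcp_persistence_key(packet):
    """Persistence key for a DHCP packet, as the iRule derives it from option 61:
    hardware type 0x01 (Ethernet) carries the client MAC. Any other client
    identifier falls back to chaddr in the fixed header (this example's choice)."""
    client_id = parse_dhcp_options(packet).get(61)
    if client_id and client_id[0] == 0x01 and len(client_id) == 7:
        return normalize_mac(client_id[1:].hex())
    hlen = packet[2]
    return normalize_mac(packet[28:28 + hlen].hex()) if hlen == 6 else None

class PersistenceTable:
    """Universal (UIE) persistence with "Match Across Services": one record per
    endpoint key, consulted by both the RADIUS and the DHCP virtual server."""
    def __init__(self, pool, ttl=PERSIST_TTL):
        self.pool, self.ttl = list(pool), ttl
        self.records = {}     # key -> (psn, expiry time)
        self.next_index = 0   # round-robin pointer for endpoints without a record

    def select(self, key, now=None):
        """Return the PSN for key, creating or refreshing its persistence record."""
        now = time.time() if now is None else now
        record = self.records.get(key)
        if record and record[1] > now:
            psn = record[0]
        else:
            psn = self.pool[self.next_index % len(self.pool)]
            self.next_index += 1
        self.records[key] = (psn, now + self.ttl)
        return psn

def build_dhcp_request(mac, client_id_type=0x01):
    """Constructed DHCPREQUEST (BOOTREQUEST, Ethernet) carrying option 61."""
    fixed = struct.pack("!BBBBIHH4s4s4s4s", 1, 1, 6, 0, 0x12345678, 0, 0x8000,
                        b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4)
    fixed += mac + b"\0" * 10 + b"\0" * 192                 # chaddr(16) + sname + file
    options = b"\x35\x01\x03"                               # option 53 = DHCPREQUEST
    options += b"\x3d\x07" + bytes([client_id_type]) + mac  # option 61 = type + MAC
    return fixed + MAGIC_COOKIE + options + b"\xff"

def demo():
    """RADIUS first, then DHCP for the same endpoint: both resolve to one PSN."""
    table = PersistenceTable(PSN_POOL)
    radius_key = normalize_mac("00-50-56-a0-0b-3a")   # Calling-Station-Id from the debug output
    psn_for_radius = table.select(radius_key, now=0)
    packet = build_dhcp_request(bytes.fromhex("005056a00b3a"))
    dhcp_key = dhcp_persistence_key(packet)
    psn_for_dhcp = table.select(dhcp_key, now=5)
    return radius_key, dhcp_key, psn_for_radius, psn_for_dhcp
```

Calling `demo()` returns the same key and the same PSN for both protocols; a record that has passed its TTL falls back to the next round-robin member, which is the behaviour to expect when the persistence timeout is shorter than the DHCP lease.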
Load Balancing Simplifies Device Configuration
L3 Switch Example for DHCP Relay

• Before (settings impact each L3 interface servicing DHCP endpoints)
!
interface Vlan10
 description EMPLOYEE
 ip address 10.1.10.1 255.255.255.0
 ip helper-address 10.1.100.100    <--- Real DHCP Server
 ip helper-address 10.1.99.5       <--- ISE-PSN-1
 ip helper-address 10.1.99.6       <--- ISE-PSN-2
 ip helper-address 10.1.99.7       <--- ISE-PSN-3
!

• After
!
interface Vlan10
 description EMPLOYEE
 ip address 10.1.10.1 255.255.255.0
 ip helper-address 10.1.100.100    <--- Real DHCP Server
 ip helper-address 10.1.98.8       <--- F5 VIP
!

Load Balancing Simplifies Device Configuration
Switch Example for SNMP Traps

• Before
!
snmp-server trap-source GigabitEthernet1/0/24
snmp-server enable traps snmp linkdown linkup
snmp-server enable traps mac-notification change move
snmp-server host 10.1.99.5 version 2c public mac-notification snmp
snmp-server host 10.1.99.6 version 2c public mac-notification snmp
snmp-server host 10.1.99.7 version 2c public mac-notification snmp
!

• After
!
snmp-server trap-source GigabitEthernet1/0/24
snmp-server enable traps snmp linkdown linkup
snmp-server enable traps mac-notification change move
snmp-server host 10.1.98.8 version 2c public mac-notification snmp
!

F5 LTM Configuration Components for Profiling LB

Diagram: Virtual Server references a UDP Profile, an iRule (Persistence) attached to a Persistence Profile, and a Pool List made up of Member Nodes.

Optional: Configure UDP Profile for Profiling
Local Traffic > Profiles > Protocol > UDP

• Start with default Idle Timeout
• Using a custom profile allows for tuning later if needed without impacting other services based on same parent UDP profile
• Disable Datagram LB

Optional: Configure iRule for DHCP Profiling Persistence
Local Traffic > iRules > iRule List

• Alternative to basic Source Address-based persistence
• Sample iRule based on client MAC address parsed from DHCP Request packets
• Allows DHCP for given endpoint to persist to same PSN serving RADIUS for same endpoint
• Recommend copy and paste working iRule into text area.

Optional: Configure Persistence Profile for Profiling
Local Traffic > Profiles > Persistence

• Enable Match Across Services
• If different Virtual Server IP addresses used for DHCP Profiling and RADIUS, then enable Match Across Virtual Servers. (Recommend use same IP address)
• Specify DHCP Persistence iRule
• iRule persistence timer overrides profile setting.

Configure Server Pool for DHCP Profiling
Local Traffic > Pools > Pool List

• Health Monitor = RADIUS Monitor
  • If PSN not configured for User Services (RADIUS auth), then can use default gateway_icmp monitor.
• Action on Service Down = Reselect
  • Ensures existing connections are moved to an alternate server.

Configure Member Nodes in DHCP Profiling Pool
Local Traffic > Pools > Members

• Load Balancing Method = Round Robin
• Server Port = 67 (DHCP Server)

Configure Server Pool for SNMP Trap Profiling
Local Traffic > Pools

• Same settings as DHCP Profiling Pool except members configured for UDP Port 162.

Configure Virtual Server for DHCP Profiling (Properties)
Local Traffic > Virtual Servers > Virtual Server List

• Type = Standard
• Source = 0.0.0.0/0 (all hosts) or specific network address.
• Destination = Can be same as RADIUS Virtual IP or unique IP. Be sure to configure DHCP Relays/IP Helpers to point to this IP address
• Service Port = 67

Configure Virtual Server for DHCP Profiling (Advanced)
Local Traffic > Virtual Servers

• Protocol = UDP
• Protocol Profile = udp or custom UDP profile
• Optional: Limit traffic to specific VLAN(s)

Configure Virtual Server for DHCP Profiling (Resources)
Local Traffic > Virtual Servers > Resources

• Default Pool = DHCP Profiling Pool
• Default Persistence Profile = Persistence Profile based on Source Address Affinity, OR DHCP persistence profile
• Fallback Persistence Profile:
  o DHCP iRule setting overrides value set here.
  o If not configured in iRule, set optional value here. Example: profiling_source_addr
• If persistence profile based on Source Address Affinity (source_addr), recommend create new profile to allow custom timers and “Match Across” settings.

Configure Virtual Server for SNMP Trap Profiling
Local Traffic > Virtual Servers

• Same settings as DHCP Profiling Virtual Server but different service port and pool.
• Additionally, Default Persistence Profile should be based on Source Address Affinity (NAD IP address).

Load Balancing Web Services

F5 Load Balancing and URL-Redirected Web Services
Sample Flow

Diagram: User → NAD → F5 LTM (VIP: 10.1.98.8) → ISE-PSN-1 10.1.99.5, ISE-PSN-2 10.1.99.6, ISE-PSN-3 10.1.99.7, plus a DNS Server. (1) RADIUS request to RADIUS VIP @ 10.1.98.8; (2) RADIUS response from 10.1.98.8; (3) https://ise-psn-3.company.com:8443/...; (4) DNS Lookup = ise-psn-3.company.com, DNS Response = 10.1.99.7; (5) HTTPS response from ise-psn-3.company.com. ISE Certificate Subject CN = ise-psn-3.company.com.

1. RADIUS Authentication requests sent to VIP 10.1.98.8.
2. Requests for same endpoint load balanced to same PSN via RADIUS sticky.
3. RADIUS Authorization received from ise-psn-3 @ 10.1.99.7 with URL Redirect to https://ise-psn-3.company.com:8443/...&sessionId=0a012c5a0000...
4. Client browser redirected and resolves FQDN in URL to real server address.
5. User sends web request directly to same PSN that serviced RADIUS request.

F5 Load Balancing Non-Redirected Web Services
Sample Flow

Diagram: Sponsor → Access Device → F5 LTM (VIP: 10.1.98.8) → ISE-PSN-1 10.1.99.5, ISE-PSN-2 10.1.99.6, ISE-PSN-3 10.1.99.7, plus a DNS Server. (1) DNS Lookup = sponsor.company.com, DNS Response = 10.1.98.8; (2) https://sponsor.company.com @ 10.1.98.8; (3) request load balanced to ISE-PSN-3; (4) https response from ise-psn-3 @ 10.1.99.7.

1. Browser resolves sponsor.company.com to VIP @ 10.1.98.8
2. Web request sent to https://sponsor.company.com @ 10.1.98.8
3. F5 load balances request to PSN based on IP or HTTP sticky
4. HTTPS response received from ise-psn-3 @ 10.1.99.7

Load Balancer NAT Guidelines for Web Traffic
URL-Redirected Traffic with Single PSN Interface

• No NAT Required
• Allow web portal traffic direct to PSN without NAT

Diagram: User on 10.1.10.0/24 (gateway .1) → F5 LTM on 10.1.98.0/24 (.1, VIP .8) → PSN network 10.1.99.0/24 (gateway .1): ISE-PSN-1 .5, ISE-PSN-2 .6, ISE-PSN-3 .7, ISE-PSN-X .x

RADIUS session load-balanced to PSN @ 10.1.99.6
URL Redirect automatically includes FQDN/Interface IP of same PSN @ 10.1.99.6: https://ise-psn-2.company.com:8443/guestportal/Login...
Browser traffic redirected to IP for ise-psn-2.company.com: https://10.1.99.6:8443/guestportal/Login...

SNAT on L3 Switch for Dedicated Web Interfaces (ISE 1.2)
URL-Redirected Traffic with Dedicated PSN Interface for Web Portals (Single F5 LTM interface)

• Source NAT portal traffic to simplify routing
• Maintains Path Isolation

Diagram: User on 10.1.10.0/24 (gateway .1) → F5 LTM on 10.1.98.0/24 (.1, VIP .8) → PSN network 10.1.99.0/24 (gateway .1): ISE-PSN-1 .5, ISE-PSN-2 .6, ISE-PSN-3 .7, ISE-PSN-X .x; each PSN also has a dedicated web portal interface on 10.1.91.0/24 (.5, .6, .7, .x)

RADIUS session load-balanced to PSN @ 10.1.99.6.
URL Redirect automatically includes FQDN/Interface IP of Web Portal interface for same PSN @ 10.1.91.6: https://ise-psn-2-guest.company.com:8443/guestportal/Login...
Source NAT web traffic from user networks destined to PSN web interfaces @ 10.1.91.x; translate to 10.1.91.x (or any address block that can be statically added to PSN route table)
Ensures all Web requests received by PSN web interface are returned out same interface.

SNAT on F5 LTM for Dedicated Web Interfaces (ISE 1.2)
Direct Access and URL-Redirected Traffic with Dedicated PSN Web Interfaces

Diagram: User A (10.1.10.0/24), User B (10.1.11.0/24) and User C (10.1.12.0/24) reach an L3 Switch (.1 on each user subnet) that connects to the F5 LTM on 10.1.98.0/24 (.1, VIP .8); PSN network 10.1.99.0/24 (gateway .1): ISE-PSN-1 .5, ISE-PSN-2 .6, ISE-PSN-3 .7, ISE-PSN-X .x; dedicated web interfaces on 10.1.91.0/24 (gateway .1): .5, .6, .7, .x

RADIUS session load-balanced to PSN @ 10.1.99.6.
Direct-Access Portals: Enable SNAT on Virtual Servers for ISE Sponsor, My Devices, and LWA portals.
URL-Redirected Web Portals/Services: Enable SNAT on F5 IP Forwarding Virtual Servers.

Dedicated Web Interfaces under ISE 1.3
Direct Access and URL-Redirected Traffic with Dedicated PSN Web Interfaces

Diagram: User A (10.1.10.0/24), User B (10.1.11.0/24) and User C (10.1.12.0/24) reach an L3 Switch (.1 on each user subnet) that connects to the F5 LTM on 10.1.98.0/24 (.1, VIP .8); PSN network 10.1.99.0/24 (gateway .1): ISE-PSN-1 .5, ISE-PSN-2 .6, ISE-PSN-3 .7, ISE-PSN-X .x; dedicated web interfaces on 10.1.91.0/24 (gateway .1): .5, .6, .7, .x

RADIUS session load-balanced to PSN @ 10.1.99.6.
Response to traffic received on an interface sent out same interface if default route exists for interface: No SNAT required!
  Default route 0.0.0.0/0 10.1.99.1 eth0
  Default route 0.0.0.0/0 10.1.91.1 eth1

Dedicated Web Interfaces under ISE 1.3
Symmetric Traffic Flows

• Configure default routes for each interface to support symmetric return traffic

ise13-psn-x/admin# config t
Enter configuration commands, one per line. End with CNTL/Z.
ise13-psn-x/admin(config)# ip route 0.0.0.0 0.0.0.0 gateway 10.1.91.1

• Validate new default route

ise13-psn-x/admin# sh ip route

Destination     Gateway     Iface
-----------     -------     -----
10.1.91.0/24    0.0.0.0     eth1
10.1.99.0/24    0.0.0.0     eth0
default         10.1.91.1   eth1
default         10.1.99.1   eth0

F5 LTM Configuration Components for HTTP/S LB

Diagram: Virtual Server references a TCP Profile, a Persistence Profile, and a Pool List made up of Member Nodes; a Health Monitor is attached to the Pool List.

Configure HTTPS Health Monitor
Local Traffic > Monitors

• Configure Send and Receive Strings appropriate to ISE version
• Set UserName and Password to any value (does not have to be valid user account)
• Alias Service Port = Portal Port configured in ISE

HTTPS Health Monitor Examples
Local Traffic > Monitors

• ISE 1.2 Example
  • Send String: GET /sponsorportal/
  • Receive String: HTTP/1.1 200 OK
• ISE 1.3 Example
  • Send String: GET /sponsorportal/PortalSetup.action?portal=Sponsor%20Portal%20%28default%29
  • Receive String: HTTP/1.1 200 OK

Optional: Configure TCP Profile for HTTPS
Local Traffic > Profiles > Protocol > TCP

• Start with default Idle Timeout
• Using a custom profile allows for tuning later if needed without impacting other services based on same parent TCP profile

Configure Persistence Profile for HTTPS
Local Traffic > Profiles > Persistence

• Enable Match Across Services
• If different Virtual Server IP addresses used for Web Services, then enable Match Across Virtual Servers. Generally recommend use same VIP address for all portals
• Timeout = Persistence timer. Value of 1200 seconds = 20 minutes (default Sponsor Portal idle timeout setting in ISE)

Configure Server Pool for Web Services
Local Traffic > Pools > Pool List

• Health Monitor = HTTPS Monitor
• Action on Service Down = None

Configure Member Nodes in Web Services Pool
Local Traffic > Pools > Pool List > Members

• Load Balancing Method options:
  • Least Connections (node)
  • Least Connections (member)
  • Fastest (application)
• Server Port = 0 (all ports)

Configure Virtual Server for Web Portals (Properties)
Local Traffic > Virtual Servers > Virtual Server List

• Type = Standard
• Source = 0.0.0.0/0 (all hosts) or specific network address.
• Destination = Web Portal Virtual IP
• Service Port = Web Portal Port configured in ISE (default 8443)

Configure Virtual Server for HTTPS Portals (Advanced)
Local Traffic > Virtual Servers

• Protocol = TCP
• Protocol Profile = tcp or custom TCP profile
• Optional: Limit traffic to specific VLAN(s)
• Source Address Translation (SNAT)
  • Single PSN interface: None
  • Dedicated PSN interface (ISE 1.2): Auto Map
  • Dedicated PSN interface (ISE 1.3): None or Auto Map

Configure Virtual Server for HTTPS Portals (Resources)
Local Traffic > Virtual Servers > Virtual Server List > Resources

• Default Pool = Web Portals Pool
• Default Persistence Profile = HTTPS persistence profile
• Fallback Persistence Profile: Not required

Configure Virtual Server for Web Portals on TCP/443
Local Traffic > Virtual Servers > Virtual Server List

• Virtual Server used to forward web traffic sent to portal FQDN on default HTTPS port 443
• PSNs will automatically redirect traffic to FQDN to specific portal port / URL.
• Service Port = 443 (HTTPS). Default HTTPS port used in initial portal request by end user.
• All other Virtual Server settings the same as port-specific Virtual Server (Example: ise_https8443_portals)

Configure Virtual Server for Web Portals on TCP/80
Local Traffic > Virtual Servers > Virtual Server List

• Virtual Server used to forward web traffic sent to portal FQDN on default HTTP port 80
• PSNs will automatically redirect traffic to FQDN to specific portal port / URL.
• Service Port = 80 (HTTP). Default HTTP port used in initial portal request by end user.
• All other Virtual Server settings the same as port-specific Virtual Server (Example: ise_https8443_portals)

Configure Virtual Server for Web Portals on TCP/80
Optional HTTP -> HTTPS Redirect by F5 LTM

To configure F5 LTM to perform automatic HTTP to HTTPS redirect instead of PSNs:
• Configure new http profile under Profiles > Services > HTTP using default settings
• Configure new http class under Profiles > Protocol > HTTP Class. Under Actions, set redirect URL.
• Under Virtual Server for HTTP (TCP/80):
  • Specify HTTP Profile under Advanced Configuration
  • Specify new HTTP Class under Resources > HTTP Class Profiles.

Virtual Server List
(Screenshot of the configured Virtual Servers)

Server Pool List
(Screenshot of the configured Server Pools)

Global Load Balancing Considerations

F5 BIG-IP GTM: Load Balancing Web Requests
Client-Based Load Balancing/Distribution Based on DNS Response

• Integrate Global LB using F5 BIG-IP GTM with Local LB using F5 BIG-IP LTM

Diagram: F5 BIG-IP GTM is the DNS SOA for company.com and holds the records
  sponsor IN A 10.1.99.12
  sponsor IN A 10.1.99.13
  sponsor IN A 10.2.100.14
  sponsor IN A 10.2.100.15
Site 1: F5 LTM at 10.1.99.12 in front of its PSNs. Site 2: F5 LTM at 10.2.100.14 / 10.2.100.15 in front of ISE-PSN-14 and ISE-PSN-15. Client 10.1.60.105 asks "What is IP address for sponsor.company.com?" and receives 10.1.99.12; client 10.2.5.221 asks the same question and receives 10.2.100.15.

F5 BIG-IP GTM: Load Balancing Web Requests
Global Load Balancing/Distribution Based on Routing and DNS Response

• This example combines Anycast with the DNS response: each site's F5 LTM presents the same VIP (10.1.99.12), GTM returns that one address for every portal name, and IP routing carries each client to the nearest site.

[Diagram: clients 10.1.60.105 and 10.2.5.221 both ask F5 BIG-IP GTM (DNS SOA for company.com) "What is the IP address for sponsor.company.com?" and both receive 10.1.99.12. ISE-PSN-14 and ISE-PSN-15 sit behind F5 LTMs that share the anycast VIP 10.1.99.12.]

  sponsor IN A 10.1.99.12
  mydevices IN A 10.1.99.12
  lwa-portal1 IN A 10.1.99.12
  lwa-portal2 IN A 10.1.99.12
Basic NAD-Based RADIUS Server Redundancy
Multiple RADIUS Servers Defined in Access Device

• Configure Access Devices with multiple RADIUS Servers.
• Fallback to secondary servers if the primary fails.

[Diagram: User -> Network Access Device -> RADIUS Auth to PSN1 (10.1.2.3), PSN2 (10.4.5.6), PSN3 (10.7.8.9)]

  radius-server host 10.1.2.3 auth-port 1812 acct-port 1813
  radius-server host 10.4.5.6 auth-port 1812 acct-port 1813
  radius-server host 10.7.8.9 auth-port 1812 acct-port 1813
NAD-Based Redundancy to Different LTM LB Clusters
RADIUS Example – Different RADIUS VIP Addresses

• Configure access devices with each LB cluster VIP as a RADIUS Server.
• Fallback to the secondary DC if the primary DC fails.

[Diagram: User -> Network Access Device -> RADIUS Auth to
  DC #1: F5-LTM1 VIP 10.1.98.8 -> PSN1 (10.1.99.5), PSN2 (10.1.99.6), PSN3 (10.1.99.7)
  DC #2: F5-LTM2 VIP 10.2.100.2 -> PSN1 (10.2.101.5), PSN2 (10.2.101.6), PSN3 (10.2.101.7)]

  radius-server host 10.1.98.8 auth-port 1812 acct-port 1813
  radius-server host 10.2.100.2 auth-port 1812 acct-port 1813
NAD-Based Redundancy to Different LTM LB Clusters
RADIUS Example – Single RADIUS VIP Address using Anycast

• Configure access devices with the single, shared LB cluster VIP as the RADIUS Server.
• Fallback to the secondary DC if the primary DC fails happens by routing: both LTMs advertise the same VIP (10.1.98.8) and the NAD's one radius-server entry follows whichever route is active. This requires the primary LTM to stop advertising the VIP when its pool is down; otherwise the NAD keeps sending to a black hole and, having only one server defined, has nothing else to fall back to.

[Diagram: User -> Network Access Device -> RADIUS Auth to
  DC #1: F5-LTM1 VIP 10.1.98.8 -> PSN1 (10.1.99.5), PSN2 (10.1.99.6), PSN3 (10.1.99.7)
  DC #2: F5-LTM2 VIP 10.1.98.8 -> PSN1 (10.2.101.5), PSN2 (10.2.101.6), PSN3 (10.2.101.7)]

  radius-server host 10.1.98.8 auth-port 1812 acct-port 1813
NAD-Based Redundancy to Different LTM LB Clusters
Profiling Example – Different DHCP VIP Addresses

• Configure access devices with each PSN cluster VIP as an IP Helper.
• Both Data Centers receive a copy of the DHCP Profiling data.

[Diagram: User -> Network Access Device -> DHCP Relay to
  DC #1: F5-LTM1 VIP 10.1.98.11 -> PSN1 (10.1.99.5), PSN2 (10.1.99.6), PSN3 (10.1.99.7)
  DC #2: F5-LTM2 VIP 10.2.100.3 -> PSN1 (10.2.101.5), PSN2 (10.2.101.6), PSN3 (10.2.101.7)]

  interface VLAN 10
   ip address A.B.C.D 255.255.255.0
   ip helper-address X.X.X.X      ! Real DHCP server
   ip helper-address 10.1.98.11   ! LTM1
   ip helper-address 10.2.100.3   ! LTM2
NAD-Based Redundancy to Different LTM LB Clusters
Profiling Example – Single DHCP VIP Address using Anycast

• Configure access devices with the single PSN cluster VIP as an IP Helper.
• Fallback to the secondary DC if routing to the primary DC fails.

[Diagram: User -> Network Access Device -> DHCP Relay to
  DC #1: F5-LTM1 VIP 10.1.98.11 -> PSN1 (10.1.99.5), PSN2 (10.1.99.6), PSN3 (10.1.99.7)
  DC #2: F5-LTM2 VIP 10.1.98.11 -> PSN1 (10.2.101.5), PSN2 (10.2.101.6), PSN3 (10.2.101.7)]

  interface VLAN 10
   ip address A.B.C.D 255.255.255.0
   ip helper-address X.X.X.X      ! Real DHCP server
   ip helper-address 10.1.98.11   ! Anycast VIP
Monitoring and Troubleshooting
Live Log Output for Load Balanced Sessions
Synthetic Transactions

• Batch of test authentications generated from a Catalyst switch (privileged EXEC):

  # test aaa group radius radtest cisco123 new-code count 100

• All RADIUS sent to LB VIP @ 10.1.98.8
• Requests evenly distributed across the real servers: ise-psn-1, ise-psn-2, ise-psn-3
Live Log Output for Load Balanced Sessions
Real Transactions

• All RADIUS sent to LB VIP @ 10.1.98.8
1. All phone auth is load balanced from the VIP to ise-psn-3 @ 10.1.99.7.
2. All PC auth is load balanced to ise-psn-1 @ 10.1.99.5; URL Redirect traffic is sent to the same PSN.
3. CoA is sent from the same PSN that is handling the auth session.
4. dACL downloads are sent from the switch itself without a Calling-Station-Id or Framed-IP-Address, so the request can be load balanced to any PSN. It is not required to pull the dACL from the same PSN as the auth.

[Live Log screenshot with callouts 1-4 not reproduced]
Cisco ISE Monitoring and Troubleshooting

• Verify Operational Status of Cisco Components
  • Validate ISE Nodes Online and Connected
  • Check that PSNs are synchronized under Administration > Deployment.
  • Verify the RADIUS Server status from the NADs.
  • Verify Identity Stores such as AD and LDAP are connected to PSNs and traffic is not being dropped.
• ISE Authentications Live Log
• ISE Reports
• ISE Packet Capture using TCP Dump
• Logging Suppression and Collection Filters
Cisco ISE Monitoring and Troubleshooting
Verify ISE Node Status

• Check Node Status from the ISE Dashboard and under Administration > Deployment.
Cisco ISE Monitoring and Troubleshooting
Verify Health Monitor Is Authenticating Successfully

• Are Probes Failing?
Cisco ISE Monitoring and Troubleshooting
Verify Health Monitor Is Authenticating Successfully

• If an internal user is used, is the account enabled? Is the password correct?
• If an external user store is used, is the identity store connected?
F5 BIG-IP LTM Monitoring and Troubleshooting

• Verify Operational Status of F5 Components
  • Virtual Server Status
  • Pool Member Status
• Health Monitors
• Persistence Records
• iRule Debug and View Local Traffic Logs
• Packet Capture using TCP Dump
F5 BIG-IP LTM Monitoring and Troubleshooting
Verify Virtual Server and Pool Member Status

• Virtual Server Status: if the Virtual Server is down, then all of its Pool Members are down.
• Pool Member Status: if a single node (pool member) is down, the cluster is impacted but the Virtual Server is still up. If connections then fail, verify that the persistence entries pointing at the down member have been cleared.
F5 BIG-IP LTM Monitoring and Troubleshooting
Viewing Persistence Records from the F5 Web Interface

• Persistence Records: Bad Example
• MAC addresses are not normalized, so separate persist entries are created for the same endpoint (for example when one NAD sends the Calling-Station-Id as 7C-6D-62-E3-D5-05 and another as 7c:6d:62:e3:d5:05), and that endpoint's RADIUS requests can land on different PSNs.
F5 BIG-IP LTM Monitoring and Troubleshooting
Viewing Persistence Records from the F5 Web Interface

• Persistence Records: Good Example
F5 BIG-IP LTM Monitoring and Troubleshooting
Viewing Persistence Records from the F5 BIG-IP LTM Console Interface

• Show Persistence Records for the RADIUS Virtual Server

  root@(f5)(cfg-sync Standalone)(Active)(/Common)(tmos)# show ltm persistence persist-records virtual ise_radius_auth
  Sys::Persistent Connections
  universal 10.1.98.8:1812 10.1.99.15:1812 0
  universal 10.1.98.8:1812 10.1.99.15:1812 0
  universal 10.1.98.8:1812 10.1.99.16:1812 0
  universal 10.1.98.8:1812 10.1.99.17:1812 0
  universal 10.1.98.8:1812 10.1.99.17:1812 0
  Total records returned: 5

• Show Persistence Records for a Specific Client Based on MAC Address as the Persist Key

  root@(f5)(cfg-sync Standalone)(Active)(/Common)(tmos)# show ltm persistence persist-records virtual ise_radius_auth mode universal key 7C-6D-62-E3-D5-05
  Sys::Persistent Connections
  universal 10.1.98.8:1812 10.1.99.16:1812 0
  Total records returned: 1
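Added example, not code from the deck, from Cisco or from F5 (the deck's RADIUS iRule is Tcl and is not reproduced in this section): a self-contained Python model of the RADIUS exchange behind two of the troubleshooting items above, the health monitor that must authenticate successfully against each PSN and the MAC-keyed persistence records. It builds an RFC 2865 Access-Request like the one a monitor sends, checks the Response Authenticator of the PSN's reply with the shared secret (a wrong secret on either side is exactly what a failing probe looks like), and derives a persistence key that normalizes Calling-Station-Id so differently formatted MACs (7C-6D-62-E3-D5-05, 7c:6d:62:e3:d5:05, 7c6d.62e3.d505) do not create separate persist entries, falls back to Framed-IP-Address, and returns no key for a request carrying neither, such as the switch's own dACL download. The shared secret, user name, NAS address and MACs are constructed values.

```python
# Added example, not from the Cisco/F5 deck: a minimal RFC 2865 RADIUS encoder/decoder
# showing what an LTM health monitor exchanges with a PSN and how a MAC-keyed
# persistence key is derived. Secret, user, NAS address and MACs are constructed.
import hashlib
import hmac
import os
import re
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3    # RADIUS packet codes
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4        # attribute types (RFC 2865)
FRAMED_IP_ADDRESS, CALLING_STATION_ID = 8, 31

def hide_password(password, secret, req_auth):
    """RFC 2865 s5.2: pad to a 16-byte multiple, XOR each block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out

def encode_attrs(attrs):
    """attrs is a list of (type, value bytes); each AVP is Type(1) Length(1) Value."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def decode_attrs(payload):
    """Return {type: [values]}, refusing malformed lengths instead of reading past the buffer."""
    attrs, i = {}, 0
    while i + 2 <= len(payload):
        t, length = payload[i], payload[i + 1]
        if length < 2 or i + length > len(payload):
            raise ValueError("malformed RADIUS attribute")
        attrs.setdefault(t, []).append(payload[i + 2:i + length])
        i += length
    return attrs

def parse(packet):
    """Split a RADIUS packet into (code, identifier, authenticator, {type: [values]})."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length != len(packet):
        raise ValueError("bad RADIUS length")
    return code, ident, packet[4:20], decode_attrs(packet[20:])

def build_access_request(ident, secret, user, password, nas_ip,
                         calling_station=None, framed_ip=None, req_auth=None):
    """What the LTM RADIUS monitor (or a NAD) sends: Access-Request with a hidden User-Password."""
    req_auth = req_auth or os.urandom(16)                  # fresh Request Authenticator per request
    attrs = [(USER_NAME, user.encode()),
             (USER_PASSWORD, hide_password(password.encode(), secret, req_auth)),
             (NAS_IP_ADDRESS, socket.inet_aton(nas_ip))]
    if calling_station:
        attrs.append((CALLING_STATION_ID, calling_station.encode()))
    if framed_ip:
        attrs.append((FRAMED_IP_ADDRESS, socket.inet_aton(framed_ip)))
    body = encode_attrs(attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + req_auth + body

def response_authenticator(code, ident, req_auth, body, secret):
    """RFC 2865 s3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return hashlib.md5(header + req_auth + body + secret).digest()

def build_response(code, request, secret, attrs=()):
    """What the PSN returns (Access-Accept or Access-Reject) for a given request."""
    _, ident, req_auth, _ = parse(request)
    body = encode_attrs(list(attrs))
    auth = response_authenticator(code, ident, req_auth, body, secret)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + auth + body

def verify_response(response, request, secret):
    """Monitor-side check: same identifier and a Response Authenticator made with our shared secret.
    A mismatched secret on either side fails here, which is what a failing probe looks like."""
    code, ident, resp_auth, _ = parse(response)
    _, req_ident, req_auth, _ = parse(request)
    if ident != req_ident:
        return False
    expected = response_authenticator(code, ident, req_auth, response[20:], secret)
    return hmac.compare_digest(expected, resp_auth)

def persistence_key(packet):
    """Key for universal persistence: Calling-Station-Id normalized so 7C-6D-62-E3-D5-05,
    7c:6d:62:e3:d5:05 and 7c6d.62e3.d505 share one record; else Framed-IP-Address; else None
    (no key, e.g. a dACL download the switch requests on its own behalf)."""
    _, _, _, attrs = parse(packet)
    if CALLING_STATION_ID in attrs:
        raw = attrs[CALLING_STATION_ID][0].decode("ascii", "replace").lower()
        stripped = re.sub(r"[-:.]", "", raw)
        return stripped if re.fullmatch(r"[0-9a-f]{12}", stripped) else raw
    if FRAMED_IP_ADDRESS in attrs and len(attrs[FRAMED_IP_ADDRESS][0]) == 4:
        return socket.inet_ntoa(attrs[FRAMED_IP_ADDRESS][0])
    return None

if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    probe = build_access_request(1, secret, "radtest", "cisco123", "10.1.98.8", "7C-6D-62-E3-D5-05")
    accept = build_response(ACCESS_ACCEPT, probe, secret)
    print("probe ok:", verify_response(accept, probe, secret), "key:", persistence_key(probe))
```

Feed `verify_response` a reply built with a different secret and it returns False without any decryption step, which is why a probe that "fails" with a correct user and password still points at the shared secret on the LTM or the NAD definition on the PSN. The key derivation is the logic a persistence iRule has to implement; the lookup shown above with `key 7C-6D-62-E3-D5-05` only finds one record if every NAD's Calling-Station-Id has been reduced to the same form first.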
F5 BIG-IP LTM Monitoring and Troubleshooting
Clearing Persistence Records and Connections from the F5 BIG-IP LTM Console Interface

• Delete Persistence Records for the RADIUS Virtual Server

  root@(f5)(cfg-sync Standalone)(Active)(/Common)(tmos)# delete ltm persistence persist-records virtual ise_radius_auth

• Delete All Persistence Records

  root@(f5)(cfg-sync Standalone)(Active)(/Common)(tmos)# delete ltm persistence persist-records

• Delete Connections for RADIUS Auth Services

  root@(f5)(cfg-sync Standalone)(Active)(/Common)(tmos)# delete sys connection cs-server-port 1812

• Delete All Connections

  root@(f5)(cfg-sync Standalone)(Active)(/Common)(tmos)# delete sys connection
Network Topology, Routing, and Addressing Review
Key Components

• Clients / Endpoints
• Network Access Devices
• Intermediate infrastructure
• BIG-IP LTM appliances
• ISE PSN appliances
• Supporting services such as DNS, NTP, AD/LDAP, and Admin and MnT nodes
Network Topology, Routing, and Addressing Review
Other Troubleshooting Checklist Items

• Map out the expected path for each flow.
• Validate the actual path taken by packets by reviewing configuration files, logs and packet captures, routing tables, and ARP tables.
• Take into special consideration where NAT may be deployed and addresses change.
• If the F5 appliance trunks multiple VLANs, note that packet captures may show both ingress and egress packets where MAC addresses change but IP addresses do not. This can sometimes cause confusion when analyzing packet captures.
• Verify that a symmetric path is taken and that no packets are being dropped, using component logs and debugs and packet captures.
Summary
Cisco ISE / F5 BIG-IP Load Balancing
Summary Review

• Cisco ISE is a comprehensive, context-based policy management system that can scale services through the deployment of multiple Policy Service Nodes (PSNs).
• F5 BIG-IP Local Traffic Manager (LTM) is a sophisticated local load balancing solution that incorporates many advanced security and traffic optimization features.
• F5 BIG-IP Global Traffic Manager (GTM) is a global load balancing solution that leverages standard DNS to help ensure that users and applications are directed to the most available and optimal server.
• Integrating F5 BIG-IP load balancing solutions with ISE can:
  • Significantly improve ISE RADIUS, Profiling, and Web Service performance, scalability, and availability
  • Optimize ISE AAA, profiling, and database replication by ensuring the same PSN services all requests for a given endpoint
  • Simplify configuration management for network devices
  • Improve overall user experience
Cisco Support References
• Your local Cisco Channel/Security SE
• Sales Assistance Center (SAC): 24 x 7, all countries, all time zones
  Email: sac-support@cisco.com
  Phone: +1-408-902-4872 (International), 800-225-0905 (US Toll Free), 8-902-4872 (within Cisco)
  Live Chat: http://tinyurl.com/sacise
  Website: sac.cisco.com (Cisco Internal)
• Cisco Support Communities: supportforums.cisco.com
• Tech Talks, Security Deep Dive Training Series: https://communities.cisco.com/docs/DOC-30977
• Tech Zone: https://techzone.cisco.com/t5/AAA-and-Identity-Management/ct-p/aaa
• ISE and TrustSec "How-To" and Design Guides:
  http://www.cisco.com/c/en/us/solutions/enterprise/design-zone-security/landing_DesignZone_TrustSec.html
F5 Support References
• BIG-IP LTM Product Overview
  http://www.f5.com/pdf/products/big-ip-local-traffic-manager-overview.pdf
• BIG-IP LTM Configuration Guide
  https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/ltm_configuration_guide_10_0_0.html
• BIG-IP LTM Support forum
  https://support.f5.com/kb/en-us/products/big-ip_ltm.html
• DevCentral Forum
  https://devcentral.f5.com/
• iRules on F5 DevCentral
  https://devcentral.f5.com/wiki/irules.ltmmaintenancepage.ashx
• F5 University – LTM Training
  https://login.f5.com/resource/login.jsp?ctx=719748&referral=university

Follow us on Twitter @f5Networks • Official F5 Networks Channel
DevCentral F5 User Community
Over 105,000 Members in 191 Countries and Growing!

References
• Wikis
• API/SDK Documentation

Resources
• Sample Code
• Tech Tips
• Forums
• Podcasts
• Blogs

Tools and Frameworks
• iRule Editor
• iControl SDK: .NET, Java, Python, PowerShell, ...
• VMware vSphere Management Plug-in
• Microsoft SCOM Monitoring Pack
• F5 BIG-IP Product Trials (Trial, Eval, and Lab Licenses): https://f5.com/products/trials/product-trials
• Cisco dCloud: http://dcloud.cisco.com/
• ISE / NFR POC Kit on MarketPlace: http://cisco.mediuscorp.com/ise
• ISE Configured Limited Deployment (COLD) Program: https://communities.cisco.com/docs/DOC-32999
• QuickStart Demo Series on YouTube "CiscoISE" channel: https://www.youtube.com/user/CiscoISE
• Public, Scheduled and On-Demand ISE Demos:
  http://www.cisco.com/c/en/us/products/security/identity-services-engine/ise_demos.html
Questions?
Thank you.