Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
New Member

ISE Network Interfaces


we have placed the ISE in a DMZ. The NIC 0 is used for Administration of the ISE.

The Switches send their RADIUS requests to the ISE via an out-of-band-management network which is connected to the DMZ though a Firewall.

What if I want to use CWA. I understand that the Guest/Sponsor Portal needs to be reachable via the Clients Network. I can use a dedicated NIC on the ISE for this connection. So GIG0 is mgmt (in DMZ) and GIG1 is Guest/Sponsor-Portal (not in DMZ).

What about security? Does the ISE route between the connected NICs? If it does, can I put a Firewall between the Client Network and the Guest-Portal NIC?

What is best Practise here?

Cisco Employee

Good question! I would like

Good question! I would like to know the answer to as well!

Thank you for rating helpful posts!

The ISE interfaces do not and

The ISE interfaces do not and should not route between it's interfaces. They have to exist on separate layer 3 networks and you can add routes on the cli if the clients exist multiple hops away from the interface itself.

Tarik Admani *Please rate helpful posts*
New Member

My situation is similar

My situation is similar however the opposite.  We have ISE in our Enterprise MNGT zone (not in DMZ). NIC0 for mngt and accessible for us to manage from inside our network. For the guests using CWA we've created a VRF for Guest-Users to route to ISE but using NIC3 only which resides in our DMZ and blocks access to our regulatory network. This is required because the client needs to reach ISE on "nic3" for it to present the Guest Portal (Layer3).  Also the client will need to receive a DHCP address beforehand to speak with ISE on its nic3, so we also have a DHCP server hanging off the guest VRF along with a interface on our WLC. The WLC on the DMZ is configured as an anchor controller and there is no need to poke any holes in our firewall.  To sum it up, we use NIC0 for mngt & radius requests but after the client connects to our WLC (Guest-WiFi) the controller talks to ISE layer2 via NIC0, after MAB is performed (mac filtering on the WLC) its get a permit back allowing the client to recieve DHCP and DNS, then after a web page is attempted our redirect ACL on the WLC sends the client to ISE NIC3 which hosts our Guest Portal.  So at no time do they touch our inside network.

We are running ISE 1.2 patch 8 for your reference.  Hopefully that helps some.  I'm still learning one phase at a time.


Hi,Yes, ISE cannot perform


Yes, ISE cannot perform routing between its interfaces, and the document link which Tarik shared, it is detailed installation guide, plz go through, it will definitely help you out.





CreatePlease to create content