Table H-1 Cisco ISE Services and Ports
Cisco ISE Node
|
ISE Service
|
Ports on Gigabit Ethernet 0
|
Ports on Gigabit Ethernet 1
|
Ports on Gigabit Ethernet 2
|
Ports on Gigabit Ethernet 3
|
Administration ISE node
|
Administration
|
• TCP: 22 (Secure Shell [SSH] server)
•TCP: 801 (HTTP)
•TCP: 4431 (HTTPS)
Note Port 80 is redirected to port 443 (not configurable).
Note Ports 80 and 443 support Admin web applications and are enabled by default.
|
Cisco ISE management is restricted to Gigabit Ethernet 0.
|
Cisco ISE management is restricted to Gigabit Ethernet 0.
|
Cisco ISE management is restricted to Gigabit Ethernet 0.
|
Administration ISE node (continued)
|
Replication and Synchronization
|
•TCP: 443 (HTTPS SOAP)
•TCP: 15212 (Database Listener and AQ)
•Internet Control Message Protocol (ICMP) (Heartbeat)
|
•TCP:15212 (Database Listener and AQ)
|
•TCP:15212 (Database Listener and AQ)
|
•TCP:15212 (Database Listener and AQ)
|
Monitoring
|
•UDP: 161 (Simple Network Management Protocol [SNMP] QUERY)
Note This port is route table dependent.
|
|
|
|
Monitoring ISE node
|
Administration
|
•TCP: 22 (SSH server)
•TCP: 801 (HTTP)
•TCP: 4431 (HTTPS)
|
|
|
|
Replication and Synchronization
|
•TCP: 443 (HTTPS)
•TCP: 15212 (Database Listener and AQ)
•ICMP (Heartbeat)
|
•TCP: 15212 (Database Listener and AQ)
|
•TCP: 15212 (Database Listener and AQ)
|
•TCP: 15212 (Database Listener and AQ)
|
Logging
|
•UDP: 20514 (Syslog)
Note Default ports are configurable for external logs.
|
•UDP: 20514 (Syslog)
Note Default ports are configurable for external logs.
|
•UDP: 20514 (Syslog)
Note Default ports are configurable for external logs.
|
•UDP: 20514 (Syslog)
Note Default ports are configurable for external logs.
|
Policy Service ISE node
|
Administration
|
•TCP: 22 (SSH server)
•TCP: 801 (HTTP)
•TCP: 4431 (HTTPS)
|
|
|
|
Replication and Synchronization
|
•TCP: 443 (HTTPS)
•TCP: 15212 (Database Listener and AQ)
•ICMP (Heartbeat)
|
•TCP: 15212 (Database Listener and AQ)
|
•TCP: 15212 (Database Listener and AQ)
|
•TCP: 15212 (Database Listener and AQ)
|
Policy Service ISE node (continued)
|
Session
|
•UDP: 1645,1812 (RADIUS Authentication)
•UDP: 1646, 1813 (RADIUS Accounting)
•UDP: 1700, 3799 (RADIUS change of authorization [CoA])
Note UDP port 1700 is not configurable.
•TCP: 88, 389, 464 (Outbound AD and Lightweight Directory Access Protocol [LDAP])
•UDP: 30514 (Syslog))
Note This is internal via session services.
•UDP: 45588, 45590
Note UDP ports 45588 and 45590 support Policy Service communicat-ion for clustering support.
|
•UDP: 1645,1812 (RADIUS Authentication)
•UDP: 1646, 1813 (RADIUS Accounting)
•UDP: 1700, 3799 (RADIUS change of authorization [CoA])
Note UDP port 1700 is not configurable.
•TCP: 88, 389, 464 (Outbound AD and Lightweight Directory Access Protocol [LDAP])
•UDP: 30514 (Syslog)
Note This is internal via session services.
•UDP: 45588, 45590
Note UDP ports 45588 and 45590 support Policy Service communicat-ion for clustering support.
|
•UDP: 1645,1812 (RADIUS Authentication)
•UDP: 1646, 1813 (RADIUS Accounting)
•UDP: 1700, 3799 (RADIUS change of authorization [CoA])
Note UDP port 1700 is not configurable.
•TCP: 88, 389, 464 (Outbound AD and Lightweight Directory Access Protocol [LDAP])
•UDP: 30514 (Syslog)
Note This is internal via session services.
•UDP: 45588, 45590
Note UDP ports 45588 and 45590 support Policy Service communicat-ion for clustering support.
|
•UDP: 1645,1812 (RADIUS Authentication)
•UDP: 1646, 1813 (RADIUS Accounting)
•UDP: 1700, 3799 (RADIUS change of authorization [CoA])
Note UDP port 1700 is not configurable.
•TCP: 88, 389, 464 (Outbound AD and Lightweight Directory Access Protocol [LDAP])
•UDP: 30514 (Syslog)
Note This is internal via session services.
•UDP: 45588, 45590
Note UDP ports 45588 and 45590 support Policy Service communicat-ion for clustering support.
|
Policy Service ISE node (continued)
|
Guest and Sponsor Portal
|
•TCP: 8443 (HTTPS)
Note TCP port 8443 is enabled by default and configurable.
|
|
|
|
Client Provisioning
|
•TCP: 80, 8443 (web or Cisco NAC agent installation)
Note TCP port 8443 is enabled by default, configurable, and corresponds to a configuration for Guest.
•TCP: 8905 (Cisco NAC agent update)
•TCP: 8909 and UDP: 8909 (web, Cisco NAC Agent, supplicant provisioning wizard installation)
|
•TCP: 8905 (Cisco NAC agent update)
•TCP: 8909 and UDP: 8909 (web, Cisco NAC Agent, supplicant provisioning wizard installation)
|
•TCP: 8905 (Cisco NAC agent update)
•TCP: 8909 and UDP: 8909 (web, Cisco NAC Agent, supplicant provisioning wizard installation)
|
•TCP: 8905 (Cisco NAC agent update)
•TCP: 8909 and UDP: 8909 (web, Cisco NAC Agent, supplicant provisioning wizard installation)
|
Posture and Heartbeat
|
•TCP: 8905 Discovery (HTTPS)
•UDP: 8905 (Layer 2) Discovery (SWISS)
•UDP: 8905 PRA/Keep-alive (SWISS)
|
•TCP: 8905 Discovery (HTTPS)
•UDP: 8905 (Layer 2) Discovery (SWISS)
•UDP: 8905 PRA/Keep-alive (SWISS)
|
•TCP: 8905 Discovery (HTTPS)
•UDP: 8905 (Layer 2) Discovery (SWISS)
•UDP: 8905 PRA/Keep-alive (SWISS)
|
•TCP: 8905 Discovery (HTTPS)
•UDP: 8905 (Layer 2) Discovery (SWISS)
•UDP: 8905 PRA/Keep-alive (SWISS)
|
Policy Service ISE node (continued)
|
Profiler
|
•UDP: 9996 (NetFlow)
Note This port is configurable.
•UDP: 67, 68 (DHCP)
Note This port is configurable.
•TCP: 80, 8080 (DHCPSPAN probe and HTTP)
•UDP: 30514 (RADIUS)
Note This is internal via session services.
•NMAP uses ports 0-655353 (outbound).
•UDP: 53 (DNS lookup)
Note This port is route table dependent.
•UDP: 161 (SNMP QUERY)
Note This port is route table dependent.
•UDP: 162 (SNMP trap)
Note This port is configurable.
|
•UDP: 9996 (NetFlow)
Note This port is configurable.
•UDP: 67, 68 (DHCP)
Note This port is configurable.
•TCP: 80, 8080 (DHCPSPAN probe and HTTP)
•UDP: 30514 (RADIUS)
Note This is internal via session services.
•NMAP uses ports 0-655353 (outbound).
•UDP: 53 (DNS lookup)
Note This port is route table dependent.
•UDP: 161 (SNMP QUERY)
Note This port is route table dependent.
•UDP: 162 (SNMP trap)
Note This port is configurable.
|
•UDP: 9996 (NetFlow)
Note This port is configurable.
•UDP: 67, 68 (DHCP)
Note This port is configurable.
•TCP: 80, 8080 (DHCPSPAN probe and HTTP)
•UDP: 30514 (RADIUS)
Note This is internal via session services.
•NMAP uses ports 0- 655353 (outbound).
•UDP: 53 (DNS lookup)
Note This port is route table dependent.
•UDP: 161 (SNMP QUERY)
Note This port is route table dependent.
•UDP: 162 (SNMP trap)
Note This port is configurable.
|
•UDP: 9996 (NetFlow)
Note This port is configurable.
•UDP: 67, 68 (DHCP)
Note This port is configurable.
•TCP: 80, 8080 (DHCPSPAN probe and HTTP)
•UDP: 30514 (RADIUS)
Note This is internal via session services.
•NMAP uses ports 0- 655353 (outbound).
•UDP: 53 (DNS lookup)
Note This port is route table dependent.
•UDP: 161 (SNMP QUERY)
Note This port is route table dependent.
•UDP: 162 (SNMP trap)
Note This port is configurable.
|
Clustering
|
•UDP: 45588, 45590
|
•UDP: 45588, 45590
|
•UDP: 45588, 45590
|
•UDP: 45588, 45590
|
Inline Posture ISE node
|
Administration
|
•TCP: 22 (SSH server)
•TCP: 8443 (HTTPS)
Note It is used by the Administrat- ion ISE node.
|
—
|
—
|
—
|
Inline Posture
|
•UDP: 1645, 1812 (RADIUS proxy for authentication)
•UDP: 1646, 1813 (RADIUS proxy for accounting)
•UDP: 1700, 3799 (RADIUS CoA)
|
•UDP: 1645, 1812 (RADIUS proxy for authentication)
•UDP: 1646, 1813 (RADIUS proxy for accounting)
•UDP: 1700, 3799 (RADIUS CoA)
|
—
|
—
|
Note High Availability and Management services are Inline Posture-specific and do not apply to any other Cisco ISE node types.
|
| |
High Availability
|
—
|
—
|
UDP: 694 (Heartbeat)
|
UDP: 694 (Heartbeat)
|
Management
|
TCP: 9090 (Redirect)
|
TCP: 9090 (Redirect)
|
—
|
—
|
Feedback