topic Re: ISE high level design in Network Access Control

ISE high level design

xili5 — Tue, 30 Jul 2019 14:52:33 GMT

Hi Expert,

I am seeking the best practice of ISE design.

1. From ISE design guide, the maximum number of PSN nodes are 5 when PAN&MnT is on a single node and PSN is on dedicated node. How about if PSN role is on the primary/secondary PAN&MnT node in the distributed deployment, how many dedicate PSN nodes could have in this kind of cube? Is it possible to design like

Node1: Pri PAN&MnT+PSN

Node2: Sec PAN&MnT+PSN

Node3-7: 5 dedicated PSNs

Node1: Pri PAN&MnT+PSN

Node2: Sec PAN&MnT+PSN

Node3-5: 3 dedicated PSNs

2. I have a customer that there are 20 PSN nodes needed in one distributed deployment. So from design guide, we need separate PAN and MNT on dedicated ise nodes and could have up to 50 dedicated PSNs supported. Which appliance or equivalent VM should I choose for PAN and MNT node if I only need 20 dedicated PSNs? I only see 3595 and 3695 as PAN in the guide. What is the recommendation of appliance or equivalent VM of PAN/MNT in a separate PAN, MnT and PSN nodes design if the number of PSNs node is not near 50?

Re: ISE high level design

Nidhi — Tue, 30 Jul 2019 14:58:26 GMT

1- None. if you run PAN+ MnT+ PSN in same appliance. you cannot add more PSNs.

If you have a setup like node 1- PAN+MnT , node 2- PSN, in this case you can add 5 PSNs.

2- For 20 dedicated PSNs , you need a distributed deployment with personas running on seperate Nodes.

the sizing of the deployment depends on the number of concurrent sessions in teh deployment.

I suggest starting with ciscoLive session BRKSEC-3432 from SanDiego 2019 to understand teh best practices

Thanks,

Nidhi

Re: ISE high level design

paul — Tue, 30 Jul 2019 15:01:12 GMT

There are only 4 supported ISE deployment models:

Stand alone node running all personas.
Two node deployment running all personas.
4-7 node deployment where the PAN/M&Ts are running on two nodes (no PSN functionality) and 2-5 PSNs.
6-54 node deployment. Two dedicated PANs, two dedicated M&Ts and up to 50 PSNs based on your needs.

Once you move to #3 or #4 you cannot run PSN functionality on the PAN/M&Ts and still be running a supported model.

Re: ISE high level design

xili5 — Wed, 31 Jul 2019 03:08:16 GMT

Thanks, Paul.

But how about my second question? Design guide only mentioned separate PAN and MnT on 3695 and 3595 could support up to 50 dedicated PSNs. Does it mean only 3595 and 3695 are supported in this kind of design? Or if we only need 10 or 20 dedicated PSNs, we could use 3615 or 3655 as PAN and MNT?

Re: ISE high level design

xili5 — Wed, 31 Jul 2019 03:13:44 GMT

Thanks, Nidhi.

I went through BRKSEC-3432 and no answer was found for my second question. I just wanted to confirm that whether we have to choose 3595 and 3695 as PAN and MnT when we only need maybe 10 or 20 dedicated PSNs.

Re: ISE high level design

Damien Miller — Wed, 31 Jul 2019 03:22:16 GMT

You can choose the 3595, 3655, or 3695 templates/appliances, all three would be suitable for admin nodes in a dedicated deployment. The 3695 for admin nodes is geared towards 2,000,000 active endpoint deployments, both the 3595 and 3655 are supported for deployment of up to 50 PSN's and 500k active endpoints.

Re: ISE high level design

xili5 — Wed, 31 Jul 2019 04:42:38 GMT

Thank, Damien.

I found this in 2.6 installation guide.

But it is not the same for 2.4 which mentioned 3695 PAN supports maximum of 500K, not 2,000,000 like 2.6.

Also hope the team could update ISE Performance & Scale page soon to clear the confusion when making ISE design.

https://community.cisco.com/t5/security-documents/ise-performance-amp-scale/ta-p/3642148#toc-hId-1418220509

Re: ISE high level design

Johannes Luther — Wed, 31 Jul 2019 05:59:52 GMT

Of course it will work. From my point of view, there's no hard enforcement for these type of stuff.

The only thing which is enforced from my point of view is, that there are max. 2 PAN and 2 MNT nodes and that's it.

I guess even the max. sessions outlined in these papers are no hard limit.

The values are the validated and supported scenarios by Cisco.

The problem is, that there are no estimations of how many sessions, PSN nodes and endpoints are supported on a full distributed deployment using small appliances.

Again: I'm pretty sure it will work (heck, it works with tiny dimensioned VMs in my lab 🙂 ). However if there are no reliable scale numbers and there is no support by Cisco I would only use the outlined designs from the Cisco documentation.

Re: ISE high level design

chenwujun — Wed, 31 Jul 2019 06:42:50 GMT

Hi Nidhi,

1- Actually, we could do this without any warnings. All of PSNs are working. Are there any problems?

I think this deployment can be used for use case that dedicated PSNs are primary role and the PSNs of PAN+ MnT+ PSN node are backup role.

2- Does ISE deployment type depends on the number of PSN nodes rather than the number of RADIUS sessions？

How about the case below：

If our customer has total 10 x locations(2 x DC and 8 x remote offices).
They would like to deploy ISE at each site，and the latency between DCs and remote sites is lower than 100ms.

They only have around 50-100 user sessions at each site, total 1000 sessions.
What deployment type will you propose and why ? Please take more attention to the total sessions in this case is only 1000.