topic Re: ISE 2.4 High availability questions in Network Access Control

ISE 2.4 High availability questions

nguyenlam — Mon, 11 Mar 2019 08:51:10 GMT

Dear buddy,

I started deploy ISE 2.4 in my lab before go to real deployment. Now i'm setup 2 ISE nodes in stand alone HA deployment. I have some question need you guys help:

1. I want to deploy two ISE nodes in different DC for redundancy, but i don't know which TCP/IP ports two ones use to communicate with each other for registration and replication data. I need those ports for open firewall rule.

2. What's extract data replicated between two nodes? Database/configuration/...? How frequency it is synchronized between them?

3. How can i monitor heath of those nodes? (my company only purchase two VMs license so we can not deploy automatic heath check nodes). Can i monitor those node by network monitor tool using SNMP?

4. My company want to migrate from ACS 4.2 to ISE 2.4 for device administrator. Can i export username/password/network device group/policy from ACS to ISE?

5. Which data can i backup from ISE for restoring in the future? Configuration/database/...?

Re: ISE 2.4 High availability questions

Damien Miller — Thu, 25 Oct 2018 16:13:08 GMT

https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/install_guide/b_ise_InstallationGuide24/b_ise_InstallationGuide24_chapter_0110.html

2. What's extract data replicated between two nodes? Database/configuration/...? How frequency it is synchronized between them?

There is a significant number of different data streams that will pass between these two nodes. I would look at the link above for ports and communication between node roles. Your configuration replication between the two nodes is essentially real time as will authentication logs.

3. How can i monitor heath of those nodes? (my company only purchase two VMs license so we can not deploy automatic heath check nodes). Can i monitor those node by network monitor tool using SNMP?

There are a number of SNMP polls supported, you can also enable smtp email alerts for a long list of issues. Look at my previous post here for more info on SNMP monitoring.
https://community.cisco.com/t5/identity-services-engine-ise/monitor-ise-process-through-snmp/m-p/3718768/highlight/true#M18685

4. My company want to migrate from ACS 4.2 to ISE 2.4 for device administrator. Can i export username/password/network device group/policy from ACS to ISE?

You will not be able to migrate ACS 4.2 to 2.4 via the migration tool Cisco has built. This would be possible if you were running ACS 5.5 or newer.

You will not be able to migrate user accounts from ACS to ISE

You can import ACS NADs to ISE via a CSV file. You will have to manipulate the data.

You will have to build your ACS policies manually in ISE

5. Which data can i backup from ISE for restoring in the future? Configuration/database/...?

You can backup the ISE configuration (all GUI and ADE-OS config) based on the backup/restore page. You will create a schedule, and ISE will backup itself and export to a repository of your choosing. This can be restored to a new standalone ISE node if you deployment was to fail.

You can also backup your radius/tacacs logs via the same backup restore portal, this is called the operation data.

If you build your ISE deployment in the lab, you can backup the config, restore it on a new node in production, then join the second production node to the deployment.

As an additional note, you need to make sure you stay under 300ms round trip time latency between your two ISE nodes.

Re: ISE 2.4 High availability questions

nguyenlam — Thu, 25 Oct 2018 17:14:44 GMT

Great Damien Miller, your answer help me a lot!

For backup/restore question. Can i backup/restore local user/user group, certificate, NAD,...?

Re: ISE 2.4 High availability questions

Damien Miller — Thu, 25 Oct 2018 17:21:19 GMT

You have to back up the certificates, both trusted and system, from either the gui export or via the CLI export. The BU has provided a very thorough backup and restore documentation guide. The certificate stores are not backed up with the config backup.
https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/admin_guide/b_ise_admin_guide_24/b_ise_admin_guide_24_new_chapter_01100.html

The local users/groups will be included in the standard ISE config backup you run.

Re: ISE 2.4 High availability questions

leolink1 — Mon, 28 Jan 2019 14:03:56 GMT

Hi,

Does it mean that for production environment, we can setup two standalone virtual ISE in high availability?

Re: ISE 2.4 High availability questions

Damien Miller — Mon, 28 Jan 2019 15:01:08 GMT

Yes, you would deploy two ISE VM's and they would be registered together in a single deployment. Both nodes will host everything you need for HA, Admin (primary/secondary), Monitoring (primary/secondary), Policy Service (TACACS and RADIUS). If one node goes down, the other node can assume the admin and monitoring duties. The policy service role is active on all nodes, active/active.

Re: ISE 2.4 High availability questions

leolink1 — Mon, 28 Jan 2019 15:15:21 GMT

Hi Damien,
Many thanks for your reply. Is there a helpful link that can help with this high availability deployment for Virtual ISE.

Please share. Thank you.

Re: ISE 2.4 High availability questions

Damien Miller — Mon, 28 Jan 2019 15:20:36 GMT

https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/admin_guide/b_ise_admin_guide_24/b_ise_admin_guide_24_new_chapter_011.html

Re: ISE 2.4 High availability questions

leolink1 — Mon, 28 Jan 2019 17:55:20 GMT

Hi Damien,
Will the virtual ISE VM require separate licenses or will only one license be sufficient for the two ISE? for one admin license for both.

Re: ISE 2.4 High availability questions

Damien Miller — Mon, 28 Jan 2019 18:10:42 GMT

You require a VM license per node. For two nodes you need either 2x R-ISE-VMS-K9= or R-ISE-VMM-K9= depending on the scale you want.

TACACS will also be licenses per node now. So if you want to enable TACACS on two nodes, you would need 2x L-ISE-TACACS-ND=.

Technically old licensing can be ordered for another two weeks, but I'm not going to muddy the water going in to something that is effectively gone.

Re: ISE 2.4 High availability questions

leolink1 — Tue, 29 Jan 2019 17:00:44 GMT

Hi Damien,

I found the pieces of information you provided very helpful.
Thank you.