https://community.cisco.com/t5/network-access-control/ise-nodes-deployment-question/m-p/3345052#M549814 <P>Thank you both for your tips.</P> <P>&nbsp;</P> <P>I won’t be using the 3495 at all.&nbsp;&nbsp; All of my ISE VM’s will be based off the 3595 OVA.&nbsp; All will be thick provisioned as well.&nbsp; I will be using ISE 2.3.</P> Thu, 08 Mar 2018 18:29:05 GMT Tim Glen 2018-03-08T18:29:05Z https://community.cisco.com/t5/network-access-control/ise-nodes-deployment-question/m-p/3344863#M549810 <P>Hi All,</P> <P>&nbsp;</P> <P>I have two sites.&nbsp; Corp and Remote. &nbsp;</P> <P>Corp has about 500 wired users &amp; 50 wired printers copiers.</P> <P>Corp has about 1000 wireless users devices. At Corp, I will configure ISE for wireless, wired &amp; VPN profiling, and wireless self-registration portal.</P> <P>Corp has an ASA that has SSL VPN configured. ISE will authenticate via RADIUS the Remote Access VPN Clients. About 30 authentications per hour.</P> <P>Corp has about 100 Cisco devices. ISE will be the TACACS server that authenticates \ authorizes admin logins,&nbsp; about 20 per day.</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>Remote has about 50 wired users \ devices and no wireless.</P> <P>Remote has an ASA that has SSL VPN configured. ISE will authenticate via RADIUS the Remote Access VPN Clients. About 100 authentications per day.</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>I’m planning on a distributed deployment this way.</P> <P><STRONG>Corp – 2 Nodes</STRONG></P> <P>Node 1 will be Primary Admin &amp; Policy Service</P> <P>Node 2 will be Primary Monitoring &amp; Policy Service</P> <P>&nbsp;</P> <P><STRONG>Remote – 1 Node</STRONG></P> <P>Node 1 will be Secondary Admin, Secondary Monitoring &amp; Policy Service</P> <P>&nbsp;</P> <P>The Network Deployments in Cisco ISE recommends Monitoring and Policy Service not be on the same node so I’m concerned about this setup at the Remote site, even though the policy service will not be <EM>too</EM><EM>&nbsp;</EM>busy.</P> <P>&nbsp;</P> <P>Is this deployment model suggested? If you would do it differently please say so and state why.</P> <P>&nbsp;</P> <P>Thank you all very much!</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> Fri, 21 Feb 2020 18:47:57 GMT https://community.cisco.com/t5/network-access-control/ise-nodes-deployment-question/m-p/3344863#M549810 Tim Glen 2020-02-21T18:47:57Z https://community.cisco.com/t5/network-access-control/ise-nodes-deployment-question/m-p/3344963#M549811 <P>Hi,</P> <P>You don't have a large deployment and I don't believe you should have a problem running PAN + MnT + PSN roles on 1 node in Corp and then the same again in Remote, or just implement what you've suggested, that should be fine depending on the ISE node resources (hardware or VM) in use.</P> <P>&nbsp;</P> <P>Check out this ISE scaling/performance webpage&nbsp;<A href="https://communities.cisco.com/docs/DOC-68347" target="_self">https://communities.cisco.com/docs/DOC-68347</A> it has good information, it indicates the maximums for each model of ISE model, you should be within the limits of even the older hardware models.</P> Thu, 08 Mar 2018 16:34:29 GMT https://community.cisco.com/t5/network-access-control/ise-nodes-deployment-question/m-p/3344963#M549811 Rob Ingram 2018-03-08T16:34:29Z https://community.cisco.com/t5/network-access-control/ise-nodes-deployment-question/m-p/3344975#M549812 <P>1.-Do not use 3495 running multiple personas no matter you do not have much traffic. I have seen&nbsp; operational issues.</P> <P>2.-Looks like you can combine multiple personas on the same node based on the number of transactions you have even though you would also integrate TACACS and RADIUS on the same ISE. Take a look on the following tables.</P> <P>3.-I would suggest you to use ISE 2.3 instead of 2.2.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="deploy3.png" style="width: 733px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/8644i14F03DE790119D4B/image-size/large?v=v2&amp;px=999" role="button" title="deploy3.png" alt="deploy3.png" /></span><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="deploy4.png" style="width: 748px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/8645i956512CBFC818FB2/image-size/large?v=v2&amp;px=999" role="button" title="deploy4.png" alt="deploy4.png" /></span><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="deploy.png" style="width: 790px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/8643i63EFE6205C4B209A/image-size/large?v=v2&amp;px=999" role="button" title="deploy.png" alt="deploy.png" /></span><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="deploy1.png" style="width: 787px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/8642i97FAD24E6923E019/image-size/large?v=v2&amp;px=999" role="button" title="deploy1.png" alt="deploy1.png" /></span></P> <P>&nbsp;</P> <P>&nbsp;</P> Thu, 08 Mar 2018 16:41:09 GMT https://community.cisco.com/t5/network-access-control/ise-nodes-deployment-question/m-p/3344975#M549812 ajc 2018-03-08T16:41:09Z https://community.cisco.com/t5/network-access-control/ise-nodes-deployment-question/m-p/3345052#M549814 <P>Thank you both for your tips.</P> <P>&nbsp;</P> <P>I won’t be using the 3495 at all.&nbsp;&nbsp; All of my ISE VM’s will be based off the 3595 OVA.&nbsp; All will be thick provisioned as well.&nbsp; I will be using ISE 2.3.</P> Thu, 08 Mar 2018 18:29:05 GMT https://community.cisco.com/t5/network-access-control/ise-nodes-deployment-question/m-p/3345052#M549814 Tim Glen 2018-03-08T18:29:05Z