topic Re: ISE Deployment in Network Access Control

ISE Deployment

Eugen Bitca — Wed, 06 Oct 2021 10:24:27 GMT

Hi,

We have the following ISE deployment with maximum number of session 5000:

Node 1 - Running Admin(Primary) + MnT (Secondary) + PSN [CPU 14, RAM 24GB, Disk 600GB]
Node 2 - Running Admin(Secondary) + MnT (Primary) + PSN [CPU 14, RAM 24GB, Disk 600GB]
Node 3 - PSN [CPU 14, RAM 20GB, Disk 400GB]

with 2 small VM licenses and 1 medium VM license.

ISE Version: 2.7.0.356. patch 2

According to the Cisco documentation this is not a supported scenario.
Once you install a PSN outside of the node running admin and/or MNT then its a distributed hybrid model and policy services needs to be disabled on any node running admin and/or MNT.

Also this is a medium deployment and per node we should have at least
CPU 24, RAM 96G, Disk Capacity 600G.

But all 3 nodes work properly and I have No license warning.

Can we add one more PSN(small VM license) with hw options identical to Node 3 and what deployment model should be used?

Thank you

Re: ISE Deployment

Rob Ingram — Wed, 06 Oct 2021 11:52:21 GMT

@Eugen Bitca

As you've only got 5000 maximum sessions, use nodes 3 and 4 as dedicated PSN and use nodes 1 & 2 as Primary PAN/MnT and Secondary PAN/MnT.

Where did you get those VM specs from? For ISE 2.7 it's 16CPU and 32GB RAM for small.

300GB should suffice for a dedicated PSN node.

https://www.cisco.com/c/en/us/td/docs/security/ise/2-7/InstallGuide27/b_ise_InstallationGuide27/b_ise_InstallationGuide27_chapter_01.html

https://www.cisco.com/c/en/us/td/docs/security/ise/performance_and_scalability/b_ise_perf_and_scale.html

Re: ISE Deployment

Eugen Bitca — Wed, 06 Oct 2021 13:29:28 GMT

hi Rob,

If I understand correctly, in a 4-nodes deployment I can have Node 1 as Primary PAN/MnT, Node 2 as a Secondary PAN/MnT, and Node 3 & 4 dedicated PSN and for all 4 nodes we may have small VM licenses(qty 4) with hw specs per each node 16CPU and 32GB RAM.

I was thinking because it is more than 2 Nodes then it is Medium Deployment which require to have medium VM licences with hw specs CPU 24, RAM 96.

Thank you

Re: ISE Deployment

Marcelo Morais — Wed, 06 Oct 2021 20:23:13 GMT

Hi @Eugen Bitca ,

have you considered the possibility of having 2x Small Deployment Clusters?

Cluster A and Cluster B (all Nodes SNS 3615😞

Node 1: PPAN, PMnT and PSN

Node 2: SPAN, SMnT and PSN

Note: for details of SNS 3615 ... please take a look at: Performance and Scalability Guide for ISE.

Hope this helps !!!

Re: ISE Deployment

Eugen Bitca — Thu, 07 Oct 2021 04:15:16 GMT

Hi,

Having 2x small deployment cluster means having 2x licenses(base, plus..) per each deployment.

In the existing deployment:

with 2 small VM licenses and 1 medium VM license.

as per design it is a medium deployment(more than 2 nodes) but hw specs are for small deployment, and this mix work perfectly, i have no problem at all, so seems that in a medium deployment there is no need to have medium VM licenses.

Thank you

Re: ISE Deployment

Marcelo Morais — Thu, 07 Oct 2021 12:28:08 GMT

Hi @Eugen Bitca ,

if you use Smart Licensing then both Clusters are able to get "one pool of licenses".

Hope this helps !!!

Re: ISE Deployment

ComputerRick — Thu, 07 Oct 2021 17:34:22 GMT

I'm not sure where in the documentation that you found that your deployment would not be supported. Per the 2.7 Admin Guide (linked below) it states "Depending on your performance needs, you can scale your deployment. Each Cisco ISE node in a deployment can assume any of the following personas: Administration, Policy Service, and Monitoring." You should keep in mind that the Admin and Monitoring nodes do have additional workloads, so you should consider that when configuring Network Access Devices and the order of RADIUS or TACACS servers.

You can absolutely have 2 nodes with all three personas and still add a couple dedicated PSNs as needed.

Also, licensing is based on the VM Sizing or resources allocated, not the deployment overall. A small VM can absolutely be used in a deployment of 20+ ISE nodes. Typically, you should scale the VM resources based on the persona and number of sessions that it'll be authenticating.

Hope this clears it up for you. Please mark the correct solution.

Admin Guide: https://www.cisco.com/c/en/us/td/docs/security/ise/2-7/admin_guide/b_ise_27_admin_guide/b_ISE_admin_27_overview.html

Re: ISE Deployment

Eugen Bitca — Fri, 08 Oct 2021 04:26:05 GMT

Hi,

"You can absolutely have 2 nodes with all three personas and still add a couple dedicated PSNs as needed."

This is what I was looking for, it is clear now.

So I can add one more PSN to the existing deployment with small VM license.

Thank you very much.

Re: ISE Deployment

Greg Gibbs — Fri, 08 Oct 2021 04:59:51 GMT

I apologise that you seem to be getting differing information, but I can assure you that running 2x nodes with all 3 personas (PAN, MnT, PSN) plus additional dedicated PSN nodes (even if only one additional PSN) is NOT a design/architecture that has been validated by the ISE developer/BU teams and is therefore against Cisco best practice. If you run into performance issues in the future and need to seek support by TAC, they will very likely request that you change your architecture to a validated one for support.

The current guidance from the BU is documented in the https://cs.co/ise-scale guide.

It is possible to use the 'small' platform based on the SNS-3615 in a Hybrid model, but it would depend on the maximum number of concurrent sessions you need to support.

You can find much more detailed information on scaling ISE (directly from the BU) in the Cisco Live presentation for Advanced ISE Architect, Design and Scale ISE for your Production Networks - DGTL-BRKSEC-3432

Re: ISE Deployment

Eugen Bitca — Fri, 08 Oct 2021 05:24:38 GMT

Hi Greg,

In a 4-nodes deployment:

Node 1 as Primary PAN/MnT,

Node 2 as a Secondary PAN/MnT

Node 3 & 4 dedicated PSN

Maximum number of concurrent sessions - 5000.

Can we have small VM licenses(qty 4) with hw specs per each node 16CPU and 32GB RAM(SNS-3615)?

Do a medium deployment require medium VM licenses?

Thank you

Re: ISE Deployment

ComputerRick — Fri, 08 Oct 2021 16:56:30 GMT

@Greg Gibbs - It may not be a validated design, but does function. In reaching out to fellow TAC engineers, we'd follow the evidence if there's an issue, prior to denying support based solely on a 3 node design.

I also reached out to the BU and discussed it, there are no issues with a design that includes 3 nodes.

That being said, there is certainly consideration based on load and sessions, as well as the sizing. Cisco Best Practice is a guideline, that for specific use cases often requires modification.

I was the security engineer for a health organization spread out over a chain of islands. We had a standalone deployment, with the Adm/MnT nodes in our 2 data centers. We had a couple of smaller sites that would often lose network access due to weather, being connected by microwave. Putting PSNs at those sites was recommended and supported by Cisco, so that we could maintain security without compromising access. When that site lost network access, the PSN could still perform dot1x using a local DC. To be clear, we didn't exceed the Small Deployment session guidelines at any point.

I would be aware that adding one or two PSNs is fine, but as sessions and endpoints increase, you keep in mind moving to a medium deployment.

Re: ISE Deployment

ComputerRick — Fri, 08 Oct 2021 16:50:24 GMT

I should ask this: Are you adding a PSN to increase total number of sessions, for geographic reasons, or something else?
I would caution that if you are adding PSNs to increase the max sessions, that it will likely need a design review. If you're doing it for something else, like geographic or redundancy, like in my post below, then it would be less likely to have performance issues.

Re: ISE Deployment

Eugen Bitca — Fri, 08 Oct 2021 17:04:03 GMT

Hi,

We want to add a PSN not to increase number of session(max.5000) but for redundancy, we have WAN divided into 2 geographical area so I would like to have a PSN in each one.

Thank you

Re: ISE Deployment

ComputerRick — Fri, 08 Oct 2021 17:15:24 GMT

Do you only have 2 locations and having the 2 standalone nodes, 1 at each isn't sufficient? Also, max sessions for 2 small VMs should be 10k.
As I mentioned above, putting a dedicated PSN at a remote site is a great use case for redundancy. In my situation, I used small vms and it was more than capable.

Based on the limited info you've shared, it does seem like it would be a good idea for you to something like what we've been discussing.

Re: ISE Deployment

Eugen Bitca — Fri, 08 Oct 2021 17:44:24 GMT

I have attached the topology of ISE deployment.

Re: ISE Deployment

ComputerRick — Fri, 08 Oct 2021 17:59:25 GMT

That is a great example. Are you using Active Directory for users? If so, you'll need an AD server (or any other external ID source) at the remote site to ensure functionality if your WAN link goes down. Otherwise, the PSN would fail authentications.

As Greg said above, if there are performance issues, it may require a design review.
Do you have users authenticating directly against the ISE nodes in the DC, just keep the session limits in mind, there is heavy IO on the Admin & Monitoring nodes, so if you have a lot of devices, removing the Policy Service from those and adding a PSN in the DC might be needed at some point.

Re: ISE Deployment

Eugen Bitca — Sat, 09 Oct 2021 09:12:24 GMT

Yes, AD on each site, as for the sessions, in DC - 1000 sessions, and 2000 sessions for each WAN region.

Thank you

Re: ISE Deployment

Marcelo Morais — Sat, 09 Oct 2021 12:35:13 GMT

Hi @Eugen Bitca ,

putting all together, please consider the following options:

1) 2x Small Deployment Clusters using Smart Licensing ("one pool of licenses")?

Cluster A (all Nodes SNS 3615):😞

Node 1: PPAN, PMnT and PSN1

Node 2: SPAN, SMnT and PSN2

Cluster B (all Nodes SNS 3615):😞

Node 1: PPAN, PMnT and PSN1

Node 2: SPAN, SMnT and PSN2

2) 1x Hybrid Deployment (all Nodes SNS 3615😞

Cluster (all Nodes SNS 3615 - max concurrent session of 10K):😞

Node 1: PPAN & PMnT

Node 2: SPAN & SMnT

Node 3: PSN1

Node 4: PSN2

Note: for details of the design ... please take a look at: Performance and Scalability Guide for ISE.

Hope this helps !!!

Re: ISE Deployment

ComputerRick — Mon, 11 Oct 2021 13:42:24 GMT

You should be able to have a 4th node, if you can increase the specs to the 2.7 small VM, which should be 16 CPU/32 GB.

Be aware, this isn't Cisco Best Practice. That being said, you are well within the number of endpoints for a standalone deployment. There are also scenarios where best practice doesn't meet the cu needs and can be tailored.

The biggest factor to consider here is that the Admin and Monitoring nodes are transactionally heavy and there is extra IO to the hard disks. If you're within the standalone endpoints and session maximums, you should be able to add a PSN. Just keep in mind that there is a performance concern.

I would not split the deployment for several reasons, but if you do encounter performance issues or if the Admin node seems to be struggling or sluggish, you may need to change the personas on the nodes to distribute it out a little more. This can also manifest with logs or reports taking a long time to generate.

HTH and please mark the solution.