topic Re: Positioning of ISE and WLC in Network Access Control

Positioning of ISE and WLC

techno.it — Wed, 30 Aug 2023 16:39:12 GMT

We are currently in discussions with our vendor regarding the installation of Cisco WLCs and ISE in our organisation. We've got a multi-site setup with a mix of corporate and guest access needs.

Before finalizing the deployment, I'd like to tap into the collective wisdom here to ensure we're on the right track with our design.

At HQ:

ISE - distributed deployment with 2x PSN for HQ, 2x MNT and 2xPAN.

Users- 20, 000

Remote Sites (3 in total): Each remote site has 2x PSN for ISE.

Users- 10,000 at each site

WLC:
2x WLCs at each remote site for corporate wireless and guest access.

We've chosen to deploy WLC and AP as FlexConnect for both corporate wireless and Guest access with captive portal

My question to the community is: Based on similar requirements and setups, where do you recommend positioning the WLC and ISE within the network?

For those interested in the details, I've shared our current design in this link.

HQ - https://imgur.com/a/NUtoeL7

Remote - https://imgur.com/a/2vZ5mLf

Thanks in advance!

Re: Positioning of ISE and WLC

balaji.bandi — Wed, 30 Aug 2023 16:48:59 GMT

what WLC and AP you looking to deploy ? is the network SD-Access ?

some guide lines where to place WLC placement :

https://www.cisco.com/c/en/us/td/docs/solutions/CVD/Campus/cisco-campus-lan-wlan-design-guide.html

for ISE deployment i go below presentation and where to place :

https://www.ciscolive.com/c/dam/r/ciscolive/us/docs/2020/pdf/DGTL-BRKSEC-3432-reference.pdf

Note : some how not able to open that URL may be restrictions my side i guess.

Re: Positioning of ISE and WLC

jadromepso — Wed, 30 Aug 2023 16:49:13 GMT

Hmm

Re: Positioning of ISE and WLC

techno.it — Wed, 30 Aug 2023 17:00:43 GMT

Hi @balaji.bandi

Without SD-Access

WLC-9800

AP- 9120 and 9115

I have attached the network designs

Re: Positioning of ISE and WLC

ahollifield — Wed, 30 Aug 2023 19:34:19 GMT

Why have local PSNs at all? Is the plan to do AAA configuration for local 802.1X from the AP to the PSN? Do you also have local Active Directory? Or any local compute? Even if the users are able to join the network would they actually be able to do anything

What do you mean by "Based on similar requirements and setups, where do you recommend positioning the WLC and ISE within the network?" I would just deploy wherever you deploy all of your other server footprint.

Re: Positioning of ISE and WLC

techno.it — Wed, 30 Aug 2023 19:50:39 GMT

@ahollifield

We plan to use the Local PSN at each site for authenticating both wireless and wired users using methods such as 802.1x, MAB, and Guest Captive Portal.

Additionally, we intend to use TACACS+ authentication for our network devices.

It's important to note that we have Active Directory (servers, applications, databases, and more at each site.

Our proposed setup is connecting the ISE and WLC directly to the access switch, which will have an uplink to the Core Switch. We will allocate separate VLANs for ISE, WLC, and AP, without implementing a firewall between them.

We're considering whether there are any advantages to placing ISE behind a firewall. For the guest network, we plan to establish a separate VLAN with its Layer 2 gateway on the Perimeter Firewall

Re: Positioning of ISE and WLC

ahollifield — Thu, 31 Aug 2023 11:03:09 GMT

Why not plug ISE and the WLC into the core? What happens if that access switch fails? Do you plan on redundancy here at the local level? Are you buying SNS appliances? Or are these VMs?

For the guest network yes, protect ISE properly with a firewall. For the internal network, I don't see the firewall as a requirement.

Re: Positioning of ISE and WLC

techno.it — Thu, 31 Aug 2023 12:47:30 GMT

Thank you @ahollifield

We have SNS appliances. Redundancy is paramount. I can't connect ISE appliance to Core because ISE don't have SFP+ fiber ports on 3655 and 3615 appliances.

I believe ISE is only required to protect from Guest Access Portal. For that we would pop a hole in the firewall to allow traffic from the Guest VLAN to reach ISE on TCP/8443 (or whatever port number you use for the guest portal). I guess it's simple and more secure than bridging the firewall with a 2nd interface from the ISE node.

Re: Positioning of ISE and WLC

ahollifield — Thu, 31 Aug 2023 13:03:32 GMT

So what happens if that access switch fails? Do you have proper redundancy at the access layer? You could always purchase copper SFPs for the core.
Either approach is acceptable from the firewall policy, depending on your security requirements/policy.

Re: Positioning of ISE and WLC

techno.it — Thu, 31 Aug 2023 13:14:32 GMT

Catalyst 9300 access switch is configured as a Stack with uplinks to Primary and Secondary Core.

We are planning to use a service switch Catalyst 9300 to connect ISE and WLC controllers on it.

I have a concern what about the MAC table size when connecting the WLC controllers to 9300. Does the trunk port connecting to the WLC learn all the MAC addresses of devices associated with an AP when the SSID is configured as Flex Connect?

Re: Positioning of ISE and WLC

ahollifield — Thu, 31 Aug 2023 13:27:32 GMT

No, the MAC addresses are learned by the local switch the AP is plugged into. If the SSID has FlexConnect local switching enabled.

Re: Positioning of ISE and WLC

techno.it — Thu, 31 Aug 2023 13:32:23 GMT

In that case, I think the Cisco 9300 should suffice for our requirements, as it will be used to connect 2 ISE Nodes, 2 WLCs, and a cluster of 3 DNACs.