topic Re: ISE in the Cloud in Network Access Control

ISE in the Cloud

Damien Miller — Sat, 08 Sep 2018 18:49:33 GMT

I'm wondering if anyone has evaluated running ISE in AWS or Azure. It would be cool to see ISE as a service offering, but i'm not asking about that right now.

Earlier this year AWS/vmware teamed up to announce vmware cloud, building esxi hosts on a bare metal ec2 boxes. It appears AWS would be able to handle the workloads quite easily, no nested virtualization, 2xcpu /w 18x2.3GHz core each, 512 GB RAM, and 15 TB nvme storage.

I haven't looked as closely at Azure, but for some time they have offered nested hyper-v virtualization. I have not run ISE on hyper-v myself which mean I'm less familiar with the requirements.

I'm wondering if any one has evaluated either of these as an options for customers that can't/don't want any onsite hardware.

Re: ISE in the Cloud

Arne Bier — Sun, 09 Sep 2018 02:09:35 GMT

I have been playing around with Azure a while and even their smaller CPU builds can rack up the costs pretty quickly. I would go for the reserved instances to get the savings that would be needed when running an ISE node 24/7. At this point it would also be nice to have an ISE image that is not so RAM and CPU hungry. I'd say ISE is quite bloated and greedy (due to Java and Oracle running under the covers).

If a typical customer migrating from ACS to ISE, who wants a bit of wired and wireless 802.1x and perhaps Guest services, might benefit from an ISE node that only needs 8 GB of RAM and 4 vCPU's.

Do the math on what it would cost to run one "small" ISE node in Azure (even with reserved instance pricing). I have not done it but I have not had the need to.

Re: ISE in the Cloud

Damien Miller — Mon, 10 Sep 2018 06:37:06 GMT

Yeah, it doesn't seem as viable in Azure since it would have to be nested in another hyper-v capable VM. Maybe for a 3515 deployment it could potentially work, but with 3595's you would have to use massive dv3/ev3 service, Standard_E32_v3 or larger.

I don't see a great solution right now for deployments in environments where the compute is entirely cloud based.

Re: ISE in the Cloud

yadulla hussainks — Tue, 19 Dec 2023 20:45:01 GMT

Hello Everyone,

Can anyone share a link for migrating CISCO ISE to Azure

Re: ISE in the Cloud

Greg Gibbs — Tue, 19 Dec 2023 21:53:39 GMT

Deploy Cisco Identity Services Engine Natively on Cloud Platforms

The only 'migration' strategy would be to build the cluster in Azure, restore a backup from your on-prem ISE cluster, then re-configure your network devices to point to the new PSNs.

You should also be aware of this issue with Azure. This default behaviour will break EAP-TLS, so you would need to have MS support enable the workaround.
https://learn.microsoft.com/en-us/answers/questions/996062/azure-drops-my-udp-fragmentated-packets-when-they