575 Views, 0 Helpful, 5 Replies

ISE Passive ID WMI Distribution

paul
Level 10

I am working on a large international ISE install that is going to use Passive ID to gather user-to-IP mappings to feed to FMC. They have upwards of 150 DCs. I know each PSN can only support 100 DCs. I have 5 PSNs spread around the globe running the Passive ID service. My questions are:

  1. How does ISE pick which PSN does the WMI probing to which DCs?
  2. How is the load shared to make sure no PSN goes over 100 DCs?

I couldn't find a document detailing this, but may be missing it.

 

Thanks.


5 Replies

hslai
Cisco Employee
  • How does ISE pick which PSN does the WMI probing to which DCs?

Only one PSN is elected as active for the WMI probe in an ISE deployment. The election is based on the Bully algorithm, so it's somewhat random. The PassiveID report tells which PSN was selected.

  • How is the load shared to make sure no PSN goes over 100 DCs?

There is no load sharing for the WMI probe at present. For deployments using PassiveID only but not Easy Connect, we could spread the load using the PIC agent.

If I look at the scaling guide:

https://community.cisco.com/t5/security-documents/ise-performance-amp-scale/ta-p/3642148

The PSNs can poll up to 100 DCs with WMI. Since only one PSN polls, that means I can support 100 DCs. If I use the DC Agent, the recommended ratio of DCs to DC Agent on a member server is 10:1. So if I want to scale to 150 DCs, I need to do the garbage I used to do with the SF User Agent and build a bunch of member servers running the DC Agent? I guess I could combine the methods to create a hybrid model where some are WMI direct monitored and some are DC Agent.

If I have two AD domains, is Passive ID able to map IPs to users across both domains? I haven't tried that before.


Hsing,

Can you combine direct WMI probing with DC Agents?

Say for example I have 200 DCs to poll:

  • I could poll 100 of them directly with WMI from the Passive ID node in ISE.
  • I could set up 10 DC Agent member servers and set them to poll the other 100.

Would that work? Also, how does Passive ID work when multiple domains are involved?

Surendra
Cisco Employee
Yes, it is possible to have a few of them monitored using WMI and the rest using the Agent. Passive ID is a feature which utilizes data from different Providers and provides the collected data to the subscribers. The providers are WMI, Agent, API, Syslog, etc. You can use any permutation and combination of these providers. And yes, you can have multiple domains and Passive ID will still work based on the provider type you choose. Having said that, care should be taken that the data is not duplicated across multiple providers, as that would only overload the ISE and also the subscribers. There is no inbuilt feature as such to filter out duplicates on the ISE.

The 10:1 ratio of DCs to DC Agent on a member server is a recommendation. I am assuming that is the recommendation because that is the limit that has been tested, or are there significant scaling issues once you go past 10? The customer I am working with has over 200 DCs in two domains. I am trying to cut down the number of DC Agents required.
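Added example (not from the thread, and not Cisco code): a small planner for the hybrid layout paul describes above, using the two figures quoted in this thread (100 DCs over WMI for the single elected PSN, 10 DCs per DC Agent member server) as inputs, and a check for the duplicate-coverage problem Surendra raises, since ISE will not de-duplicate mappings for you. The domain names, the `dcagent-NN` labels and the 200-DC inventory are constructed for the example; the limits should be re-checked against the current ISE scale guide before use.

```python
"""Plan a hybrid ISE PassiveID provider layout (direct WMI + DC Agent) and
check it for duplicate coverage.  Added example, not Cisco code.

The limits are the ones quoted in this thread from the scale guide:
100 DCs via WMI for the single active PSN, and 10 DCs per DC Agent member
server.  They are inputs here, to be re-checked against the current guide.
"""
from collections import Counter
from typing import Dict, List

WMI_DC_LIMIT = 100    # DCs the one elected PSN can poll over WMI (per thread)
AGENT_DC_RATIO = 10   # DCs per DC Agent member server (per thread)


def plan_providers(dcs_by_domain: Dict[str, List[str]],
                   wmi_limit: int = WMI_DC_LIMIT,
                   agent_ratio: int = AGENT_DC_RATIO) -> dict:
    """Split an inventory of DCs between direct WMI polling and DC Agents.

    The first `wmi_limit` DCs (in inventory order) are polled directly by the
    active PassiveID PSN; the rest are chunked into groups of `agent_ratio`,
    one group per DC Agent member server.  The domain is kept in the name so
    a multi-domain inventory cannot collide on short hostnames.
    """
    all_dcs = [f"{dc}.{domain}" for domain, dcs in dcs_by_domain.items()
               for dc in dcs]
    wmi = all_dcs[:wmi_limit]
    remainder = all_dcs[wmi_limit:]
    agents = {
        f"dcagent-{i // agent_ratio + 1:02d}": remainder[i:i + agent_ratio]
        for i in range(0, len(remainder), agent_ratio)
    }
    return {"wmi": wmi, "agents": agents}


def find_duplicate_coverage(plan: dict) -> List[str]:
    """DCs that appear under more than one provider.

    ISE has no built-in de-duplication across providers, so a DC fed both by
    WMI and by an agent doubles the mapping load on ISE and on subscribers
    such as FMC.
    """
    seen = Counter(plan["wmi"])
    for members in plan["agents"].values():
        seen.update(members)
    return sorted(dc for dc, n in seen.items() if n > 1)


def validate_plan(plan: dict, wmi_limit: int = WMI_DC_LIMIT,
                  agent_ratio: int = AGENT_DC_RATIO) -> List[str]:
    """Return a list of problems; an empty list means the plan is within limits."""
    problems = []
    if len(plan["wmi"]) > wmi_limit:
        problems.append(f"WMI: {len(plan['wmi'])} DCs exceeds the {wmi_limit} limit")
    for name, members in plan["agents"].items():
        if len(members) > agent_ratio:
            problems.append(f"{name}: {len(members)} DCs exceeds the {agent_ratio}:1 ratio")
    for dc in find_duplicate_coverage(plan):
        problems.append(f"{dc}: covered by more than one provider")
    return problems


def sample_inventory() -> Dict[str, List[str]]:
    """Constructed two-domain inventory of 200 DCs (the figure used in the thread)."""
    return {
        "corp.example": [f"dc{i:03d}" for i in range(1, 121)],
        "emea.example": [f"dc{i:03d}" for i in range(1, 81)],
    }


if __name__ == "__main__":
    plan = plan_providers(sample_inventory())
    print(f"WMI-polled DCs: {len(plan['wmi'])}")
    for name, members in plan["agents"].items():
        print(f"{name}: {len(members)} DCs ({members[0]} .. {members[-1]})")
    print("problems:", validate_plan(plan) or "none")
```

With the constructed 200-DC inventory this yields 100 WMI-polled DCs and 10 agents of 10 DCs each, which is paul's split; feeding it 150 DCs gives 5 agents. The duplicate check is the part worth keeping around: if a DC is later moved from WMI to an agent without being removed from the WMI list, `validate_plan` flags it before the doubled mappings reach ISE and FMC.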

