Hi @ahollifield thanks for the response - based on our current environment, if we was to go down the route of a medium deployment (i.e 3 nodes) how would you split the roles for resiliency and HA? or would you go to a 4 node deployment and how would you then split the roles? 

3 nodes is not a medium deployment.  Its an "expanded" small deployment:  PAN/MnT/PSN + PAN/MnT/PSN + PSN

A medium deployment with four nodes would be: PAN/MnT + PAN/MnT + PSN + PSN

https://www.cisco.com/c/en/us/td/docs/security/ise/performance_and_scalability/b_ise_perf_and_scale.html

Really helpful, thanks for the advice.

Hi @Greg Gibbs thanks for the heads up regarding the Microsoft issue. We have expressroute connection from our office to Azure vWAN, have other customers been able to get Microsoft to enable the workaround with a similar setup to ours? I've been reading this evening, and it looks like the MTU issue is the same on both VPNs and SD-WAN so i'm hopeful we can get MS to resolve otherwise it's a non-starter! 

For the issue with MS dropping out of sequence UDP, my understanding is that MS has agreed to enable the workaround for customers using Cisco ISE. However, I don't have visibility of other customer deployments.

If you get pushback from MS support, I would suggest doing everything you can to escalate within MS as this is an issue they clearly have created by not understanding (or caring) how standard protocols work.

Hi @Greg Gibbs,

Understood, we will raise it with MS when we setup our test environment.  

I have a couple more questions i am hoping you can help me with or at least point me in the right direction:

• With regards to profiling, the majority of our profile policies are using the MAC or DHCP as the type, looking at the documentation it suggests that CDP and LLDP are not supported in Azure however it doesn't confirm whether other profiling types are supported, do you have a list of supported types?
  • In addition to this, what would be the quickest way to run a report to see which devices are using the CDP or LLDP for profiling or this a manual process? 
• In terms of licensing, we currently have 2 on premise VMs but we want to replace them eventually with 4 VMs in Azure, can we just purchase 2 VMs to take our total count to 4 and migrate and if so how would we achieve this when there will be a short period where we need to run them side by side? 
• Lastly, in terms of getting all of the config and data from our on-premise nodes to Azure, whats the easiest and cleanest way of achieving this? Is this just a case of backup and restore of the configuration and operational data? what happens to other config like names/personas etc? 

1. I assume you're talking about this reference... "For example, working with DHCP SPAN profiler probes and CDP protocol functions through the Cisco ISE CLI are functions that are currently not supported."
CDP/LLDP for profiling of endpoints comes from the Device Sensor on the switch. The above limitation has no bearing on that function.

2. You would need enough VM licenses in your smart account to cover any concurrent VMs you intend to use. See the ISE Licensing Guide for more details on licensing.

3. You would use the config backup/restore (without restoring the ADE-OS). The new nodes will have different FQDNs, so you'll need new certificates, etc. See the backup procedures in the ISE Upgrade Journey guide for additional pre- and post-backup/restore steps required.

Please submit a new post for any additional questions that are not specifically related to the original topic and refrain from using the same post for multiple topics/questions in the future. Doing so makes it more difficult for others with similar questions to find the answers.