
Cisco ISE 2.4 and vmware SRM COMPATIBILITY

amalitol81 (Level 1)

Guys,

 

I'm wondering whether backups of entire Cisco ISE 2.4 nodes could be enabled on a DR site using VMware Site Recovery Manager (SRM).

I'm sure this is not possible, but I haven't found any reference to this topic in the Cisco documentation. Cisco ISE does not support snapshots for backup/restore. The only documented way to back up and restore is through the GUI/CLI.

 

Any ideas? thank you,


8 Replies

Arne Bier (VIP)

Hi @amalitol81 

 

Is the main objective to get back up and running as quickly as possible?

Not sure if SRM requires agents running on the host - if so, then it's 100% not supported. If, however, it's all driven by the hypervisor, then perhaps you can give it a go and let us know - but it may not be supported by Cisco even if you get it working (it has to be officially tested to get the Cisco seal of approval). Maybe the best interim solution would be to spin up your DR site and perform periodic config restores on the PAN node running there. If that were automated, then you could even run it every 24 hours. It's a lot better than having to build it all from scratch.

 

If only there was a public cloud offering that had a cloud-native version of ISE running ... that would be sweet :)

Damien Miller (VIP Alumni)

Build HA into the ISE deployment by the traditional means offered in ISE. Two admin nodes, two MnTs, PANs in each DC.

No need to try to use SRM. I am aligned with Arne, probably won't work and we have alternate methods we know work.

@Damien Miller - I was fixated on the word DR (Disaster Recovery), and wondering whether @amalitol81 wanted a complete DR deployment that is separate from the customer's existing fully distributed PAN/MnT setup. But you're right, the secondary PAN/MnT could be located in the DR site if that makes sense for the customer (geographic separation, latency, and all that stuff has to be appropriate).

Guys,

 

You have brought in very interesting points of view, but let me explain why I'm asking about this compatibility between Cisco ISE and VMware SRM. Here is the thing.

We currently have 2 PAN/PSN nodes running in our network. All wired/wireless network access is done using AAA with certificates installed on each PC. So wireless authentication is driven by policy and is completely seamless for the users. You just open the laptop and you are on the network, almost plug-and-play.

On the other hand, we have a DR site with all our servers replicated, including the ISE nodes. We keep the same addressing over there, and all the servers are off for the entire year.

In an emergency, my manager asked me whether it's possible to apply the same conditions we currently have: turn on the ISE nodes at the DR site, and the wireless would be configured to work the same way it currently does on our campus. The laptops wouldn't need to access the network with a PSK; they could use the same AAA access.

The thing is that I don't think it's possible with Cisco ISE nodes replicated using VMware SRM. These nodes could have licensing issues (they are 2 new entities) and other operational errors and incompatibilities.

 

Do you guys have any other idea to accomplish the requirement?

 

thank you, 


I will put my Cisco Fanboy hat on for this part .... you can solve the ISE Licensing issue with Smart Licensing :-)  yes,  it's great.  Put your ISE Licenses into Smart Licensing Portal and then point each deployment's PAN node to the portal. There might be some initial pain involved in getting your PAN nodes to talk to the internet.  But the bottom line is that each deployment only consumes what it needs (base, tacacs, plus licenses).  Each deployment eats out of the same licensing bucket.

That's the solution to the licensing dilemma.  Well - partially - I think you will still need to buy 2 additional VM licenses.  But you might want to have a chat with your friendly Cisco AM/SE to see if you can get a free pass- the license is not enforced in ISE 2.4 so you could argue that it's a DR site and may never be used - hence, why you didn't buy two VM licenses for those IDLE VMs :-)  

 

As far as keeping the config in sync - if you perform daily config backups in your production ISE, then you could try to perform an automated config restore to the DR PAN node - I am guessing it won't be too easy but worth a shot - you can restore config via CLI -hence I reckon a scripted job might be able to ssh into the DR site and perform a config restore

e.g.

 

ise/admin# restore mybackup-100818-1502.tar.gpg repository myrepository encryption-key plain Lab12345

Worth a shot?

 

Failing that, why not deploy a backup ISE PAN/MNT node in the DR?  it can also serve radius requests in event of failure.
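The scripted restore floated above (and the automated periodic config restore suggested in the first reply) can be sketched as a small Python job. This is an added example written for this page, not code from the thread or from Cisco, and it rests on several assumptions, all marked in the code: the DR PAN's admin CLI is reachable over SSH with key-based authentication; the production backups land in an ISE repository (named "myrepository", as in the post) whose contents can be listed with "show repository"; and backup file names end in a YYMMDD-HHMM timestamp (the post's "mybackup-100818-1502.tar.gpg" is read that way) so the newest one can be chosen. Every argument is checked to be a single CLI word before it is spliced into the restore line, so a file name that happens to contain spaces cannot add arguments to the command. The encryption key is taken from an environment variable rather than hard-coded; the "encryption-key plain" form still exposes it on the ISE command line, so keep it out of the script, shell history and job logs.

```python
import re
import subprocess
from datetime import datetime

# Added example for this thread, not Cisco code. ISE config backup files are
# assumed to be named <name>[-CFG10]-<YYMMDD>-<HHMM>.tar.gpg; the post's
# 'mybackup-100818-1502.tar.gpg' is read with that layout (assumption).
BACKUP_RE = re.compile(
    r"^(?P<name>[A-Za-z0-9_.-]+?)(?:-CFG10)?-(?P<ts>\d{6}-\d{4})\.tar\.gpg$"
)
TOKEN_RE = re.compile(r"^[A-Za-z0-9_.-]+$")  # exactly one ISE CLI word

# Constructed sample of what 'show repository myrepository' might print on the
# DR node (assumption: one file per line, file name last on the line).
SAMPLE_LISTING = """\
mybackup-CFG10-181008-1502.tar.gpg
mybackup-CFG10-181009-0200.tar.gpg
other-CFG10-181010-0200.tar.gpg
notes.txt
"""


def parse_backup(filename):
    """Return (backup name, timestamp) for an ISE backup file name, else None."""
    m = BACKUP_RE.match(filename)
    if not m:
        return None
    try:
        return m["name"], datetime.strptime(m["ts"], "%y%m%d-%H%M")
    except ValueError:  # six digits that are not a calendar date
        return None


def latest_backup(listing, name):
    """Newest backup called <name> in a repository listing, or None."""
    best = None
    for line in listing.splitlines():
        words = line.split()
        parsed = parse_backup(words[-1]) if words else None
        if parsed and parsed[0] == name and (best is None or parsed[1] > best[1]):
            best = (words[-1], parsed[1])
    return best[0] if best else None


def build_restore_command(filename, repository, key):
    """The CLI line from the thread, with each argument checked to be one CLI
    word so a crafted file name cannot smuggle extra arguments into it."""
    if not BACKUP_RE.match(filename):
        raise ValueError(f"not an ISE backup file name: {filename!r}")
    if not TOKEN_RE.match(repository):
        raise ValueError(f"bad repository name: {repository!r}")
    if not key or any(c.isspace() for c in key):
        raise ValueError("encryption key must be one non-empty token")
    return f"restore {filename} repository {repository} encryption-key plain {key}"


def ssh_runner(host, user="admin"):
    """Run one ISE admin CLI command over ssh (key-based auth assumed); returns stdout."""
    def run(command):
        argv = ["ssh", "-o", "BatchMode=yes", f"{user}@{host}", command]
        return subprocess.run(argv, check=True, capture_output=True, text=True).stdout
    return run


def recording_runner(listing):
    """Offline stand-in for ssh_runner: answers 'show repository' with a canned
    listing and records every command it is asked to run."""
    calls = []

    def run(command):
        calls.append(command)
        return listing if command.startswith("show repository ") else ""
    return run, calls


def run_dr_restore(run, repository, name, key):
    """List the repository, pick the newest backup, restore it.
    Returns the restore command issued, or None when no backup was found."""
    fn = latest_backup(run(f"show repository {repository}"), name)
    if fn is None:
        return None
    cmd = build_restore_command(fn, repository, key)
    run(cmd)
    return cmd


if __name__ == "__main__":
    import os
    # Dry run against the constructed listing, then the real node if a key is set.
    run, calls = recording_runner(SAMPLE_LISTING)
    print(run_dr_restore(run, "myrepository", "mybackup", "Lab12345"))
    key = os.environ.get("ISE_BACKUP_KEY")  # keep the key out of the script and argv
    if key:  # hypothetical DR PAN host name
        print(run_dr_restore(ssh_runner("dr-ise-pan.example.net"),
                             "myrepository", "mybackup", key))
```

Schedule it from the production side (cron or the backup job itself) only after the daily backup has finished writing to the repository, and check the DR node's restore status afterwards; a half-written archive will fail decryption, which is the outcome the file-name check above cannot catch.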

I agree with Arne, I find it disturbing to run a critical service this way. Deploy secondaries at the site.

Hi guys,

 

I agree with some of the points, but there are two things here:

1. The DR site does not have internet access. Smart licensing wouldn't work.

2. We run an emergency test every year, during which we isolate the DR site environment from our main DC and check all our internal services. So during the test we have an isolated environment and our production servers running the same services at the same time.

The best idea for me is adding another Cisco ISE node (PAN/PSN) at the DR site that would work as a secondary. That would mean an extra cost for that node, and maybe it's not possible for budget reasons.

My boss's idea is simple: replicate the ISE nodes from the campus to the DR site, keep them off, and during an emergency turn on the nodes, and magically the DR ISE nodes would serve the DR-site wireless user requests.

For me that is not possible, at least not without extra work (it's not turn-on-and-go).

Do you guys agree?

 

Thank you,


I agree with you and with what Arne Bier said.

No integration or test done with VMware SRM at present.
