Cisco ISE Cluster Design (across several countries)

Jay233
Level 1

Hi All,

Looking for some design guides for an ISE deployment using Azure across multiple countries.

Any assistance would be appreciated.

Cheers,

2 Accepted Solutions

Greg Gibbs
Cisco Employee

If you're considering deploying ISE VMs in Azure, you should also be aware of this issue.
https://learn.microsoft.com/en-us/answers/questions/996062/azure-drops-my-udp-fragmentated-packets-when-they

I've been told that MS is now refusing to enable this feature for customers, which will break EAP-TLS due to the normal fragmentation that happens with the large payload required for certificates. MS suggests dropping the MTU to 1300 on the network devices as a workaround, but that may not be suitable for all environments (like Meraki or other cloud-managed devices).

I would highly recommend testing your use cases extensively before moving to Azure. If you have a hybrid cloud environment, you might also consider deploying ISE in AWS as they do not have this issue.

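Greg's point about certificate payloads can be put into numbers. The following is an added example written for this thread, not code from the original post or from Cisco/ISE: a small sizing model that works out how large each RADIUS datagram carrying an EAP-TLS fragment becomes, and how many IP fragments it would need at a given MTU. The RADIUS header, EAP-Message and Message-Authenticator sizes come from RFC 2865/RFC 2869 and the EAP-TLS header from RFC 5216; the `other_attr_bytes` allowance for State, Proxy-State or vendor attributes and the sample fragment and chain sizes are assumptions, not values from the thread.

```python
"""Sizing model: RADIUS datagrams carrying EAP-TLS fragments versus path MTU.

Added example for this thread, not code from the original post or from
Cisco/ISE. Fixed sizes come from RFC 2865 (RADIUS header), RFC 2869
(EAP-Message, Message-Authenticator) and RFC 5216 (EAP-TLS header). The
allowance for other attributes and the sample sizes below are assumptions.
"""
import math
from dataclasses import dataclass

IPV4_HEADER = 20                 # IPv4 header without options
UDP_HEADER = 8
RADIUS_HEADER = 20               # code, identifier, length, 16-byte authenticator
EAP_HEADER = 4                   # code, identifier, length
EAP_TLS_TYPE_AND_FLAGS = 2       # type (13) + flags byte
EAP_TLS_LENGTH_FIELD = 4         # present when the L flag is set (first fragment)
EAP_MESSAGE_ATTR_HEADER = 2      # type (79) + length
EAP_MESSAGE_MAX_PAYLOAD = 253    # one-byte length field: 255 minus the 2-byte header
MESSAGE_AUTHENTICATOR_ATTR = 18  # type (80), length, 16-byte HMAC-MD5


@dataclass(frozen=True)
class DatagramSize:
    eap_bytes: int       # EAP-TLS packet carried in the RADIUS message
    radius_bytes: int    # whole RADIUS message
    ip_bytes: int        # IPv4 datagram on the wire
    ip_fragments: int    # how many IP fragments it needs at the given MTU


def eap_tls_packet_len(tls_bytes: int, first_fragment: bool = True) -> int:
    """Length of one EAP-TLS packet carrying tls_bytes of TLS record data."""
    length = EAP_HEADER + EAP_TLS_TYPE_AND_FLAGS + tls_bytes
    if first_fragment:
        length += EAP_TLS_LENGTH_FIELD  # L flag: total TLS length precedes the data
    return length


def ip_fragment_count(ip_bytes: int, mtu: int) -> int:
    """IPv4 fragments needed to carry ip_bytes over a link with this MTU."""
    if ip_bytes <= mtu:
        return 1
    per_fragment = (mtu - IPV4_HEADER) // 8 * 8  # fragment offsets are 8-byte units
    return math.ceil((ip_bytes - IPV4_HEADER) / per_fragment)


def size_radius_datagram(tls_bytes: int, mtu: int, first_fragment: bool = True,
                         other_attr_bytes: int = 0) -> DatagramSize:
    """Size one Access-Challenge (or Access-Request) carrying an EAP-TLS fragment.

    other_attr_bytes is an assumed allowance for State, Proxy-State, VSAs and
    similar attributes that a real deployment adds; 0 models the bare minimum.
    """
    eap_len = eap_tls_packet_len(tls_bytes, first_fragment)
    # The EAP packet is chopped into 253-byte EAP-Message attributes.
    n_attrs = math.ceil(eap_len / EAP_MESSAGE_MAX_PAYLOAD)
    radius_len = (RADIUS_HEADER + eap_len + n_attrs * EAP_MESSAGE_ATTR_HEADER
                  + MESSAGE_AUTHENTICATOR_ATTR + other_attr_bytes)
    ip_len = IPV4_HEADER + UDP_HEADER + radius_len
    return DatagramSize(eap_len, radius_len, ip_len, ip_fragment_count(ip_len, mtu))


def max_unfragmented_tls_bytes(mtu: int, other_attr_bytes: int = 0) -> int:
    """Largest TLS fragment whose RADIUS datagram still fits in one IP packet."""
    best = 0
    for tls_bytes in range(1, mtu):  # datagram size grows monotonically with tls_bytes
        if size_radius_datagram(tls_bytes, mtu, True, other_attr_bytes).ip_fragments == 1:
            best = tls_bytes
        else:
            break
    return best


def chain_round_trips(chain_bytes: int, tls_fragment_bytes: int) -> int:
    """EAP-TLS fragments (each one RADIUS round trip) needed for a server chain."""
    return math.ceil(chain_bytes / tls_fragment_bytes)


def fragments_per_mtu(tls_fragment_bytes: int, mtus=(1500, 1300),
                      other_attr_bytes: int = 0) -> dict:
    """Map each MTU to the IP fragments one datagram with this fragment needs."""
    return {mtu: size_radius_datagram(tls_fragment_bytes, mtu, True,
                                      other_attr_bytes).ip_fragments for mtu in mtus}


if __name__ == "__main__":
    ASSUMED_OTHER_ATTRS = 40   # constructed allowance for State/Proxy-State, not measured
    CHAIN_BYTES = 4096         # constructed: server certificate plus intermediate
    for mtu in (1500, 1300):
        limit = max_unfragmented_tls_bytes(mtu, ASSUMED_OTHER_ATTRS)
        trips = chain_round_trips(CHAIN_BYTES, limit)
        print(f"MTU {mtu}: EAP-TLS fragment <= {limit} bytes stays unfragmented; "
              f"a {CHAIN_BYTES}-byte chain then takes {trips} round trips")
    print("1400-byte fragment, IP fragments per MTU:", fragments_per_mtu(1400))
```

Running it shows that an Access-Challenge carrying a 1400-byte TLS fragment fits a 1500-byte MTU in one datagram but needs two IP fragments at 1300, and that staying unfragmented at 1300 means the server's EAP-TLS fragment must stay at or below 1214 bytes (1174 with the assumed 40-byte attribute allowance). That is the number to compare against whatever fragment size your RADIUS server actually emits; RFC 3579 describes the NAD advertising a Framed-MTU so the server can size its EAP fragments, and whether a given NAD and ISE release behave that way on an Azure path is exactly the kind of thing to confirm in a lab before cutting over, as Greg advises.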

3 Replies


Hi Greg,

Following on from your reply regarding EAP-TLS challenges using Azure, which BTW was very helpful. 

I have 1 forest with 14 child domains spread across the globe. What would be the correct approach for ISE in this instance? Hybrid with PAN, SPAN and M&Ts in Azure, having on-prem PSN VMs/appliances depending on client count per child domain?

Would this alter if we turned to Meraki cloud as opposed to traditional NAD placements? Would this approach just be ISE cloud-based with all personas in Azure?