Cisco ISE Cluster Design (across several countries)

Jay233
Level 1

Hi All,

Looking for some design guides for an ISE deployment using Azure across multiple countries.

Any assistance would be appreciated.

Cheers,


2 Accepted Solutions

balaji.bandi
Hall of Fame
Cisco ISE TME Charlie Moreton shows us how to provision and securely connect a distributed, 8-node ISE deployment on 7 platforms across on-premises hypervisors and multiple cloud providers! 00:00 Intro and Agenda 01:00 Previous Related ISE Webinars for Prerequisites: - ISE On-Premises ...
The Identity Services Engine (ISE) network access control application is designed to scale from a single, standalone instance to 54 distributed nodes. Learn from TME Thomas Howard about how we do this with nodes and services across our many supported platforms. 00:00 Intro 00:55 Agenda 01:46 ISE ...

Greg Gibbs
Cisco Employee

If you're considering deploying ISE VMs in Azure, you should also be aware of this issue.
https://learn.microsoft.com/en-us/answers/questions/996062/azure-drops-my-udp-fragmentated-packets-when-they

I've been told that MS is now refusing to enable this feature for customers, which will break EAP-TLS due to the normal fragmentation that happens with the large payload required for certificates. MS suggests dropping the MTU to 1300 on the network devices as a workaround, but that may not be suitable for all environments (like Meraki or other cloud-managed devices).

I would highly recommend testing your use cases extensively before moving to Azure. If you have a hybrid cloud environment, you might also consider deploying ISE in AWS as they do not have this issue.

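To make the fragmentation point above concrete, here is an added example (not code from the post, from Cisco ISE, or from Microsoft) that builds a RADIUS Access-Request carrying one EAP-TLS fragment the way a NAD does per RFC 2865/3579, reassembles and authenticates it the way the RADIUS server does, and then works out whether the resulting IPv4 datagram fragments at a given link MTU and how small the EAP fragment would have to be to avoid that. The shared secret, the NAS attributes, the 1398-byte EAP-TLS fragment and the 1500/1300 MTU values are all constructed for illustration; a real NAD adds vendor-specific attributes on top, so its overhead is larger than shown here. Whether a particular NAD or supplicant actually honours the smaller fragment size (for example via the Framed-MTU it advertises) is exactly what has to be tested per platform, as the reply recommends.

```python
import hashlib
import hmac
import math
import struct

# Framing constants (RFC 2865 / RFC 3579); all sizes are in bytes.
IP_UDP_OVERHEAD = 20 + 8        # IPv4 header + UDP header
RADIUS_HEADER = 20              # code, identifier, length, authenticator
MAX_ATTR_VALUE = 253            # one-byte attribute length includes its 2-byte header
EAP_MESSAGE, MESSAGE_AUTHENTICATOR = 79, 80
MSG_AUTH_ATTR_LEN = 2 + 16


def attr(atype: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as type, length, value."""
    if len(value) > MAX_ATTR_VALUE:
        raise ValueError("attribute value too long")
    return bytes([atype, len(value) + 2]) + value


def eap_message_attrs(eap_packet: bytes) -> bytes:
    """Carry an EAP packet as consecutive EAP-Message attributes (RFC 3579 section 3.1)."""
    return b"".join(attr(EAP_MESSAGE, eap_packet[i:i + MAX_ATTR_VALUE])
                    for i in range(0, len(eap_packet), MAX_ATTR_VALUE))


def build_access_request(eap_packet: bytes, nas_attrs: bytes, secret: bytes,
                         ident: int = 1, authenticator: bytes = bytes(range(16))) -> bytes:
    """NAD side: assemble an Access-Request and fill in Message-Authenticator (HMAC-MD5).
    The default authenticator is a fixed constructed value; a real NAD uses 16 random bytes."""
    body = nas_attrs + eap_message_attrs(eap_packet) + attr(MESSAGE_AUTHENTICATOR, bytes(16))
    pkt = struct.pack("!BBH", 1, ident, RADIUS_HEADER + len(body)) + authenticator + body
    mac = hmac.new(secret, pkt, hashlib.md5).digest()   # computed with the value zeroed
    return pkt[:-16] + mac


def extract_eap(packet: bytes, secret: bytes) -> bytes:
    """Server side: verify Message-Authenticator and reassemble the EAP packet."""
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("RADIUS length mismatch")
    pos, chunks, mac_pos = RADIUS_HEADER, [], None
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        if atype == EAP_MESSAGE:
            chunks.append(packet[pos + 2:pos + alen])
        elif atype == MESSAGE_AUTHENTICATOR:
            mac_pos = pos + 2
        pos += alen
    if mac_pos is None:
        raise ValueError("Message-Authenticator is mandatory with EAP-Message")
    zeroed = packet[:mac_pos] + bytes(16) + packet[mac_pos + 16:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    if not hmac.compare_digest(expected, packet[mac_pos:mac_pos + 16]):
        raise ValueError("bad Message-Authenticator")
    return b"".join(chunks)


def ip_fragment_count(radius_packet: bytes, mtu: int) -> int:
    """How many IPv4 fragments the UDP datagram becomes on a link with this MTU."""
    datagram = IP_UDP_OVERHEAD + len(radius_packet)
    if datagram <= mtu:
        return 1
    per_fragment = (mtu - 20) // 8 * 8        # fragment payloads are multiples of 8 bytes
    return math.ceil((datagram - 20) / per_fragment)


def max_unfragmented_eap(mtu: int, nas_attrs: bytes) -> int:
    """Largest EAP packet whose Access-Request still fits in one datagram at this MTU."""
    budget = mtu - IP_UDP_OVERHEAD - RADIUS_HEADER - len(nas_attrs) - MSG_AUTH_ATTR_LEN
    for size in range(budget, 0, -1):           # each 253-byte chunk costs 2 header bytes
        if size + 2 * math.ceil(size / MAX_ATTR_VALUE) <= budget:
            return size
    return 0


# Constructed sample input (not captured traffic).
SECRET = b"constructed-shared-secret"
NAS_ATTRS = (attr(1, b"host/lab-pc01")                      # User-Name
             + attr(4, bytes([10, 0, 0, 2]))                # NAS-IP-Address
             + attr(5, struct.pack("!I", 50101))            # NAS-Port
             + attr(6, struct.pack("!I", 2))                # Service-Type = Framed
             + attr(12, struct.pack("!I", 1500))            # Framed-MTU
             + attr(30, b"00-11-22-33-44-55")               # Called-Station-Id
             + attr(31, b"AA-BB-CC-DD-EE-FF")               # Calling-Station-Id
             + attr(61, struct.pack("!I", 15))              # NAS-Port-Type = Ethernet
             + attr(24, bytes(16)))                         # State
# EAP Response (code 2), id 7, length 1398, type 13 (EAP-TLS), flags 0x40 (More fragments),
# followed by zero bytes standing in for a slice of the client certificate chain.
EAP_TLS_FRAGMENT = struct.pack("!BBHBB", 2, 7, 1398, 13, 0x40) + bytes(1398 - 6)


def demo(mtu: int = 1500) -> dict:
    pkt = build_access_request(EAP_TLS_FRAGMENT, NAS_ATTRS, SECRET)
    assert extract_eap(pkt, SECRET) == EAP_TLS_FRAGMENT
    return {"radius_len": len(pkt), "datagram": IP_UDP_OVERHEAD + len(pkt),
            "fragments": ip_fragment_count(pkt, mtu),
            "max_eap_without_fragmentation": max_unfragmented_eap(mtu, NAS_ATTRS)}


if __name__ == "__main__":
    for mtu in (1500, 1300):
        print(mtu, demo(mtu))
```

With these constructed attributes the 1398-byte EAP-TLS fragment yields a 1549-byte RADIUS packet, a 1577-byte datagram, and therefore two IP fragments on a 1500-byte link; it is the second fragment that the linked Azure issue drops. The same attributes leave room for at most a 1321-byte EAP packet at MTU 1500, and 1123 bytes at MTU 1300, which is the kind of number the MTU workaround is trying to push the NAD and supplicant below.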

3 Replies


Hi Greg,

Following on from your reply regarding EAP-TLS challenges using Azure, which BTW was very helpful.

I have 1 forest with 14 child domains spread across the globe, what would be the correct approach for ISE in this instance? Hybrid with PAN, SPAN and M&T's in Azure having on-prem PSN VM/appliances depending on client count per child domain?

Would this alter if we turned to Meraki cloud as opposed to traditional NAD placements? Would this approach just be ISE cloud-based with all personas in Azure?