09-07-2022 03:45 AM
Hello,
I have a small question about the deployment of Cisco ISE.
Actually we are running a cluster of 2 members, each hosting PAN-MnT-PSN.
We want to extend the ISE functions to our "industrial network" separated by a DMZ.
To limit the traffic between the 2 zones, I would like to add one (or 2 for redundancy) server running only the PSN service.
Is this kind of deployment allowed and supported by TAC? If yes, do I need a full ISE license, or are there licenses to only run specific services of ISE?
Thanks for your help.
Herve
09-07-2022 05:28 AM
You will need to move to the Medium deployment as mentioned here: https://www.cisco.com/c/en/us/td/docs/security/ise/performance_and_scalability/b_ise_perf_and_scale.html#Cisco_Concept.dita_67b428f0-2240-4383-bd49-5eb7a7b98a35
You will need the following to remain in a supported Topology:
09-07-2022 06:25 AM
For any additional PSN you deploy (if virtual) you need to get a VM License (either VMS or VMC - see ordering guide).
It is not supported to go with 2x PSN, and 2x PSN,PAN,MNT. You need a medium deployment with separate PSN nodes from your PAN/MNT nodes.
See here: https://www.cisco.com/c/en/us/products/collateral/security/identity-services-engine/guide-c07-656177.html
BG
Rick
09-07-2022 07:13 AM
Other question, does ISE support this:
Option 1:
  OT network    | DMZ OT/IT    | IT Network
  LDAP          | 2x PSN       | 2x PAN/MNT, 2x PSN, LDAP

or

Option 2:
  OT network    | DMZ OT/IT    | IT Network
  LDAP, 2x PSN  | 2x PAN/MNT   | 2x PSN, LDAP

Does the PAN server need to contact LDAP in both zones (OT/IT), or just the PSN needs to contact it?
09-07-2022 07:37 AM
Assuming LDAP means AD? Then it's best practice to have all ISE nodes joined to the domain so you can do RBAC login to ISE using AD. If LDAP will strictly be for network authentication only (not AD or used for ISE admin login), then only the PSNs will need to talk to the LDAP server.
09-09-2022 12:05 AM
Indeed I mean AD and it's a different domain in IT and OT.
What would be the best practice in this case as we are using RBAC in the IT side ?
PAN/MnT server installed in DMZ (able to reach AD at both side), PSN in OT and IT zone reaching their "local" AD ?
09-09-2022 07:35 AM
You should integrate all ISE nodes with both ADs. Properly configured AD Sites and Services would allow the ISE nodes to contact their local domain controllers.