Cisco ISE deployment with Device admin and guest

Bhardwajp
Level 1

Hi All,

Hope you are doing well.

I'm planning to deploy Cisco ISE 3.0 for device admin and guest access. I am planning to install a pair of PAN, MnT and PSN nodes at 2 locations for redundancy.

I was just going through a few documents which say that, for guest access, the best practice is to deploy the PSN in the DMZ.

I want to confirm, as I have already ordered 4 ISE VMs with TACACS and Advantage subscriptions: can you please suggest the best way to deploy ISE with device admin and guest access?


@Bhardwajp refer to the ISE Guest deployment guide; it has several deployment options. You could either have a dedicated PSN in the DMZ, or the PSN in the LAN with an interface in the DMZ. It depends on your environment and what your requirements are from a security perspective.

https://community.cisco.com/t5/security-knowledge-base/ise-guest-access-prescriptive-deployment-guide/ta-p/3640475#toc-hId-1418163900

Rodrigo Diaz
Cisco Employee

Hi @Bhardwajp, it would depend mostly on the kind of deployment you want to create and your needs. In any case you might need to check that the ports related to guest/RADIUS and TACACS are not being blocked in your network; please refer to https://www.cisco.com/c/en/us/td/docs/security/ise/3-0/install_guide/b_ise_InstallationGuide30/b_ise_InstallationGuide27_chapter_0110.pdf

As for the licensing you acquired, this is OK: the guest flows use Essentials licensing, which is already contained in the Advantage licensing you have, and the Device Administration licenses are the ones that will be used by TACACS. For your reference: https://www.cisco.com/c/en/us/td/docs/security/ise/3-0/admin_guide/b_ISE_admin_3_0/m_Licensing30.html

Rate and comment if that helped you. 

@Rob Ingram @Rodrigo Diaz Thanks for your valuable feedback.

Can you please help me with the image I can use when PAN, PSN and MnT (pair 1 for Active (PAN, MnT and PSN) and Standby (Standby PAN and MnT (Active PSN))) will be on the same node, out of the below:

ISE-3.1.0.518b-virtual-SNS3615-SNS3655-300.ova

ISE-3.1.0.518b-virtual-SNS3615-SNS3655-600.ova

ISE-3.1.0.518b-virtual-SNS3655-SNS3695-1200.ova

ISE-3.1.0.518b-virtual-SNS3695-1800.ova

ISE-3.1.0.518b-virtual-SNS3695-2400.ova

ISE-3.1.0.518b-ESXi-6.5-virtual-SNS3615-SNS3655-300.ova

ISE-3.1.0.518b-ESXi-6.5-virtual-SNS3615-SNS3655-600.ova

ISE-3.1.0.518b-ESXi-6.5-virtual-SNS3655-SNS3695-1200.ova

ISE-3.1.0.518b-ESXi-6.5-virtual-SNS3695-1800.ova

ISE-3.1.0.518b-ESXi-6.5-virtual-SNS3695-2400.ova

Looking at the sizing guide, it depends on the business requirement and future growth (since there is no option for increasing the capacity without re-imaging the VM).

https://www.cisco.com/c/en/us/td/docs/security/ise/performance_and_scalability/b_ise_perf_and_scale.html


BB


@Bhardwajp what version of VMware are you using? Assuming you are using VMware.

If using VMware 6.5 you must use the OVA templates with ESXi-6.5 in the filenames; if using a newer version of VMware, use the OVA templates with just "virtual". https://www.cisco.com/c/en/us/td/docs/security/ise/3-1/install_guide/b_ise_InstallationGuide31/b_ise_InstallationGuide31_chapter_2.html

3615/3655/3695 relates to the specification (CPU/memory) of the VM. You need to determine how many sessions this cluster will support; that will determine the required specification.

300/600/1200 relates to the size of the disk. 300 should suffice for the PSN nodes, 600 or 1200 for the PAN/MnT nodes; again this relates to the requirements this cluster is scaled for.

Refer to the Performance and Scale guide already provided elsewhere for more on the information provided.
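The OVA naming rules Rob describes (an ESXi-6.5 build versus the generic "virtual" build, the SNS model numbers in the name for the CPU/memory profile, and the trailing number for disk size in GB) can be applied mechanically. The following is an added Python example, not code from the thread or from Cisco: the filename grammar, the `OvaTemplate` and `select_ova` names, and the "ESXi 6.5 means the ESXi-6.5 template, anything newer means the generic one" cutoff are my assumptions derived from the post above, and the file list is the one quoted earlier in the thread.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Constructed input: the ten OVA filenames quoted in the thread above.
OVA_FILES = [
    "ISE-3.1.0.518b-virtual-SNS3615-SNS3655-300.ova",
    "ISE-3.1.0.518b-virtual-SNS3615-SNS3655-600.ova",
    "ISE-3.1.0.518b-virtual-SNS3655-SNS3695-1200.ova",
    "ISE-3.1.0.518b-virtual-SNS3695-1800.ova",
    "ISE-3.1.0.518b-virtual-SNS3695-2400.ova",
    "ISE-3.1.0.518b-ESXi-6.5-virtual-SNS3615-SNS3655-300.ova",
    "ISE-3.1.0.518b-ESXi-6.5-virtual-SNS3615-SNS3655-600.ova",
    "ISE-3.1.0.518b-ESXi-6.5-virtual-SNS3655-SNS3695-1200.ova",
    "ISE-3.1.0.518b-ESXi-6.5-virtual-SNS3695-1800.ova",
    "ISE-3.1.0.518b-ESXi-6.5-virtual-SNS3695-2400.ova",
]

# Assumed filename grammar (derived from the names above, not a Cisco spec):
#   ISE-<version>-[ESXi-<ver>-]virtual-<SNSmodel>[-<SNSmodel>...]-<diskGB>.ova
_OVA_RE = re.compile(
    r"^ISE-(?P<version>[\w.]+?)-"
    r"(?:(?P<esxi>ESXi-[\d.]+)-)?"
    r"virtual-(?P<models>(?:SNS\d+-)*SNS\d+)-(?P<disk>\d+)\.ova$"
)


@dataclass(frozen=True)
class OvaTemplate:
    filename: str
    version: str
    esxi_target: Optional[str]      # "6.5" for ESXi-6.5 builds, None for generic "virtual"
    models: Tuple[str, ...]         # SNS appliance profiles the template is sized for
    disk_gb: int


def parse_ova_filename(name: str) -> OvaTemplate:
    """Split an ISE OVA filename into its version, hypervisor target, models and disk."""
    m = _OVA_RE.match(name)
    if not m:
        raise ValueError(f"not an ISE OVA filename: {name}")
    esxi = m.group("esxi")
    return OvaTemplate(
        filename=name,
        version=m.group("version"),
        esxi_target=esxi.split("-", 1)[1] if esxi else None,
        models=tuple(m.group("models").split("-")),
        disk_gb=int(m.group("disk")),
    )


def select_ova(files: Iterable[str], esxi_version: str, model: str, min_disk_gb: int) -> OvaTemplate:
    """Return the smallest template that fits the host, the chosen SNS profile and the disk need.

    Rule from the thread: ESXi 6.5 hosts must use the ESXi-6.5 templates; newer hosts use the
    generic 'virtual' templates. Older hosts are not covered by the templates listed, so refuse.
    """
    major, minor = (int(x) for x in esxi_version.split(".")[:2])
    if (major, minor) < (6, 5):
        raise ValueError(f"ESXi {esxi_version} is not covered by the listed templates")
    want_legacy = (major, minor) == (6, 5)

    candidates: List[OvaTemplate] = []
    for name in files:
        t = parse_ova_filename(name)
        if want_legacy != (t.esxi_target is not None):
            continue                     # wrong hypervisor build
        if model not in t.models:
            continue                     # template not sized for this SNS profile
        if t.disk_gb < min_disk_gb:
            continue                     # disk cannot be grown later without re-imaging
        candidates.append(t)
    if not candidates:
        raise LookupError(f"no template for ESXi {esxi_version}, {model}, >= {min_disk_gb} GB")
    return min(candidates, key=lambda t: t.disk_gb)


if __name__ == "__main__":
    # All-personas node on a modern ESXi host, small profile, PAN/MnT-sized disk.
    print(select_ova(OVA_FILES, "7.0", "SNS3615", 600).filename)
    # Same node on an ESXi 6.5 host.
    print(select_ova(OVA_FILES, "6.5", "SNS3615", 600).filename)
```

Note that the disk threshold is treated as a hard floor: because the thread points out that capacity cannot be increased without re-imaging, the selector never returns a template smaller than what you asked for, and it fails loudly rather than silently picking the next profile up (a 3615 profile with a 1200 GB disk does not exist in this list).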

Hi Rob,

I will be running PAN, MnT and PSN on one VM, so I'm just asking: if I run 3 personas on one VM, with SNS3615-SNS3655-600.ova or SNS3655-SNS3695-1200.ova, which one will be the better option?

@Bhardwajp it depends on how you need to scale the ISE cluster. If you run all the personas on one node then you limit the number of concurrent sessions.

How many concurrent sessions do you envisage?

https://www.cisco.com/c/en/us/td/docs/security/ise/performance_and_scalability/b_ise_perf_and_scale.html

Note - there are the new 37xx series now available.

Hi Rob,

Concurrent sessions will not be more than 4000.

@Bhardwajp for 4000 concurrent sessions, a small deployment (3615 or 3715) should suffice with all personas enabled.

Hi @Bhardwajp,

1st, if you are using Cisco ISE 3.0, remember that "... Cisco ISE 3.1 Patch 6 and later versions support Cisco SNS 3700 series appliances ..." (at Cisco ISE Release Notes 3.1).

2nd, please take a look at the Performance and Scalability Guide for Cisco Identity Services Engine, and search for ISE Deployment Scale.

Hope this helps!