04-09-2023 01:27 AM
Hi All
Hope you are doing well
I'm planning to deploy Cisco ISE 3.0 for device admin and guest access. A pair of PAN, MNT and PSN will be installed at 2 locations for redundancy.
I was just going through a few documents which say that for guest access the best practice is to deploy the PSN in the DMZ.
I want to confirm: as I have already ordered 4 ISE VMs with TACACS and Advantage subscription, can you please suggest the best way to deploy ISE with device admin and guest access?
04-09-2023 01:36 AM
@Bhardwajp refer to the ISE Guest deployment guide, this has several deployment options. You could either have a dedicated PSN in the DMZ or the PSN in the LAN with an interface in the DMZ. It depends on your environment and what your requirements are from a security perspective.
04-09-2023 11:17 AM
Hi @Bhardwajp, it would depend mostly on the kind of deployment you want to create and your needs. In any case you might need to review that the ports related to guest/RADIUS and TACACS are not being blocked across your network; please refer to https://www.cisco.com/c/en/us/td/docs/security/ise/3-0/install_guide/b_ise_InstallationGuide30/b_ise_InstallationGuide27_chapter_0110.pdf
As for the licensing that you acquired, this is OK, as the guest flows use Essentials licensing, which is already contained in the Advantage licensing you got, and the device administration licenses are the ones that will be used by TACACS. For your reference: https://www.cisco.com/c/en/us/td/docs/security/ise/3-0/admin_guide/b_ISE_admin_3_0/m_Licensing30.html
Rate and comment if that helped you.
04-09-2023 11:21 PM
@Rob Ingram @Rodrigo Diaz Thanks for your valuable feedback
Can you please help me with the image I can use when PAN, PSN and MNT (pair 1 for Active (PAN, MNT and PSN) and Standby (Standby PAN and MNT, Active PSN)) will be on the same node, out of the below:
ISE-3.1.0.518b-virtual-SNS3615-SNS3655-300.ova
ISE-3.1.0.518b-virtual-SNS3615-SNS3655-600.ova
ISE-3.1.0.518b-virtual-SNS3655-SNS3695-1200.ova
ISE-3.1.0.518b-virtual-SNS3695-1800.ova
ISE-3.1.0.518b-virtual-SNS3695-2400.ova
ISE-3.1.0.518b-ESXi-6.5-virtual-SNS3615-SNS3655-300.ova
ISE-3.1.0.518b-ESXi-6.5-virtual-SNS3615-SNS3655-600.ova
ISE-3.1.0.518b-ESXi-6.5-virtual-SNS3655-SNS3695-1200.ova
ISE-3.1.0.518b-ESXi-6.5-virtual-SNS3695-1800.ova
ISE-3.1.0.518b-ESXi-6.5-virtual-SNS3695-2400.ova
04-09-2023 11:29 PM
Looking at the sizing guide, it depends on the business requirement and future growth (since there is no option for increasing the capacity without re-imaging the VM).
04-10-2023 12:14 AM
@Bhardwajp what version of VMware are you using? Assuming you are using VMware.
If using VMware 6.5 you must use the OVA templates with ESXi-6.5 in the filenames; if using a newer version of VMware, use the OVA template with virtual. https://www.cisco.com/c/en/us/td/docs/security/ise/3-1/install_guide/b_ise_InstallationGuide31/b_ise_InstallationGuide31_chapter_2.html
3615/3655/3695 relates to the specification (CPU/Memory) of the VM, you need to determine how many sessions this cluster will support, that will determine the required specifications.
300/600/1200 relates to the size of the disk. 300 should suffice for the PSN nodes, 600 or 1200 for the PAN/MnT nodes, again this relates to the requirements this cluster is scaled for.
Refer to the Performance and Scale guide already provided elsewhere for more on the information provided.
04-11-2023 06:45 AM - edited 04-11-2023 06:46 AM
Hi Rob,
I will be running PAN, MNT and PSN on one VM, so I'm just asking: if I run 3 personas on one VM with SNS3615-SNS3655-600.ova or SNS3655-SNS3695-1200.ova, which one will be the better option?
04-11-2023 07:03 AM
@Bhardwajp it depends how you need to scale the ISE cluster. If you run all the personas on one node then you limit the amount of concurrent sessions.
How many concurrent sessions do you envisage?
Note - there are the new 37xx series now available.
04-11-2023 08:17 AM
Hi Rob,
Concurrent sessions will not be more than 4000.
04-11-2023 08:28 AM
@Bhardwajp for 4000 concurrent sessions, a small deployment (3615 or 3715) should suffice with all personas enabled.
04-12-2023 09:22 PM
Hi @Bhardwajp ,
1st if you are using Cisco ISE 3.0, remember that " ... Cisco ISE 3.1 Patch 6 and later versions support Cisco SNS 3700 series appliances ... " (at Cisco ISE Release Notes 3.1).
2nd please take a look at Performance and Scalability Guide for Cisco Identity Services Engine, search for ISE Deployment Scale.
Hope this helps !!!!