Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
5085
Views
0
Helpful
10
Replies

ISE 2.4 High availability questions

Go to solution
nguyenlam
Level 1
Level 1

‎10-25-2018 08:48 AM - edited ‎03-11-2019 01:51 AM

Dear buddy,

 

I started deploy ISE 2.4 in my lab before go to real deployment. Now i'm setup 2 ISE nodes in stand alone HA deployment. I have some question need you guys help:

1. I want to deploy two ISE nodes in different DC for redundancy, but i don't know which TCP/IP ports two ones use to communicate with each other for registration and replication data. I need those ports for open firewall rule.

2. What's extract data replicated between two nodes? Database/configuration/...? How frequency it is synchronized between them?

3. How can i monitor heath of those nodes? (my company only purchase two VMs license so we can not deploy automatic heath check nodes). Can i monitor those node by network monitor tool using SNMP?

4. My company want to migrate from ACS 4.2 to ISE 2.4 for device administrator. Can i export username/password/network device group/policy from ACS to ISE?

5. Which data can i backup from ISE for restoring in the future? Configuration/database/...?

 

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Damien Miller
VIP Alumni
VIP Alumni

‎10-25-2018 09:13 AM

1. I want to deploy two ISE nodes in different DC for redundancy, but i don't know which TCP/IP ports two ones use to communicate with each other for registration and replication data. I need those ports for open firewall rule.

https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/install_guide/b_ise_InstallationGuide24/b_ise_InstallationGuide24_chapter_0110.html

 

2. What's extract data replicated between two nodes? Database/configuration/...? How frequency it is synchronized between them?

There is a significant number of different data streams that will pass between these two nodes.  I would look at the link above for ports and communication between node roles.  Your configuration replication between the two nodes is essentially real time as will authentication logs.  

 

3. How can i monitor heath of those nodes? (my company only purchase two VMs license so we can not deploy automatic heath check nodes). Can i monitor those node by network monitor tool using SNMP?

There are a number of SNMP polls supported, you can also enable smtp email alerts for a long list of issues.  Look at my previous post here for more info on SNMP monitoring.
https://community.cisco.com/t5/identity-services-engine-ise/monitor-ise-process-through-snmp/m-p/3718768/highlight/true#M18685

 

4. My company want to migrate from ACS 4.2 to ISE 2.4 for device administrator. Can i export username/password/network device group/policy from ACS to ISE?

You will not be able to migrate ACS 4.2 to 2.4 via the migration tool Cisco has built. This would be possible if you were running ACS 5.5 or newer.  

You will not be able to migrate user accounts from ACS to ISE

You can import ACS NADs to ISE via a CSV file.  You will have to manipulate the data.

You will have to build your ACS policies manually in ISE

 

 

5. Which data can i backup from ISE for restoring in the future? Configuration/database/...?

You can backup the ISE configuration (all GUI and ADE-OS config) based on the backup/restore page.  You will create a schedule, and ISE will backup itself and export to a repository of your choosing.  This can be restored to a new standalone ISE node if you deployment was to fail. 

You can also backup your radius/tacacs logs via the same backup restore portal, this is called the operation data.

If you build your ISE deployment in the lab, you can backup the config, restore it on a new node in production, then join the second production node to the deployment.  

 

 

As an additional note, you need to make sure you stay under 300ms round trip time latency between your two ISE nodes. 

View solution in original post

0 Helpful
10 Replies 10

Go to solution
Damien Miller
VIP Alumni
VIP Alumni

‎10-25-2018 09:13 AM

1. I want to deploy two ISE nodes in different DC for redundancy, but i don't know which TCP/IP ports two ones use to communicate with each other for registration and replication data. I need those ports for open firewall rule.

https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/install_guide/b_ise_InstallationGuide24/b_ise_InstallationGuide24_chapter_0110.html

 

2. What's extract data replicated between two nodes? Database/configuration/...? How frequency it is synchronized between them?

There is a significant number of different data streams that will pass between these two nodes.  I would look at the link above for ports and communication between node roles.  Your configuration replication between the two nodes is essentially real time as will authentication logs.  

 

3. How can i monitor heath of those nodes? (my company only purchase two VMs license so we can not deploy automatic heath check nodes). Can i monitor those node by network monitor tool using SNMP?

There are a number of SNMP polls supported, you can also enable smtp email alerts for a long list of issues.  Look at my previous post here for more info on SNMP monitoring.
https://community.cisco.com/t5/identity-services-engine-ise/monitor-ise-process-through-snmp/m-p/3718768/highlight/true#M18685

 

4. My company want to migrate from ACS 4.2 to ISE 2.4 for device administrator. Can i export username/password/network device group/policy from ACS to ISE?

You will not be able to migrate ACS 4.2 to 2.4 via the migration tool Cisco has built. This would be possible if you were running ACS 5.5 or newer.  

You will not be able to migrate user accounts from ACS to ISE

You can import ACS NADs to ISE via a CSV file.  You will have to manipulate the data.

You will have to build your ACS policies manually in ISE

 

 

5. Which data can i backup from ISE for restoring in the future? Configuration/database/...?

You can backup the ISE configuration (all GUI and ADE-OS config) based on the backup/restore page.  You will create a schedule, and ISE will backup itself and export to a repository of your choosing.  This can be restored to a new standalone ISE node if you deployment was to fail. 

You can also backup your radius/tacacs logs via the same backup restore portal, this is called the operation data.

If you build your ISE deployment in the lab, you can backup the config, restore it on a new node in production, then join the second production node to the deployment.  

 

 

As an additional note, you need to make sure you stay under 300ms round trip time latency between your two ISE nodes. 

0 Helpful

Go to solution
nguyenlam
Level 1
Level 1
In response to Damien Miller

‎10-25-2018 10:14 AM

Great  Damien Miller, your answer help me a lot!

 

For backup/restore question. Can i backup/restore local user/user group, certificate, NAD,...?

 

 

0 Helpful

Go to solution
Damien Miller
VIP Alumni
VIP Alumni
In response to nguyenlam

‎10-25-2018 10:20 AM - edited ‎10-25-2018 10:21 AM

You have to back up the certificates, both trusted and system, from either the gui export or via the CLI export. The BU has provided a very thorough backup and restore documentation guide.  The certificate stores are not backed up with the config backup. 
https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/admin_guide/b_ise_admin_guide_24/b_ise_admin_guide_24_new_chapter_01100.html

The local users/groups will be included in the standard ISE config backup you run.

0 Helpful

Go to solution
leolink1
Level 1
Level 1
In response to Damien Miller

‎01-28-2019 06:03 AM

Hi,

 

Does it mean that for production environment, we can setup two standalone virtual ISE in high availability?

0 Helpful

Go to solution
Damien Miller
VIP Alumni
VIP Alumni
In response to leolink1

‎01-28-2019 07:01 AM

Yes, you would deploy two ISE VM's and they would be registered together in a single deployment. Both nodes will host everything you need for HA, Admin (primary/secondary), Monitoring (primary/secondary), Policy Service (TACACS and RADIUS). If one node goes down, the other node can assume the admin and monitoring duties. The policy service role is active on all nodes, active/active.
0 Helpful

Go to solution
leolink1
Level 1
Level 1
In response to Damien Miller

‎01-28-2019 07:15 AM

Hi Damien,
Many thanks for your reply. Is there a helpful link that can help with this high availability deployment for Virtual ISE.

Please share. Thank you.
0 Helpful

Go to solution
leolink1
Level 1
Level 1
In response to Damien Miller

‎01-28-2019 09:55 AM

Hi Damien,
Will the virtual ISE VM require separate licenses or will only one license be sufficient for the two ISE? for one admin license for both.
0 Helpful

Go to solution
Damien Miller
VIP Alumni
VIP Alumni
In response to leolink1

‎01-28-2019 10:10 AM

You require a VM license per node. For two nodes you need either 2x R-ISE-VMS-K9= or R-ISE-VMM-K9= depending on the scale you want.

TACACS will also be licenses per node now. So if you want to enable TACACS on two nodes, you would need 2x L-ISE-TACACS-ND=.

Technically old licensing can be ordered for another two weeks, but I'm not going to muddy the water going in to something that is effectively gone.
0 Helpful

Go to solution
leolink1
Level 1
Level 1
In response to Damien Miller

‎01-29-2019 09:00 AM

Hi Damien,

I found the pieces of information you provided very helpful.
Thank you.
0 Helpful
Customers Also Viewed These Support Documents