cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1080
Views
0
Helpful
5
Replies

ISE Deployment Options

mohsayee
Cisco Employee
Cisco Employee

I have a Customer, planning to purchase Cisco ISE. 

There 500 users distributed across 9 locations(8 in India and 1-US). In US there are only 50 Users.  Around 100 Users are mobile workers who frequently travel across this locations. They need Complete NAC solution with dotlx, Profiling and posturing. They have Mixed End points(Windows, Mac and Linux). AD is hosted in Central Location India.

All the branches are connected via P2P link and they also have WAN redundancy.

 

My Question is:

1. whether i need to Choose Centralized deployment with HA? (Both ISE appliance in India)

2. Or I need to Suggest Separate ISE instances in India and US as latency can be a factor to be considered?

1 Accepted Solution

Accepted Solutions

Splitting the deployment would be viable if they meet a couple requirements.
1. Less than 300 ms round trip time between the primary admin node and all other nodes. For US to India this is often quite close to the limit.
2. If you were going to have an ISE node or two in the US with a small user base, then you would also need Active Directory, or local access to the directory you are authenticating users with. If you have an ISE node, but no user/machine lookup, then it wouldn't help much in a WAN outage.

The link and live session brksec-3432 Jason shared covers a lot of this in more detail. If you end up planning more than 2 nodes (standalone deployment), then keep in mind that the hybrid deployment would require 2x PAN/MNT, then 2 or more dedicated PSNs. You are not supposed to run PSN services on the hybrid PAN/MNT.

View solution in original post

5 Replies 5

Damien Miller
VIP Alumni
VIP Alumni
Due to the layout of users and sites I would lean towards two 3615 appliances in India. Opting to not deploy US based nodes. It largely would depend on the WAN connection reliability and latency.

The latency between India and the USA is more of an issue for ISE deployment node to node communication between themselves, rather than endpoint authentication latency. We want to keep node to node latency under 300 ms, and that's pretty close to what I have seen going between the two countries.

Endpoint authentication is less susceptible to latency, and we can plan for it with the radius timers. Typical timers are set between 5 - 10 seconds, often not needing anywhere near that much time for responses.

Hi Damien,

Thanks for all the information.

 

Just in case, what is your opinion on proposing Split deployment? One ISE is US and one in India?

Customer is just worried because there were some outcomes of Internet B.W outage.

Splitting the deployment would be viable if they meet a couple requirements.
1. Less than 300 ms round trip time between the primary admin node and all other nodes. For US to India this is often quite close to the limit.
2. If you were going to have an ISE node or two in the US with a small user base, then you would also need Active Directory, or local access to the directory you are authenticating users with. If you have an ISE node, but no user/machine lookup, then it wouldn't help much in a WAN outage.

The link and live session brksec-3432 Jason shared covers a lot of this in more detail. If you end up planning more than 2 nodes (standalone deployment), then keep in mind that the hybrid deployment would require 2x PAN/MNT, then 2 or more dedicated PSNs. You are not supposed to run PSN services on the hybrid PAN/MNT.

Thanks Damien for all the information shared. It was of great help

 

Thanks Jason for sharing the live session link. I have gone through it and got a better picture interms of deployment 

 


@Damien Miller wrote:
Due to the layout of users and sites I would lean towards two 3615 appliances in India. Opting to not deploy US based nodes. It largely would depend on the WAN connection reliability and latency.

The latency between India and the USA is more of an issue for ISE deployment node to node communication between themselves, rather than endpoint authentication latency. We want to keep node to node latency under 300 ms, and that's pretty close to what I have seen going between the two countries.

Endpoint authentication is less susceptible to latency, and we can plan for it with the radius timers. Typical timers are set between 5 - 10 seconds, often not needing anywhere near that much time for responses.

Also look at http://cs.co/ise-training and watch BRKSEC-3432, there are slides explaining different models