ISE Deployment Options

mohsayee
Cisco Employee

I have a Customer, planning to purchase Cisco ISE. 

There are 500 users distributed across 9 locations (8 in India and 1 in the US). In the US there are only 50 users. Around 100 users are mobile workers who frequently travel across these locations. They need a complete NAC solution with dot1x, profiling and posturing. They have mixed endpoints (Windows, Mac and Linux). AD is hosted in a central location in India.

All the branches are connected via P2P link and they also have WAN redundancy.

 

My Question is:

1. Whether I need to choose a centralized deployment with HA? (Both ISE appliances in India)

2. Or do I need to suggest separate ISE instances in India and the US, as latency can be a factor to be considered?


5 Replies

Damien Miller
VIP Alumni
Due to the layout of users and sites I would lean towards two 3615 appliances in India, opting not to deploy US-based nodes. It largely would depend on the WAN connection reliability and latency.

The latency between India and the USA is more of an issue for ISE deployment node-to-node communication between themselves, rather than endpoint authentication latency. We want to keep node-to-node latency under 300 ms, and that's pretty close to what I have seen going between the two countries.

Endpoint authentication is less susceptible to latency, and we can plan for it with the RADIUS timers. Typical timers are set between 5 - 10 seconds, often not needing anywhere near that much time for responses.

Hi Damien,

Thanks for all the information.

 

Just in case, what is your opinion on proposing a split deployment? One ISE in the US and one in India?

The customer is just worried because there were some outcomes of an Internet bandwidth outage.

Splitting the deployment would be viable if they meet a couple of requirements.
1. Less than 300 ms round trip time between the primary admin node and all other nodes. For US to India this is often quite close to the limit.
2. If you were going to have an ISE node or two in the US with a small user base, then you would also need Active Directory, or local access to the directory you are authenticating users with. If you have an ISE node but no user/machine lookup, then it wouldn't help much in a WAN outage.

The link and live session BRKSEC-3432 Jason shared cover a lot of this in more detail. If you end up planning more than 2 nodes (standalone deployment), then keep in mind that the hybrid deployment would require 2x PAN/MnT, then 2 or more dedicated PSNs. You are not supposed to run PSN services on the hybrid PAN/MnT.
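The two replies above reduce the decision to three checks: node-to-node RTT from the PAN must stay under 300 ms (judged on the tail, since India to US "is often quite close to the limit"), the NAD's RADIUS timers must comfortably cover one request/response across the WAN, and a remote PSN only helps in a WAN outage if its directory is reachable locally. The script below is an added planning helper, not code from the thread or from Cisco; the RTT samples, the site records, the 100 ms server processing allowance and the 10 EAP-TLS exchanges per authentication are constructed assumptions, and the "gives up after" figure assumes the Cisco IOS semantics of one initial attempt plus `retransmit` retries, each waiting `timeout` seconds.

```python
"""Added planning helper (not from the thread): checks a proposed ISE design
against the constraints discussed above. All RTT samples and site data are
constructed for illustration."""
import math
from statistics import mean

NODE_TO_NODE_RTT_LIMIT_MS = 300   # PAN <-> every other node, as stated in the thread

# Constructed RTT samples (ms). The India<->US set has a mean well under the limit
# but a tail that crosses it, which is the "close to the limit" case the thread warns about.
INDIA_US_RTT_MS = [238, 241, 245, 239, 252, 260, 244, 248, 271, 243,
                   305, 246, 240, 255, 247, 249, 244, 310, 251, 246]
# Constructed: India branch <-> India DC over the P2P link.
INDIA_BRANCH_RTT_MS = [18, 21, 19, 22, 20, 25, 19, 18, 23, 20]


def p95(samples):
    """Nearest-rank 95th percentile; replication breaks on tail latency, not the mean."""
    ordered = sorted(samples)
    return ordered[math.ceil(0.95 * len(ordered)) - 1]


def node_to_node_ok(samples, limit_ms=NODE_TO_NODE_RTT_LIMIT_MS):
    """Can a node at the far end of this link join the deployment? Checked on p95."""
    return p95(samples) < limit_ms


def radius_budget(samples, timeout_s=5, retransmit=3, server_ms=100, eap_exchanges=10):
    """Model one dot1x authentication where the NAD is across the WAN from its PSN.
    The NAD's RADIUS timeout applies to each Access-Request/Challenge pair, not to
    the whole EAP conversation, so the per-request figure is what must fit.
    eap_exchanges=10 is an assumed EAP-TLS round-trip count; server_ms is assumed."""
    per_request_ms = max(samples) + server_ms
    return {
        "per_request_ms": per_request_ms,
        "fits_timeout": per_request_ms < timeout_s * 1000,
        # Assumed IOS semantics: initial attempt plus `retransmit` retries.
        "nad_gives_up_after_ms": timeout_s * (retransmit + 1) * 1000,
        "full_auth_estimate_ms": eap_exchanges * per_request_ms,
    }


def survives_wan_outage(site):
    """The accepted answer's second requirement: a local PSN keeps users
    authenticating through a WAN cut only if the directory it joins is local too.
    `site` is a constructed dict, not an ISE object."""
    return site["local_psn"] and site["local_domain_controller"]


def plan_report():
    """Summarise the centralised-vs-split question for the constructed data."""
    us_psn_only = {"name": "US (PSN only)", "local_psn": True,
                   "local_domain_controller": False}
    us_psn_and_dc = {"name": "US (PSN + DC)", "local_psn": True,
                     "local_domain_controller": True}
    return {
        "india_us_rtt_mean_ms": round(mean(INDIA_US_RTT_MS), 1),
        "india_us_rtt_p95_ms": p95(INDIA_US_RTT_MS),
        "us_psn_supported": node_to_node_ok(INDIA_US_RTT_MS),
        "india_branch_psn_supported": node_to_node_ok(INDIA_BRANCH_RTT_MS),
        "us_auth_budget": radius_budget(INDIA_US_RTT_MS),
        "us_psn_only_survives_outage": survives_wan_outage(us_psn_only),
        "us_psn_and_dc_survives_outage": survives_wan_outage(us_psn_and_dc),
    }


if __name__ == "__main__":
    for key, value in plan_report().items():
        print(f"{key}: {value}")
```

With these samples the mean India to US RTT is about 254 ms, which looks fine, but the p95 is 305 ms, so a US PSN would not be supported; meanwhile a single RADIUS exchange across the same link takes roughly 410 ms against a 5 s timeout, and a full EAP-TLS authentication is estimated at about 4 s, which is why endpoint authentication over the WAN is the lesser concern. The outage check shows a US PSN without a local domain controller buys nothing when the WAN is down.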

Thanks Damien for all the information shared. It was of great help

 

Thanks Jason for sharing the live session link. I have gone through it and got a better picture in terms of deployment.

 


@Damien Miller wrote:
Due to the layout of users and sites I would lean towards two 3615 appliances in India, opting not to deploy US-based nodes. It largely would depend on the WAN connection reliability and latency.

The latency between India and the USA is more of an issue for ISE deployment node-to-node communication between themselves, rather than endpoint authentication latency. We want to keep node-to-node latency under 300 ms, and that's pretty close to what I have seen going between the two countries.

Endpoint authentication is less susceptible to latency, and we can plan for it with the RADIUS timers. Typical timers are set between 5 - 10 seconds, often not needing anywhere near that much time for responses.

Also look at http://cs.co/ise-training and watch BRKSEC-3432; there are slides explaining the different models.