Solved: Re: ISE deployments and VMs requisites

gugonza2 · ‎05-10-2019

Hi Team,

I have a customer who is thinking in ISE deployments, but they want to create 3 clusters:

1-. 1 PAN + 1 MnT + 9 PSN

2-. 1 PAN + 6 PSN

3-. 1 PAN + 6 PSN

I know when we deploy distribute environment we use to install 2 PANs and 2 MnTs for HA and the PSN according to endpoints or distribution, but I never see deployments without MnT nodes. Is this possible ?

Other point, what are the VMs requirements ? I found the details about CPU and Memory related to VMS or VMM, but the requirements about disks are not clear. What are the IOPs requirements for VMS or VMM in PAN, MnT or PSN ?

Thanks in advance.

Guillermo.

Damien Miller · ‎05-10-2019

A point of contention for me is no clear guidance on iops, but it's also different in every deployment based on load. ISE requires a minimum of 300 MB/s read, and 50 MB/s write but that's just a "good to have" number. I do not recommend raid 5, I have had issues where it passes the sequential 300/50 throughput test, but isn't able to write fast enough to keep up with logs. No disk alarms get sent but the MNT wasn't working. As for disk size, there is guidance in the install guide.

I would always want to run a deployment with 2 admin nodes in a deployment. If you have 1 PAN and it dies, you have to rebuild the deployment, I would want to avoid this because it's a huge work effort. I strongly recommend two admin nodes.

Having 1 MNT wouldn't be too bad since it's easy enough to rebuild and join, you would just lose historical logs. Having no MNT wouldn't be fun. You have no way to troubleshoot endpoint authentication issues or self monitor the deployment. I haven't even looked to see if it's possible to run with no MNT long term, I just know that when we have both MNTs down, it's an eerie feeling riding in the night, and I would not want to do this.

What active endpoint counts are you looking at for the three deployments? What is the reason for splitting them apart?

View solution in original post

Damien Miller · ‎05-10-2019

A point of contention for me is no clear guidance on iops, but it's also different in every deployment based on load. ISE requires a minimum of 300 MB/s read, and 50 MB/s write but that's just a "good to have" number. I do not recommend raid 5, I have had issues where it passes the sequential 300/50 throughput test, but isn't able to write fast enough to keep up with logs. No disk alarms get sent but the MNT wasn't working. As for disk size, there is guidance in the install guide.

I would always want to run a deployment with 2 admin nodes in a deployment. If you have 1 PAN and it dies, you have to rebuild the deployment, I would want to avoid this because it's a huge work effort. I strongly recommend two admin nodes.

Having 1 MNT wouldn't be too bad since it's easy enough to rebuild and join, you would just lose historical logs. Having no MNT wouldn't be fun. You have no way to troubleshoot endpoint authentication issues or self monitor the deployment. I haven't even looked to see if it's possible to run with no MNT long term, I just know that when we have both MNTs down, it's an eerie feeling riding in the night, and I would not want to do this.

What active endpoint counts are you looking at for the three deployments? What is the reason for splitting them apart?

gugonza2 · ‎05-12-2019

Thx Damien,

I´m checking with the customer to understand why this configuration of deployments.

I only suggest the 2xPAN and 2xMnT in deployments. It is the first time that I see this configuration, and the documentation don´t mention about the mandatory requirement of MnT. I´ll explain to the customer and I´ll suggest the MnT with HA in all deployments.

ISE deployments and VMs requisites

ISE Secure Wired Access Prescriptive Deployment Guide

ISE Posture Prescriptive Deployment Guide

ISE - What we need to know about SNS / VM

Cisco ISE VM deployment Licenses

ISE Appliances vs VMs vs Cloud Deployment Comparison