Buy or Renew
Buy or Renew
NEW! Stay up-to-date on Cisco Secure Access: Software Release Notes and Announcements
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
875
Views
10
Helpful
3
Replies

ISE Nodes Deployment Question

Tim Glen
Cisco Employee
Cisco Employee

‎03-08-2018 06:51 AM - edited ‎02-21-2020 10:47 AM

Hi All,

 

I have two sites.  Corp and Remote.  

Corp has about 500 wired users & 50 wired printers copiers.

Corp has about 1000 wireless users devices. At Corp, I will configure ISE for wireless, wired & VPN profiling, and wireless self-registration portal.

Corp has an ASA that has SSL VPN configured. ISE will authenticate via RADIUS the Remote Access VPN Clients. About 30 authentications per hour.

Corp has about 100 Cisco devices. ISE will be the TACACS server that authenticates \ authorizes admin logins,  about 20 per day.

 

 

Remote has about 50 wired users \ devices and no wireless.

Remote has an ASA that has SSL VPN configured. ISE will authenticate via RADIUS the Remote Access VPN Clients. About 100 authentications per day.

 

 

I’m planning on a distributed deployment this way.

Corp – 2 Nodes

Node 1 will be Primary Admin & Policy Service

Node 2 will be Primary Monitoring & Policy Service

 

Remote – 1 Node

Node 1 will be Secondary Admin, Secondary Monitoring & Policy Service

 

The Network Deployments in Cisco ISE recommends Monitoring and Policy Service not be on the same node so I’m concerned about this setup at the Remote site, even though the policy service will not be too busy.

 

Is this deployment model suggested? If you would do it differently please say so and state why.

 

Thank you all very much!

 

 

 

Labels:
0 Helpful
3 Replies 3

Rob Ingram
VIP
VIP

‎03-08-2018 08:34 AM

Hi,

You don't have a large deployment and I don't believe you should have a problem running PAN + MnT + PSN roles on 1 node in Corp and then the same again in Remote, or just implement what you've suggested, that should be fine depending on the ISE node resources (hardware or VM) in use.

 

Check out this ISE scaling/performance webpage https://communities.cisco.com/docs/DOC-68347 it has good information, it indicates the maximums for each model of ISE model, you should be within the limits of even the older hardware models.

ajc
Level 7
Level 7

‎03-08-2018 08:41 AM

1.-Do not use 3495 running multiple personas no matter you do not have much traffic. I have seen  operational issues.

2.-Looks like you can combine multiple personas on the same node based on the number of transactions you have even though you would also integrate TACACS and RADIUS on the same ISE. Take a look on the following tables.

3.-I would suggest you to use ISE 2.3 instead of 2.2.

 

deploy3.pngdeploy4.pngdeploy.pngdeploy1.png

 

 

Tim Glen
Cisco Employee
Cisco Employee
In response to ajc

‎03-08-2018 10:29 AM

Thank you both for your tips.

 

I won’t be using the 3495 at all.   All of my ISE VM’s will be based off the 3595 OVA.  All will be thick provisioned as well.  I will be using ISE 2.3.

0 Helpful
Customers Also Viewed These Support Documents