ISE Solution design questions?

Manoj Gupta
Level 1

Is it possible to set up ISE in the following way:

3 Locations: Main campus, Site 1 (DR Site) & Site 2

4 ISE Appliances.

Main Campus: 2 Appliances:

Appliance 1: PAN(P) + MnT(P) + PSN (Just for fallback, will be configured as Second RADIUS on all NADs)

Appliance 2: PSN (Will be configured as First RADIUS server on Main Campus NADs)

Site 1 (DR Site): 1 Appliance

Appliance 1: PAN(S) + MnT(S) + PSN (First RADIUS server for local NADs, Third RADIUS on all other NADs)

Site 2: 1 Appliance

Appliance 1: PSN (First RADIUS server for local NADs)

 

Due to some constraints I am not able to test this setup in a lab. When I look at the document, though it is not mentioned specifically, it seems theoretically possible to implement ISE in this way. Any assistance, comments or support is highly appreciated.

3 Replies

nspasov
Cisco Employee

Before I can confirm if this design would work, please answer the following questions:

- How many total active and concurrent endpoints do you plan to support?

- What type of links are you using to interconnect all of the sites and what is the total (available) bandwidth?

- What is the max round trip delay on the connections between the sites?

 

Thank you for rating helpful posts!

Hi Neno,

Following are the answers to your questions:

1. Maximum active users would be 3500, whereas the concurrent users will be maximum 1000.

2. Sites are connected using MPLS, where bandwidth is 256 + 512 Mbps respectively.

3. It's around 30 - 40 ms.

Regards,

Manoj

Thank you for the info, Manoj. Overall, your design is OK for the number of endpoints that you are planning on running. Ideally though, in a distributed deployment, you would dedicate 2 x ISE servers for the Admin/M&T personas and then 2 x ISE servers for the Policy Services persona. You can also make one of the nodes primary for Admin but backup for M&T and vice-versa for a better load distribution. So in your situation you could do:

Site A:

ISE Server #1 - Primary Admin and Secondary M&T 

ISE Server #1 - Primary PSN for Site A and Secondary PSN for Site B

Site B:

ISE Server #1 - Secondary Admin and Primary M&T 

ISE Server #1 - Primary PSN for Site B and Secondary PSN for Site A

Again, you won't have that many concurrent endpoints, so you will be OK going with the design that you have outlined. However, if you want to follow the Cisco design guide and future-proof your architecture, then I would follow my suggestion :)

I hope this helps!

 

Thank you for rating helpful posts!