Mixed deployment of SNS3595 and SNS3495 as admin or monitoring node supported ?

hello,

I'm facing an ISE migration project where the client designed the new ISE setup.

Now we want to clarify if this intended setup of SNS appliances is supported.


Current ISE deployment running ISE 1.4
SNS3495 (PAN,SMNT)
SNS3495 (SAN,PMNT) -> the migration will start with this node !
VM ISE3415 (PSNs)



Planned new ISE deployment (reuse old SNS3495 and new SNS3595) running ISE 2.2 P2
SNS3595 (Pri Admin node)
SNS3495 (Sec Admin node)

SNS3595 (Pri Monitor node)
SNS3495 (Sec Monitor node)


Is this kind of node deployment supported?

What about the monitoring database sizing? Will the new deployment benefit from the SNS3595?
What is the recommendation?
Alternative node deployment of SNS3595 and SNS3495?

I found no comment on this topic about whether it is supported or not.

Maybe I missed a side note from Craig during a CL breakout.

Regards, Holger

3 Replies

Marvin Rhoads
Hall of Fame

As far as support goes, you will be fine.

What are your expectations regarding scaling? I believe you will be limited by:

a. the smallest appliance among your PAN and MnT nodes. So 250k max sessions for the deployment (vs. 500k if they were all SNS-3595 and you had enough PSNs).

b. the number of PSNs. SNS-3415 supports up to 5k sessions per PSN. So as long as all 32 PSNs are available you can accommodate 15k sessions. You didn't mention if your PSNs are load balanced or such - this is most likely your limiting design factor since, for instance, a Cisco wireless controller does not load balance between AAA servers (for a given SSID).

I'm basing this on Craig's reference deck from BRKSEC-3699, Cisco Live US 2017, pages 39-40.

ajc
Level 7

I will provide my 2 cents:

We are combining 3495 and 3595 in our new 2.2 version deployment.


1. We moved from 1.4 to 2.2 because our 6+ old 3395 devices are unable to support 2.2.

2. We are having issues (bugs) with 2.2, so we are currently working on that because it is not what we expected.

3. For the size of our network (90-100K sessions on average per day), we had significant issues with our 3495 MnT node in terms of troubleshooting and running reports. That is another reason we moved to the 3595 for the PRIMARY PAN/MnT nodes.

4. Be careful, because if you DO NOT have 2 secondary nodes for each persona (MnT/PAN), the whole performance of your network goes down if the PRIMARY PAN fails. See attached table.

5. Round-robin DNS does NOT work properly on the WLC if you have multiple entries as AAA servers on each SSID, AND using 1 PSN per WLC/SSID is not efficient. So we implemented an F5 solution following the Cisco guide (which we found by ourselves is NOT accurate in the F5 configuration part), and it has worked fine since implementation 3 months ago.

The following bug is not listed in the 2.2 release notes but affects the primary PAN: CSCva07358

6. Our 2.2 implementation is recent, so we are still monitoring a few things we are not quite convinced about. I mean, still troubleshooting.


ajc
Level 7

Another suggestion:

Reimage the 3495 to version 2.2, if that is your final decision, using CIMC/KVM (it comes with the Cisco UCS servers used as ISE appliances 3495/3595). I downloaded the ISO and used Daemon Tools Lite to mount the virtual CD for the reimage, and it worked perfectly. It is important to mention that the BIOS version on the Cisco UCS servers only provides the Java access option (not the HTML one, which is much better), so reimaging the box is a little bit annoying but not difficult, because you need to download Java 7 SE 67 or lower.

Take a configuration backup from 1.4 INCLUDING the certificates for EAP-TLS, WebAuth, portals, etc. before reimaging, and do the corresponding restore.

Check that you DO NOT HAVE duplicated certificates in the trusted certificate list on the 1.4 version, because it causes issues on 2.2.

Let me think if I am not missing anything else useful.
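A pre-migration check for the duplicated-trusted-certificate issue mentioned in this thread, added here as an example; it is not code from the thread or from Cisco, and it assumes the trusted certificates have been exported as a PEM bundle (the PEM labels and the sample payloads below are constructed, not real certificates).

```python
import base64
import hashlib
import re
from collections import defaultdict

# Matches a PEM block with any label ("CERTIFICATE", "TRUSTED CERTIFICATE", ...).
PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.DOTALL)


def pem_fingerprints(pem_text):
    """Return (sha256_hex, label, index) for every PEM block in the bundle.

    The fingerprint is taken over the decoded DER bytes, so two copies of the
    same certificate match even when they were exported with different line
    wrapping, trailing whitespace or a different PEM label.
    """
    out = []
    for idx, match in enumerate(PEM_RE.finditer(pem_text)):
        label, body = match.group(1), match.group(2)
        der = base64.b64decode("".join(body.split()))  # drop all whitespace first
        out.append((hashlib.sha256(der).hexdigest(), label, idx))
    return out


def find_duplicates(pem_text):
    """Map fingerprint -> block indexes, keeping only fingerprints seen more than once."""
    seen = defaultdict(list)
    for fp, _label, idx in pem_fingerprints(pem_text):
        seen[fp].append(idx)
    return {fp: idxs for fp, idxs in seen.items() if len(idxs) > 1}


def _pem(label, der, width=64):
    """Wrap raw bytes as a PEM block (used only to build the constructed sample)."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + width] for i in range(0, len(b64), width)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


# Constructed sample bundle: placeholder payloads, not real certificates.
CERT_A = b"constructed placeholder DER for CA certificate A " * 3
CERT_B = b"constructed placeholder DER for CA certificate B " * 3
SAMPLE_BUNDLE = (
    _pem("CERTIFICATE", CERT_A)
    + _pem("CERTIFICATE", CERT_B)
    + _pem("TRUSTED CERTIFICATE", CERT_A, width=40)  # same cert A, re-wrapped, relabelled
)

if __name__ == "__main__":
    for fp, idxs in find_duplicates(SAMPLE_BUNDLE).items():
        print(f"duplicate trusted certificate sha256={fp[:16]}... at blocks {idxs}")
```

Run it against the exported bundle before the restore; any fingerprint listed more than once is a certificate to remove from the 1.4 trust list first.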