Need help with ISE design and deployment options

User_80617
Level 1

Hello Guys,

Hope everyone is safe and fine. I need help with ISE design and deployment options.

I want to discuss the options to deploy ISE with redundancy between one ISE at AWS or Azure and another on the internal network (in the DC).

1. Internal ISE with PAN+MnT, and PSN on cloud

2. Internal ISE with PAN+MnT+PSN, and PSN on cloud

How would the failover/redundancy work in this scenario?

How would the licensing work?

What would be the best approach to design this?

Our max user session count would be ~15K.

Thanks



Hi @User_80617 ,

1st, please take a look at the Performance and Scalability Guide for ISE, and search for:

1. Different Types of Cisco ISE Deployment

 - Small Deployment

PPAN, PMnT and PSN1

SPAN, SMnT and PSN2

 - Medium Deployment

PPAN & PMnT

SPAN & SMnT

xPSNs

2. Table 2. Maximum Concurrent Active Endpoints Based on PSN Type.

You are able to use a:

- SNS 3595

- SNS 3655

Note: search for Cisco ISE Hardware Platforms for HW specs !!!

2nd, for ISE 3.0+ you MUST use Smart Licensing.

3rd, please take a look at Cisco ISE 3.1 on AWS.

Hope this helps !!!

ComputerRick
Cisco Employee

First, using the largest of the AWS ISE nodes would support 25k sessions.  For redundancy, I would suggest that.

Next, for the internal and the cloud-based node, I would suggest all 3 personas on both.  This is just in case you lose a node; you don't have to lose the deployment as well.

Remember to reference the document that @marcellyc linked to for the AWS deployment; there are some important caveats there.

If you join the nodes, then licensing will be Smart Licensing and only the Pri Admin will communicate for the deployment licenses.  I won't provide more specific license info here.

For failover:

You won't have enough nodes to enable PAN auto failover, and I wouldn't suggest it.

Each node in ISE works independently of the others for authentications and authorizations, for the most part.

If you're going to use an external ID source, such as AD or RSA, I'd have one of those at each of the ISE locations as well.

Your network devices decide which ISE server to contact based on config and reachability.  You'll need to consider which should be first and second for each device and then configure them appropriately.

HTH.
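As an added example (not from any poster in this thread), this is how the first/second ordering described above might look on a Cisco IOS-XE switch at the DC site: the on-prem PSN is listed first, the AWS PSN second, and dead-server detection lets the switch fail over when the preferred node stops answering. Server names, addresses and the shared secret are constructed placeholders.

```cisco-ios
! Constructed example: two PSNs, on-prem node preferred for a DC switch.
! Addresses and the key are placeholders, not values from this thread.
aaa new-model
!
radius server ISE-DC-PSN
 address ipv4 10.10.10.21 auth-port 1812 acct-port 1813
 key <shared-secret-placeholder>
 ! Probe the server so it is marked dead/alive without waiting on user traffic
 automate-tester username ise-probe probe-on
!
radius server ISE-AWS-PSN
 address ipv4 10.200.10.21 auth-port 1812 acct-port 1813
 key <shared-secret-placeholder>
 automate-tester username ise-probe probe-on
!
! Mark a server dead after 3 unanswered tries within 10 seconds,
! and keep it out of rotation for 10 minutes before trying it again.
radius-server dead-criteria time 10 tries 3
radius-server deadtime 10
!
! Order inside the group is the preference order: DC node first, AWS node second.
! A device closer to the AWS side would list them the other way round.
aaa group server radius ISE-GROUP
 server name ISE-DC-PSN
 server name ISE-AWS-PSN
!
aaa authentication dot1x default group ISE-GROUP
aaa authorization network default group ISE-GROUP
aaa accounting dot1x default start-stop group ISE-GROUP
```

Both PSNs must be defined as network devices in ISE with the same shared secret, and the probe user must exist in an identity store the PSNs can reach, otherwise the tester itself marks the server dead.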

User_80617
Level 1

Thanks @Marcelo Morais and @ComputerRick

I have the following queries. Need advice please.

1. Is it possible to deploy PPAN, PMnT and PSN1 and SPAN, SMnT and PSN2 in an active/standby fashion on AWS? I couldn't find a document related to that for the AWS deployment.

2. As another option to the above, if we have PPAN, PMnT and PSN1 on AWS and SPAN, SMnT and PSN2 on the internal network, with latency around 50 ms: in case the connection gets broken for, say, 5-10 minutes due to high latency, packet drops, etc., will new users face issues in authentication? I believe already authenticated users should have no issue.

2. Since our endpoint count is around 5K, a c5.4xlarge instance would be OK for us.

3. Would the cost of the instance be the same irrespective of whether we use it as only a PSN or with all personas enabled?

3. I read in the doc that in addition to the above we need the VM license as well.

4. As per the Cisco doc, "You can only set up standalone nodes through the CFT configurations." Can an instance deployed with CFT later be changed from standby to active/passive? Which is the ideal way to deploy it, CFT or Marketplace?

5. The following is a known limitation: "You can only access and use Cisco ISE on AWS from your enterprise intranet through site-to-site VPN tunnels." I believe this is not true if we have Direct Connect to AWS.

6. Can an ISE instance deployed internally (with all personas except pxGrid) later be migrated to AWS as secondary by restoring a backup, etc.?

Thanks in advance.

 

 

 

1) ISE doesn't work in an active/standby configuration beyond having Primary and Secondary Admin and Monitoring nodes.  You can have AWS and on-site nodes as long as the deployment network and latency requirements are met.

2) As long as the network access devices are configured with both nodes and can reach at least one of them, then authentications should continue to function.  Already authenticated users would remain connected as long as they're within a reauth timer (if configured).

3) The cost question sounds right, but I am not sure.

4) This is not a good question, given that ISE doesn't run in an active/standby configuration.  The NADs decide which ISE node to reach out to from the configuration.  A small deployment can have two standalone nodes with all 3 personas on them.  This comes down to terminology.

5) I would need to research this to be sure; I suspect that you're correct.

6) If you have a Primary Admin Node (PAN), standing a node up on AWS and joining it to the PAN would be all that's needed, as the configuration is pushed to any nodes being joined to a deployment.  There would be no restore on any new nodes.

Hi @User_80617 ,

Beyond what @ComputerRick said:

1. Please take a look at the Performance and Scale Guide for ISE:

Maximum network latency between Primary PAN and any other Cisco ISE Node including the Secondary PAN, MnT, and PSNs: 300 milliseconds

3. Yes, please take a look at the ISE Ordering Guide, search for "Migration from other older license to today", and pay special attention to Table 16. Cisco ISE Virtual Machine licenses.

5. Please take a look at the ISE in AWS Webinar, at 43'47" (Demo); also pay special attention to 48'11" (Caveats).

Hope this helps !!!

 

ComputerRick
Cisco Employee

Please remember to mark the solution, if it's been provided.

There is a lot of great information here, do you have further questions about deployments or terms?

User_80617
Level 1

Hi @Marcelo Morais and @ComputerRick

Thanks once again.

I have a few more queries which I will post soon; I need advice on those as well, please.

User_80617
Level 1

Hi @Marcelo Morais and @ComputerRick ,

Cisco documentation mentions there is a need for S3 storage apart from the 600 GB volume. This S3 storage would be used to store backup and restore files, monitoring and troubleshooting reports, and more.

Any idea how much S3 storage should be considered to begin with for around 5K users in a small deployment? I feel 10 GB should be OK to begin with??

I would have to look for guidelines; I haven't seen or found them personally, if they exist.

That being said, if it's for use as a repository, it's going to depend on several factors.  If the Primary Admin is going to be on AWS, the S3 storage requirements will be higher, as it'll get used more than if you have the Primary Admin on your internal network and use a repository internally.
How many backups would you like to retain on AWS?
Would you clean, prune, or migrate files off of S3 to internal locations?

1 GB would probably suffice for most; 10 GB should work for some time.
I'll look to see if I can find Cisco guidelines for it.  This is likely addressed in the ISE in AWS Webinar that @Marcelo Morais cited in a previous post; I'd suggest watching that anyway.
