06-09-2017 10:23 AM
I have a customer deploying an 8+ node distributed ISE deployment. After going through the CiscoLive 3699-RG presentation, and knowing the 200 ms delay, we're looking for some case study or reference guide on how to implement network QoS to better support a large distributed ISE deployment that runs RADIUS and TACACS+. ISE nodes in the cluster use a very large number of TCP/UDP ports for different use cases. With the traditional MQC method, we need to understand which ports are critical, important, best effort, etc.
06-09-2017 01:23 PM
The delay of 200ms is reduced further to 300ms in ISE 2.1. Here is the link for the BW calculator
https://communities.cisco.com/docs/DOC-64317
Here is the ISE document that describes the ports open per service. These are critical to the services being used across the deployment. If you are using different ports for the RADIUS/TACACS+ service, those need to be opened.
You need Administration and replication (including JGroups) to happen. You also need NTP, DNS, RADIUS, CoA and TACACS+ ports to be open. You need ports open for the external ID store (if using AD etc.) and logging. Turn on ports for profiling based on the probes used (do SNMP polling per server to minimize traffic). Turn on the rest based on the services/portals being used across the deployment. It makes sense to open 443 since it is used for a lot of communication. If you are not using profiling but still want to monitor the resources, SNMP needs to be open.
Hope this clarifies.
Thanks
Krishnan
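To turn the tiering in the reply above into something a network engineer can paste, here is an added IOS-XE MQC example (it is not part of the thread and not Cisco's reference design). It classifies ISE traffic into the three tiers the question asks about: AAA transactions that block user sessions when delayed, node-to-node and identity-store traffic, and everything else as best effort. Port numbers are assumptions taken from IANA defaults and the ISE ports reference; the JGroups port in particular should be checked against the ports document for the ISE release actually deployed, and the RADIUS/TACACS+ entries must match any non-default ports configured on the PSNs. The DSCP values (CS3 for AAA, AF21 for infrastructure) are one defensible mapping and should follow whatever QoS model the site already uses. Keep in mind that QoS only removes queuing delay; it cannot shrink propagation delay, so the inter-node latency bound still has to be verified with measurements on the path.

```cisco
! Added example, not from the original post. Ports are assumptions from
! IANA defaults and the ISE ports reference; verify per ISE release.
!
! Tier 1: AAA transactions that hold up end-user sessions if delayed.
ip access-list extended ISE-AAA
 remark RADIUS auth/acct to PSNs (1812/1813, legacy 1645/1646), both directions
 permit udp any any range 1812 1813
 permit udp any range 1812 1813 any
 permit udp any any range 1645 1646
 permit udp any range 1645 1646 any
 remark RADIUS CoA from PSN to NAD (1700 ISE default, 3799 per RFC 5176)
 permit udp any any eq 1700
 permit udp any eq 1700 any
 permit udp any any eq 3799
 permit udp any eq 3799 any
 remark TACACS+ device administration
 permit tcp any any eq 49
 permit tcp any eq 49 any
!
! Tier 2: replication, admin and identity-store traffic. A stall here
! slows replication or AD lookups but does not reject users outright.
ip access-list extended ISE-INFRA
 remark PAN/PSN/MnT replication and admin over HTTPS
 permit tcp any any eq 443
 permit tcp any eq 443 any
 remark JGroups cluster membership (assumed TCP 12001, verify per release)
 permit tcp any any eq 12001
 permit tcp any eq 12001 any
 remark Active Directory: Kerberos, LDAP, LDAPS, SMB
 permit tcp any any eq 88
 permit udp any any eq 88
 permit tcp any any eq 389
 permit tcp any any eq 636
 permit tcp any any eq 445
 remark DNS and NTP
 permit udp any any eq 53
 permit tcp any any eq 53
 permit udp any any eq 123
!
! Everything else from the ISE subnets (syslog, SNMP, profiling probes,
! guest portals, feed updates) falls through to class-default.
class-map match-any ISE-AAA
 match access-group name ISE-AAA
class-map match-any ISE-INFRA
 match access-group name ISE-INFRA
!
! Mark at the data-centre edge so WAN devices can queue on DSCP alone.
policy-map ISE-MARK
 class ISE-AAA
  set dscp cs3
 class ISE-INFRA
  set dscp af21
 class class-default
  set dscp default
!
! Queue on the WAN-facing interface: AAA gets a small guaranteed share
! ahead of bulk replication; both are tiny next to user data traffic.
policy-map ISE-WAN-OUT
 class ISE-AAA
  bandwidth percent 5
 class ISE-INFRA
  bandwidth percent 10
 class class-default
  fair-queue
!
interface GigabitEthernet0/0/0
 description DC edge towards ISE nodes
 service-policy input ISE-MARK
!
interface GigabitEthernet0/0/1
 description WAN link to remote ISE site
 service-policy output ISE-WAN-OUT
```

The ACLs above match on port alone, so unrelated HTTPS or DNS traffic crossing the same edge would be promoted too; in a real deployment replace `any` with the ISE node subnets and, for CoA, the NAD management subnets, so only ISE-bound flows are elevated. Validate the classification with `show policy-map interface` while generating a known RADIUS load and confirm the counters move in the intended class before trusting the markings end to end.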