01-31-2017 08:33 AM - edited 03-11-2019 12:25 AM
Hi All,
One of our customers wants a BOM to meet their requirements below:
1. Next Generation Firewalls including IPS
2. Next Generation Malware Protection for Email, Endpoints and Network
3. Network Access Control
4. Network Security Analytics and Threat Intelligence
5. Enhanced Remote Access and VPN
6. Automation and Integration.
The customer is a university; they have approx. 70,000 concurrent wireless connections and a high percentage of BYOD across the community. I quoted Cisco FW5506X, 5508X and 5516X with Firepower module in HA mode for three internet connection sites. Additionally, ISE for network access control. How many Base, VPN Plus and Apex licenses do I need to order on ASA and ISE? Also, please verify the attached BOM in case I missed some features.
Thanks in advance,
Eric
01-31-2017 09:17 AM
I would look at it from 2 perspectives - ISE and ASA.
For ISE, the licenses are Base, Plus and Apex, each with varying features. For 70,000 concurrent users, you need at least as many Base licenses. Plus and Apex can be lower depending on how many users use a particular feature that falls into the license category. You seem to have only 50K Base licenses, so that might be a problem. Read about licenses here:
http://www.cisco.com/c/en/us/td/docs/security/ise/2-1/admin_guide/b_ise_admin_guide_21/b_ise_admin_guide_20_chapter_0110.html#id_24976
Also from an ISE deployment perspective, your scenario falls into the category of a large deployment (more than 20K endpoints). That means you need 2 PAN, 2 MNT and at least 2 PSN to satisfy the count of 70K. You only have 2, which is not enough. Read the deployment info here:
http://www.cisco.com/c/en/us/td/docs/security/ise/2-1/install_guide/b_ise_InstallationGuide21/b_ise_InstallationGuide21_chapter_00.pdf
For ASA, Plus and Apex are used for AnyConnect client connections (concurrent). Here Plus has the basic VPN feature set while Apex adds on to that. ASA models are usually determined by the throughput they provide with different services enabled. Check the throughput requirements against the datasheet for each of these models and verify that they are a good fit for the throughput per link.
http://www.cisco.com/c/en/us/products/collateral/security/asa-5500-series-next-generation-firewalls/datasheet-c78-733916.html
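The sizing rules in the reply above (Base licenses at least equal to concurrent endpoints, Plus/Apex never above Base, and a "large deployment" above 20K endpoints needing 2 PAN, 2 MNT and at least 2 PSN) can be turned into a BOM sanity check. This is an added example, not Cisco's tooling or anything from the original thread; it assumes each persona sits on its own dedicated appliance (so six nodes minimum for a large deployment), and the `IseBom` structure and field names are my own.

```python
from dataclasses import dataclass
from typing import List

# Thresholds and node counts as stated in the reply above (ISE 2.1 era).
LARGE_DEPLOYMENT_ENDPOINTS = 20_000
LARGE_DEPLOYMENT_MIN_NODES = {"PAN": 2, "MNT": 2, "PSN": 2}


@dataclass
class IseBom:
    """Hypothetical BOM summary: license counts plus total ISE appliances."""
    concurrent_endpoints: int
    base: int
    plus: int
    apex: int
    nodes: int  # total ISE appliances quoted (assumed one persona per node)


def check_ise_bom(bom: IseBom) -> List[str]:
    """Return a list of findings; an empty list means the BOM passes the checks."""
    findings: List[str] = []

    # Every concurrent endpoint consumes a Base license.
    if bom.base < bom.concurrent_endpoints:
        findings.append(
            f"Base licenses ({bom.base:,}) below concurrent endpoints "
            f"({bom.concurrent_endpoints:,})"
        )

    # Plus and Apex are add-ons; ordering more than Base is wasted spend.
    for name, count in (("Plus", bom.plus), ("Apex", bom.apex)):
        if count > bom.base:
            findings.append(f"{name} licenses ({count:,}) exceed Base ({bom.base:,})")

    # Above 20K endpoints the thread calls for dedicated PAN/MNT pairs plus PSNs.
    if bom.concurrent_endpoints > LARGE_DEPLOYMENT_ENDPOINTS:
        required = sum(LARGE_DEPLOYMENT_MIN_NODES.values())
        if bom.nodes < required:
            personas = ", ".join(f"{v} {k}" for k, v in LARGE_DEPLOYMENT_MIN_NODES.items())
            findings.append(
                f"large deployment needs at least {required} nodes ({personas}); "
                f"BOM has {bom.nodes}"
            )
    return findings


if __name__ == "__main__":
    # Constructed input mirroring the first BOM in the thread: 50K Base, 2 nodes.
    first_quote = IseBom(concurrent_endpoints=70_000, base=50_000, plus=0, apex=0, nodes=2)
    for finding in check_ise_bom(first_quote):
        print("FINDING:", finding)
```

Run it and the two findings printed match the two objections raised in the reply: too few Base licenses and too few nodes. The node check is deliberately conservative; co-locating personas changes the count, so adjust `LARGE_DEPLOYMENT_MIN_NODES` to the deployment model you actually quote.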
01-31-2017 10:21 AM
Hi Rahul,
Thanks for your information. Just to double-confirm with you: what are PAN, MNT and PSN? This is the first time I have quoted ISE.
Per their request, there is no information on firewall throughput, so do the Cisco 5516x, 3308x and 5506x meet the basic requirements in general?
For ISE, do the Apex licenses need to equal the AnyConnect Apex licenses on the firewall?
I revised the BOM as attached, adding 100k BSE, 50k PLS, 10k APX and 4x3595 (800k endpoints) on ISE. Please take a look.
Thanks,
Eric
01-31-2017 10:50 AM
PAN (Administration), MNT (Monitoring) and PSNs (Policy Service) are different roles/personas an ISE node can take. More information on these roles is here:
http://www.cisco.com/c/en/us/td/docs/security/ise/2-1/install_guide/b_ise_InstallationGuide21/b_ise_InstallationGuide21_chapter_00.html
Yeah, the firewalls should match basic small to medium network deployments - these are the lower end of the ASA5500-X series.
ISE Apex differs from AnyConnect Apex. ISE Apex adds Posture and MDM integration to ISE. AnyConnect Apex enables a few features on top of AnyConnect Plus. Here is the exact Cisco document on this:
http://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/200191-AnyConnect-Licensing-Frequently-Asked-Qu.html#anc18
AnyConnect Apex need not be the same as ISE Apex. But usually the number matches the number of VPN users in your environment.
02-08-2017 03:32 PM
Hi Rahul,
Is there any document I can find for the firewall throughput when I enable IPS, URL and AMP?
Thanks,
Eric