Cisco Community
English
Register
Register
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

Cisco ISE Deployment

1175
Views
0
Helpful
5
Comments
Etlicher
Beginner
‎02-10-2020 06:30 AM
edited on: ‎02-10-2020 ‎06:30 AM

Hello, I am implementing the Cisco ISE solution (two virtual applications). I wonder if the best practices were to deploy the OVAs on the normal cluster with the other virtual machines or dedicate two servers (cluster) to the appliance in order to have maximum performance? I think that depends on the number of clients to manage as well as the current workload of the cluster, right?

 

Thx !!

0 Helpful
Comments
balaji.bandi
VIP Expert VIP Expert
VIP Expert
‎02-10-2020 07:04 AM
‎02-10-2020 07:04 AM

As per i know they do not give high availability unlike FW as per my understanding, deploy them as separate nodes.

 

Look up deployment guide and sizing :

 

https://www.cisco.com/c/en/us/td/docs/security/ise/1-2/installation_guide/ise_ig/ise_deploy.html

 

here good to start all documents are here for your reference :

 

https://community.cisco.com/t5/security-documents/ise-community-resources/ta-p/3621621#Implement

Etlicher
Beginner
Beginner
‎02-11-2020 04:02 AM
‎02-11-2020 04:02 AM

Hello,

I have already created a deployment node with my two ISE servers, the solution is functional.

I just want to see if the best and to dedicate two servers to the ISE appliance or if I can leave them with other
VM on a classic cluster.

Marvin Rhoads
Hall of Fame Guru Hall of Fame Guru
Hall of Fame Guru
‎02-12-2020 04:03 AM
‎02-12-2020 04:03 AM

Coexisting within clusters with other VMs is by far the most prevalent way ISE VMs are deployed.

As long as you have adequate resources for your VMs allocated they should be fine. ISE will periodically check disk IOPS and alert you if that parameter is becoming troublesome.

Etlicher
Beginner
Beginner
‎02-12-2020 06:52 AM
‎02-12-2020 06:52 AM

Once fully operational, the ISE will be used as a RADIUS network access control, to make dynamic VLAN
and the TrestSec function will also be used.
A total of 3000 connections will be checked.

The CPU, disk and network loads of ISE servers will not be significant? I want to be sure to guarantee maximum performance
at the ISE node.

balaji.bandi
VIP Expert VIP Expert
VIP Expert
‎02-12-2020 12:05 PM
‎02-12-2020 12:05 PM

what version of ISE you have in place:

 

here is ISE 2.4 VM requirement -

 

https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/install_guide/b_ise_InstallationGuide24/b_ise_InstallationGuide24_chapter_01.html

 

3000 end devices you mean, you need to look and design multiple PSN and MGMT, so you have high availability.

 

Did you get a chance to read the documents i have posted before?   VM Performance varies depends on your IOPS - what kind of disk you have.

 

 

Latest Contents
IKEv2 clients route filtering
Created by mdu113 on 04-15-2021 11:17 AM
0
0
0
0
Hello,Can somebody explain to me how I can make sure that only authorized subnets are routed to IKEv2 clients?If I configure 'route accept any' - which is the only option - under authorization policy then client is allowed to send me any routes, thus noth... view more
Fail to lanuch anyconnect profile editor
Created by engahmedsaied on 04-15-2021 06:46 AM
0
0
0
0
Hello, When trying to lanuch anyconnect profile editor I see this error  "Failed to load Main Class: com/cisco/acprofile/AcProfile" I tried on latest anyconnect version and older same error 
Non ASCII symbols in AAA ldap-base-dn
Created by KonstantinRav60956 on 04-15-2021 06:45 AM
0
0
0
0
Hi everyone!I have a task to integrate ASA 5516 with LDAP for implementing cut-through proxy feature with AD authentication.I have successfully got connected with the AAA server but the problem is - there are non-ASCII (Cyrillic) symbols in AD groups name... view more
Snort 2 to Snort 3 Migration - Monthly Technical Webinars
Created by Robert Albach on 04-15-2021 05:27 AM
0
0
0
0
Hi Team,I wanted to make you aware that we will have a series of monthly 30-45 minute technical webinars regarding the migration to Snort 3 This is highly relevant for ALL FirePower customers. The content is technical in nature and is designed to all... view more
NMAP rescan interval
Created by Oliver Laue on 04-15-2021 05:25 AM
1
0
1
0
Hi, if NMAP is used for Profiling devices is there some kind of interval which reruns the scan to check if the device is still the same.I know there is some kind of overload protection for the Node but is there some kind of verification like (if nmap... view more
Content for Community-Ad