RE: OT - ISE first deployments / impressions

From: Ryan West <rwest_at_zyedge.com>
Date: Wed, 19 Oct 2011 23:58:20 +0000

Charles,

Great information below. I have a question regarding the use of physical vs. virtual. I can see the iPEP requires a physical appliance with predetermined trusted and untrusted interfaces. Have you used the virtual appliances for other ISE node-related functions? Are there major limitations to sizing with the virtual appliance?

Thanks,

-ryan

-----Original Message-----
From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of Charles Mitchell
Sent: Wednesday, October 19, 2011 4:48 PM
To: Nitin Venugopal
Cc: CCIE Lab (ccielab_at_groupstudy.com)
Subject: Re: OT - ISE first deployments / impressions

Nitin,

If you are trying to do anything other than RADIUS authentication for VPN, i.e. posture, you will need a dedicated box, called an iPEP, to enforce posture requirements on any VPN users. For HA you will need 2; more details in the response to your HA question. Posture in ISE requires CoA (Change of Authorization) support, available in newer IOS codes. The Cisco ASA 8.x code does not have this feature built in yet, therefore requiring the iPEP to force the CoA in line between the ASA and the network. The iPEP has two deployment options, L2 inline and L3 routed.

In your initial question you mentioned 1200 endpoints. Is that the total, including printers, IP phones, etc., or only users? If 1200 is the true "total" number you can use two 3315s to enforce the wired policy in conjunction with the one/two iPEPs for VPN. This design is limited to a max of 2000 endpoints and 5 PDPs. Beyond that you would have to break out the PDPs, like the old NAC Server, from the PAP and M&T (Administration node (like NAC Manager) and Monitoring and Troubleshooting node). That one 3315 in the DR requires a little more discussion around WAN bandwidth and load, as running distributed services over that link may saturate the link. Let us know if you want to discuss more on this, i.e. speed requirements and traffic profiles. IOS/802.1x does incorporate a critical VLAN feature that could be an option in place of the DR box in the case that WAN speed is a limiting factor.

In reference to the HA, it is not at all like the old NAC Manager/Server HA. With the new ISE technology using RADIUS we can leverage server groups in IOS to give two+ servers to reference in the case that any one is down; the same goes for VPN (ASA). This option gives redundancy in the case that the primary server is down: the next server in the group will receive the RADIUS authentication request. There is also the option to leverage a load balancer for the RADIUS authentication requests in the event that there is a large cluster of PDPs. The ISE solution also uses the idea of cluster groups for the PDP roles. What this allows is information sharing about all RADIUS sessions between all servers in the cluster group, therefore if one server dies in the middle of the RADIUS authentication the other servers in the group can pick up where it left off.

The Administration point or PAP uses HA through a manual failover (Primary/Secondary), where if the primary node is down you have to manually promote the secondary to the primary role to make any changes. The caveat to this is that the PDPs can operate independently of the PAP in a distributed deployment.

Hope that makes it all a little more clear for you.

Chad
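The switch-side pieces Chad describes above (an IOS RADIUS server group so a second ISE policy node answers when the first is dead, the CoA listener posture needs, and the critical VLAN fallback for when no PDP is reachable) as one IOS configuration. This is an added illustration, not configuration from the thread or from Cisco; the node addresses, group name, VLAN numbers and the secret placeholder are assumed.

```cisco
! Added illustration (not from the thread). IOS 802.1X switch using two ISE
! policy nodes (PDPs) in one RADIUS server group. Addresses 10.1.1.11/12,
! the group name ISE-PDP and VLANs 100/200 are assumed; replace the secret.
aaa new-model
!
! 2011-era syntax: each PDP as a RADIUS host with its shared secret
radius-server host 10.1.1.11 auth-port 1812 acct-port 1813 key <SHARED-SECRET>
radius-server host 10.1.1.12 auth-port 1812 acct-port 1813 key <SHARED-SECRET>
! Declare a server dead after 5 s / 3 unanswered tries; skip it for 10 minutes
radius-server dead-criteria time 5 tries 3
radius-server deadtime 10
!
! The server group: IOS tries the servers in order, so 10.1.1.12 only sees
! requests while 10.1.1.11 is marked dead
aaa group server radius ISE-PDP
 server 10.1.1.11 auth-port 1812 acct-port 1813
 server 10.1.1.12 auth-port 1812 acct-port 1813
!
aaa authentication dot1x default group ISE-PDP
aaa authorization network default group ISE-PDP
aaa accounting dot1x default start-stop group ISE-PDP
!
! CoA listener: posture results are pushed from the PDP back to the switch,
! so every node in the group must be an allowed dynamic-authorization client
aaa server radius dynamic-author
 client 10.1.1.11 server-key <SHARED-SECRET>
 client 10.1.1.12 server-key <SHARED-SECRET>
!
dot1x system-auth-control
!
! Critical VLAN: if every PDP in the group is dead (e.g. the WAN to a DR node
! is down), authorize the port into VLAN 200 instead of leaving it blocked,
! and re-authenticate once a server comes back
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 100
 authentication event server dead action authorize vlan 200
 authentication event server alive action reinitialize
 authentication port-control auto
 dot1x pae authenticator
```

`show aaa servers` shows which group members IOS currently considers dead, which is the first thing to check when a second PDP never receives requests. Note that the critical VLAN only applies to new sessions when all servers are dead; existing authorized sessions keep their original VLAN.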

On 10/19/11 3:34 PM, "Nitin Venugopal" <nitinsworld_at_gmail.com> wrote:

>Thanks Ryan
>
>1- The requirement is for authentication / posture assessment for wired
>and VPN.
>- Can one ISE appliance do both functionalities, or does it require a
>dedicated ISE for VPN?
>
>2- The design I was looking at is 2 x ISE 3315 units for wired users in the
>Production Datacenter & 1 x 3315 ISE in the DR.
>
>How does the distributed architecture and licensing work?
>
>3- I am looking at designing High Availability (Active-Standby at the
>Production Datacenter); how does it work? As there is no concept like in the
>previous release - NAC Manager controlling all NAC Servers and NAC
>Servers having high availability.
>
>Regds-Nitin
>
>
>
>
>On Wed, Oct 19, 2011 at 11:15 PM, Ryan West <rwest_at_zyedge.com> wrote:
>
>> On Wed, Oct 19, 2011 at 15:11:03, Nitin Venugopal wrote:
>> > Subject: Re: OT - ISE first deployments / impressions
>> >
>> > I am also working on an ISE design for 1200 endpoints-
>> >
>> > Have a couple of related questions-
>> > Does VPN need a dedicated appliance?
>>
>> Depends on the overall load I believe, is the deployment for VPN only?
>> You could run all roles on one device.
>>
>> > Would a single Advanced license suffice for 3 standalone units in a
>> > single deployment?
>>
>> Licensing is on end user node count and shared across the appliances
>> that are joined together.
>>
>> > How does the HA work in reality?
>>
>> I'll let you know what I find on this. Are you asking about shared
>> addressing, replication, role sharing, etc..?
>>
>> >
>> > Appreciate it if someone can share more insight on this-
>> >
>>
>> -ryan
>

Blogs and organic groups at http://www.ccie.net
Received on Wed Oct 19 2011 - 23:58:20 ART

This archive was generated by hypermail 2.2.0 : Tue Nov 15 2011 - 13:10:29 ART