Re: OT - ISE first deployments / impressions

From: Charles Mitchell <cmitchell_at_force3.com>
Date: Wed, 19 Oct 2011 20:58:28 -0400

Great question, Ryan. You are correct, iPEP is limited to run ONLY on the
physical appliance.

I have used ISE in the virtual appliance for all of the other related ISE
functions/roles/personas. The virtual appliance is recommended/supported
on virtual instances that match the hardware specifications of the
corresponding physical appliances. For instance, if you were looking to
run an "All in one" VM that was to handle wired/wireless ISE functionality
for up to 2000 users, you would want to match the specs of at minimum the
3315 appliance. If you were looking to do ISE functionality for more than
2000, then you would start wanting to look at a distributed deployment with
33[59]5 equivalent VMs, depending on the endpoint requirements.

Chad

On 10/19/11 7:58 PM, "Ryan West" <rwest_at_zyedge.com> wrote:

>Charles,
>
>Great information below. I have a question regarding the use of physical
>vs. virtual. I can see the iPEP requires a physical appliance with
>predetermined trusted and untrusted interfaces. Have you used the
>virtual appliances for other ISE node related functions? Are there major
>limitations to sizing with the virtual appliance?
>
>Thanks,
>
>-ryan
>
>-----Original Message-----
>From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
>Charles Mitchell
>Sent: Wednesday, October 19, 2011 4:48 PM
>To: Nitin Venugopal
>Cc: CCIE Lab (ccielab_at_groupstudy.com)
>Subject: Re: OT - ISE first deployments / impressions
>
>Nitin,
>
>If you are trying to do anything other than RADIUS authentication for
>VPN, i.e. Posture, you will need a dedicated box, called an iPEP, to
>enforce posture requirements on any VPN users. For HA you will need 2;
>more details in response to your HA question. Posture in ISE requires
>CoA (Change of Authorization) support, available in newer IOS codes.
>The Cisco ASA 8.x code does not have this feature built in yet, therefore
>requiring the iPEP to force the CoA in line between the ASA and the
>network. The iPEP has two deployment options, L2 inline and L3 routed.
>
>In your initial question you mentioned 1200 endpoints. Is that the total,
>including printers, IP phones, etc., or only users? If 1200 is the true
>"total" number, you can use two 3315s to enforce the wired policy in
>conjunction with the one/two iPEPs for VPN. This design is limited to a
>MAX of 2000 endpoints and 5 PDPs. At that point you would have to break
>out the PDPs, like the old NAC Server, from the PAP and M&T
>(Administration node (like NAC Manager) and Monitoring and
>Troubleshooting node). That one 3315 in the DR requires a little more
>discussion around WAN bandwidth and load, as running distributed services
>over that link may saturate the link. Let us know if you want to discuss
>more on this, i.e. speed requirements and traffic profiles. IOS/802.1x
>does incorporate a critical VLAN feature that could be an option in place
>of the DR box in the case that WAN speed is a limiting factor.
>
>In reference to the HA, it is not at all like the old NAC Manager/Server
>HA. With the new ISE technology using radius we can leverage server
>groups in IOS to give two+ servers to reference in the case that any one
>is down, same for VPN (ASA). This option gives redundancy in the case
>that the primary server is down, the next server in the group will
>receive the radius authentication request. There is also the option to
>leverage a load balancer for the radius authentication requests in the
>event that there is a large cluster of PDPs. The ISE solution also uses
>the idea of cluster groups for the PDP roles. What this allows is
>information sharing about all radius sessions between all servers in the
>cluster group, therefore if one server dies in the middle of the radius
>authentication the other servers in the group can pick up where it left
>off.
>
>The Administration point or PAP uses HA through a manual failover
>(Primary/Secondary), where, if the primary node is down, you have to
>manually promote the secondary to the primary role to make any changes.
>The caveat to this is that the PDPs can operate independent of the PAP in
>a distributed deployment.
>
>Hope that makes it all a little more clear for you.
>
>Chad
>
>On 10/19/11 3:34 PM, "Nitin Venugopal" <nitinsworld_at_gmail.com> wrote:
>
>
>>Thanks Ryan
>>
>>1- The requirement for authentication / posture assessment for wired
>>and VPN
>>- Can one ISE appliance do both functionalities, or does it require a
>>dedicated ISE for VPN?
>>
>>2- The design I was looking at is 2 x ISE 3315 units for wired users in
>>the Production Datacenter & 1 x 3315 ISE in the DR
>>
>>How do the distributed architecture and licensing work?
>>
>>3- I am looking at designing High Availability (Active-Standby at the
>>Production
>>Datacenter). How does it work? There is no concept like in the
>>previous release - NAC Manager controlling all NAC Servers and NAC
>>Servers having high availability.
>>
>>Regds-Nitin
>>
>>
>>
>>
>>On Wed, Oct 19, 2011 at 11:15 PM, Ryan West <rwest_at_zyedge.com> wrote:
>>
>>> On Wed, Oct 19, 2011 at 15:11:03, Nitin Venugopal wrote:
>>> > Subject: Re: OT - ISE first deployments / impressions
>>> >
>>> > I am also working on an ISE design for 1200 endpoints-
>>> >
>>> > Have a couple of related questions-
>>> > Does VPN need a dedicated appliance?
>>>
>>> Depends on the overall load I believe, is the deployment for VPN only?
>>>You
>>> could run all roles on one device.
>>>
>>> > Would a single advanced license suffice for 3 standalone units in a
>>> > single deployment?
>>>
>>> Licensing is on end user node count and shared across the appliances
>>>that are joined together.
>>>
>>> > How does the HA work in reality ?
>>>
>>> I'll let you know what I find on this. Are you asking about shared
>>> addressing, replication, role sharing, etc..?
>>>
>>> >
>>> > Appreciate if some one can share more insight on this-
>>> >
>>>
>>> -ryan
>>
>>
>>Blogs and organic groups at http://www.ccie.net
>>
>>_______________________________________________________________________
>>Subscription information may be found at:
>>http://www.groupstudy.com/list/CCIELab.html
>
>

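The switch-side configuration that Charles's reply above describes (an IOS RADIUS server group pointing at two ISE policy nodes so authentication fails over when one is down, CoA accepted from those nodes for posture, and the critical VLAN fallback for when no policy node is reachable), written out as an added example; it is not from any message in this thread and not Cisco's reference configuration. The node names, addresses, shared secrets, VLAN IDs, interface and timer values are hypothetical.

```cisco
! Added example (not from the thread). Two ISE policy service nodes in one
! RADIUS server group; the switch tries the next server when the first is
! marked dead. Addresses, keys, VLANs and timers are hypothetical.
aaa new-model
!
radius server ISE-PSN1
 address ipv4 10.0.1.11 auth-port 1812 acct-port 1813
 key ChangeMeKey1
!
radius server ISE-PSN2
 address ipv4 10.0.1.12 auth-port 1812 acct-port 1813
 key ChangeMeKey2
!
aaa group server radius ISE-GROUP
 server name ISE-PSN1
 server name ISE-PSN2
 deadtime 15
!
aaa authentication dot1x default group ISE-GROUP
aaa authorization network default group ISE-GROUP
aaa accounting dot1x default start-stop group ISE-GROUP
!
! Posture and re-authorization depend on CoA (RFC 3576 dynamic authorization).
! Only the two policy nodes may send CoA to this switch, and each must use
! its own shared secret; an unrestricted client list would let any host
! that knows a secret bounce or re-authorize sessions.
aaa server radius dynamic-author
 client 10.0.1.11 server-key ChangeMeKey1
 client 10.0.1.12 server-key ChangeMeKey2
 auth-type any
!
! Mark a server dead after 3 unanswered tries within 10 s, then skip it
! for 15 min so authentications go straight to the surviving node.
radius-server dead-criteria time 10 tries 3
radius-server deadtime 15
!
dot1x system-auth-control
!
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 100
 authentication port-control auto
 ! Critical VLAN: if every server in the group is dead, admit the port to
 ! VLAN 999 without a RADIUS decision; re-run 802.1X when a server returns.
 authentication event server dead action authorize vlan 999
 authentication event server alive action reinitialize
 dot1x pae authenticator
 mab
```

The critical VLAN is the piece to treat with care: while the servers are unreachable it grants network access with no authentication at all, so VLAN 999 should carry only what an unauthenticated host legitimately needs and the `server alive action reinitialize` line is what pulls ports back under policy once a node answers again. The `dynamic-author` client list and per-node keys are the equivalent control on the CoA side.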
Received on Wed Oct 19 2011 - 20:58:28 ART

This archive was generated by hypermail 2.2.0 : Tue Nov 15 2011 - 13:10:29 ART