Re: OT - ISE first deployments / impressions

From: Charles Mitchell <cmitchell_at_force3.com>
Date: Thu, 20 Oct 2011 04:49:52 -0400

EDIT

Sorry for the confusion, but I need to edit my statement on HA for iPEP.
HA for iPEP is performed in a similar fashion to the old NAC solution, not
with radius server groups like my previous e-mail stated, which was
bugging me last night. There are L2 and L3 deployment options which both
incorporate a Service IP and a heartbeat link, very much like Cisco NAC.
More info can be found in the ISE 1.0 User Guide.

Chad
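As an added example, not from the thread, here is an IOS 15-style switch configuration for the redundancy Chad describes in his earlier reply below: two ISE policy nodes in one RADIUS server group so the switch moves to the next server when one is marked dead, CoA accepted from both nodes, and the critical VLAN fallback for when no server answers. Names, addresses, keys and VLAN IDs are placeholders.

```ios
! Added example (not from the thread): two ISE PDPs in one IOS RADIUS
! server group so a dead primary fails over to the next server, plus
! CoA from both PDPs and the critical-VLAN fallback Chad mentions.
! All addresses, keys, names and VLAN numbers are placeholders.
aaa new-model
!
radius server ISE-PDP-1
 address ipv4 192.0.2.11 auth-port 1812 acct-port 1813
 key REPLACE_WITH_SHARED_SECRET
radius server ISE-PDP-2
 address ipv4 192.0.2.12 auth-port 1812 acct-port 1813
 key REPLACE_WITH_SHARED_SECRET
!
! Mark a server dead after 3 unanswered tries within 10 seconds and
! skip it for 10 minutes so each new auth does not wait on the timeout.
radius-server dead-criteria time 10 tries 3
!
aaa group server radius ISE-GROUP
 server name ISE-PDP-1
 server name ISE-PDP-2
 deadtime 10
!
! 802.1X/MAB auth and authorization use the group; the switch tries
! ISE-PDP-1 first and falls through to ISE-PDP-2 when it is dead.
aaa authentication dot1x default group ISE-GROUP
aaa authorization network default group ISE-GROUP
aaa accounting dot1x default start-stop group ISE-GROUP
!
! Accept RADIUS Change-of-Authorization from both PDPs (needed for
! posture-driven re-authorization on the wired side).
aaa server radius dynamic-author
 client 192.0.2.11 server-key REPLACE_WITH_SHARED_SECRET
 client 192.0.2.12 server-key REPLACE_WITH_SHARED_SECRET
!
dot1x system-auth-control
!
! Critical VLAN: if every server in the group is dead (e.g. the WAN to
! the DR node is down), authorize new hosts into VLAN 50 instead of
! denying them, and re-authenticate once a server comes back.
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 authentication event server dead action authorize vlan 50
 authentication event server alive action reinitialize
 authentication port-control auto
 dot1x pae authenticator
```

The critical VLAN only covers new sessions while all servers are dead; hosts already authorized keep their existing authorization until the server-alive reinitialize fires.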

On 10/19/11 4:48 PM, "Charles Mitchell" <cmitchell_at_force3.com> wrote:

>Nitin,
>
>If you are trying to do anything other than Radius authentication for VPN,
>i.e. posture, you will need a dedicated box, called an iPEP, to enforce
>posture requirements on any VPN users. For HA you will need 2; more
>details in response to your HA question. Posture in ISE requires COA, or
>change of authorization, support, available in newer IOS codes. The Cisco
>ASA 8.x code does not have this feature built in yet, therefore requiring
>the iPEP to force the COA in line between the ASA and the network. The
>iPEP has two deployment options, L2 inline and L3 routed.
>
>In your initial question you mentioned 1200 endpoints. Is that the total,
>including printers, IP phones, etc., or only users? If 1200 is the true
>"total" number you can use two 3315's to enforce the wired policy in
>conjunction with the one/two iPEPs for VPN. This design is limited to a
>MAX of 2000 endpoints and 5 PDPs. At that point you would have to break
>out the PDPs, like the old NAC Server, from the PAP and M&T
>(Administration node (like NAC Manager) and Monitoring and
>Troubleshooting node). That one 3315 in the DR requires a little more
>discussion around WAN bandwidth and load, as running distributed services
>over that link may saturate the link. Let us know if you want to discuss
>more on this, i.e. speed requirements and traffic profiles. IOS/802.1x
>does incorporate a critical VLAN feature that could be an option in place
>of the DR box in the case that WAN speed is a limiting factor.
>
>In reference to the HA, it is not at all like the old NAC Manager/Server
>HA. With the new ISE technology using radius we can leverage server
>groups in IOS to give two+ servers to reference in the case that any one
>is down, same for VPN (ASA). This option gives redundancy in the case
>that the primary server is down: the next server in the group will receive
>the radius authentication request. There is also the option to leverage a
>load balancer for the radius authentication requests in the event that
>there is a large cluster of PDPs. The ISE solution also uses the idea of
>cluster groups for the PDP roles. What this allows is information sharing
>about all radius sessions between all servers in the cluster group;
>therefore if one server dies in the middle of the radius authentication
>the other servers in the group can pick up where it left off.
>
>The Administration point or PAP uses HA through a manual failover
>(Primary/Secondary), whereby if the primary node is down you have to
>manually promote the secondary to the primary role to make any changes.
>The caveat to this is that the PDPs can operate independently of the PAP in
>a distributed deployment.
>
>Hope that makes it all a little more clear for you.
>
>Chad
>
>On 10/19/11 3:34 PM, "Nitin Venugopal" <nitinsworld_at_gmail.com> wrote:
>
>
>>Thanks Ryan
>>
>>1- The requirement for authentication / posture assessment for wired and
>>VPN
>>- Can one ISE appliance do both the functionalities or does it require a
>>dedicated ISE for VPN?
>>
>>2- The design I was looking at is 2 x ISE 3315 units for Wired Users in
>>the Production Datacenter & 1 x 3315 ISE in the DR
>>
>>How does the distributed architecture and licensing work?
>>
>>3- I am looking at designing High Availability (Active-Standby at the
>>Production Datacenter). How does it work? As there is no concept like in
>>the previous release - NAC Manager controlling all NAC Servers and NAC
>>Server having high availability.
>>
>>Regds-Nitin
>>
>>
>>
>>
>>On Wed, Oct 19, 2011 at 11:15 PM, Ryan West <rwest_at_zyedge.com> wrote:
>>
>>> On Wed, Oct 19, 2011 at 15:11:03, Nitin Venugopal wrote:
>>> > Subject: Re: OT - ISE first deployments / impressions
>>> >
>>> > I am also working on an ISE design for 1200 endpoints-
>>> >
>>> > Have a couple of related questions-
>>> > Does VPN need a dedicated appliance?
>>>
>>> Depends on the overall load I believe. Is the deployment for VPN only?
>>> You could run all roles on one device.
>>>
>>> > Would a single Advanced license suffice for 3 standalone units in a
>>> > single deployment?
>>>
>>> Licensing is on end user node count and shared across the appliances
>>> that are joined together.
>>>
>>> > How does the HA work in reality ?
>>>
>>> I'll let you know what I find on this. Are you asking about shared
>>> addressing, replication, role sharing, etc..?
>>>
>>> >
>>> > Appreciate it if someone can share more insight on this-
>>> >
>>>
>>> -ryan
>>
>>
>>Blogs and organic groups at http://www.ccie.net
>>
>>_______________________________________________________________________
>>Subscription information may be found at:
>>http://www.groupstudy.com/list/CCIELab.html
>

Received on Thu Oct 20 2011 - 04:49:52 ART

This archive was generated by hypermail 2.2.0 : Tue Nov 15 2011 - 13:10:29 ART