Date post: | 17-Oct-2015 |
ISE Design Guidance
2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Presentation_ID 2
Standalone Deployment
All personas (Admin, Policy Service, Monitoring) run on a single ISE node.
Maximum endpoints: 2000
Dual Node Deployment
Two ISE nodes, each running Admin, Policy Service and Monitoring.
Maximum endpoints: 2000 (redundant sizing: 2000)
Endpoints Per Dedicated Policy Services Node
All services (Auth, Profiling, Posture):
  Platform   Endpoints
  3315       3000
  3355       6000
  3395       10000
  VM         TBD
Distributed Deployment: Admin + Monitoring Co-located
2 x Admin+Mon nodes; max 5 Policy Service nodes; max 50k endpoints (3395)
Distributed Deployment: Admin + Policy Svc, Dedicated Monitoring
Not tested
Distributed Deployment: Dedicated Admin, Dedicated Monitoring
2 x Admin nodes; 2 x Monitoring nodes; max 40 Policy Service nodes; max 100,000 endpoints
Performance - Authentications
Dedicated Policy Services Node, auths/sec:
  PAP/ASCII          1431
  EAP-MD5            600
  EAP-TLS            335 internal, 124 LDAP
  LEAP               455
  MSCHAPv1           1064 internal, 361 AD
  MSCHAPv2           1316 internal, 277 AD
  PEAP-MSCHAPv2      181
  PEAP-GTC           196 AD, 188 LDAP
  FAST-MSCHAPv2      192
  FAST-GTC           222
  Guest (web auth)   17
  Posture (3315)     70
  Posture (3355)     70
  Posture (3395)     110
Profiling Performance
Policy Services node performing only profiling, events/sec:
  3315   500
  3355   500
  3395   1200
  VM     TBD
Monitoring Node Performance
  Max syslogs (3395)        1000/sec
  Max sessions per day      2 million
  Authentications per day   2 million
  Max stored alarms         5000
Inline Posture Node Performance
  Endpoints (3315/3355)   5-10k
  Throughput              936 Mbps
Bandwidth Requirements (minimum bandwidth between node types)
  Policy Svcs and Monitoring           1 Mbps
  Admin and Monitoring                 256 Kbps
  Endpoint and Policy Svcs (posture)   125 bps per endpoint
  Redundant Monitoring pair            256 Kbps
  Admin and Policy Svcs                256 Kbps
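Added example, not part of the Cisco deck: a capacity check that applies the sizing figures from the slides above (endpoints per dedicated Policy Service node, auths/sec per method, deployment-model limits, posture bandwidth per endpoint) to a planned endpoint count and authentication mix. Summing per-method node utilisation into one node count is my own simplification, not a Cisco sizing rule, and the sample inputs are constructed.

```python
import math

# Figures transcribed from the ISE design slides above.
ENDPOINTS_PER_PSN = {"3315": 3000, "3355": 6000, "3395": 10000}  # all services
AUTHS_PER_SEC = {  # dedicated Policy Service node, auths/sec
    "PAP/ASCII": 1431, "EAP-MD5": 600, "EAP-TLS internal": 335, "EAP-TLS LDAP": 124,
    "LEAP": 455, "MSCHAPv1 internal": 1064, "MSCHAPv1 AD": 361,
    "MSCHAPv2 internal": 1316, "MSCHAPv2 AD": 277, "PEAP-MSCHAPv2": 181,
    "PEAP-GTC AD": 196, "PEAP-GTC LDAP": 188, "FAST-MSCHAPv2": 192, "FAST-GTC": 222,
    "Guest (web auth)": 17,
}
POSTURE_BPS_PER_ENDPOINT = 125
# (model, max Policy Service nodes, max endpoints), smallest model first.
MODELS = [
    ("Standalone / Dual Node", 1, 2000),
    ("Distributed: Admin+Monitoring co-located", 5, 50_000),
    ("Distributed: dedicated Admin, dedicated Monitoring", 40, 100_000),
]


def psn_count(endpoints, platform, auth_mix):
    """Dedicated Policy Service nodes needed for an endpoint count and an
    expected steady-state auth mix ({method: auths/sec}).  Each method's rate
    is turned into a fraction of one node and the fractions are summed (my
    simplification), so a node serving several methods is not double counted."""
    by_endpoints = math.ceil(endpoints / ENDPOINTS_PER_PSN[platform])
    utilisation = sum(rate / AUTHS_PER_SEC[m] for m, rate in auth_mix.items())
    by_auth = max(1, math.ceil(utilisation))
    return max(by_endpoints, by_auth)


def plan(endpoints, platform, auth_mix):
    """Return (model, psn_nodes, posture_bps) for the smallest deployment model
    on the slides that fits, or None if the deployment exceeds the largest one."""
    psn = psn_count(endpoints, platform, auth_mix)
    for name, max_psn, max_endpoints in MODELS:
        if psn <= max_psn and endpoints <= max_endpoints:
            return name, psn, endpoints * POSTURE_BPS_PER_ENDPOINT
    return None


if __name__ == "__main__":
    # Constructed input: 12k endpoints on 3355 appliances, mostly PEAP.
    print(plan(12_000, "3355", {"PEAP-MSCHAPv2": 100, "MSCHAPv2 AD": 50}))
```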
Administration HA and Synchronization
Changes made via the Primary Administration DB are automatically synced to the Secondary Administration node and all Policy Service nodes.
Diagram: Admin User connected to Admin Node (Primary); Policy Sync from the Primary Admin node to Admin Node (Secondary) and to three Policy Service nodes; Logging from the nodes to Monitoring Node (Primary) and Monitoring Node (Secondary).
Administration HA and Synchronization (cont.)
Upon failure of the Primary Administration node, the admin user can connect to the Secondary Administration node; all changes made via the backup Administration node are automatically synced to all Policy Service nodes.
The Secondary Administration node must be manually promoted to be Primary.
Diagram: Admin Node (Primary) marked failed (X); Admin User connected to Admin Node (Secondary -> Primary); Policy Sync to three Policy Service nodes; Logging to Monitoring (Primary) and Monitoring (Secondary).
Monitoring - Distributed Log Collection
ISE supports distributed log collection across all nodes to optimize local data collection, aggregation, and centralized correlation and storage.
A Local Collector Agent process runs on each ISE node and collects logs locally from the node itself and from any NAD configured to send logs to that node (Policy Services).
The Local Collector buffers and transports the collected data to the designated ISE Monitoring node(s) as Syslog; once Monitoring nodes are globally defined via Admin, ISE nodes automatically send logs to one or both configured Monitoring nodes.
Diagram: NADs send Netflow, SNMP and Syslog to Policy Services nodes (Collector Agent), which forward to Monitoring (Collector); External Log Servers are also shown.
Policy Service Node Scaling and Redundancy
NADs can be configured with redundant RADIUS servers (Policy Service nodes). Policy Service nodes can also be configured in a cluster, or node group, behind a load balancer; NADs then send requests to the LB virtual IP for Policy Services.
Policy Service nodes in a node group maintain a heartbeat to verify member health.
Diagram: Network Access Devices (Switches) with AAA connections through Load Balancers to a Policy Services Node Group; Policy Replication between the Administration Nodes (Primary, Secondary) and the node group.
Inline Posture Node High Availability: VPN Detailed Example
Diagram: VPN User on the Internet reaching redundant ASAs (via ISP A / ISP B, Internet Routers and External Switches; ASA FO Link and State Link); the ASA vpn interface feeds the ISE Inline ACTIVE and STANDBY pair (eth0/eth1 carrying the Inline Service IPs, eth2 as HB Link); the pair connects through L3 Switches to the Internal Network; the ASA inside interface sits on VLAN 14.
VLANs:
  VLAN 11: ASA VPN; Inline node untrusted
  VLAN 12: Inline node trusted
  VLAN 13: Inline Heartbeat Link
  VLAN 14: ASA Inside
  VLAN 15: Internal Network
Trunk: VLANs 11-15
ASA HA: A/S or VPN Cluster
VPN Client HA: VPN to single ASA HA IP or VPN Cluster IP
Inline Posture Node High Availability
- The HA link is used to exchange heartbeat messages to check the status of the mutual peer.
- The HA link is a dedicated, highly reliable Layer 2 connection between failover pairs; it can be a LAN crossover cable, but a dedicated VLAN connection is recommended.
- Multiple HA links can be configured; as long as heartbeat messages are received over at least one HA link, the peer is considered healthy.
- Inline Posture Node HA supports link detection to allow failover to occur if the active Inline Posture Node detects loss of network connectivity while the Standby does not; this prevents a traffic black hole due to other network failures.
- In case of failure, the Standby Inline Posture Node assumes ownership of the service IP and sends gratuitous ARPs out each interface to notify gateways of the change.
- HA failover is stateless, so all active sessions need to be re-authorized upon FO. The Standby Inline Posture Node will auto-fetch session state/policy as needed.
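The failover rules on this slide as an added example (my own model, not ISE code): an Active/Standby Inline Posture pair that decides when the Standby takes over and what happens to sessions. Interface names (eth0/eth1 for the service IPs, eth2/eth3 as HA links) follow the deployment checklist later in the deck; node names, link states and sessions are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class InlinePair:
    """HA pair of Inline Posture Nodes, with link state as seen by the Standby."""
    active: str
    standby: str
    heartbeat_ok: dict = field(default_factory=dict)  # HA link -> heartbeat seen?
    active_network_up: bool = True    # link detection result on the Active node
    standby_network_up: bool = True   # link detection result on the Standby node
    interfaces: tuple = ("eth0", "eth1")  # interfaces carrying the service IPs
    service_ip_owner: str = ""


def peer_healthy(pair):
    """The Active peer counts as healthy while heartbeats arrive on at least one HA link."""
    return any(pair.heartbeat_ok.values())


def failover_reason(pair):
    """Why the Standby should take over, or None: the two triggers on the slide."""
    if not peer_healthy(pair):
        return "no heartbeat from Active on any HA link"
    if not pair.active_network_up and pair.standby_network_up:
        return "Active lost network connectivity while Standby did not"
    return None


def failover(pair, sessions):
    """Apply a failover: the Standby takes the service IPs, announces them with a
    gratuitous ARP on each interface, and, because failover is stateless, every
    active session is marked for re-authorization.  Returns None when no
    trigger applies, else (reason, garp_announcements, session_states)."""
    reason = failover_reason(pair)
    if reason is None:
        return None
    pair.active, pair.standby = pair.standby, pair.active
    pair.service_ip_owner = pair.active
    garps = [f"gratuitous ARP for service IP on {ifc}" for ifc in pair.interfaces]
    return reason, garps, {s: "re-authorize" for s in sessions}


if __name__ == "__main__":
    # Constructed scenario: both HA links (eth2, eth3) stop carrying heartbeats.
    pair = InlinePair("ipep-A", "ipep-B", {"eth2": False, "eth3": False},
                      service_ip_owner="ipep-A")
    print(failover(pair, ["vpn-sess-1", "vpn-sess-2"]))
```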
ISE Node HA / Scalability Summary
Node: External Attribute Store
  HA Scheme: Vendor-Specific
  Auto Failover? Vendor-Specific
  Notes: Examples: AD clusters; redundant LDAP servers; distributed domains and servers.
Node: Administration
  HA Scheme: Active/Standby
  Auto Failover? No
  Notes: Secondary Admin Node must be manually promoted
Node: Policy Service
  HA Scheme: Node Groups (Policy Service Clusters); Redundant Policy Service config on NADs
  Auto Failover? Yes for established sessions; sessions in process of setup may require re-auth
  Notes: Node group: group together Policy Service nodes that reside in a single location behind a load balancer and share a common multicast address
Node: NAD
  HA Scheme: NAD-Specific
  Auto Failover? NAD-Specific
  Notes: Examples: Redundant Wireless Controllers
Node: Inline Posture Node
  HA Scheme: Active/Standby
  Auto Failover? Yes
  Notes: Clients re-auth to backup Inline Posture Node upon failover
Node: Monitoring
  HA Scheme: Active/Active
  Auto Failover? Yes
  Notes: One node serves as Primary; all ISE logs automatically sent to both HA Monitoring nodes. Any external loggers must be configured to log to both nodes.
Typical ISE Deployment: SMB (< 2k users) Example Topology
Diagram: Campus A (HQ) with WLC, 802.1X switches, ASA VPN, HA Inline Posture Nodes, Administration / Policy Service / Monitoring nodes and AD/LDAP (External ID/Attribute Store); Branch A and Branch B with APs and 802.1X switches.
- A/S Admin, Monitoring, Policy Service nodes
- Centralized Wired 802.1X Services
- Local VPN support at HQ via HA Inline Posture Nodes
- Centralized Wireless 802.1X Services for HQ and branch offices (centralized WLCs w/CoA)
- Centralized 802.1X Services for branch offices
Typical ISE Deployment: Medium Example Topology
Diagram: Campus A with WLC, 802.1X switches, ASA VPN, A/S Admin nodes + Policy Service Cluster, A/S Monitoring nodes, HA Inline Posture Nodes and AD/LDAP (External ID/Attribute Store); Campus B with WLC, 802.1X switches, a distributed Policy Service node and a distributed Inline Posture Node; Branch A and Branch B with APs and 802.1X switches.
- Active/Standby Admin/Monitoring
- Centralized Wired 802.1X Services for HQ and Branches
- Distributed Policy Service nodes and Inline Posture Node services in secondary campus
- VPN/Wireless (non-CoA) support at both campuses via HA Inline Posture Nodes
Typical ISE Deployment: Enterprise (< 100k) Example Topology
Diagram: Data Center A and DC B hosting Admin (P) / Admin (S), Monitor (P) / Monitor (S), a Policy Services Cluster, Distributed Policy Services, HA Inline Posture Nodes, ASA VPN, WLCs, 802.1X switches and AD/LDAP (External ID/Attribute Store); Branch A and Branch B with APs, WLC and 802.1X switches.
- Redundant, Dedicated Administration and Monitoring split across Data Centers (P=Primary / S=Secondary)
- Policy Service Cluster for Wired/Wireless 802.1X Services at HQ
- Distributed Policy Service clusters for larger campuses
- Distributed Wired/Wireless 802.1X for Branches
- VPN/Wireless (non-CoA) at HQ via HA Inline Posture Nodes
Tips/Recommendations
- Create the secondary Admin node before adding Policy Svc nodes; otherwise a restart of the Policy Svc nodes is required
- Node groups should be L2 adjacent
- Posture assessment is CPU intensive, so it will benefit from powerful Policy Svc nodes (3315)
- Avoid co-locating Policy Svc and Monitoring where possible
- Have dedicated Monitoring nodes where possible
- Profiling requires maintenance of L2 info, e.g. the HTTP SPAN probe requires L2 adjacency (alternatively use RSPAN); fixed in 1.0MR (August 2011)
Tips/Recommendations (Continued)
- Time Synchronization: always configure synchronized time at installation; use UTC across nodes and network devices for consistent correlation/reporting
- Active Directory integration: critical to have time synchronization with the AD infrastructure; DNS availability is required for AD name resolution
Deployment Strategy (phases)
  Visibility: ISE Installation; NAD Configuration; Profiling; Monitor
  Classification: Agentless (MAB/Profiling) for unmanaged endpoints; WebAuth; Managed (802.1X); Posture for desktop OSes
  Enforcement: Assessment; Segmentation
  Production: Availability; Performance; Operations
Security: Protocols & Ports
Feature, Service or Protocol and its ports (the original table also marks which node personas each applies to: PAP, MnT, PDP, iPEP):
  SSH                              TCP:22
  DHCP Traffic Probe (Profiler)    UDP:67/68
  Administration WebApp            TCP:80/443
  SNMP Agent                       UDP:161
  SNMP Trap Probe (Profiler)       UDP:162
  Stream Oracle DB Listener        UDP:1521
  RADIUS Authentication            UDP:1645, UDP:1812
  RADIUS Accounting                UDP:1646, UDP:1813
  RADIUS CoA                       UDP:1700
  WebAuth Portal                   TCP:8080, TCP:8443 (Sponsor only)
  NetFlow Receiver (configurable)  UDP:9993
  JMX (until FCS)                  TCP:9999
  Posture Agent (HTTPS)            TCP/UDP:8905, TCP/UDP:8906
  Syslog Receiver                  UDP:20514
  Syslog Receiver                  UDP:30514
  Oracle AQ                        TCP:?
  PDP Heartbeat                    UDP:45588, UDP:45590
  API                              TCP:80/443
See ISE Hardware Installation Guide Appendix for most current info
Deployment Checklist (record DNS Name, IP Address, Protocols and Details for each item)
  Certificate Authorities            username:password
  DNS Servers                        UDP:63
  DHCP Servers                       UDP:?
  NTP Servers                        UDP:123
  FTP Servers                        TCP:21; username:password
  TFTP Servers                       UDP:69; username:password
  Proxy Servers (for Lab/Internet)   HTTP/S:#; username:password
  PXE (TFTP) Boot Servers            UDP:69
  Syslog Servers                     UDP:514
  PIPs                               Active Directory (AD) Domain: ; username:password
  PAPs                               HTTP (TCP:80), HTTPS (TCP:443); CLI: username:password; GUI: username:password; RADIUS Key: ________
  PDPs                               HTTP (TCP:80), HTTPS (TCP:443), RADIUS (UDP:1812), RADIUS (UDP:1813), CoA: 1700 & 3799; CLI: username:password; GUI: username:password; RADIUS Key: ________
  MnTs                               HTTP (TCP:80), HTTPS (TCP:443); CLI: username:password; GUI: username:password
  iPEPs                              eth0: trusted; eth1: untrusted; eth2: HA; eth3: HA
Deployment Checklist: Enforcement (Name and Enforcement Attributes: VLAN, ACL, SGA, timers, redirect URL, etc.)
  Employee-PrePosture    VLAN: ACCESS; ACL: Allow DHCP, DNS, NTP, TFTP; URL-Redirect: Client Provisioning / Posture
  Employee-PostPosture   VLAN: ACCESS; ACL: permit ip any any
  Guest-PrePosture       VLAN: ACCESS; ACL: permit ip any any; URL-Redirect: Client Provisioning / Posture
  Guest-PostPosture      VLAN: ACCESS; ACL: Internet-Only
  Phone                  VLAN: VOICE; cisco-av-pair = device-traffic-class=voice
  ...
  Default                VLAN: ACCESS; ACL: Allow DHCP, DNS, NTP, TFTP; URL-Redirect: WebAuth