
4.0_Design_v3

Date post: 17-Oct-2015
  • ISE Design Guidance

  • 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential Presentation_ID 2

    Standalone Deployment

    Maximum endpoints: 2000

    Diagram: one ISE node running Admin, Policy Service and Monitoring.

  • Dual Node Deployment

    Maximum endpoints: 2000 (redundant sizing: 2000)

    Diagram: two ISE nodes, each running Admin, Policy Service and Monitoring.

  • Endpoints Per Dedicated Policy Svcs

    All services (Auth, Profiling, Posture):

    Platform   Endpoints
    3315       3000
    3355       6000
    3395       10000
    VM         TBD

  • Distributed Deployment: Admin + Monitoring Co-located

    2 x Admin+Mon; max 5 Policy Service nodes; max 50k endpoints (3395)

    Diagram: two Admin+Mon nodes with up to five Policy Svcs nodes.

  • Distributed Deployment: Admin + Policy Svc, Dedicated Monitoring

    Not tested

    Diagram: Admin co-located with a Policy Svc node, a dedicated Mon node, and additional Policy Svcs nodes.

  • Distributed Deployment: Dedicated Admin, Dedicated Monitoring

    2 x Admin; 2 x Monitoring; max 40 Policy Service nodes; max 100,000 endpoints

    Diagram: dedicated Admin and Mon nodes with multiple Policy Svcs nodes.

  • Performance - Authentications

    Dedicated Policy Services node, auths/sec:

    PAP/ASCII          1431
    EAP-MD5            600
    EAP-TLS            335 internal, 124 LDAP
    LEAP               455
    MSCHAPv1           1064 internal, 361 AD
    MSCHAPv2           1316 internal, 277 AD
    PEAP-MSCHAPv2      181
    PEAP-GTC           196 AD, 188 LDAP
    FAST-MSCHAPv2      192
    FAST-GTC           222
    Guest (web auth)   17
    Posture (3315)     70
    Posture (3355)     70
    Posture (3395)     110

  • Profiling Performance

    Policy Services node performing only profiling:

    Platform   Events/sec
    3315       500
    3355       500
    3395       1200
    VM         TBD

  • Monitoring Node Performance

    Max syslogs (3395)        1000/sec
    Max sessions per day      2 million
    Authentications per day   2 million
    Max stored alarms         5000

  • Inline Posture Node Performance

    Endpoints (3315/3355)   5-10k
    Throughput              936 Mbps

  • Bandwidth Requirements

    Connection between                     Minimum bandwidth
    Policy Svcs and Monitoring             1 Mbps
    Admin and Monitoring                   256 Kbps
    Endpoint and Policy Svcs (posture)     125 bps per endpoint
    Redundant Monitoring pair              256 Kbps
    Admin and Policy Svcs                  256 Kbps
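As an added worked example (not code from the original deck), the following Python turns the sizing figures from the deployment slides and the bandwidth figures above into a planning helper: given an endpoint count and PSN platform, it picks the smallest tested deployment model and sizes the PSN links. The N+1 spare PSN, the "smallest model that fits" rule and the per-PSN link sizing are this example's assumptions, not statements from the slides.

```python
import math

# Sizing and bandwidth figures transcribed from the slides; the planner itself is an added example.
PSN_ENDPOINTS = {"3315": 3000, "3355": 6000, "3395": 10000}  # endpoints per dedicated PSN, all services
# (model, max endpoints, max Policy Service nodes, node layout), smallest first
MODELS = [
    ("standalone", 2000, 1, "1 node: Admin + Policy Service + Monitoring"),
    ("dual-node", 2000, 2, "2 nodes, each Admin + Policy Service + Monitoring"),
    ("distributed-small", 50_000, 5, "2 x Admin+Monitoring co-located, dedicated PSNs (3395)"),
    ("distributed-large", 100_000, 40, "2 x Admin, 2 x Monitoring, dedicated PSNs"),
]
PSN_MON_BPS = 1_000_000         # Policy Svcs <-> Monitoring
ADMIN_PSN_BPS = 256_000         # Admin <-> Policy Svcs
POSTURE_BPS_PER_ENDPOINT = 125  # Endpoint <-> Policy Svcs (posture)


def psn_count(endpoints, platform, spare=1):
    """Dedicated PSNs needed for `endpoints` on `platform`, plus `spare` for N+1.
    The N+1 spare is this example's assumption, not a figure from the slides."""
    return math.ceil(endpoints / PSN_ENDPOINTS[platform]) + spare


def plan_deployment(endpoints, platform="3395", redundant=True):
    """Pick the smallest tested model that fits and size its links.
    Returns None when the endpoint count exceeds the 100,000 tested maximum."""
    if endpoints <= 2000:
        # Up to 2000 endpoints fits on one all-in-one node, or two for redundancy.
        name, _, psns, layout = MODELS[1] if redundant else MODELS[0]
    else:
        psns = psn_count(endpoints, platform, spare=1 if redundant else 0)
        fits = [m for m in MODELS[2:] if endpoints <= m[1] and psns <= m[2]]
        if not fits:
            return None
        name, _, _, layout = fits[0]
    return {
        "model": name,
        "layout": layout,
        "policy_service_nodes": psns,
        # aggregate posture traffic between all endpoints and the PSNs
        "posture_bps": endpoints * POSTURE_BPS_PER_ENDPOINT,
        # assumption: every PSN needs its own 1 Mbps to Monitoring and 256 Kbps to Admin
        "psn_to_monitoring_bps": psns * PSN_MON_BPS,
        "admin_to_psn_bps": psns * ADMIN_PSN_BPS,
    }
```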

  • Administration HA and Synchronization

    Changes made via the Primary Administration DB are automatically synced to the Secondary Administration node and to all Policy Service nodes.

    Diagram: Admin User logs in to Admin Node (Primary); Policy Sync flows to Admin Node (Secondary) and to three Policy Service Nodes; Logging goes to Monitoring Node (Primary) and Monitoring Node (Secondary).

  • Administration HA and Synchronization (cont.)

    Upon failure of the Primary Administration node, the admin user can connect to the Secondary Administration node; all changes made via the backup Administration node are automatically synced to all Policy Service nodes.

    The Secondary Administration node must be manually promoted to Primary.

    Diagram: Admin Node (Primary) marked failed (X); Admin User connects to Admin Node (Secondary -> Primary), which performs Policy Sync to the Policy Service Nodes and Logging to Monitoring (Primary) and Monitoring (Secondary).

  • Monitoring - Distributed Log Collection

    ISE supports distributed log collection across all nodes to optimize local data collection, aggregation, and centralized correlation and storage.

    A Local Collector Agent process runs on each ISE node and collects logs locally from the node itself and from any NAD configured to send logs to that node (Policy Services).

    The Local Collector buffers and transports the collected data to the designated ISE Monitoring node(s) as Syslog; once Monitoring nodes are globally defined via Admin, ISE nodes automatically send logs to one or both configured Monitoring nodes.

    Diagram: NADs send Netflow, SNMP and Syslog to Policy Services nodes (Collector Agent), which forward to Monitoring (Collector); External Log Servers are also shown.

  • Policy Service Node Scaling and Redundancy

    NADs can be configured with redundant RADIUS servers (Policy Service nodes). Policy Service nodes can also be configured in a cluster, or node group, behind a load balancer; NADs then send requests to the LB virtual IP for Policy Services.

    Policy Service nodes in a node group maintain a heartbeat to verify member health.

    Diagram: Network Access Devices with an AAA connection through Switches and Load Balancers to a Policy Services Node Group; Policy Replication from Administration Node (Primary) and Administration Node (Secondary).

  • Inline Posture Node High Availability: VPN Detailed Example

    Diagram: VPN User reaches the Internet via ISP A / ISP B and Internet Routers; redundant ASAs (FO Link, State Link, ASA Redundant Links) with outside, inside and vpn interfaces; ISE Inline ACTIVE and ISE Inline STANDBY nodes (Inline Service IP on eth0 and eth1, eth2 as HB Link) sit between External Switches and L3 Switches on the Internal Network.

    VLANs:
    VLAN 11: ASA VPN; Inline node untrusted
    VLAN 12: Inline node trusted
    VLAN 13: Inline Heartbeat Link
    VLAN 14: ASA Inside
    VLAN 15: Internal Network
    Trunk: VLANs 11-15

    ASA HA: A/S or VPN Cluster
    VPN Client HA: VPN to single ASA HA IP or VPN Cluster IP

  • Inline Posture Node High Availability

    The HA link is used to exchange heartbeat messages to check the status of the mutual peer.

    The HA link is a dedicated, highly reliable Layer 2 connection between failover pairs; it can be a LAN crossover cable, but a dedicated VLAN connection is recommended.

    Multiple HA links can be configured; as long as heartbeat messages are received over at least one HA link, the peer is considered healthy.

    Inline Posture Node HA supports link detection to allow failover to occur if the active Inline Posture Node detects loss of network connectivity while the Standby does not; this prevents a traffic black hole due to other network failures.

    In case of failure, the Standby Inline Posture Node assumes ownership of the service IP and sends gratuitous ARPs out each interface to notify gateways of the change.

    HA failover is stateless, so all active sessions need to be re-authorized upon FO. The Standby Inline Posture Node will auto-fetch session state/policy as needed.
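As an added illustration (not the product's code), the following Python models the failover decision described on this slide: a peer is healthy while a heartbeat arrives on at least one HA link, the standby takes over when the active goes silent or reports a lost data link that the standby still has, and takeover means a gratuitous ARP per interface plus an empty session table. The heartbeat timeout value and the assumption that the active's link status rides inside its heartbeat are this example's, and all node states and addresses are constructed.

```python
from dataclasses import dataclass, field

# Seconds without a heartbeat before an HA link counts as dead (assumed; the slide gives no value).
HEARTBEAT_TIMEOUT = 3.0


@dataclass
class NodeState:
    """One Inline Posture Node's local view (constructed for this example)."""
    name: str
    last_heartbeat: dict = field(default_factory=dict)  # HA link -> time a heartbeat was last seen
    links_up: dict = field(default_factory=dict)        # data interface -> True if carrier present
    sessions: dict = field(default_factory=dict)        # session id -> policy; not replicated to peer


def peer_alive(node, now):
    """Peer is healthy while any HA link (eth2, eth3, ...) carried a heartbeat within the timeout."""
    return any(now - seen <= HEARTBEAT_TIMEOUT for seen in node.last_heartbeat.values())


def standby_should_take_over(standby, active_links, now):
    """Two triggers: the active is silent on every HA link, or link detection shows the
    active lost a data interface that the standby still has (avoids a traffic black hole).
    `active_links` is the active's links_up map, assumed to ride inside its heartbeat;
    pass None when no heartbeat is being received."""
    if not peer_alive(standby, now):
        return True
    if active_links is None:
        return False
    return any(not active_links.get(iface, True) and up for iface, up in standby.links_up.items())


def take_over(standby, service_ips):
    """Assume ownership of the service IPs: a gratuitous ARP per interface tells the gateways
    on each VLAN where the IP now lives. Failover is stateless, so the session table starts
    empty and clients are re-authorized when they next pass traffic."""
    standby.sessions.clear()
    return [f"gratuitous ARP for {ip} out {iface}" for iface, ip in service_ips.items()]
```

Losing every HA link while both nodes stay up is indistinguishable from a dead peer in this model, which is why the slide recommends more than one dedicated HA link.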

  • ISE Node HA / Scalability Summary

    Node: External Attribute Store
      HA Scheme: Vendor-Specific
      Auto Failover? Vendor-Specific
      Notes: Examples: AD clusters; redundant LDAP servers; distributed domains and servers.

    Node: Administration
      HA Scheme: Active/Standby
      Auto Failover? No
      Notes: Secondary Admin Node must be manually promoted.

    Node: Policy Service
      HA Scheme: Node Groups (Policy Service Clusters); redundant Policy Service config on NADs
      Auto Failover? Yes for established sessions; sessions in process of setup may require re-auth
      Notes: Node group: group together Policy Service nodes that reside in a single location behind a load balancer and share a common multicast address.

    Node: NAD
      HA Scheme: NAD-Specific
      Auto Failover? NAD-Specific
      Notes: Examples: Redundant Wireless Controllers.

    Node: Inline Posture Node
      HA Scheme: Active/Standby
      Auto Failover? Yes
      Notes: Clients re-auth to the backup Inline Posture Node upon failover.

    Node: Monitoring
      HA Scheme: Active/Active
      Auto Failover? Yes
      Notes: One node serves as Primary; all ISE logs are automatically sent to both HA Monitoring nodes. Any external loggers must be configured to log to both nodes.

  • Typical ISE Deployment: SMB (< 2k users) Example Topology

    Diagram: Campus A (WLC 802.1X with APs, ASA VPN, Switch 802.1X) plus Branch A and Branch B (AP and Switch 802.1X each); at Campus A: A/S Admin, Monitoring, Policy Service nodes, HA Inline Posture Nodes, and AD/LDAP (External ID/Attribute Store).

    A/S Admin, Monitoring, Policy Service nodes
    Centralized Wired 802.1X Services
    Local VPN support at HQ via HA Inline Posture Nodes
    Centralized Wireless 802.1X Services for HQ and branch offices (centralized WLCs w/CoA)
    Centralized 802.1X Services for branch offices

    Legend: Administration Node, Policy Service Node, Inline Posture Node, Monitoring Node, External ID/Attribute Store

  • Typical ISE Deployment: Medium Example Topology

    Diagram: Campus A (WLC with APs, ASA VPN, Switch 802.1X, A/S Admin nodes + Policy Service Cluster, A/S Monitoring nodes, HA Inline Posture Nodes, AD/LDAP External ID/Attribute Store); Campus B (WLC with APs, Switch 802.1X, Distributed Policy Service node, Distributed Inline Posture Node); Branch A and Branch B (AP, Switch 802.1X).

    Active/Standby Admin/Monitoring
    Centralized Wired 802.1X Services for HQ and Branches
    Distributed Policy Service nodes and Inline Posture Node services in secondary campus
    VPN/Wireless (non-CoA) support at both campuses via HA Inline Posture Nodes

  • Typical ISE Deployment: Enterprise (< 100k) Example Topology

    Diagram: Data Center A (Admin (P), Monitor (P), Policy Services Cluster, HA Inline Posture Nodes, WLC 802.1X with APs, ASA VPN, Switch 802.1X, AD/LDAP External ID/Attribute Store); DC B (Admin (S), Monitor (S), Distributed Policy Services, WLC 802.1X, Switch 802.1X, AD/LDAP External ID/Attribute Store); Branch A and Branch B (AP, Switch 802.1X).

    Redundant, Dedicated Administration and Monitoring split across Data Centers (P=Primary / S=Secondary)
    Policy Service Cluster for Wired/Wireless 802.1X Services at HQ
    Distributed Policy Service clusters for larger campuses
    Distributed Wired/Wireless 802.1X for Branches
    VPN/Wireless (non-CoA) at HQ via HA Inline Posture Nodes

  • Tips/Recommendations

    Create the secondary Admin node before adding Policy Svc nodes; otherwise a restart of the Policy Svc nodes is required.
    Node groups should be L2 adjacent.
    Posture assessment is CPU intensive, so it will benefit from powerful Policy Svc nodes (3315).
    Avoid co-locating Policy Svc and Monitoring where possible.
    Have dedicated Monitoring nodes where possible.
    Profiling requires maintenance of L2 info; e.g. the HTTP SPAN probe requires L2 adjacency (alternatively use RSPAN). Fixed in 1.0MR (August 2011).

  • Tips/Recommendations (Continued)

    Time Synchronization
    Always configure synchronized time at installation.
    Use UTC across nodes and network devices for consistent correlation/reporting.

    Active Directory integration
    Time synchronization with the AD infrastructure is critical.
    DNS availability is required for AD name resolution.

  • Deployment Strategy

    Phases:
    Visibility: ISE Installation, NAD Configuration, Profiling, Monitor
    Classification: Agentless (MAB/Profiling), Unmanaged (WebAuth), Managed (802.1X)
    Posture: Desktop OSes
    Enforcement: Assessment, Segmentation
    Production: Availability, Performance, Operations

  • Security: Protocols & Ports

    Original table columns: Feature, Service or Protocol; PAP; MnT; PDP; iPEP; Ports. Only the service and port columns survive in this transcript.

    Feature, Service or Protocol       Ports
    SSH                                TCP:22
    DHCP Traffic Probe (Profiler)      UDP:67/68
    Administration WebApp              TCP:80/443
    SNMP Agent                         UDP:161
    SNMP Trap Probe (Profiler)         UDP:162
    Stream Oracle DB Listener          UDP:1521
    RADIUS Authentication              UDP:1645, UDP:1812
    RADIUS Accounting                  UDP:1646, UDP:1813
    RADIUS CoA                         UDP:1700
    WebAuth Portal (Sponsor only)      TCP:8080, TCP:8443
    NetFlow Receiver (configurable)    UDP:9993
    JMX (until FCS)                    TCP:9999
    Posture Agent (HTTPS)              TCP/UDP:8905, TCP/UDP:8906
    Syslog Receiver                    UDP:20514
    Syslog Receiver                    UDP:30514
    Oracle AQ                          TCP:?
    PDP Heartbeat                      UDP:45588, UDP:45590
    API                                TCP:80/443

    See the ISE Hardware Installation Guide Appendix for the most current info.

  • Deployment Checklist

    Columns: Name, DNS Name, IP Address, Protocols, Details

    Certificate Authorities: username:password
    DNS Servers: UDP:63
    DHCP Servers: UDP:?
    NTP Servers: UDP:123
    FTP Servers: TCP:21; username:password
    TFTP Servers: UDP:69; username:password
    Proxy Servers (for Lab/Internet): HTTP/S:#; username:password
    PXE (TFTP) Boot Servers: UDP:69
    Syslog Servers: UDP:514
    PIPs: Active Directory (AD) Domain: ________; username:password
    PAPs: HTTP (TCP:80), HTTPS (TCP:443); CLI: username:password; GUI: username:password; RADIUS Key: ________
    PDPs: HTTP (TCP:80), HTTPS (TCP:443), RADIUS (UDP:1812), RADIUS (UDP:1813), CoA: 1700 & 3799; CLI: username:password; GUI: username:password; RADIUS Key: ________
    MnTs: HTTP (TCP:80), HTTPS (TCP:443); CLI: username:password; GUI: username:password
    iPEPs: eth0: trusted; eth1: untrusted; eth2: HA; eth3: HA

  • Deployment Checklist: Enforcement

    Name                   Enforcement Attributes (VLAN, ACL, SGA, timers, redirect URL, etc.)
    Employee-PrePosture    VLAN: ACCESS; ACL: Allow DHCP, DNS, NTP, TFTP; URL-Redirect: Client Provisioning / Posture
    Employee-PostPosture   VLAN: ACCESS; ACL: permit ip any any
    Guest-PrePosture       VLAN: ACCESS; ACL: permit ip any any; URL-Redirect: Client Provisioning / Posture
    Guest-PostPosture      VLAN: ACCESS; ACL: Internet-Only
    Phone                  VLAN: VOICE; cisco-av-pair = device-traffic-class=voice
    ...
    Default                VLAN: ACCESS; ACL: Allow DHCP, DNS, NTP, TFTP; URL-Redirect: WebAuth