Techrunner

asked on

ISE Deployment for Multiple Sites.

We have 6 sites and each site has its own Active Directory domain (child domain), 3000 endpoints, and 2 WLCs. Sites are connected to the central location through IPSec VPN with 50-60 ms latency.
We are planning to deploy Cisco ISE. ISE will be for 802.1x authentication (wired/wireless), BYOD, Guest Captive Portal, and Posture Assessment. In addition, we will also host DNAC at the central site for assurance only.

The question is how the ISE node should be distributed and deployed. What are the best deployment methods and practices?
Sreejith Vanjipattu

The best practice is to configure 2 Nodes as PAN on the main location and each site with 2 x PSN (if you have the budget).
Configure AD on the PAN and sync AD time with all nodes. Make sure the NTP is configured the same as AD, else it could cause trouble with authentication.


Techrunner

ASKER

Hi Sreejith,

  • So I can have multiple ADs on ISE?
  • What about the Monitoring node? Will I place it at the central location?
  • What do I need to consider in terms of WAN bandwidth requirements with 2 PAN + 2 PSN + MnT at the central location and 2 PSN at each remote location?
  • What about integration of wireless controllers with ISE?
  • Which appliances will best fit my given needs?
SOLUTION
Sreejith Vanjipattu

I got this reply from Cisco; it doesn't make sense to me:

    1. As you would need a separate node for each function (PAN, MNT and PSN), due to the number of PSN and pxGrid nodes required
    2. So, at the central site 4 admin nodes (PAN/MNT) and 1 or 2 PSN nodes are to be deployed.
    3. As I understand, DNAC integration is expected, so additionally ISE pxGrid nodes would be deployed (+1 or 2 pxGrid nodes). Note that for hybrid deployment a dedicated pxGrid node counts towards the 5 secondary nodes maximum (=> 4PSN+1pxGrid or 3+2), but it is possible to co-locate pxGrid nodes with PAN+MNT nodes to have 5 PSN nodes.
So, the total number of nodes required at the central site is 6 to 8, depending on redundancy for PSN and pxGrid nodes. Plus 1 node for each remote location.
Cisco has suggested the best practical solution to you. I would suggest you go for it if you have the budget.
We don't have the budget to deploy 6-8 nodes on a central location.
Any further suggestion?
The AD bit is fine - you can join multiple AD domains (up to around 50) from ISE, or you can use domain trusts - whichever you prefer.

For 3000 clients and everything going back to the central site it seems like overkill to go with a 6-8 node deployment although it would perform better. Sure you have 802.1x, pxGrid and posture in mind but still boxes should be able to deal with that, especially the 3755 or 3795 appliance (or appropriately-sized VMs). Cisco are advising based on a highly resilient solution, and that's fine, but practically it's probably unnecessary.

If it was me I would put everything in the central site:

2x ISE running all personas (or 4x ISE - 2x PAN/MnT and 2x PSN/pxGrid)
2x WLC in HA-SSO (also an anchor WLC if you want to secure Guest as per best practice)
APs in Flexconnect mode with "corporate" SSID doing local switching and Guest doing central switching.
Just to clarify, we have 3000 endpoints at every remote site and the central site has 5000+ endpoints, hence for that reason we would need a PSN at every site.
As per Cisco, at the central location every function will require a separate node (PAN+PSN+MNT) and a remote site will need 1 or 2 PSN nodes.
Any further help, please?
ASKER CERTIFIED SOLUTION

Thanks for the detailed recommendation.
We will be integrating ISE with DNAC. DNA will be placed at the central site. Then how many nodes would I need at HQ?
For the licensing part, I have to buy licenses for each PSN service for the respective sites. For example, I have 3000 endpoints and 1000 device posture per site that will be authenticating against the local PSN. I would have 2 PSN at each site.
So I would separate licenses per site.

SOLUTION

Thanks, the licensing part is crystal clear.

As per Cisco, for DNAC and ISE integration, we need separate pxGrid nodes. That's why they mentioned we need 8 nodes at the central location (2x PSN, 2x PAN, 2x MNT, 2x pxGrid) and 2x PSN at each site. We don't have an issue installing 2 PSN at each branch site, but 8 nodes at HQ are out of our budget.
Any way to resolve this?
In addition to my above message, should we get physical or virtual appliances?
You can put the pxGrid role on a PSN. That would mean you need 2 fewer boxes at HQ, so you'd need 2x PAN, 2x MnT and 2x PSN/pxGrid. It's not as efficient as having dedicated nodes for each, but it is an acceptable deployment. I don't think it would have much impact on your deployment if you only have a couple of subscribers. If it's only DNAC it will be fine.

I'd go for virtuals if you have the resource available at each site, however physicals will ensure resources are dedicated to that node only. If you do go virtual make sure you reserve all the resources for each node you deploy.
Thanks

So our final setup would look as follows:

Central Location:

1. DNA Center
2. 2x PAN, 2x MNT, 2x PSN (for authenticating central location users only); pxGrid will be on the PSN nodes

Remote Site:

2x PSN per location.

I would like to add something here: all the PSN devices will be sending syslog messages to the MNT node at the central location. Hence, how much bandwidth would be required?
Sounds good although you could strip the 2nd PSN at each site and use HQ as a backup.

Bandwidth requirement is a few Meg. Nothing much. Latency is more important. Less than 300ms.
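A small plan checker, added here as an example and not part of the thread or of any Cisco tool, that encodes the rules raised above: two PAN and two MnT nodes, the 5-secondary-node cap quoted by Cisco for a hybrid deployment, a pxGrid persona present when DNAC is integrated, RTT to central under 300 ms, and every node using the same NTP source as AD. The plan data, node names and the NTP hostname are constructed placeholders.

```python
"""Sanity-check a Cisco ISE node plan against the rules raised in this thread (added example)."""
from collections import Counter

MAX_RTT_MS = 300             # node-to-node latency ceiling quoted in the thread
HYBRID_MAX_SECONDARIES = 5   # hybrid deployment: dedicated PSN + pxGrid nodes, per Cisco's reply


def validate_plan(plan):
    """Return a list of problems; an empty list means the plan passes every check."""
    issues = []
    all_nodes = [n for site in plan["sites"].values() for n in site["nodes"]]
    persona_count = Counter(p for n in all_nodes for p in n["personas"])
    # Redundancy: two PAN and two MnT nodes, as recommended in the thread.
    for persona in ("PAN", "MnT"):
        if persona_count[persona] < 2:
            issues.append(f"need 2 {persona} nodes, plan has {persona_count[persona]}")
    # Hybrid (PAN and MnT sharing a node) caps dedicated PSN/pxGrid secondaries.
    hybrid = any({"PAN", "MnT"} <= set(n["personas"]) for n in all_nodes)
    secondaries = [n for n in all_nodes if not {"PAN", "MnT"} & set(n["personas"])]
    if hybrid and len(secondaries) > HYBRID_MAX_SECONDARIES:
        issues.append(f"hybrid deployment allows {HYBRID_MAX_SECONDARIES} secondary nodes, "
                      f"plan has {len(secondaries)}: move PAN and MnT to dedicated nodes")
    # DNAC integration needs the pxGrid persona somewhere (dedicated or co-located).
    if plan.get("dnac") and persona_count["pxGrid"] == 0:
        issues.append("DNAC integration requested but no node carries pxGrid")
    ad_ntp = set(plan["ad_ntp"])
    for site_name, site in plan["sites"].items():
        if site["rtt_ms"] > MAX_RTT_MS:
            issues.append(f"{site_name}: {site['rtt_ms']} ms RTT to central exceeds {MAX_RTT_MS} ms")
        if not any("PSN" in n["personas"] for n in site["nodes"]):
            issues.append(f"{site_name}: no local PSN, authentication depends on the WAN to central")
        for n in site["nodes"]:   # every node must use the same time source as AD
            if set(n["ntp"]) != ad_ntp:
                issues.append(f"{n['name']}: NTP {sorted(n['ntp'])} differs from AD NTP {sorted(ad_ntp)}")
    return issues


def node(name, *personas, ntp=("ntp.corp.example",)):   # hostname is a constructed placeholder
    return {"name": name, "personas": list(personas), "ntp": list(ntp)}


def thread_final_plan():
    """The setup agreed at the end of the thread, as constructed sample data."""
    hq = [node("hq-pan1", "PAN"), node("hq-pan2", "PAN"), node("hq-mnt1", "MnT"), node("hq-mnt2", "MnT"),
          node("hq-psn1", "PSN", "pxGrid"), node("hq-psn2", "PSN", "pxGrid")]
    sites = {"HQ": {"rtt_ms": 0, "nodes": hq}}
    for i in range(1, 7):   # six remote sites, 50-60 ms to central, two PSNs each
        sites[f"site{i}"] = {"rtt_ms": 55, "nodes": [node(f"s{i}-psn1", "PSN"), node(f"s{i}-psn2", "PSN")]}
    return {"dnac": True, "ad_ntp": ["ntp.corp.example"], "sites": sites}
```

Running `validate_plan(thread_final_plan())` returns an empty list; swapping in two shared PAN/MnT nodes with six dedicated PSN/pxGrid nodes, or pointing one PSN at a different NTP server, makes it report the corresponding problem.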
Thanks
Any idea on the numbers for bandwidth, especially when the PSNs are sending logs to the MNT?
I just want to ensure we have proper bandwidth and infrastructure.

Appreciating your usual support.