
Both Cisco ISE Nodes run all services for redundancy. They support up to 2000 endpoints (Figure A2).

Figure A2 A Simple, 2-Node Distributed ISE Deployment for Redundancy

Distributed Deployment, Up to 10,000 Endpoints

The “Administrative” personas (Administration and Monitoring) are shared on the same nodes, while Policy Service runs on dedicated nodes (Figure A3):

• Two Cisco ISE Nodes for Admin + Monitoring functions

• Up to Five Policy Service Nodes

Figure A3 A Distributed ISE Deployment for Scaling

Distributed Deployment, Up to 100,000 Endpoints

Each persona runs on its own dedicated Cisco ISE nodes (Figure A4):

• Two Admin nodes

• Two Monitoring Nodes

• Up to 40 Policy Service Nodes

Figure A4 Maximum ISE 1.0 Distributed Deployment

Figure A5 Policy Service Sizing and Performance

Platform         Max Endpoints   Max Profiler Events
Physical 3315    3,000           500/sec
Physical 3355    6,000           500/sec
Physical 3395    10,000          1200/sec
Virtual VM       10,000 *        TBD

* Sizing guidance based on matching/exceeding specification of the physical appliance.

Figure A6 Policy Service Node Performance (authentications/second)

Authentications - Dedicated PSN   Auths/sec
PAP/ASCII                         1431
EAP-MD5                           600
EAP-TLS                           335 internal, 124 LDAP
LEAP                              455
MSCHAPv1                          1064 internal, 361 AD
MSCHAPv2                          1316 internal, 277 AD
PEAP-MSCHAPv2                     181

Figure A7 Monitoring Node Performance

Max syslogs (3395)        1000/sec
Max sessions per day      2 million
Authentications per day   2 million
Max stored alarms         5000

Figure A8 Bandwidth Requirements

Connection Between                        Minimum Bandwidth
Administration and Monitoring             256Kbps
Redundant Monitoring pair                 256Kbps
Policy Services and Administration        256Kbps
Policy Services and Monitoring            1 Mbps
Endpoint and Policy Services (posture)    125bps per endpoint
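A capacity-planning helper, added here as an example and not part of the Cisco guide, that applies the per-node endpoint limits (Figure A5), per-method authentication rates (Figure A6) and bandwidth figures (Figure A8) to a constructed endpoint mix; the re-authentication interval, the post-outage re-authentication window ("storm") and the N+1 spare node are assumptions of the example, not figures from the guide.

```python
import math

# Figures transcribed from the page's tables (ISE 1.0, dedicated Policy Service nodes).
PSN_MAX_ENDPOINTS = {"3315": 3000, "3355": 6000, "3395": 10000, "VM": 10000}
AUTHS_PER_SEC = {
    "PAP/ASCII": 1431, "EAP-MD5": 600, "EAP-TLS internal": 335, "EAP-TLS LDAP": 124,
    "LEAP": 455, "MSCHAPv1 internal": 1064, "MSCHAPv1 AD": 361,
    "MSCHAPv2 internal": 1316, "MSCHAPv2 AD": 277, "PEAP-MSCHAPv2": 181,
}
POSTURE_BPS_PER_ENDPOINT = 125        # endpoint <-> Policy Service (posture)
PSN_TO_MONITORING_BPS = 1_000_000     # 1 Mbps minimum per PSN-to-Monitoring link


def psn_load(mix, window_s):
    """Fraction of one PSN consumed if every endpoint in `mix` authenticates once
    within `window_s` seconds, weighting each method by its auths/sec figure."""
    return sum(count / window_s / AUTHS_PER_SEC[method] for method, count in mix.items())


def size_deployment(platform, mix, reauth_s=3600, storm_s=60, spare=1):
    """Size PSNs and bandwidth for an endpoint mix {auth method: endpoint count}.

    Steady state assumes each endpoint re-authenticates every `reauth_s` seconds.
    The storm case (assumption) models all endpoints re-authenticating inside
    `storm_s` seconds, e.g. after a switch stack or WLC reload; it is the case
    that usually decides the node count. `spare` adds N+1 nodes so that the
    figures still hold after one PSN is lost.
    """
    total = sum(mix.values())
    by_capacity = math.ceil(total / PSN_MAX_ENDPOINTS[platform])
    by_storm = math.ceil(psn_load(mix, storm_s))
    psns = max(by_capacity, by_storm) + spare
    return {
        "endpoints": total,
        "psns_by_capacity": by_capacity,
        "psns_by_storm": by_storm,
        "psns_total": psns,
        "steady_auths_per_sec": round(total / reauth_s, 2),
        "storm_auths_per_sec": round(total / storm_s, 1),
        "posture_bps": total * POSTURE_BPS_PER_ENDPOINT,
        "psn_monitoring_bps": psns * PSN_TO_MONITORING_BPS,
    }


if __name__ == "__main__":
    # Constructed example: 8,000 endpoints on 3355 appliances, mostly PEAP against AD.
    MIX = {"PEAP-MSCHAPv2": 6000, "EAP-TLS LDAP": 1500, "MSCHAPv2 AD": 500}
    for key, value in size_deployment("3355", MIX).items():
        print(f"{key:>22}: {value}")
```

For the constructed mix the endpoint limit (two 3355 nodes for 8,000 endpoints) dominates the authentication rate, so the result is three PSNs with one spare; shrinking the storm window or moving to slower methods flips that.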

Figure A9 Administration HA and Synchronization I

Changes made via the Primary administration node are automatically synchronized to the Secondary administration node and all ISE policy service nodes (PSNs).

Figure A10 Administration HA and Synchronization II

Upon failure of the Primary administration node, the admin user can connect to the Secondary administration node; all changes made via the backup administration node are automatically synchronized to all policy service nodes (PSNs).

The Secondary administration node must be manually promoted to Primary.


Figure A11 Monitoring – Distributed Log Collection

• ISE supports distributed log collection across all nodes to optimize local data collection, aggregation, and centralized correlation and storage.

• Each ISE node collects logs locally from itself; Policy Service nodes running Profiler Services may also collect log (profile) data from NADs.

• Each node buffers and transports collected data to each Monitoring node as Syslog.

• NADs may also send Syslog directly to the Monitoring node on UDP/20514 (External Log Targets: Syslog UDP/20514) for activity logging, diagnostics, and troubleshooting.

Figure A12 Policy Service Node (PSN) Scaling and Redundancy

• NADs can be configured with redundant RADIUS servers (Policy Service nodes).

• Policy Service nodes can also be configured in a cluster, or “node group”, behind a load balancer. NADs send requests to the LB virtual IP for Policy Services.

• Policy Service nodes in a node group maintain a heartbeat to verify member health.

Figure A13 Typical SMB-sized ISE Deployment (> 2,000 Endpoints)

Typical ISE Deployment: SMB (< 2k endpts), Example Topology

• Centralized Wired 802.1X Services

• Local VPN support at HQ via HA Inline Posture Nodes

• Centralized Wireless 802.1X Services for HQ and branch offices (centralized WLCs w/CoA)

• Centralized 802.1X Services for branch offices

Figure A14 Typical Medium-sized ISE Deployment (< 10,000 Endpoints)

Typical ISE Deployment: Medium (< 10k), Example Topology

• Centralized Wired 802.1X Services for HQ and Branches

• Distributed Policy Service nodes and Inline Posture Node services in secondary campus

• VPN/Wireless (non-CoA) support at both campuses via HA Inline Posture Nodes

Figure A15 Typical Enterprise-sized ISE Deployment (> 10,000 Endpoints)

Typical ISE Deployment: Enterprise (< 100k), Example Topology

• Redundant, Dedicated Administration and Monitoring split across Data Centers (P=Primary / S=Secondary)

• Policy Service Cluster for Wired/Wireless 802.1X Services at HQ

• Distributed Policy Service clusters for larger campuses

• Distributed Wired/Wireless 802.1X for Branches

• VPN/Wireless (non-CoA) at HQ via HA Inline Posture Nodes

Appendix B: References

• Cisco Unified Communications Manager 8 Security Configuration Guide:

http://www.cisco.com/en/US/docs/voice_ip_comm/cucm/cucos/8_0_1/cucos/iptpch6.html#wp1055278

• Cisco ISE 1.0 User Guide:

http://www.cisco.com/en/US/docs/security/ise/1.0.4/user_guide/ise104_user_guide.html

Switch Configuration Guides:

For more information about Cisco IOS Software, Cisco IOS XE Software, and Cisco NX-OS Software releases, please refer to the following URLs:

• For Cisco Catalyst 2900 series switches:

http://www.cisco.com/en/US/products/ps6406/products_installation_and_configuration_guides_list.html

• For Cisco Catalyst 3000 series switches:

http://www.cisco.com/en/US/products/ps7077/products_installation_and_configuration_guides_list.html

• For Cisco Catalyst 3000-X series switches:

http://www.cisco.com/en/US/products/ps10745/products_installation_and_configuration_guides_list.html

• For Cisco Catalyst 4500 series switches:

http://www.cisco.com/en/US/products/hw/switches/ps4324/products_installation_and_configuration_guides_list.html

• For Cisco Catalyst 6500 series switches:

http://www.cisco.com/en/US/products/hw/switches/ps708/products_installation_and_configuration_guides_list.html

• For Cisco ASR 1000 series routers:

http://www.cisco.com/en/US/products/ps9343/products_installation_and_configuration_guides_list.html

• For Cisco Wireless LAN Controllers:

http://www.cisco.com/en/US/docs/wireless/controller/7.0MR1/configuration/guide/wlc_cg70MR1.html

Related documents