Network Deployments in Cisco ISE
• Cisco ISE Network Architecture, page 1
• Cisco ISE Deployment Terminology, page 2
• Node Types and Personas in Distributed Deployments, page 3
• Standalone and Distributed ISE Deployments, page 5
• Distributed Deployment Scenarios, page 5
• Small Network Deployments, page 5
• Medium-Sized Network Deployments, page 7
• Large Network Deployments, page 8
• Deployment Size and Scaling Recommendations, page 11
• Inline Posture Planning Considerations, page 12
• Switch and Wireless LAN Controller Configuration Required to Support Cisco ISE Functions, page 13
Cisco ISE Network Architecture
Cisco ISE architecture includes the following components:
• Nodes and persona types
◦ Cisco ISE node—A Cisco ISE node can assume any or all of the following personas: Administration, Policy Service, Monitoring, or pxGrid
◦ Inline Posture node—A gatekeeping node that takes care of access policy enforcement
• Network resources
• Endpoints
The policy information point represents the point at which external information is communicated to the Policy Service persona. For example, external information could be a Lightweight Directory Access Protocol (LDAP) attribute.
Cisco Identity Services Engine Hardware Installation Guide, Release 1.3 1
The following figure shows Cisco ISE nodes and personas (Administration, Policy Service, and Monitoring), an Inline Posture node, and a policy information point.
Figure 1: Cisco ISE Architecture
Cisco ISE Deployment Terminology
This guide uses the following terms when discussing Cisco ISE deployment scenarios:
Service: A specific feature that a persona provides such as network access, profiling, posture, security group access, monitoring, and troubleshooting.
Node: An individual physical or virtual Cisco ISE appliance.
Node Type: A node can be one of two types: a Cisco ISE node or an Inline Posture node. The node type and persona determine the type of functionality provided by a node.
Persona: Determines the services provided by a node. A Cisco ISE node can assume any or all of the following personas: Administration, Policy Service, and Monitoring. The menu options that are available through the administrative user interface depend on the role and personas that a node assumes.
Role: Determines if a node is a standalone, primary, or secondary node and applies only to Administration and Monitoring nodes.
Node Types and Personas in Distributed Deployments
In a Cisco ISE distributed deployment, there are two types of nodes:
• Cisco ISE node (Administration, Policy Service, Monitoring)
• Inline Posture node
A Cisco ISE node can provide various services based on the persona that it assumes. Each node in a deployment, with the exception of the Inline Posture node, can assume the Administration, Policy Service, pxGrid, and Monitoring personas. In a distributed deployment, you can have the following combination of nodes on your network:
• Primary and secondary Administration nodes for high availability
• A pair of Monitoring nodes for automatic failover
• One or more Policy Service nodes for session failover
• One or more pxGrid nodes for pxGrid services
• A pair of Inline Posture nodes for high availability
Administration Node
A Cisco ISE node with the Administration persona allows you to perform all administrative operations on Cisco ISE. It handles all system-related configurations that are related to functionality such as authentication, authorization, and accounting. In a distributed deployment, you can have a maximum of two nodes running the Administration persona. The Administration persona can take on the standalone, primary, or secondary role.
Policy Service Node
A Cisco ISE node with the Policy Service persona provides network access, posture, guest access, client provisioning, and profiling services. This persona evaluates the policies and makes all the decisions. You can have more than one node assume this persona. Typically, there would be more than one Policy Service node in a distributed deployment. All Policy Service nodes that reside in the same high-speed Local Area Network (LAN) or behind a load balancer can be grouped together to form a node group. If one of the nodes in a node group fails, the other nodes detect the failure and reset any URL-redirected sessions.
At least one node in your distributed setup should assume the Policy Service persona.
Monitoring Node
A Cisco ISE node with the Monitoring persona functions as the log collector and stores log messages from all the Administration and Policy Service nodes in a network. This persona provides advanced monitoring and troubleshooting tools that you can use to effectively manage a network and resources. A node with this persona aggregates and correlates the data that it collects, and provides you with meaningful reports. Cisco ISE allows you to have a maximum of two nodes with this persona, and they can take on primary or secondary roles for high availability. Both the primary and secondary Monitoring nodes collect log messages. In case the primary Monitoring node goes down, the secondary Monitoring node automatically becomes the primary Monitoring node.
At least one node in your distributed setup should assume the Monitoring persona. We recommend that you do not have the Monitoring and Policy Service personas enabled on the same Cisco ISE node. We recommend that the Monitoring node be dedicated solely to monitoring for optimum performance.
Inline Posture Node
An Inline Posture node is a gatekeeping node that is positioned behind network access devices such as wireless LAN controllers (WLCs) and VPN concentrators on the network. Inline Posture enforces access policies after a user has been authenticated and granted access, and handles change of authorization (CoA) requests that a WLC or VPN is unable to accommodate. Cisco ISE allows you to have two Inline Posture nodes, and they can take on primary or secondary roles for high availability.
The Inline Posture node must be a dedicated node. It must be dedicated solely for Inline Posture service, and cannot operate concurrently with other Cisco ISE services. Likewise, due to the specialized nature of its service, an Inline Posture node cannot assume any persona. For example, it cannot act as an Administration node (offering administration service), or a Policy Service node (offering network access, posture, profile, and guest services), or a Monitoring node (offering monitoring and troubleshooting services).
Inline Posture is not supported on the Cisco SNS 3495 platform. Ensure that you install Inline Posture on any one of the following supported platforms:
• Cisco ISE 3315
• Cisco ISE 3355
• Cisco ISE 3395
• Cisco SNS 3415
Install an Inline Posture Node
Before You Begin
• Download the Inline Posture ISO image from Cisco.com
• Configure a certificate for it and register it with the primary Administration node
Procedure
Step 1 Install the Inline Posture ISO image on one of the supported platforms.
Step 2 Log into the CLI.
Step 3 Configure the certificates for the node.
Step 4 Log into the user interface of the primary Administration node.
Step 5 Register the Inline Posture node.
Inline Posture Node Reuse
If you decide that you no longer need an Inline Posture node, you cannot add any services or roles to it, but you can change it to a Cisco ISE node and then assign any persona to it. If you want to reuse an Inline Posture node, you must first deregister it and then reimage the appliance and install Cisco ISE on it.
Standalone and Distributed ISE Deployments
A deployment that has a single Cisco ISE node is called a standalone deployment. This node runs the Administration, Policy Service, and Monitoring personas.
A deployment that has more than one Cisco ISE node is called a distributed deployment. To support failover and to improve performance, you can set up a deployment with multiple Cisco ISE nodes in a distributed fashion. In a Cisco ISE distributed deployment, administration and monitoring activities are centralized, and processing is distributed across the Policy Service nodes. Depending on your performance needs, you can scale your deployment. A Cisco ISE node can assume any of the following personas: Administration, Policy Service, and Monitoring. An Inline Posture node cannot assume any other persona, due to its specialized nature, and it must be a dedicated node.
Distributed Deployment Scenarios
• Small Network Deployments
• Medium-Sized Network Deployments
• Large Network Deployments
Small Network Deployments
The smallest Cisco ISE deployment consists of two Cisco ISE nodes with one Cisco ISE node functioning as the primary appliance in a small network.
The primary node provides all the configuration, authentication, and policy capabilities that are required for this network model, and the secondary Cisco ISE node functions in a backup role. The secondary node supports the primary node and maintains a functioning network whenever connectivity is lost between the primary node and network appliances, network resources, or RADIUS.
Centralized authentication, authorization, and accounting (AAA) operations between clients and the primary Cisco ISE node are performed using the RADIUS protocol. Cisco ISE synchronizes or replicates all of the content that resides on the primary Cisco ISE node with the secondary Cisco ISE node. Thus, your secondary node is current with the state of your primary node. In a small network deployment, this configuration model allows you to configure both your primary and secondary nodes on all RADIUS clients.
Figure 2: Small Network Deployment
As the number of devices, network resources, users, and AAA clients increases in your network environment, you should change your deployment configuration from the basic small model and use more of a split or distributed deployment model.
Split Deployments
In split Cisco ISE deployments, you continue to maintain primary and secondary nodes as described in a small Cisco ISE deployment. However, the AAA load is split between the two Cisco ISE nodes to optimize the AAA workflow. Each Cisco ISE appliance (primary or secondary) needs to be able to handle the full workload if there are any problems with AAA connectivity. Neither the primary node nor the secondary node handles all AAA requests during normal network operations because this workload is distributed between the two nodes.
The ability to split the load in this way directly reduces the stress on each Cisco ISE node in the system. In addition, splitting the load provides better loading while the functional status of the secondary node is maintained during the course of normal network operations.
In split Cisco ISE deployments, each node can perform its own specific operations, such as network admission or device administration, and still perform all the AAA functions in the event of a failure. If you have two Cisco ISE nodes that process authentication requests and collect accounting data from AAA clients, we recommend that you set up one of the Cisco ISE nodes to act as a log collector.
In addition, the split Cisco ISE deployment design provides an advantage because it allows for growth.
Figure 3: Split Network Deployment
Medium-Sized Network Deployments
As small networks grow, you can keep pace and manage network growth by adding Cisco ISE nodes to create a medium-sized network. In medium-sized network deployments, you can dedicate the new nodes for all AAA functions, and use the original nodes for configuration and logging functions.
As the amount of log traffic increases in a network, you can choose to dedicate one or two of the secondary Cisco ISE nodes for log collection in your network.
Figure 4: Medium-Sized Network Deployment
Large Network Deployments
Centralized Logging
We recommend that you use centralized logging for large Cisco ISE networks. To use centralized logging, you must first set up a dedicated logging server that serves as a Monitoring persona (for monitoring and logging) to handle the potentially high syslog traffic that a large, busy network can generate.
Because syslog messages are generated for outbound log traffic, any RFC 3164-compliant syslog appliance can serve as the collector for outbound logging traffic. A dedicated logging server enables you to use the reports and alert features that are available in Cisco ISE to support all the Cisco ISE nodes.
You can also consider having the appliances send logs to both a Monitoring persona on the Cisco ISE node and a generic syslog server. Adding a generic syslog server provides a redundant backup if the Monitoring persona on the Cisco ISE node goes down.
Load Balancers
In large centralized networks, you should use a load balancer, which simplifies the deployment of AAA clients. Using a load balancer requires only a single entry for the AAA servers, and the load balancer optimizes the routing of AAA requests to the available servers.
However, having only a single load balancer introduces the potential for having a single point of failure. To avoid this potential issue, deploy two load balancers to ensure a measure of redundancy and failover. This configuration requires you to set up two AAA server entries in each AAA client, and this configuration remains consistent throughout the network.
Figure 5: Large Network Deployment
Dispersed Network Deployments
Dispersed Cisco ISE network deployments are most useful for organizations that have a main campus with regional, national, or satellite locations elsewhere. The main campus is where the primary network resides, is connected to additional LANs, ranges in size from small to large, and supports appliances and users in different geographical regions and locations.
Large remote sites can have their own AAA infrastructure for optimal AAA performance. A centralized management model helps maintain a consistent, synchronized AAA policy. A centralized configuration model uses a primary Cisco ISE node with secondary Cisco ISE nodes. We still recommend that you use a separate Monitoring persona on the Cisco ISE node, but each remote location should retain its own unique network requirements.
Figure 6: Dispersed Deployment
Considerations for Planning a Network with Several Remote Sites
• Verify if a central or external database is used, such as Microsoft Active Directory or Lightweight Directory Access Protocol (LDAP). Each remote site should have a synchronized instance of the external database that is available for Cisco ISE to access for optimizing AAA performance.
• The location of AAA clients is important. You should locate the Cisco ISE nodes as close as possible to the AAA clients to reduce network latency effects and the potential for loss of access that is caused by WAN failures.
• Cisco ISE has console access for some functions such as backup. Consider using a terminal at each site, which allows for direct, secure console access that bypasses network access to each node.
• If small, remote sites are in close proximity and have reliable WAN connectivity to other sites, consider using a Cisco ISE node as a backup for the local site to provide redundancy.
• Domain Name System (DNS) should be properly configured on all Cisco ISE nodes to ensure access to the external databases.
Deployment Size and Scaling Recommendations
The following table provides guidance on the type of deployment, number of Cisco ISE nodes, and the type of appliance (small, medium, large) that you need based on the number of endpoints that connect to your network.
Table 1: Cisco ISE Deployment—Size and Scaling Recommendations
(Columns: Deployment Type; Number of Nodes/Personas; Appliance Platform; Maximum Number of Dedicated Policy Service Nodes; Number of Active Endpoints)

Small
  Number of Nodes/Personas: Standalone or redundant (2) nodes with Administration, Policy Service, and Monitoring personas enabled
  Cisco ISE 3300 Series (3315, 3355, 3395): 0 dedicated Policy Service nodes; maximum of 2,000 endpoints
  Cisco ISE 3415: 0 dedicated Policy Service nodes; maximum of 5,000 endpoints
  Cisco ISE 3495: 0 dedicated Policy Service nodes; maximum of 10,000 endpoints

Medium
  Number of Nodes/Personas: Administration and Monitoring personas on single or redundant nodes. Maximum of 2 Administration and Monitoring nodes.
  Cisco ISE-3355 or Cisco SNS 3415 appliances for Administration and Monitoring personas: maximum of 5 dedicated Policy Service nodes; maximum of 5,000 endpoints
  Cisco SNS 3495 appliances for Administration and Monitoring personas: maximum of 5 dedicated Policy Service nodes; maximum of 10,000 endpoints

Large
  Number of Nodes/Personas: Dedicated Administration node/nodes (maximum of 2 Administration nodes). Dedicated Monitoring node/nodes (maximum of 2 Monitoring nodes). Dedicated Policy Service nodes (maximum of 40 Policy Service nodes).
  Cisco ISE 3395 appliances for Administration and Monitoring personas: maximum of 40 dedicated Policy Service nodes; maximum of 100,000 endpoints
  Cisco SNS 3495 appliances for Administration and Monitoring personas: maximum of 40 dedicated Policy Service nodes; maximum of 250,000 endpoints
The following table provides guidance on the type of appliance that you would need for a dedicated Policy Service node based on the number of active endpoints the node services.
Table 2: Policy Service Node Size Recommendations
Form Factor        Platform Size         Appliance                          Maximum Endpoints
Physical           Small                 Cisco ISE-3315                     3,000
Physical           Small                 Cisco SNS-3415                     5,000
Physical           Medium                Cisco ISE-3355                     6,000
Physical           Large                 Cisco ISE-3395                     10,000
Physical           Large                 Cisco SNS-3495                     20,000
Virtual Machine    Small/Medium/Large    Comparable to physical appliance   3,000 to 20,000
The following table provides the maximum throughput and the maximum number of endpoints that a single Inline Posture node can support.
Table 3: Inline Posture Node Sizing Recommendations
Maximum number of endpoints per physical appliance: 5,000 to 20,000 (gated by Policy Service nodes)
Maximum throughput per any physical appliance: 936 Mbps
Inline Posture Planning Considerations
A network or system architect must address the following basic questions when planning to deploy Inline Posture nodes:
• Will deployment plans include an Inline Posture primary-secondary pair configuration? Cisco ISE networks support up to two Inline Posture nodes configured on a network at any one time.
• What type of Inline Posture operating modes will you choose?
Caution: The untrusted interface on an Inline Posture node should be disconnected when an Inline Posture node is being configured. If the trusted and untrusted interfaces are connected to the same VLAN during initial configuration, and the Inline Posture node boots up after changing persona, multicast packet traffic gets flooded out of the untrusted interface. This multicast event can potentially bring down devices that are connected to the same subnet or VLAN. The Inline Posture node at this time is in the maintenance mode.
Caution: Do not change the CLI password for an Inline Posture node once it has been added to the deployment. If the password is changed, when you access the Inline Posture node through the Administration node, a Java exception error is displayed and the CLI gets locked. You need to recover the password by using the installation DVD and rebooting the Inline Posture node. Or, you can set the password to the original one.
If you need to change the password, then deregister the Inline Posture node from the deployment, modify the password, and then add the node to the deployment with the new credentials.
Switch and Wireless LAN Controller Configuration Required toSupport Cisco ISE Functions
To ensure that Cisco ISE can interoperate with network switches and that functions from Cisco ISE are successful across the network segment, you must configure your network switches with certain required Network Time Protocol (NTP), RADIUS/AAA, IEEE 802.1X, MAC Authentication Bypass (MAB), and other settings.
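As an added illustration of the switch-side settings this paragraph lists, and of the primary/secondary RADIUS server pairing and the two-AAA-server-entries advice in the small-network and load-balancer sections above, the following Cisco IOS configuration fragment is example configuration written for this edition; it is not from the guide or from Cisco. The addresses (RFC 5737 documentation range), the server and group names ISE-PSN-1, ISE-PSN-2 and ISE-GROUP, the interface, the VLAN number and the shared secret are placeholders to be replaced with site values.

```ios
! Example Cisco IOS switch configuration for Cisco ISE interoperation (added illustration,
! not from this guide or from Cisco). All addresses, names, VLAN numbers and the shared
! secret are placeholders.
!
! --- NTP: ISE correlates authentication and accounting records by time, so the switch
! and the ISE nodes must agree on the clock.
ntp server 192.0.2.1
!
! --- RADIUS servers: one entry per ISE node (primary and secondary) so the switch keeps
! authenticating when one node is unreachable. With two load balancers, these would be
! the two load-balancer addresses instead.
aaa new-model
radius server ISE-PSN-1
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key PLACEHOLDER-SHARED-SECRET
radius server ISE-PSN-2
 address ipv4 192.0.2.11 auth-port 1812 acct-port 1813
 key PLACEHOLDER-SHARED-SECRET
aaa group server radius ISE-GROUP
 server name ISE-PSN-1
 server name ISE-PSN-2
!
! Mark a server dead when it fails to answer within 5 seconds for 3 consecutive tries,
! and skip it for 10 minutes, so failover to the other entry is quick.
radius-server dead-criteria time 5 tries 3
radius-server deadtime 10
!
! --- AAA: authenticate 802.1X/MAB sessions against ISE, accept ISE authorization
! results (VLAN, dACL), and send accounting so the Monitoring persona sees sessions.
aaa authentication dot1x default group ISE-GROUP
aaa authorization network default group ISE-GROUP
aaa accounting dot1x default start-stop group ISE-GROUP
aaa accounting update newinfo periodic 2880
!
! --- Change of Authorization (RFC 5176): only the ISE nodes may push CoA requests
! such as reauthenticate or port bounce; any other source is refused.
aaa server radius dynamic-author
 client 192.0.2.10 server-key PLACEHOLDER-SHARED-SECRET
 client 192.0.2.11 server-key PLACEHOLDER-SHARED-SECRET
 auth-type any
!
! RADIUS attributes that ISE profiling and authorization rely on
! (NAS-Port-Type, Framed-IP-Address, Class, vendor-specific attributes).
radius-server attribute 6 on-for-login-auth
radius-server attribute 8 include-in-access-req
radius-server attribute 25 access-request include
radius-server vsa send authentication
radius-server vsa send accounting
!
! --- 802.1X must be enabled globally; per-port settings do nothing without it.
dot1x system-auth-control
!
! --- Access port: try 802.1X first, fall back to MAB for endpoints without a
! supplicant. The reauthentication interval is taken from the ISE Session-Timeout.
interface GigabitEthernet1/0/1
 description Access port controlled by ISE (placeholder)
 switchport mode access
 switchport access vlan 10
 authentication host-mode multi-auth
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 mab
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
```

The RADIUS, AAA, CoA and NTP settings are global and are applied once per switch; the interface section is repeated on every access port that ISE should control. The two CoA client lines matter for the failover design: if only the primary node is listed, a CoA issued while the secondary is serving requests is silently dropped by the switch. The corresponding wireless LAN controller settings are not shown here.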