Standalone Deployment
- Maximum endpoints: 2000
[Figure: a single ISE node running the Admin, Monitoring and Policy Service personas]
Presentation_ID
Cisco Confidential
[Figure: ISE node personas, with one Admin, two Monitoring and two Policy Service instances shown]
Distributed Deployment: Admin + Monitoring Co-located
- 2 x Admin+Mon
[Figure: two Admin+Monitoring nodes serving five Policy Service nodes]
Distributed Deployment: Admin + Policy Svc, Dedicated Monitoring
- Not tested
[Figure: two Admin+Policy Service nodes, two dedicated Monitoring nodes and five Policy Service nodes]
Distributed Deployment: Dedicated Admin, Dedicated Monitoring
- 2 x Admin
[Figure: two dedicated Admin nodes, two dedicated Monitoring nodes and five Policy Service nodes]
Performance - Authentications
Dedicated Policy Services Node, authentications per second:

  Method              Auths/sec
  PAP/ASCII           1431
  EAP-MD5             600
  EAP-TLS             335 internal, 124 LDAP
  LEAP                455
  MSCHAPv1            1064 internal, 361 AD
  MSCHAPv2            1316 internal, 277 AD
  PEAP-MSCHAPv2       181
  PEAP-GTC            196 AD, 188 LDAP
  FAST-MSCHAPv2       192
  FAST-GTC            222
  Guest (web auth)    17
  Posture (3315)      70
  Posture (3355)      70
  Posture (3395)      110

2010 Cisco and/or its affiliates. All rights reserved.
Profiling Performance
Policy Services node performing only profiling:

  Platform   Events/sec
  3315       500
  3355       500
  3395       1200
  VM         TBD
[Table: Max syslogs (3395), Max sessions per day, Authentications per day, Max stored alarms; values not recovered]
Bandwidth Requirements
[Table: bandwidth for the connection between Policy Svcs and Monitoring, Admin and Monitoring, the redundant Monitoring pair, and Admin and Policy Svcs; values not recovered]
[Figure: Admin User connected to the Admin Node (Primary), with Policy Sync to the Admin Node (Secondary)]
[Figure: Admin User and Admin Node (Primary); Logging to Monitoring (Primary) and Monitoring (Secondary), with one path marked X]
[Figure: Monitoring (Collector)]
Load Balancers

ASA Redundant Links
[Figure: ASA redundant links showing the FO Link, State Link and Internal Network]
VLANs:
- VLAN 11: ASA VPN; Inline node untrusted
- VLAN 12: Inline node trusted
- VLAN 13: Inline Heartbeat Link
- VLAN 14: ASA Inside
- VLAN 15: Internal Network
Notes
Redundancy by component:
- External Attribute Store: Vendor-Specific. Examples: AD clusters; redundant LDAP servers; distributed domains and servers.
- Administration: Active/Standby. Secondary Admin Node must be manually promoted.
- Policy Service: Node Groups (Policy Service Clusters); Redundant Policy Service config on NADs. Node group: group together Policy Service nodes that reside in a single location behind a load balancer and share a common multicast address.
- NAD: NAD-Specific. Examples: Redundant Wireless Controllers.
- Inline Posture Node: Active/Standby. Clients re-auth to backup Inline Posture Node upon failover.
- Monitoring: Active/Active. One node serves as Primary; all ISE logs automatically sent to both HA Monitoring nodes. Any external loggers must be configured to log to both nodes.
[Figure: Campus A with ASA VPN, WLC 802.1X, AP, Administration Node and Switch 802.1X; Branch A and Branch B each with an AP]
[Figure: Campus A (ASA VPN, Switch 802.1X, AP), Campus B (Switch 802.1X, AP), Branch A and Branch B (Switch 802.1X, AP)]
- Active/Standby Admin/Monitoring
- Centralized Wired 802.1X Services for HQ and Branches
- Distributed Policy Service nodes and Inline Posture Node services in secondary campus
- VPN/Wireless (non-CoA) support at both campuses via HA Inline Posture Nodes
[Figure: Data Center A (ASA VPN, WLC 802.1X, AP), DC B (AP), Branch A and Branch B (Switch 802.1X, AP)]
- Redundant, Dedicated Administration and Monitoring split across Data Centers (P=Primary / S=Secondary)
- Policy Service Cluster for Wired/Wireless 802.1X Services at HQ
- Distributed Policy Service clusters for larger campuses
- Distributed Wired/Wireless 802.1X for Branches
- VPN/Wireless (non-CoA) at HQ via HA Inline Posture Nodes
Tips/Recommendations
- Create secondary Admin node before adding Policy Svc nodes, otherwise a restart of Policy Svc nodes is required
- Node groups should be L2 adjacent
- Posture assessment is CPU intensive, so will benefit from powerful Policy Svc nodes (3315)
- Avoid co-locating Policy Svc and Monitoring where possible
- Have dedicated Monitoring nodes where possible
- Profiling requires maintenance of L2 info. E.g. HTTP SPAN probe requires L2 adjacency (alternatively use RSPAN); fixed in 1.0MR (August 2011)
Tips/Recommendations (Continued)
- Time Synchronization
  - Always configure synchronized time at installation
  - Use UTC across nodes and network devices for consistent correlation/reporting
Deployment Strategy
- Visibility: ISE Installation, NAD Configuration, Profiling, Monitor
- Classification: Agentless (MAB/Profiling), Unmanaged (WebAuth), Managed (802.1X)
- Enforcement: Assessment, Segmentation
- Production: Availability, Performance, Operations
Ports
Personas: PAP, MnT, PDP, iPEP
[Table: which of the following ports apply to each persona; the per-persona marks were not recovered]
TCP:22, UDP:67/68, TCP:80/443, UDP:161, UDP:162, UDP:1521, UDP:1645, UDP:1812, UDP:1646, UDP:1813, UDP:1700, TCP:8080, TCP:8443, UDP:9993, TCP:9999, TCP/UDP:8905, TCP/UDP:8906, UDP:20514, UDP:30514, TCP:?, UDP:45588, UDP:45590, TCP:80/443
See ISE Hardware Installation Guide Appendix for most current info
Deployment Checklist
Record for each item: DNS Name, IP Address, Protocols, Details (username:password).
- Certificate Authorities
- DNS Servers: UDP:63
- DHCP Servers: UDP:?
- NTP Servers: UDP:123
- FTP Servers: TCP:21
- TFTP Servers: UDP:69
- Proxy Servers (for Lab/Internet): HTTP/S:#
- PXE (TFTP) Boot Servers: UDP:69
- Syslog Servers: UDP:514
- PIPs: Active Directory (AD). Domain: username:password
- PAPs, PDPs, MnTs, iPEPs: HTTP (TCP:80), HTTPS (TCP:443); PDPs also RADIUS (UDP:1812), RADIUS (UDP:1813), CoA: 1700 & 3799; iPEPs also eth0: trusted, eth1: untrusted, eth2: HA, eth3: HA. Details: CLI: username:password; GUI: username:password; RADIUS Key: ________
[Table: authorization profiles Employee-PrePosture, Employee-PostPosture and Guest-PrePosture; the result cells below were recovered, but their assignment to profiles was not]
- VLAN: ACCESS; ACL: Allow DHCP, DNS, NTP, TFTP; URL-Redirect: Client Provisioning / Posture
- VLAN: ACCESS; ACL: permit ip any any
- VLAN: ACCESS; ACL: permit ip any any; URL-Redirect: Client Provisioning / Posture
- VLAN: ACCESS; ACL: Internet-Only
- VLAN: VOICE; cisco-av-pair = device-traffic-class=voice
- VLAN: ACCESS; ACL: Allow DHCP, DNS, NTP, TFTP; URL-Redirect: WebAuth