
ISE Design Guidance

Standalone Deployment
(Diagram: a single ISE node running the Admin, Monitoring and Policy Service personas.)
- Maximum endpoints: 2000


2010 Cisco and/or its affiliates. All rights reserved.

Cisco Confidential

Dual Node Deployment
(Diagram: two ISE nodes, each running the Admin, Monitoring and Policy Service personas.)
- Maximum endpoints: 2000
- Redundant sizing: 2000


Endpoints Per Dedicated Policy Service Node
All services (authentication, profiling, posture)

Platform    3315   3355   3395    VM
Endpoints   3000   6000   10000   TBD


Distributed Deployment: Admin + Monitoring Co-located
(Diagram: two Admin+Monitoring nodes and up to five Policy Service nodes.)
- 2 x Admin+Monitoring
- Max 5 Policy Service nodes
- Max 50k endpoints (3395)


Distributed Deployment: Admin + Policy Service Co-located, Dedicated Monitoring
(Diagram: two Admin+Policy Service nodes, two Monitoring nodes, and additional Policy Service nodes.)
- Not tested


Distributed Deployment: Dedicated Admin, Dedicated Monitoring
(Diagram: two Admin nodes, two Monitoring nodes, and Policy Service nodes.)
- 2 x Admin
- 2 x Monitoring
- Max 40 Policy Service nodes
- Max 100,000 endpoints


Performance - Authentications
Dedicated Policy Service node, authentications per second

Method             Auths/sec
PAP/ASCII          1431
EAP-MD5            600
EAP-TLS            335 internal, 124 LDAP
LEAP               455
MSCHAPv1           1064 internal, 361 AD
MSCHAPv2           1316 internal, 277 AD
PEAP-MSCHAPv2      181
PEAP-GTC           196 AD, 188 LDAP
FAST-MSCHAPv2      192
FAST-GTC           222
Guest (web auth)   17
Posture (3315)     70
Posture (3355)     70
Posture (3395)     110

Profiling Performance
Policy Service nodes performing only profiling

Platform     3315   3355   3395   VM
Events/sec   500    500    1200   TBD


Monitoring Node Performance

Max syslogs (3395)        1000/sec
Max sessions per day      2 million
Authentications per day   2 million
Max stored alarms         5000


Inline Posture Node Performance

Endpoints (3315/3355)   5-10k
Throughput              936 Mbps


Bandwidth Requirements

Connection between                    Minimum bandwidth
Policy Svcs and Monitoring            1 Mbps
Admin and Monitoring                  256 Kbps
Redundant Monitoring pair             256 Kbps
Admin and Policy Svcs                 256 Kbps
Endpoint and Policy Svcs (posture)    125 bps per endpoint
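To turn the sizing figures above (the deployment model limits, endpoints per dedicated Policy Service node, the Monitoring node's authentications-per-day limit and the posture bandwidth figure) into a plan check, here is an added Python example; it is not Cisco tooling, and the deployment model names and the plan's parameter list are this example's own assumptions:

```python
import math

# Endpoints per dedicated Policy Service node running all services (auth, profiling, posture)
PSN_ENDPOINTS = {"3315": 3000, "3355": 6000, "3395": 10000}

# Deployment model -> (max Policy Service nodes, max endpoints); None = listed as not tested
MODELS = {
    "standalone": (1, 2000),
    "dual-node": (1, 2000),
    "admin+mon-colocated": (5, 50000),
    "admin+psn-colocated": None,
    "dedicated-admin-mon": (40, 100000),
}
MNT_MAX_AUTHS_PER_DAY = 2_000_000  # Monitoring node limit
POSTURE_BPS_PER_ENDPOINT = 125     # endpoint <-> Policy Service (posture)


def psn_required(endpoints, platform):
    """Dedicated Policy Service nodes needed for the endpoint count (no N+1 spare added)."""
    return math.ceil(endpoints / PSN_ENDPOINTS[platform])


def posture_bandwidth_bps(endpoints):
    """Aggregate posture traffic between endpoints and the Policy Service nodes."""
    return endpoints * POSTURE_BPS_PER_ENDPOINT


def check_plan(model, platform, psn_count, endpoints, auths_per_day):
    """Return a list of findings; an empty list means the plan fits the quoted limits."""
    limits = MODELS[model]
    if limits is None:
        return [f"{model}: deployment model is listed as not tested"]
    findings = []
    max_psn, max_endpoints = limits
    if psn_count > max_psn:
        findings.append(f"{psn_count} Policy Service nodes exceeds max {max_psn} for {model}")
    if endpoints > max_endpoints:
        findings.append(f"{endpoints} endpoints exceeds max {max_endpoints} for {model}")
    # Per-node capacity applies to dedicated Policy Service nodes, not the co-located small models
    if model not in ("standalone", "dual-node"):
        need = psn_required(endpoints, platform)
        if psn_count < need:
            findings.append(f"{endpoints} endpoints on {platform} needs {need} Policy Service nodes, plan has {psn_count}")
    if auths_per_day > MNT_MAX_AUTHS_PER_DAY:
        findings.append(f"{auths_per_day} authentications/day exceeds Monitoring node max {MNT_MAX_AUTHS_PER_DAY}")
    return findings
```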


Administration HA and Synchronization

- Changes made via the Primary Administration DB are automatically synced to the Secondary Administration node and to all Policy Service nodes.
(Diagram: the Admin User connects to the Admin Node (Primary); Policy Sync flows from the Primary to the Admin Node (Secondary) and to each Policy Service Node; Logging from all nodes goes to the Monitoring Node (Primary) and the Monitoring Node (Secondary).)

Administration HA and Synchronization (cont.)

- Upon failure of the Primary Administration node, the admin user can connect to the Secondary Administration node; all changes made via the backup Administration node are automatically synced to all Policy Service nodes.
- The Secondary Administration node must be manually promoted to Primary.
(Diagram: the Admin Node (Primary) is marked failed (X); the Admin User connects to the Admin Node (Secondary -> Primary), which performs Policy Sync to the Policy Service Nodes; Logging continues to Monitoring (Primary) and Monitoring (Secondary).)

Monitoring - Distributed Log Collection

- ISE supports distributed log collection across all nodes to optimize local data collection, aggregation, and centralized correlation and storage.
- A Local Collector Agent process runs on each ISE node and collects logs locally from the node itself and from any NAD configured to send logs to that node (Policy Services).
- The Local Collector buffers and transports the collected data to the designated ISE Monitoring node(s) as Syslog; once the Monitoring nodes are globally defined via Admin, ISE nodes automatically send logs to one or both configured Monitoring nodes.
(Diagram: NADs send NetFlow, SNMP and Syslog to Policy Services (Collector Agent), which forward to Monitoring (Collector), which can relay to External Log Servers.)


Policy Service Node Scaling and Redundancy

- NADs can be configured with redundant RADIUS servers (Policy Service nodes).
- Policy Service nodes can also be configured in a cluster, or node group, behind a load balancer; NADs send requests to the load balancer virtual IP for Policy Services.
- Policy Service nodes in a node group maintain a heartbeat to verify member health.
(Diagram: Administration Node (Primary) and Administration Node (Secondary) perform Policy Replication to a Policy Services Node Group; Network Access Devices reach the node group through Load Balancers over the AAA connection.)



Inline Posture Node High Availability: VPN Detailed Example

(Diagram: an Internet VPN User reaches an ASA pair (ASA HA: A/S or VPN Cluster, joined by an FO Link and a State Link, with ASA Redundant Links) through ISP A and ISP B, each via an Internet Router and External Switch on the outside. VPN Client HA: VPN to the single ASA HA IP or VPN Cluster IP. The ASA vpn and inside interfaces connect through L3 Switches to the ISE Inline ACTIVE and ISE Inline STANDBY nodes over an Inline Trunk carrying Service VLANs 11-15; each Inline node uses eth0, eth1 and eth2 (HB Link) and shares the Inline Service IP, in front of the Internal Network.)

VLANs
- VLAN 11: ASA VPN; Inline node untrusted
- VLAN 12: Inline node trusted
- VLAN 13: Inline Heartbeat Link
- VLAN 14: ASA Inside
- VLAN 15: Internal Network


Inline Posture Node High Availability

- The HA link is used to exchange heartbeat messages to check the status of the mutual peer.
- The HA link is a dedicated, highly reliable Layer 2 connection between failover pairs; it can be a LAN crossover cable, though a dedicated VLAN connection is recommended.
- Multiple HA links can be configured; as long as heartbeat messages are received over at least one HA link, the peer is considered healthy.
- Inline Posture Node HA supports link detection to allow failover to occur if the active Inline Posture Node detects loss of network connectivity while the Standby does not; this prevents a traffic black hole due to other network failures.
- In case of failure, the Standby Inline Posture Node assumes ownership of the service IP and sends gratuitous ARPs out each interface to notify gateways of the change.
- HA failover is stateless, so all active sessions need to be re-authorized upon failover. The Standby Inline Posture Node will auto-fetch session state/policy as needed.


ISE Node HA / Scalability Summary

External Vendor-Specific Attribute Store
  HA scheme: Vendor-specific
  Auto failover: Vendor-specific
  Notes: Examples: AD clusters; redundant LDAP servers; distributed domains and servers.

Administration
  HA scheme: Active/Standby
  Auto failover: No
  Notes: Secondary Admin Node must be manually promoted.

Policy Service
  HA scheme: Node Groups (Policy Service Clusters); Redundant Policy Service config on NADs
  Auto failover: Yes for established sessions; sessions in process of setup may require re-auth
  Notes: Node group: groups together Policy Service nodes that reside in a single location behind a load balancer and share a common multicast address.

NAD
  HA scheme: NAD-specific
  Auto failover: NAD-specific
  Notes: Examples: Redundant Wireless Controllers.

Inline Posture Node
  HA scheme: Active/Standby
  Auto failover: Yes
  Notes: Clients re-auth to the backup Inline Posture Node upon failover.

Monitoring
  HA scheme: Active/Active
  Auto failover: Yes
  Notes: One node serves as Primary; all ISE logs are automatically sent to both HA Monitoring nodes. Any external loggers must be configured to log to both nodes.


Typical ISE Deployment: SMB (< 2k users)

Example Topology
- A/S Admin, Monitoring, Policy Service nodes
- Centralized Wired 802.1X Services
- Local VPN support at HQ via HA Inline Posture Nodes
- Centralized Wireless 802.1X Services for HQ and branch offices (centralized WLCs w/CoA)
- Centralized 802.1X Services for branch offices
(Diagram: Campus A hosts the ASA VPN behind HA Inline Posture Nodes, a WLC with 802.1X APs, 802.1X switches, the Administration Node, Monitoring Node and Policy Service Node, and the AD/LDAP External ID/Attribute Store; Branch A and Branch B each have 802.1X switches and APs served centrally.)


Typical ISE Deployment: Medium

Example Topology
- A/S Admin nodes + Policy Service Cluster
- A/S Monitoring nodes
- Active/Standby Admin/Monitoring
- Centralized Wired 802.1X Services for HQ and Branches
- Distributed Policy Service nodes and Inline Posture Node services in secondary campus
- VPN/Wireless (non-CoA) support at both campuses via HA Inline Posture Nodes
(Diagram: Campus A hosts the A/S Admin and Monitoring nodes, the Policy Service Cluster, HA Inline Posture Nodes in front of the ASA VPN, a WLC, 802.1X switches and APs, and the AD/LDAP External ID/Attribute Store; Campus B hosts a Distributed Policy Service node, a Distributed Inline Posture Node, a WLC, 802.1X switches and APs; Branch A and Branch B have 802.1X switches and APs.)


Typical ISE Deployment: Enterprise (< 100k)

Example Topology
- Redundant, Dedicated Administration and Monitoring split across Data Centers (P=Primary / S=Secondary)
- Policy Service Cluster for Wired/Wireless 802.1X Services at HQ
- Distributed Policy Service clusters for larger campuses
- Distributed Wired/Wireless 802.1X for Branches
- VPN/Wireless (non-CoA) at HQ via HA Inline Posture Nodes
(Diagram: Data Center A hosts Admin (P), Monitor (P), the Policy Services Cluster, HA Inline Posture Nodes in front of the ASA VPN, 802.1X WLCs, switches and APs, and an AD/LDAP External ID/Attribute Store; DC B hosts Admin (S), Monitor (S), Distributed Policy Services, 802.1X WLCs, switches and APs, and its own AD/LDAP External ID/Attribute Store; Branch A and Branch B have 802.1X switches and APs.)


Tips/Recommendations
- Create the secondary Admin node before adding Policy Svc nodes; otherwise a restart of the Policy Svc nodes is required.
- Node groups should be L2 adjacent.
- Posture assessment is CPU intensive, so it will benefit from powerful Policy Svc nodes (3315).
- Avoid co-locating Policy Svc and Monitoring where possible.
- Have dedicated Monitoring nodes where possible.
- Profiling requires maintenance of L2 info. E.g. the HTTP SPAN probe requires L2 adjacency (alternatively use RSPAN) -> fixed in 1.0MR (August 2011).


Tips/Recommendations (Continued)
- Time Synchronization
  - Always configure synchronized time at installation.
  - Use UTC across nodes and network devices for consistent correlation/reporting.
- Active Directory integration
  - It is critical to have time synchronization with the AD infrastructure.
  - DNS availability is required for AD name resolution.


Deployment Strategy
(Phased roadmap, from the slide's diagram.)
- Visibility: ISE Installation, NAD Configuration, Profiling, Monitor
- Classification: Agentless (MAB/Profiling), Unmanaged (WebAuth), Managed (802.1X), Posture (Desktop OSes)
- Enforcement: Assessment, Segmentation
- Production: Availability, Performance, Operations


Security: Protocols & Ports
(Node role columns on the slide: PAP, MnT, PDP, iPEP; annotation: Sponsor only.)

Feature, Service or Protocol       Ports
SSH                                TCP:22
DHCP Traffic Probe (Profiler)      UDP:67/68
Administration WebApp              TCP:80/443
SNMP Agent                         UDP:161
SNMP Trap Probe (Profiler)         UDP:162
Stream Oracle DB Listener          UDP:1521
RADIUS Authentication              UDP:1645 UDP:1812
RADIUS Accounting                  UDP:1646 UDP:1813
RADIUS CoA                         UDP:1700
WebAuth Portal                     TCP:8080 TCP:8443
NetFlow Receiver (configurable)    UDP:9993
JMX (until FCS)                    TCP:9999
Posture Agent (HTTPS)              TCP/UDP:8905 TCP/UDP:8906
Syslog Receiver                    UDP:20514
Syslog Receiver                    UDP:30514
Oracle AQ                          TCP:?
PDP Heartbeat                      UDP:45588 UDP:45590
API                                TCP:80/443

See ISE Hardware Installation Guide Appendix for most current info.
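An added example (not Cisco's) that parses the port notation used in the table above and compares it with a constructed, ss-style listener listing, so that anything a node exposes beyond the documented services stands out; the listing format and the lack of per-role filtering are assumptions of this example:

```python
import re

ISE_PORTS = {  # Service -> ports as written on the slide (node-role applicability not reproduced)
    "SSH": "TCP:22",
    "DHCP Traffic Probe (Profiler)": "UDP:67/68",
    "Administration WebApp": "TCP:80/443",
    "SNMP Agent": "UDP:161",
    "SNMP Trap Probe (Profiler)": "UDP:162",
    "Stream Oracle DB Listener": "UDP:1521",
    "RADIUS Authentication": "UDP:1645 UDP:1812",
    "RADIUS Accounting": "UDP:1646 UDP:1813",
    "RADIUS CoA": "UDP:1700",
    "WebAuth Portal": "TCP:8080 TCP:8443",
    "NetFlow Receiver (configurable)": "UDP:9993",
    "JMX (until FCS)": "TCP:9999",
    "Posture Agent (HTTPS)": "TCP/UDP:8905 TCP/UDP:8906",
    "Syslog Receiver": "UDP:20514 UDP:30514",
    "Oracle AQ": "TCP:?",
    "PDP Heartbeat": "UDP:45588 UDP:45590",
    "API": "TCP:80/443",
}

def parse_spec(spec):
    """Expand 'TCP/UDP:8905 UDP:67/68 TCP:?' into {(proto, port)}; an unknown '?' port is skipped."""
    pairs = set()
    for token in spec.split():
        protos, _, ports = token.partition(":")
        for proto in protos.split("/"):
            for port in ports.split("/"):
                if port.isdigit():
                    pairs.add((proto.lower(), int(port)))
    return pairs

def undocumented_listeners(output, table=ISE_PORTS):
    """Listeners absent from the table: the first things to explain on a hardened node."""
    documented = set().union(*(parse_spec(spec) for spec in table.values()))
    seen = set()
    for line in output.splitlines():  # 'ss -lntu'-style lines; the exact format is an assumption
        m = re.match(r"\s*(tcp|udp)\s+\S+\s+\d+\s+\d+\s+\S+:(\d+)\s", line)
        if m:
            seen.add((m.group(1), int(m.group(2))))
    return sorted(seen - documented)

SAMPLE_SS = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
udp   UNCONN 0      0      0.0.0.0:1812      0.0.0.0:*
tcp   LISTEN 0      128    [::]:8443         [::]:*
tcp   LISTEN 0      128    0.0.0.0:4444      0.0.0.0:*
"""
```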

Deployment Checklist
(Columns on the slide: Name, DNS Name, IP Address, Protocols, Details.)

Certificate Authorities
DNS Servers: UDP:63
DHCP Servers: UDP:?
NTP Servers: UDP:123
FTP Servers: TCP:21; username:password
TFTP Servers: UDP:69
Proxy Servers (for Lab/Internet): HTTP/S:#; username:password
PXE (TFTP) Boot Servers: UDP:69
Syslog Servers: UDP:514
PIPs: HTTP (TCP:80), HTTPS (TCP:443); username:password
Active Directory (AD): Domain: username:password
PAPs: HTTP (TCP:80), HTTPS (TCP:443); CLI: username:password, GUI: username:password
PDPs: HTTP (TCP:80), HTTPS (TCP:443), RADIUS (UDP:1812), RADIUS (UDP:1813), CoA: 1700 & 3799; CLI: username:password, GUI: username:password, RADIUS Key: ________
MnTs: HTTP (TCP:80), HTTPS (TCP:443); CLI: username:password, GUI: username:password
iPEPs: eth0: trusted, eth1: untrusted, eth2: HA, eth3: HA; CLI: username:password, GUI: username:password, RADIUS Key: ________


Deployment Checklist: Enforcement

Name                   Enforcement Attributes (VLAN, ACL, SGA, timers, redirect URL, etc.)
Employee-PrePosture    VLAN: ACCESS; ACL: Allow DHCP, DNS, NTP, TFTP; URL-Redirect: Client Provisioning / Posture
Employee-PostPosture   VLAN: ACCESS; ACL: permit ip any any
Guest-PrePosture       VLAN: ACCESS; ACL: permit ip any any; URL-Redirect: Client Provisioning / Posture
Guest-PostPosture      VLAN: ACCESS; ACL: Internet-Only
Phone                  VLAN: VOICE; cisco-av-pair = device-traffic-class=voice
...
Default                VLAN: ACCESS; ACL: Allow DHCP, DNS, NTP, TFTP; URL-Redirect: WebAuth
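As an added example, not ISE's own code, the checklist rows above are encoded as the RADIUS Access-Accept attributes a NAD would receive, with a small audit that the catch-all Default stays restricted and every pre-posture profile redirects. The ACE lines, the redirect ACL name and the portal URLs are placeholders constructed here, and the VLAN, downloadable ACL and redirect encodings follow the standard Cisco av-pair conventions:

```python
# Authorization profiles from the slide's checklist: (VLAN, ACL, URL-Redirect target, extra av-pairs)
PROFILES = {
    "Employee-PrePosture": ("ACCESS", "Allow DHCP, DNS, NTP, TFTP", "Client Provisioning / Posture", []),
    "Employee-PostPosture": ("ACCESS", "permit ip any any", None, []),
    "Guest-PrePosture": ("ACCESS", "permit ip any any", "Client Provisioning / Posture", []),
    "Guest-PostPosture": ("ACCESS", "Internet-Only", None, []),
    "Phone": ("VOICE", None, None, ["device-traffic-class=voice"]),
    "Default": ("ACCESS", "Allow DHCP, DNS, NTP, TFTP", "WebAuth", []),
}
ACL = {  # ACE lines are constructed for this example; the slide only names the ACLs
    "Allow DHCP, DNS, NTP, TFTP": ["permit udp any any eq bootps", "permit udp any any eq domain",
                                    "permit udp any any eq ntp", "permit udp any any eq tftp"],
    "permit ip any any": ["permit ip any any"],
    "Internet-Only": ["deny ip any 10.0.0.0 0.255.255.255", "permit ip any any"],
}
PORTAL = {  # placeholder URLs; a real deployment points these at the Policy Service node portals
    "Client Provisioning / Posture": "https://PSN-FQDN:8443/<client-provisioning-portal>",
    "WebAuth": "https://PSN-FQDN:8443/<webauth-portal>",
}


def access_accept(vlan, acl, redirect, extra):
    """RADIUS Access-Accept attributes a NAD receives for one profile (standard Cisco encodings)."""
    attrs = {"Tunnel-Type": "VLAN", "Tunnel-Medium-Type": "IEEE-802", "Tunnel-Private-Group-Id": vlan}
    avpairs = [f"ip:inacl#{n}={ace}" for n, ace in enumerate(ACL.get(acl, []), 1)]  # downloadable ACL
    if redirect:  # the redirect ACL name is a placeholder; it selects which flows get redirected
        avpairs += ["url-redirect-acl=ACL-REDIRECT", f"url-redirect={PORTAL[redirect]}"]
    attrs["cisco-av-pair"] = avpairs + list(extra)
    return attrs


def grants_full_access(attrs):
    """True when the downloadable ACL ends up as an unrestricted permit."""
    return any(p.endswith("=permit ip any any") for p in attrs["cisco-av-pair"])


def audit(profiles=PROFILES):
    """Findings: the catch-all Default must stay restricted, and pre-posture profiles must redirect."""
    findings = []
    for name, spec in profiles.items():
        attrs = access_accept(*spec)
        if name == "Default" and grants_full_access(attrs):
            findings.append("Default grants full access")
        if name.endswith("PrePosture") and not any(p.startswith("url-redirect=") for p in attrs["cisco-av-pair"]):
            findings.append(f"{name} has no URL redirect")
    return findings
```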
