ISE Deployment Architectures: Nodes, Services & Scale
Вставка
- Опубліковано 6 лип 2024
- The Identity Services Engine (ISE) network access control application is designed to scale from a single, standalone instance to 54 distributed nodes. Learn from TME Thomas Howard about how we do this with nodes and services across our many supported platforms.
00:00 Intro
00:55 Agenda
01:46 ISE Provides Zero Trust for the Workplace
04:19 ISE Nodes: Appliances, VMs, Cloud
07:50 Free, 90-day ISE Evaluation Licenses with every installation
08:56 ISE Personas: PAN, MNT, PSN, PXG
14:06 ISE Personas Example Flow
16:44 ISE Deployment: Standalone ISE Node
17:59 ISE Deployment: Small
19:01 ISE Deployment: Small 3 Node
20:33 ISE Deployment: Medium and Multiple Regions
22:43 ISE Deployment: Medium to Large
23:40 ISE Deployment: Large
25:30 Centralized or Distributed Deployments
28:00 Primay PAN Operations
29:31 Personas & Services
31:00 PSN Profiling Probes
38:00 ISE Inter-Node Communications
38:36 ISE Platforms: Appliances & VMs
39:58 ISE Platforms: AWS EC2 Instance Types
41:10 Zero Touch Provisioning
42:46 Appliance vs VM
47:21 On-Premises vs Cloud
49:50 ISE Performance and Scale
51:28 Maximum Concurrent Active Endpoints
53:07 Steady State vs Peak Demand
55:55 Multiple ISE Deployments
59:19 Other Scaling Considerations
1:00:21 Deployment Automation
1:00:58 ISE Policy & Lifecycle APIs
1:02:32 ISE Resources:
- Try ISE Free for 90 days: cs.co/ise-software
- Try ISE in AWS: cs.co/ise-aws (you must pay for AWS resource usage)
- ISE Webinars : cs.co/ise-webinars
- ISE UA-cam Channel : cs.co/ise-videos
- ISE Resources : cs.co/ise-resources
- ISE Community : cs.co/ise-community
- ISE Security Integration Guides: cs.co/ise-guides
- ISE Compatibility: cs.co/ise-compatibility
- ISE NAD Capabilities: cs.co/nad-capabilities
- ISE Scale & Performance: cs.co/ise-scale
- ISE APIs : cs.co/ise-api
- ISE @ Cisco DevNet : cs.co/ise-devnet - Наука та технологія
Invaluable vids for anyone new to ISE or inheriting administration of it.
Great session and very helpful for beginners 🙏🙏
Nice job. Invaluable session.
Thank you for doing this video in great details.
I'm planning for a 3 node small deployment. If I get it right, I'd need to put 2 nodes as PAN+MnT+PSN and 1 node as PSN, this will work fine??
Great Session !
quick question can I deploy ISE facing the internet ? Like attach an Elastic IP to its intenal interface and add the Natted IP of the Network Access Devices on ISE ?
ISE extracts the NAS-IP attribute from the radius header in the auth request which I believe won't be natted. I was just thinking to use Global accelerator with ISE hence this question.
You can for basic authentication however there are two issues. The most important is that RADIUS and TACACS traffic is not encrypted so anywhere in the path between the network device and ISE the RADIUS attributes with your usernames and network device IPs and other details could be captured. This is why a VPN or DTLS is required to secure the traffic.
NATed IPs cause a problem because you lose device-specific control/details by IP address (you may not care but most people do) and if you want or need to do RADIUS Change of Authorization (CoA) back to the network device, the NAT device will not know which network device to send it.
Best to use a VPN from on prem to cloud.
See
- Automated ISE Setup with Infrastructure as Code Tools @ ua-cam.com/video/tN_nTEE48Ys/v-deo.html
- Cisco ISE with Meraki @ ua-cam.com/video/snc0HIK0My4/v-deo.html
- ISE in AWS Webinar @ ua-cam.com/video/JOvQYSa6eFk/v-deo.html
PAN server related for making policy
9:12
PSN server, making the ise enforcement
10:44
it is a useful video tq.. .. if possible can you make a video for how to add the network devices, wireless how to monitor the endpoint devices
Managing Network Devices in ISE is coming up next month (April 2022)! Register @ cs.co/ise-webinar or you may always watch the recording here
what about the health check tab on the interface ? where can I find test outputs ?
Great presentation, 1 question though. Does it mean ISE is not a suitable solution for offshore environments with latency being more than 300 milisec as you mentioned?
By "offshore", I assume you mean boats. Yes, naval and cruise ships have isolated ISE deployments because their satellite links are not fast enough. This is explicitly covered @ 55:55 Multiple ISE Deployments
@@CiscoISE Thanks for your reply. A follow up question, lets say you have 50+ ships each with their own ISE deployments, how do you maintain all that from shore?
Great session, can I get the presentation slides?