CHAPTER 1

Network Deployments in Cisco ISE

This chapter describes several network deployment scenarios, provides information about how to deploy
the Cisco Identity Services Engine (ISE) SNS 3400 Series appliance and its related components, and
provides a pointer to the switch and Wireless LAN Controller configurations that are needed to support
Cisco ISE. This chapter contains the following sections:
• Architecture Overview, page 1-1
• Network Deployment Terminology, page 1-2
• Node Types and Personas in Distributed Deployments, page 1-3
• Standalone and Distributed Deployments, page 1-5
• Distributed Deployment Scenarios, page 1-5
• Deployment Size and Scaling Recommendations, page 1-10
• Inline Posture Planning Considerations, page 1-12
• Switch and Wireless LAN Controller Configuration Required to Support Cisco ISE Functions,
page 1-13

Architecture Overview
Cisco ISE architecture includes the following components:
• Nodes and persona types
– Cisco ISE node—A Cisco ISE node can assume any or all of the following personas:
Administration, Policy Service, or Monitoring
– Inline Posture node—A gatekeeping node that takes care of access policy enforcement
• Network resources
• Endpoints

Note Figure 1-1 shows Cisco ISE nodes and personas (Administration, Policy Service, and Monitoring), an
Inline Posture node, and a policy information point.

The policy information point represents the point at which external information is communicated to the
Policy Service persona. For example, external information could be a Lightweight Directory Access
Protocol (LDAP) attribute.

Cisco Identity Services Engine Hardware Installation Guide, Release 1.2

OL-27044-01 1-1
 Chapter 1 Network Deployments in Cisco ISE
Network Deployment Terminology

Figure 1-1 Cisco ISE Architecture

282088
Network Deployment Terminology
The following terms are commonly used when discussing Cisco ISE deployment scenarios:
• Service—A service is a specific feature that a persona provides such as network access, profiling,
posture, security group access, monitoring, and troubleshooting.
• Node—A node is an individual instance that runs the Cisco ISE software. Cisco ISE is available as
an appliance and as software that can be run on VMware.
• Node Type—A node can be one of two types: A Cisco ISE node or an Inline Posture node. The node
type and persona determine the type of functionality provided by a node.
• Persona—The persona or personas of a node determines the services provided by a node. A Cisco
ISE node can assume any or all of the following personas: Administration, Policy Service, and
Monitoring. The menu options that are available through the administrative user interface depend
on the role and personas that a node assumes.
• Role—The role of a node determines if it is a standalone, primary, or secondary node and applies
only to Administration and Monitoring nodes.

Cisco Identity Services Engine Hardware Installation Guide, Release 1.2

1-2 OL-27044-01
 Chapter 1 Network Deployments in Cisco ISE
Node Types and Personas in Distributed Deployments

Node Types and Personas in Distributed Deployments

In a Cisco ISE distributed deployment, there are two types of nodes:
• Cisco ISE node—Administration, Policy Service, Monitoring
• Inline Posture node
A Cisco ISE node can provide various services based on the persona that it assumes. Each node in a
deployment, with the exception of the Inline Posture node, can assume the Administration, Policy
Service, and Monitoring personas. In a distributed deployment, you can have the following combination
of nodes on your network:
• Primary and secondary Administration nodes for high availability
• A pair of Monitoring nodes for automatic failover
• One or more Policy Service nodes for session failover
• A pair of Inline Posture nodes for high availability

Related Topics
• Administration Node, page 1-3
• Policy Service Node, page 1-3
• Monitoring Node, page 1-3
• Inline Posture Node, page 1-4

Administration Node
A Cisco ISE node with the Administration persona allows you to perform all administrative operations
on Cisco ISE. It handles all system-related configurations that are related to functionality such as
authentication, authorization, and accounting. In a distributed deployment, you can have one or a
maximum of two nodes running the Administration persona. The Administration persona can take on the
standalone, primary, or secondary role.

Policy Service Node

A Cisco ISE node with the Policy Service persona provides network access, posture, guest access, client
provisioning, and profiling services. This persona evaluates the policies and provides network access to
endpoints based on the result of the policy evaluation. You can have more than one node assume this
persona. Typically, there is more than one Policy Service node in a distributed deployment. All Policy
Service nodes that reside behind a load balancer share a common multicast address and can be grouped
to form a node group. If one of the nodes in a node group goes down, the other nodes detect the failure
and reset any pending sessions.
At least one node in your distributed setup should assume the Policy Service persona.

Monitoring Node
A Cisco ISE node with the Monitoring persona functions as the log collector and stores log messages
from all the Administration and Policy Service nodes in a network. This persona provides advanced
monitoring and troubleshooting tools that you can use to effectively manage a network and resources. A

Cisco Identity Services Engine Hardware Installation Guide, Release 1.2

OL-27044-01 1-3
 Chapter 1 Network Deployments in Cisco ISE
Node Types and Personas in Distributed Deployments

node with this persona aggregates and correlates the data that it collects, and provides you with
meaningful reports. Cisco ISE allows you to have a maximum of two nodes with this persona, and they
can take on primary or secondary roles for high availability. Both the primary and secondary Monitoring
nodes collect log messages. In case the primary Monitoring node goes down, the secondary Monitoring
node automatically becomes the primary Monitoring node.
At least one node in your distributed setup should assume the Monitoring persona. We recommend that
you do not have the Monitoring and Policy Service personas enabled on the same Cisco ISE node. We
recommend that the Monitoring node be dedicated solely to monitoring for optimum performance.

Inline Posture Node

An Inline Posture node is a gatekeeping node that is positioned behind network access devices such as
wireless LAN controllers (WLCs) and VPN concentrators on the network. Inline Posture enforces access
policies after a user has been authenticated and granted access, and handles change of authorization
(CoA) requests that a WLC or VPN is unable to accommodate. Cisco ISE allows you to have two Inline
Posture nodes, and they can take on primary or secondary roles for high availability.
The Inline Posture node must be a dedicated node. It must be dedicated solely for Inline Posture service,
and cannot operate concurrently with other Cisco ISE services. Likewise, due to the specialized nature
of its service, an Inline Posture node cannot assume any persona. For example, it cannot act as an
Administration node (offering administration service), or a Policy Service node (offering network
access, posture, profile, and guest services), or a Monitoring node (offering monitoring and
troubleshooting services).
Inline Posture is not supported on the Cisco SNS 3495 platform. Ensure that you install Inline Posture
on any one of the following supported platforms: Cisco ISE 3315, Cisco ISE 3355, Cisco ISE 3395, or
Cisco SNS 3415.

Inline Posture Node Installation

You must download the Inline Posture ISO image from Cisco.com and install it on any of the supported
platforms, configure certificates through the CLI, and register this node from the user interface of the
primary Administration node.

Note You cannot access the web-based user interface of the Inline Posture nodes. You can configure them only
from the primary Administration node.

Before you can add an Inline Posture node to a deployment, you must configure a certificate for it and
register it with the primary Administration node. See Configuring Certificates for Inline Posture Nodes,
page E-34 for more information.

Inline Posture Node Reuse

If you decide that you no longer need an Inline Posture node, you cannot add any services or roles to it,
but you can change it to a Cisco ISE node and then assign any persona to it. If you want to reuse an Inline
Posture node, you must first deregister it and then reimage the appliance and install Cisco ISE, Release
1.2, on it.

Cisco Identity Services Engine Hardware Installation Guide, Release 1.2

1-4 OL-27044-01
 Chapter 1 Network Deployments in Cisco ISE
Standalone and Distributed Deployments

Standalone and Distributed Deployments

A deployment that has a single Cisco ISE node is called a standalone deployment. This node runs the
Administration, Policy Service, and Monitoring personas.
A deployment that has more than one Cisco ISE node is called a distributed deployment. To support
failover and to improve performance, you can set up a deployment with multiple Cisco ISE nodes in a
distributed fashion. In a Cisco ISE distributed deployment, administration and monitoring activities are
centralized, and processing is distributed across the Policy Service nodes. Depending on your
performance needs, you can scale your deployment. A Cisco ISE node can assume any of the following
personas: Administration, Policy Service, and Monitoring. An Inline Posture node cannot assume any
other persona, due to its specialized nature and it must be a dedicated node.

Distributed Deployment Scenarios

• Small Network Deployments, page 1-5
• Medium-Sized Network Deployments, page 1-7
• Large Network Deployments, page 1-8

Small Network Deployments

The smallest Cisco ISE deployment consists of two Cisco ISE nodes as shown in Figure 1-2, with one
Cisco ISE node functioning as the primary appliance in a small network.

Note Concurrent endpoints represent the total number of supported users and devices. Concurrent endpoints
can be any combination of users, personal computers, laptops, IP phones, smart phones, gaming
consoles, printers, fax machines, or other types of network devices.

The primary node provides all the configuration, authentication, and policy capabilities that are required
for this network model, and the secondary Cisco ISE node functions in a backup role. The secondary
node supports the primary node and maintains a functioning network whenever connectivity is lost
between the primary node and network appliances, network resources, or RADIUS.
Centralized authentication, authorization, and accounting (AAA) operations between clients and the
primary Cisco ISE node are performed using the RADIUS protocol. Cisco ISE synchronizes or replicates
all of the content that resides on the primary Cisco ISE node with the secondary Cisco ISE node. Thus,
your secondary node is current with the state of your primary node. In a small network deployment, this
type of configuration model allows you to configure both your primary and secondary nodes on all
RADIUS clients by using this type of deployment or a similar approach.

Cisco Identity Services Engine Hardware Installation Guide, Release 1.2

OL-27044-01 1-5
 Chapter 1 Network Deployments in Cisco ISE
Distributed Deployment Scenarios

Figure 1-2 Small Network Deployment

282092
As the number of devices, network resources, users, and AAA clients increases in your network
environment, you should change your deployment configuration from the basic small model and use
more of a split or distributed deployment model, as shown in Figure 1-3.
Figure 1-2 shows the secondary Cisco ISE node acting as a Policy Service persona performing AAA
functions. The secondary Cisco ISE node could also be acting as a Monitoring or Administration
persona.

Split Deployments
In split Cisco ISE deployments, you continue to maintain primary and secondary nodes as described in
a small Cisco ISE deployment. However, the AAA load is split between the two Cisco ISE nodes to
optimize the AAA workflow. Each Cisco ISE appliance (primary or secondary) needs to be able to
handle the full workload if there are any problems with AAA connectivity. Neither the primary node nor
the secondary nodes handles all AAA requests during normal network operations because this workload
is distributed between the two nodes.
The ability to split the load in this way directly reduces the stress on each Cisco ISE node in the system.
In addition, splitting the load provides better loading while the functional status of the secondary node
is maintained during the course of normal network operations.
In split Cisco ISE deployments, each node can perform its own specific operations, such as network
admission or device administration, and still perform all the AAA functions in the event of a failure. If
you have two Cisco ISE nodes that process authentication requests and collect accounting data from
AAA clients, we recommend that you set up one of the Cisco ISE nodes to act as a log collector.
Figure 1-3 shows the secondary Cisco ISE node in this role.

Cisco Identity Services Engine Hardware Installation Guide, Release 1.2

1-6 OL-27044-01
 Chapter 1 Network Deployments in Cisco ISE
Distributed Deployment Scenarios

Figure 1-3 Split Network Deployment

282093
In addition, the split Cisco ISE node deployment design provides an advantage because it also allows for
growth, as shown in Figure 1-4.

Medium-Sized Network Deployments

As small, local networks grow, you can keep pace and manage network growth by adding Cisco ISE
nodes to create a medium-sized network. In medium-sized network deployments, you can dedicate the
new nodes for all AAA functions, and use the original nodes for configuration and logging functions.
As the amount of log traffic increases in a network, you can choose to dedicate one or two of the
secondary Cisco ISE nodes for log collection in your network.

Cisco Identity Services Engine Hardware Installation Guide, Release 1.2

OL-27044-01 1-7
 Chapter 1 Network Deployments in Cisco ISE
Distributed Deployment Scenarios

Figure 1-4 Medium-Sized Network Deployment

Large Network Deployments

We recommend that you use centralized logging (as shown in Figure 1-5) for large Cisco ISE networks.
To use centralized logging, you must first set up a dedicated logging server that serves as a Monitoring
persona (for monitoring and logging) to handle the potentially high syslog traffic that a large, busy
network can generate.
Because syslog messages are generated for outbound log traffic, any RFC 3164-compliant syslog
appliance can serve as the collector for outbound logging traffic. A dedicated logging server enables you
to use the reports and alert features that are available in Cisco ISE to support all the Cisco ISE nodes.
See “Cisco ISE Setup Program Parameters” section on page 3-7 when configuring the Cisco ISE
software to support a dedicated logging server.
You can also consider having the appliances send logs to both a Monitoring persona on the Cisco ISE
node and a generic syslog server. Adding a generic syslog server provides a redundant backup if the
Monitoring persona on the Cisco ISE node goes down.
In large centralized networks, you should use a load balancer (as shown in Figure 1-5), which simplifies
the deployment of AAA clients. Using a load balancer requires only a single entry for the AAA servers,
and the load balancer optimizes the routing of AAA requests to the available servers.
However, having only a single load balancer introduces the potential for having a single point of failure.
To avoid this potential issue, deploy two load balancers to ensure a measure of redundancy and failover.
This configuration requires you to set up two AAA server entries in each AAA client, and this
configuration remains consistent throughout the network.

Cisco Identity Services Engine Hardware Installation Guide, Release 1.2

1-8 OL-27044-01
 Chapter 1 Network Deployments in Cisco ISE
Distributed Deployment Scenarios

Figure 1-5 Large Network Deployment

282094
Dispersed Network Deployments
Dispersed Cisco ISE network deployments are most useful for organizations that have a main campus
with regional, national, or satellite locations elsewhere. The main campus is where the primary network
resides, is connected to additional LANs, ranges in size from small to large, and supports appliances and
users in different geographical regions and locations.
Large remote sites can have their own AAA infrastructure (as shown in Figure 1-6) for optimal AAA
performance. A centralized management model helps maintain a consistent, synchronized AAA policy.
A centralized configuration model uses a primary Cisco ISE node with secondary Cisco ISE nodes. We
still recommend that you use a separate Monitoring persona on the Cisco ISE node, but each remote
location should retain its own unique network requirements.

Cisco Identity Services Engine Hardware Installation Guide, Release 1.2

OL-27044-01 1-9
 Chapter 1 Network Deployments in Cisco ISE
Deployment Size and Scaling Recommendations

Figure 1-6 Dispersed Deployment

282095
Before You Plan a Network with Several Remote Sites
• Verify if a central or external database is used, such as Microsoft Active Directory or Lightweight
Directory Access Protocol (LDAP). Each remote site should have a synchronized instance of the
external database that is available for Cisco ISE to access for optimizing AAA performance.
• The location of AAA clients is important. You should locate the Cisco ISE nodes as close as possible
to the AAA clients to reduce network latency effects and the potential for loss of access that is
caused by WAN failures.
• Cisco ISE has console access for some functions such as backup. Consider using a terminal at each
site, which allows for direct, secure console access that bypasses network access to each node.
• If small, remote sites are in close proximity and have reliable WAN connectivity to other sites,
consider using a Cisco ISE node as a backup for the local site to provide redundancy.
• Domain Name System (DNS) should be properly configured on all Cisco ISE nodes to ensure access
to the external databases.

Deployment Size and Scaling Recommendations

This section provides guidance on the size of the physical and virtual machine appliances that you would
need for your deployment based the number of endpoints that connect to your network. Table 1-1
provides guidance on the type of deployment, number of Cisco ISE nodes, and the type of appliance
(small, medium, large) that you need based on the number of endpoints that connect to your network.

Cisco Identity Services Engine Hardware Installation Guide, Release 1.2

1-10 OL-27044-01
 Chapter 1 Network Deployments in Cisco ISE
Deployment Size and Scaling Recommendations

Table 1-1 Cisco ISE Deployment—Size and Scaling Recommendations

Maximum Number
Deployment of Dedicated Policy Number of Active
Type Number of Nodes/Personas Appliance Platform Service Nodes Endpoints
Small Standalone or redundant (2) Cisco ISE 3300 Series 0 Maximum of 2,000
nodes with Administration, (3315, 3355, 3395) endpoints
Policy Service, and Cisco ISE 3415 0 Maximum of 5,000
Monitoring personas enabled. endpoints
Cisco ISE 3495 0 Maximum of 10,000
endpoints
Medium Administration and Cisco ISE-3355 or 5 Maximum of 5,000
Monitoring personas on single Cisco SNS 3415 endpoints
or redundant nodes. Maximum appliances for
of 2 Administration and Administration and
Monitoring nodes. Monitoring personas
Cisco ISE 3395 or 5 Maximum of 10,000
Cisco SNS 3495 endpoints
appliances for
Administration and
Monitoring personas
Large Dedicated Administration Cisco ISE 3395 40 Maximum of 100,000
node/nodes. Maximum of 2 appliances for endpoints
Administration nodes. Administration and
Monitoring personas
Dedicated Monitoring
node/nodes. Maximum of 2 Cisco SNS 3495 40 Maximum of 250,000
Monitoring nodes. appliances for endpoints
Administration and
Monitoring personas

Table 1-2 provides guidance on the type of appliance that you would need for a dedicated Policy Service
node based on the number of active endpoints the node services.

Table 1-2 Policy Service Node Size Recommendations

Form Factor Platform Size Appliance Maximum Endpoints

Physical Small Cisco ISE-3315 3,000
Cisco SNS-3415 5,000
Medium Cisco ISE-3355 6,000
Large Cisco ISE-3395 10,000
Cisco SNS-3495 20,000
Virtual Machine Small/Medium/Large Comparable to physical 3,000 to 20,000
appliance

Cisco Identity Services Engine Hardware Installation Guide, Release 1.2

OL-27044-01 1-11
 Chapter 1 Network Deployments in Cisco ISE
Inline Posture Planning Considerations

Table 1-3 provides the maximum throughput and the maximum number of endpoints that a single Inline
Posture node can support.

Table 1-3 Inline Posture Node Sizing Recommendations

Attribute Performance
Maximum number of endpoints per physical 5,000 to 20,000 (gated by Policy Service nodes)
appliance
Maximum throughput per any physical 936 Mbps
appliance

Inline Posture Planning Considerations

A network or system architect is responsible for researching the issues involved in Inline Posture
deployment to determine what best suits network requirements.
A network or system architect must address the following basic questions when planning to deploy Inline
Posture nodes:
• Will deployment plans include an Inline Posture primary-secondary pair configuration? Cisco ISE
networks support up to two Inline Posture nodes configured on a network at any one time.
• What type of Inline Posture operating modes will you choose?

Caution The untrusted interface on an Inline Posture node should be disconnected when an Inline Posture node
is being configured. If the trusted and untrusted interfaces are connected to the same VLAN during initial
configuration, and the Inline Posture node boots up after changing persona, multicast packet traffic gets
flooded out of the untrusted interface. This multicast event can potentially bring down devices that are
connected to the same subnet or VLAN. The Inline Posture node at this time is in the maintenance mode.

Caution Do not change the CLI password for Inline Posture node once it has been added to the deployment. If
the password is changed, when you access the Inline Posture node through the Administration node, a
Java exception error is displayed and the CLI gets locked. You need to recover the password by using
the installation DVD and rebooting the Inline Posture node. Or, you can set the password to the original
one.

If you need to change the password, then deregister the Inline Posture node from the deployment, modify
the password, and then add the node to the deployment with the new credentials.

Related Topics
Cisco Identity Services Engine User Guide, Release 1.2.

Cisco Identity Services Engine Hardware Installation Guide, Release 1.2

1-12 OL-27044-01
Chapter 1 Network Deployments in Cisco ISE
Switch and Wireless LAN Controller Configuration Required to Support Cisco ISE Functions

Switch and Wireless LAN Controller Configuration

Required to Support Cisco ISE Functions
To ensure that Cisco ISE can interoperate with network switches and that functions from Cisco ISE are
successful across the network segment, you must configure your network switches with certain required
Network Time Protocol (NTP), RADIUS/AAA, IEEE 802.1X, MAC Authentication Bypass (MAB), and
other settings.

Related Topics
For more switch and wireless LAN controller configuration requirements, see Appendix C, “Switch and
Wireless LAN Controller Configuration Required to Support Cisco ISE Functions,” in Cisco Identity
Services Engine User Guide, Release 1.2.

Cisco Identity Services Engine Hardware Installation Guide, Release 1.2

OL-27044-01 1-13
 Chapter 1 Network Deployments in Cisco ISE
Switch and Wireless LAN Controller Configuration Required to Support Cisco ISE Functions

Cisco Identity Services Engine Hardware Installation Guide, Release 1.2

1-14 OL-27044-01