
Cisco ISE v2.4 Deployment Methods

An ISE node is a physical appliance or a VM running the installed ISE software.

  • There are four major collections of ISE services, categorized into personas.
  • These personas are responsible for different functions within the ISE architecture.
  • You can run all of them on a single node or distribute them across multiple nodes.

The four personas are:

Administration persona:

This is the control center: the user interface for licensing and policy configuration.

[When the personas are distributed across several nodes, the node running this persona is called the Administration node (PAN = Policy Administration Node). You create the configuration on it, and it pushes that configuration out to the other nodes, including the PSNs.]

Policy Service persona:

This is the policy decision engine. It processes all ISE-related network messaging, including the profiling probes (DHCP, CDP, NetFlow) and RADIUS, and it is the RADIUS server the NADs talk to.

[When the personas are distributed across nodes, the node running this persona is called the Policy Service Node (PSN).]

[It carries the configuration pushed from the PAN and acts as the RADIUS and TACACS+ server; it also runs the Passive ID and SXP services.]

Monitoring persona:

This is the engine that collects and correlates logs and report data.

It generates the reports and alarms for the ISE system.

[When the personas are distributed across nodes, the node running this persona is called the Monitoring node (MnT = Monitoring & Troubleshooting Node).]

pxGrid persona:

It enables sharing of contextual information from the ISE session directory with other network systems, such as the ASA.

You can use the pxGrid framework to exchange policy and configuration data between nodes.

This includes sharing tags and policy objects between ISE and third-party vendors, and non-ISE information exchanges such as threat information.

An extra license is required for pxGrid services.

 

How to implement nodes, personas and roles?

  • Single Node Deployment

By default, when you install ISE it runs in this deployment type.

All personas run on a single ISE node.

The disadvantage is the lack of fault tolerance and the limited scalability.

It supports a maximum of 2000 endpoints in this layout (the exact ceiling depends on the appliance or VM size).

  • Four Node Deployment [distributed deployment]

This type provides fault tolerance and scalability.

It introduces the concept of a role.

For redundancy:

Node 1

The primary role for the Admin persona = Primary Administration Node (PAN)

Node 2

The secondary role for the Admin persona = Secondary Administration Node

To minimize inter-node communication overhead, Cisco requires the primary Admin persona [PAN] and the Monitoring persona [MnT] to run on the same node.

There is no concept of primary and secondary roles for the Policy Service persona.

But you can have more than one node running the Policy Service persona.

The Policy Service persona plays the role of RADIUS server for the NADs.

On the NAD you configure which Policy Service node is preferred (for example, by listing the RADIUS servers in priority order in the server group); the NAD falls back to the next PSN when the preferred one stops responding.

Admin node

Every ISE deployment must have at least one Admin node.

You can have a primary on one node and a secondary on another node.

ISE supports automatic failover between them, but it is not on by default: you enable PAN auto-failover in the deployment settings, and it needs a health-check node (a PSN) that monitors the primary.

 

Policy Service Node

Policy Service nodes make real-time, policy-based decisions and convey the policies directly to the NADs for enforcement.

Remember, the Admin role governs the policy and the endpoint attributes that it has acquired.

The Policy Service node supports runtime use cases such as user and endpoint access, while the other nodes support administrative, monitoring or troubleshooting use cases.

An ISE deployment can have more than one Policy Service node.

If the Administration and Monitoring personas run on the same node or pair of nodes, you can have up to 5 Policy Service nodes.

If the Administration and Monitoring personas are installed independently on their own nodes, you can have up to 50 Policy Service nodes.

Monitoring Node

Each ISE deployment needs at least one Monitoring node.

You can deploy a second one for fault tolerance.

In that case both the active and the standby node collect log messages:

each PSN forwards its logs to both nodes, because Monitoring nodes do not synchronize with each other.

The Monitoring node can also forward the logged information to external databases (for example a syslog collector or SIEM), which then act as sources of accounting and security-related information that is useful as evidence and forensic data.
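As an added example (not from the original post and not Cisco's own tooling), here is a small Python checker that encodes the persona and role rules described above: one primary PAN with an optional secondary, one primary MnT with an optional secondary, at least one PSN, and a PSN ceiling of 5 when PAN and MnT share nodes or 50 when they are dedicated. The node names and layouts are constructed for the demonstration, and the limits are the ones this post states, treated as assumptions rather than authoritative Cisco sizing figures.

```python
from collections import Counter

PERSONAS = ("admin", "policy", "monitoring", "pxgrid")

# PSN ceilings as stated in this post (assumptions for this example, not Cisco's sizing tables).
MAX_PSN_SHARED_PAN_MNT = 5      # Administration and Monitoring on the same node or pair of nodes
MAX_PSN_DEDICATED_PAN_MNT = 50  # Administration and Monitoring on their own dedicated nodes


def check_deployment(nodes):
    """Return the list of rule violations for a deployment; an empty list means it is valid.

    Each node is a dict with a "name" plus one key per persona it runs.
    "admin" and "monitoring" map to a role, "primary" or "secondary";
    "policy" and "pxgrid" have no role, so their value is None.
    """
    problems = []
    roles = {persona: Counter() for persona in PERSONAS}
    for node in nodes:
        for persona in PERSONAS:
            if persona in node:
                roles[persona][node[persona]] += 1

    # Administration: exactly one primary PAN, optionally one secondary.
    if roles["admin"]["primary"] != 1:
        problems.append("exactly one primary Administration node (PAN) is required")
    if roles["admin"]["secondary"] > 1:
        problems.append("at most one secondary PAN is allowed")

    # Monitoring: the same primary/secondary pattern.
    if roles["monitoring"]["primary"] != 1:
        problems.append("exactly one primary Monitoring node (MnT) is required")
    if roles["monitoring"]["secondary"] > 1:
        problems.append("at most one secondary MnT is allowed")

    # Policy Service has no primary/secondary role, but the NADs need at least one RADIUS server.
    psn_count = sum(roles["policy"].values())
    if psn_count == 0:
        problems.append("at least one Policy Service node (PSN) is required to answer RADIUS/TACACS+")

    # The PSN ceiling depends on whether Administration and Monitoring share nodes.
    shared = any("admin" in node and "monitoring" in node for node in nodes)
    limit = MAX_PSN_SHARED_PAN_MNT if shared else MAX_PSN_DEDICATED_PAN_MNT
    if psn_count > limit:
        problems.append(f"{psn_count} PSNs exceed the limit of {limit} for this layout")

    return problems


# Constructed layouts; the node names are made up for this example.
SINGLE_NODE = [
    {"name": "ise01", "admin": "primary", "monitoring": "primary", "policy": None, "pxgrid": None},
]

# Four-node layout from the post: primary PAN with MnT on node 1, secondaries on node 2, two PSNs.
FOUR_NODE = [
    {"name": "ise-pan1", "admin": "primary", "monitoring": "primary"},
    {"name": "ise-pan2", "admin": "secondary", "monitoring": "secondary"},
    {"name": "ise-psn1", "policy": None},
    {"name": "ise-psn2", "policy": None},
]


def large_layout(psn_count):
    """Dedicated PAN pair and MnT pair plus psn_count PSNs (constructed)."""
    nodes = [
        {"name": "ise-pan1", "admin": "primary"},
        {"name": "ise-pan2", "admin": "secondary"},
        {"name": "ise-mnt1", "monitoring": "primary"},
        {"name": "ise-mnt2", "monitoring": "secondary"},
    ]
    nodes += [{"name": f"ise-psn{i}", "policy": None} for i in range(1, psn_count + 1)]
    return nodes


if __name__ == "__main__":
    layouts = [
        ("single node", SINGLE_NODE),
        ("four node", FOUR_NODE),
        ("four node plus four more PSNs", FOUR_NODE + [{"name": f"ise-psn{i}", "policy": None} for i in range(3, 7)]),
        ("large, 50 PSNs", large_layout(50)),
        ("large, 51 PSNs", large_layout(51)),
    ]
    for label, layout in layouts:
        print(f"{label}: {check_deployment(layout) or 'OK'}")
```

Running it shows the single-node, four-node and 50-PSN layouts passing, while six PSNs behind a shared PAN/MnT pair and 51 PSNs behind dedicated nodes are flagged; the checker only tests the counting rules from this post, not licensing or appliance capacity.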

 

ISE Licences


AnyConnect Apex

You need this extra license (together with ISE Apex) when you use the AnyConnect agent for posture instead of the Temporal agent.

So you buy two licenses: ISE Apex and AnyConnect Apex.


You need a VM license only if your ISE node is deployed from the OVA (as a VM).

You can have a mixed environment with ISE physical nodes and ISE VM nodes together.

Cisco on-box automation tools

Cisco on-box automation tools are tools already embedded in Cisco IOS, or that can be run from the Cisco IOS CLI, which help you automate many tasks.

Cisco on-box automation tools include:

Auto SmartPorts

AutoConf

Auto Security

AutoQoS

Smart Call Home

Tcl Shell

Embedded Event Manager (EEM)

Python Version 2.7

Where to read more:

-Auto SmartPorts, AutoConf, Auto Security, AutoQoS and Smart Call Home

For these, read chapter 7, “On-Box Automation and Operations Tools”, in the Cisco Press book “Programming and Automating Cisco Networks”.

-Tcl Shell

For this, read the Cisco Press book “TcL Scripting for Cisco IOS”.

-Embedded Event Manager (EEM)

For this, read my two-part article “Understanding Cisco EEM by examples”:

https://lnkd.in/gbRtA58

https://lnkd.in/gHa_hFC

-Python Version 2.7

Yes, you can run Python in Cisco IOS XE in both interactive and non-interactive modes.

For more about the on-box Python capability, read:

https://lnkd.in/ga6itBG

EDR vs EPP

Endpoint Detection and Response (EDR) platforms are security systems that combine elements of next-generation antivirus with additional tools to provide real-time anomaly detection and alerting, forensic analysis and endpoint remediation capabilities.

By recording every file execution and modification, registry change, network connection and binary execution across an organization’s endpoints, EDR extends threat visibility beyond the scope of an EPP.

Top Endpoint Detection and Response (EDR) Solutions:

Cisco Advanced Malware Protection AMP for Endpoints
FireEye Endpoint Security
Carbon Black Cb Response
Guidance Software EnCase Endpoint Security
Cybereason Total Enterprise Protection
Symantec Endpoint Protection
RSA NetWitness Endpoint
Tanium
CrowdStrike Falcon Insight
CounterTack Endpoint Threat
SentinelOne

Gartner Top EDR

https://www.gartner.com/reviews/market/endpoint-detection-and-response-solutions

Endpoint Protection Platform (EPP), often marketed as Next Generation Anti-Virus (NGAV), is an integrated security solution designed to detect and block threats at the device level. Typically this includes antivirus, anti-malware, data encryption, a personal firewall, intrusion prevention (IPS) and data loss prevention (DLP).

Traditional EPP is inherently preventive, and most of its approaches are signature-based: they identify threats by known file signatures, so a newly discovered threat is missed until a signature for it exists. The latest EPP solutions have however evolved to use a broader range of detection techniques.

Top NGAV vendors to watch in 2019 (Endpoint Protection Platform, EPP):
Carbon Black
CrowdStrike
Kaspersky Lab
SentinelOne

Gartner Top EPP

https://www.gartner.com/reviews/market/endpoint-protection-platforms

 

RIPv2 no validate-update-source command

When a router running Routing Information Protocol (RIP) receives an update from a neighboring router, it checks whether the source address of the update belongs to the same network or subnet as the receiving interface.

If it does, the routes are accepted and installed in the routing table. Otherwise the update is dropped.

But we can change this behaviour. In the lab below, R1 and R2 are connected back-to-back over PPP, and each end of the link is addressed from a different /24:

R1

interface Serial2/0
 ip address 10.1.1.1 255.255.255.0
 encapsulation ppp
!
interface Loopback0
 ip address 1.1.1.1 255.0.0.0

R2

interface Serial2/0
 ip address 10.2.2.2 255.255.255.0
 encapsulation ppp

 

R2#ping 10.1.1.1

!!!!!

The ping works even though the two serial addresses are in different subnets, because PPP installs a /32 host route for the peer address (the 10.1.1.1/32 entry below):

R2#sh ip route

10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
C        10.1.1.1/32 is directly connected, Serial2/0
C        10.2.2.0/24 is directly connected, Serial2/0
L        10.2.2.2/32 is directly connected, Serial2/0

Now enable RIPv2 on both routers:

R1

router rip
 version 2
 no auto-summary
 network 10.1.1.0
 network 1.0.0.0

R2

router rip
 version 2
 no auto-summary
 network 10.2.2.0

 

R2#sh ip route

10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
C        10.1.1.1/32 is directly connected, Serial2/0
C        10.2.2.0/24 is directly connected, Serial2/0
L        10.2.2.2/32 is directly connected, Serial2/0

Still no RIP route for 1.0.0.0/8 on R2: R1's updates arrive with source address 10.1.1.1, which is not in R2's 10.2.2.0/24, so R2 drops them.

 

Disable the source check on R2:

R2

router rip
 no validate-update-source

 

R2#sh ip route

R     1.0.0.0/8 [120/1] via 10.1.1.1, 00:00:01
10.0.0.0/8 is variably subnetted, 3 subnets, 2 masks
C        10.1.1.1/32 is directly connected, Serial2/0
C        10.2.2.0/24 is directly connected, Serial2/0
L        10.2.2.2/32 is directly connected, Serial2/0

R2#ping 1.1.1.1

!!!!!

Keep in mind that no validate-update-source removes a sanity check, not a security control: R2 now accepts RIP updates from any source address that reaches Serial2/0. On a link like this, protect RIPv2 with MD5 authentication (a key chain plus ip rip authentication mode md5 on the interface) rather than relying on the source check.
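To make the default check concrete, here is an added Python model of the source validation that validate-update-source performs (example code, not part of the post and not how IOS implements it internally). It uses the lab addresses above, R2's Serial2/0 at 10.2.2.2/24 receiving R1's update from 10.1.1.1, plus one constructed off-link forgery to show what the relaxed setting also accepts.

```python
import ipaddress

# R2's receiving interface from the lab above: Serial2/0, 10.2.2.2/24.
R2_SERIAL = ("10.2.2.2", 24)

# Constructed RIP updates as (source address, advertised prefix, metric).
# IOS increments the hop count before sending, so the received metric is installed as-is.
R1_UPDATE = [("10.1.1.1", "1.0.0.0/8", 1)]        # R1's Loopback0 network, sent from 10.1.1.1
FORGED_UPDATE = [("192.0.2.9", "0.0.0.0/0", 1)]   # off-link forgery, constructed for this example


def source_is_valid(source_ip, iface_ip, prefix_len):
    """The default RIP check: the update's source must sit in the receiving interface's subnet."""
    iface_net = ipaddress.ip_interface(f"{iface_ip}/{prefix_len}").network
    return ipaddress.ip_address(source_ip) in iface_net


def process_updates(updates, iface_ip, prefix_len, validate_update_source=True):
    """Apply RIP updates received on one interface.

    Returns (routing_table, dropped): routing_table maps prefix -> (next_hop, metric),
    dropped lists (source_ip, reason) for updates rejected by the source check.
    validate_update_source=False models `no validate-update-source` under router rip.
    """
    table = {}
    dropped = []
    for source_ip, prefix, metric in updates:
        if validate_update_source and not source_is_valid(source_ip, iface_ip, prefix_len):
            dropped.append((source_ip, f"source not in {iface_ip}/{prefix_len} subnet"))
            continue
        # RIP keeps the lowest metric seen for each prefix.
        if prefix not in table or metric < table[prefix][1]:
            table[prefix] = (source_ip, metric)
    return table, dropped


def r2_default():
    """R2 with the default check: R1's update is dropped, and so is the forgery."""
    return process_updates(R1_UPDATE + FORGED_UPDATE, *R2_SERIAL)


def r2_no_validate():
    """R2 after `no validate-update-source`: both updates are installed."""
    return process_updates(R1_UPDATE + FORGED_UPDATE, *R2_SERIAL, validate_update_source=False)


if __name__ == "__main__":
    for label, (table, dropped) in (("default", r2_default()),
                                    ("no validate-update-source", r2_no_validate())):
        print(f"{label}: installed={table} dropped={dropped}")
```

With the default check the update from 10.1.1.1 is dropped, matching the empty RIP table R2 showed before the command; with the check disabled both the legitimate 1.0.0.0/8 route and the forged default route are installed, which is why the setting should go together with RIPv2 authentication.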