I have recently upgraded some NAC appliances to ISE and am planning/designing the architecture. I have three 3315 appliances and two 3355 appliances. We have two main hub sites (one HQ and one DR) and several satellite locations. The DR site is a hot standby location. My first thought is to deploy the 3355s at the HQ. One as the primary Administration node and the other as a Policy and Monitoring node. Then at the DR location deploy a 3315 as a secondary administration node so it has a full copy of the database and can be promoted to a primary during DR. The other two 3315s I think I will use for testing Inline posture with VPN at the HQ site. Anyone have any other suggestions/recommendations?
How many endpoints are you planning to run through the deployment? Are you doing this for VPN authorization only or are you planning to push wireless and wired through also?
Normally it would be much cleaner to segment the personas on similar hardware (for example, admin nodes running on 3315 hardware, since the application database is designed to grow up to 4GB, and you can have it also run as the PDP persona as well). You can use the 3355s as the MnT persona in a distributed config, since a lot of your growth is in logging, etc. This is just my understanding, and there are multiple ways of doing this. You can leave the third 3315 as a standalone policy service node at HQ, or use it for IPEP until the new code comes out (see note below); you can then change the persona to a PDP and add more if your deployment grows in the future.
Also, are you running Cisco ASA firewalls for your VPN clients? If so, the ASA 9.x code is planning to support CoA, so the need for IPEP will go away (since I am no longer at Cisco, you can have your account team confirm this for you). Cisco is also going to stop providing code for the IPEP node.
(Please keep in mind that this is with very limited knowledge of your network; it may be best to run this by your account team and get their input, since they have the resources to provide some insight into your network.)
Approximately 500 endpoints to start, mostly at the HQ site. Wireless and wired currently; adding VPN further down the road. I understand the preference to use similar hardware for the different personas. My reasoning for using the 3315 as a secondary administration node at the DR site is that even during a DR it will never see the number of endpoints that the HQ site has. I would rather have as much of the horsepower as possible at the main HQ site. If, however, that is considered a best practice, I'm fine with making the DR secondary admin node a 3355 to match the HQ node.
We are using ASAs for all VPN access. I knew CoA was supposed to be coming out before long, but thought I would try the IPEP until then, at least as an interim solution.
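For readers weighing the IPEP-versus-CoA choice discussed above, here is the ASA-side configuration that a RADIUS CoA integration with ISE implies. This is an added example, not configuration from either poster or from Cisco documentation on this page: it assumes an ASA release that supports RADIUS dynamic authorization, an ISE Policy Service Node at 10.0.0.10 reachable via the inside interface, a tunnel-group named SSLVPN, an address pool named VPN_POOL, and a redirect ACL named ISE-REDIRECT; all of these names and addresses are placeholders.

```text
! Added example (not from the thread). RADIUS server group pointing at an
! ISE PSN, with Change of Authorization (CoA) enabled so ISE can push a
! posture redirect or a new DACL to an existing VPN session without an
! inline posture node. Addresses, names and the secret are placeholders.
aaa-server ISE protocol radius
 dynamic-authorization
 interim-accounting-update periodic 1
aaa-server ISE (inside) host 10.0.0.10
 key <shared-secret>
 authentication-port 1812
 accounting-port 1813
!
! Redirect ACL referenced by name in the ISE authorization profile.
! On the ASA, "permit" entries are redirected to the ISE portal and
! "deny" entries bypass redirection, so DNS and traffic to the PSN
! itself must be denied here or the client-provisioning flow breaks.
access-list ISE-REDIRECT extended deny udp any any eq domain
access-list ISE-REDIRECT extended deny ip any host 10.0.0.10
access-list ISE-REDIRECT extended permit tcp any any eq www
access-list ISE-REDIRECT extended permit tcp any any eq https
!
! Tie the VPN tunnel-group to ISE for both authentication and accounting;
! accounting is required so ISE knows the session it is sending CoA for.
tunnel-group SSLVPN general-attributes
 address-pool VPN_POOL
 authentication-server-group ISE
 accounting-server-group ISE
```

The shared secret and the ASA's address must match the network device entry created in ISE, and the ASA listens for CoA on UDP 1700 by default, so that port needs to be open from the PSN to the ASA's inside interface. The `interim-accounting-update` line is optional but keeps the ISE session table current for long-lived VPN sessions.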
I understand where you are coming from. I think the horsepower needs to be focused on the monitoring and the PDP side; the admin node doesn't require all that much horsepower in order to run, it simply manages the application database and assigns personas. The bulk of the work is done among the policy nodes (CPU) and the monitoring node (CPU and storage).
Here is something you can use for reference, it is Cisco's hardware guide -