Deployment and Node Settings
The Deployment Nodes window enables you to configure the Cisco ISE (PAN, PSN, and MnT) nodes and to set up a deployment.
Deployment Nodes List Window
Field Name | Usage Guidelines |
---|---|
Hostname | Displays the hostname of the node. |
Node Type | Displays the node type. It can be one of the following: |
Personas | (Only appears if the node type is Cisco ISE) Lists the personas that a Cisco ISE node has assumed, for example, Administration, Policy Service, Monitoring, or pxGrid. |
Role | Indicates the role (primary, secondary, or standalone) that the Administration and Monitoring personas have assumed, if these personas are enabled on this node. The role can be any one or more of the following: |
Services | (Only appears if the Policy Service persona is enabled) Lists the services that run on this Cisco ISE node. Services can include any one of the following: |
Node Status | Indicates the status of each Cisco ISE node in a deployment for data replication: For more information, click the quick view icon for each Cisco ISE node in the Node Status column. |
General Node Settings
Field Name | Usage Guidelines |
---|---|
Hostname | Displays the hostname of the Cisco ISE node. |
FQDN | Displays the fully qualified domain name of the Cisco ISE node, for example, ise1.cisco.com. |
IP Address | Displays the IP address of the Cisco ISE node. |
Node Type | Displays the node type. |
Personas | |
Administration | Check this check box if you want a Cisco ISE node to assume the Administration persona. You can enable the Administration persona only on nodes that are licensed to provide the administrative services. Role: Displays the role that the Administration persona has assumed in the deployment. The persona can take any one of the following values: Standalone, Primary, or Secondary. Make Primary: Click this button to make this node your primary Cisco ISE node. You can have only one primary Cisco ISE node in a deployment. The other options in this window will become active only after you make this node primary. You can have only two Administration nodes in a deployment. If the node has a Standalone role, the Make Primary button appears next to it. If the node has a Secondary role, the Promote to Primary button appears next to it. If the node has a Primary role and there are no other nodes registered with it, the Make Standalone button appears next to it. You can click the Make Standalone button to make your primary node a standalone node. |
Monitoring | Check this check box if you want a Cisco ISE node to assume the Monitoring persona and function as your log collector. There must be at least one Monitoring node in a distributed deployment. At the time of configuring your primary PAN, you must enable the Monitoring persona. After you register a secondary Monitoring node in your deployment, you can edit the primary PAN and disable the Monitoring persona, if required. To configure a Cisco ISE node on a VMware platform as your log collector, use the following guidelines to determine the minimum amount of disk space that you need: 180 KB per endpoint in your network, per day; 2.5 MB per Cisco ISE node in your network, per day. You can calculate the maximum disk space that you need based on how many months of data you want to have in your Monitoring node. If there is only one Monitoring node in your deployment, it assumes the standalone role. If you have two Monitoring nodes in your deployment, Cisco ISE displays the name of the other Monitoring node for you to configure the primary-secondary roles. To configure these roles, choose one of the following: If you configure one of your Monitoring nodes as primary or secondary, the other Monitoring node automatically becomes the secondary or primary node, respectively. Both the primary and secondary Monitoring nodes receive Administration and Policy Service logs. If you change the role for one Monitoring node to None, the role of the other Monitoring node also becomes None, thereby cancelling the high availability pair. After you designate a node as a Monitoring node, you will find this node listed as a syslog target in the Remote Logging Targets window: . |
Policy Service | Check this check box to enable any one or all of the following services: |
pxGrid | Check this check box to enable the pxGrid persona. Cisco pxGrid is used to share the context-sensitive information from the Cisco ISE session directory to other policy network systems such as Cisco Adaptive Security Appliance (ASA). The pxGrid framework can also be used to exchange policy and configuration data between nodes, for example, sharing tags and policy objects between Cisco ISE and third-party vendors, and for non-Cisco ISE-related information exchanges such as threat information. |
Profiling Node Settings
Field Name | Usage Guidelines |
---|---|
NetFlow | Check this check box to enable NetFlow for each Cisco ISE node that has assumed the Policy Service persona to receive NetFlow packets sent from the routers. Enter the required values for the following options: |
DHCP | Check this check box to enable DHCP for each Cisco ISE node that has assumed the Policy Service persona to listen for DHCP packets from the IP helper. Enter the required values for the following options: |
DHCP SPAN | Check this check box to enable DHCP SPAN for each Cisco ISE node that has assumed the Policy Service persona to collect DHCP packets. |
HTTP | Check this check box to enable HTTP per Cisco ISE node that has assumed the Policy Service persona to receive and parse HTTP packets. |
RADIUS | Check this check box to enable RADIUS for each Cisco ISE node that has assumed the Policy Service persona to collect RADIUS session attributes as well as Cisco Device Protocol (CDP) and Link Layer Discovery Protocol (LLDP) attributes from the Cisco IOS Sensor-enabled devices. |
Network Scan (NMAP) | Check this check box to enable the NMAP probe. |
DNS | Check this check box to enable DNS for each Cisco ISE node that has assumed the Policy Service persona to perform a DNS lookup for the FQDN. Enter the Timeout period in seconds. |
SNMP Query | Check this check box to enable SNMP query for each Cisco ISE node that has assumed the Policy Service persona to poll network devices at specified intervals. Enter values in Retries, Timeout, Event Timeout (mandatory), and Description (optional). |
SNMP Trap | Check this check box to enable an SNMP Trap probe for each Cisco ISE node that has assumed the Policy Service persona to receive linkUp, linkDown, and MAC notification traps from the network devices. Provide or enable the following information: |
Active Directory | Check this check box to scan the defined Active Directory servers for information about Windows users. |
pxGrid | Check this check box to allow Cisco ISE to collect (profile) endpoint attributes over pxGrid. |