Home
Support
Product Support
Security
Cisco Identity Services Engine
Install and Upgrade Guides

Cisco Identity Services Engine Installation Guide, Release 3.5

View all Saved Content

PDF

Is this helpful?

Helpful Unhelpful

Feedback

Thank you for your feedback. Your response has been recorded.

Ask about this document

Cisco Configuration Guide, Release 4.2

Expand all sections

About this content

Network Deployments in Cisco ISE

Cisco ISE network architecture
Cisco ISE deployment terminology
Node types and personas in distributed deployments
Cisco ISE deployment models
Small network deployments
Medium-sized network deployments
Large network deployments
Network device configuration for Cisco ISE

Cisco Secured Network Server Series Appliances and Virtual Machine Requirements

Cisco ISE hardware and virtual appliance requirements
VMware cloud solutions for Cisco ISE
Virtual machine size recommendations
Disk space requirements for VMs in a Cisco ISE deployment
Disk space guidelines for Cisco ISE
CPU requirements for hypervisors

Install Cisco ISE

Install Cisco ISE using Cisco Integrated Management Interface
Run the setup program of Cisco ISE
Verify the Cisco ISE installation process
Install Cisco ISE from an ISO on OpenStack
Install Cisco ISE on a Cisco SNS appliance using NFS
Localized ISE installation

Additional Installation Information

Tools used to create a bootable USB device from installation ISO file
SNS appliance maintenance
VMware virtual machine
Linux KVM
Microsoft Hyper-V
Create a Cisco ISE virtual machine on Hyper-V
Zero Touch Provisioning

Installation Verification and Post-Installation Tasks

Log in to the Cisco ISE web-based interface
Cisco ISE configuration verification
List of post-installation tasks

Common System Maintenance Tasks

Bond ethernet interfaces for high availability
Reset a lost, forgotten, or compromised password using a DVD
Reset a disabled password due to administrator lockout
Change the IP address of a Cisco ISE appliance
View installation and upgrade history
Perform a system erase

Cisco ISE Network Ports and Protocols Specifications

Ports used by all Cisco ISE personas
Cisco ISE infrastructure requirements
Operating system ports
Administration node ports
Monitoring node ports
Policy Service node ports
Cisco pxGrid service ports
OCSP and CRL service ports
Cisco ISE processes
Required internet URLs

Small network deployments

Updated: May 28, 2026

Want to summarize with AI?

On this page

Overview

Split deployments

Overview

Describes small network deployments in Cisco ISE that use a minimal Cisco ISE footprint. This provides centralized policy management and access control with lower complexity, making them suitable for smaller sites with limited users, devices, and authentication load.

The smallest Cisco ISE deployment consists of two Cisco ISE nodes with one Cisco ISE node functioning as the primary node.

The primary node manages all configuration, authentication, and policy tasks for your network. The secondary node acts as a backup. If connectivity is lost between the primary node and network appliances, network resources, or RADIUS, the secondary node supports the primary node and keeps the network running.

Centralized authentication, authorization, and accounting (AAA) operations between clients and the primary node are performed using the RADIUS protocol. Cisco ISE synchronizes all content from the primary node to the secondary node. In a small network deployment, you can configure both nodes on all RADIUS clients by using this model or a similar approach.

A small network deployment of two Cisco ISE nodes. — Figure 1. Small network deployment of Cisco ISE nodes

If you want to add more devices, network resources, users, or AAA clients, switch from the small deployment model to a split or distributed deployment model.

Split deployments

A split deployment in Cisco ISE separates key personas across different nodes, for example, running the Administration and Monitoring personas on one node and the Policy Service persona on separate nodes. This deployment model improves performance and scalability by isolating policy processing from management and reporting functions.

Split deployment provides better load distribution and ensures that the secondary node remains functional during normal network operations. This design also supports deployment expansion.

In split deployments, the AAA load is split between the primary and secondary nodes to optimize the AAA workflow.

Each node must be able to handle the full workload if there are any problems with AAA connectivity. During normal network operations, neither the primary node nor the secondary node handles all AAA requests, because the workload is distributed between the two nodes.

In split deployments, each node can perform its own specific operations, such as network admission or device administration, and still perform all the AAA functions if a failure occurs. If two nodes process authentication requests and collect accounting data from AAA clients, configure one node to act as a log collector.

Figure 2. Split network deployment in Cisco ISE

Need help?

Open a support case

(Requires a Cisco Service Contract)

Bias-free language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.