ISE distributed environment and snmp monitoring

Similar Messages

• Recommended product for syslogging and snmp monitoring

  Hi,
      We currently use KIWI syslog but can anyone recommend a better product for syslogs from Firewalls, Routers and Switches. Our current product creates a seperate text file per day per device. Ideally I would like all these to be combined (or combinable for display purposes) into one log that shows to update realtime and have the ability to filterout "background noise" - stuff we know is acceptable, as well as being able to run simple or quick searches and reports. Ideally for asbout 200+ devices.
       Am I too hopeful or is there a product out there that can do this (that also will not break my companies bank account).
       Also, recommended products for SNMP monitoring if better than we currently use would be useful - currently using Orion and SNMPc.
  Regards
  Adrian

  Adrian,
  We use syslog-ng for RHEL. It can do what you need as far as writing to files and filtering out background noise, but it is not a search/reporting tool. If KIWI does the latter, I imagine you could tell it to read from the file that syslog-ng creates.
  It is open source for writing files through version 3.1.4. Later versions require licensing to write to files or if you are using a Windows OS.
  http://www.balabit.com/downloads/files/syslog-ng/open-source-edition/3.1.4
  Here are some other options:
  Rsyslog: http://www.rsyslog.com/
  Splunk: http://www.splunk.com/
  Snare: http://www.intersectalliance.com/projects/index.html
  Hope this helps.
  Steve Lee
  Emory University

• ISE distributed : router and switch update

  I have 2 ISE 1.2
  I configured ISE1 as primary for PAN, MNT and PSN and it work fine
  Now I am configuring ISE2 as secondary PAN, MNT and PSN
  Found below the actual configuration of the router, switch and WLC where ISE1_IP is configured
  1. Router (sub-interface and DHCP are configured on the router)
  interface FastEthernet1.10
  encapsulation dot1Q 10
  ip address 192.168.1.1 255.255.255.0
  ip helper-address ISE1_IP
  2. Switch configuration
  snmp-server host ISE1_IP version 2c ROpass
  radius-server host ISE1_IP auth-port 1812 acct-port 1813
  aaa server radius dynamic-author
  client ISE1_IP server-key John23
  On site_1, ISE1 is PAN, MNT and PSN primary then ISE2 is PAN, MNT and PSN secondary
  On site_2, ISE1 is PAN, MNT primary and PSN secondary  then ISE2 is PAN, MNT secondary and PSN primary
  See below the configuration that I made after installed ISE2 secondary for PAN, MNT and PSN
  1. Router site_1
  interface FastEthernet1.10
  encapsulation dot1Q 10
  ip address 192.168.1.1 255.255.255.0
  ip helper-address ISE1_IP
  ip helper-address ISE2_IP
  2. Switch site_1
  snmp-server host ISE1_IP version 2c ROpass
  snmp-server host ISE2_IP version 2c ROpass
  radius-server host ISE1_IP auth-port 1812 acct-port 1813
  radius-server host ISE2_IP auth-port 1812 acct-port 1813
  aaa server radius dynamic-author
  client ISE1_IP server-key John23
  client ISE2_IP server-key John23
  3. Router site_2
  interface FastEthernet1.10
  encapsulation dot1Q 10
  ip address 192.168.1.1 255.255.255.0
  ip helper-address ISE2_IP
  ip helper-address ISE1_IP
  4. Switch site_2 (I changed radius order only)
  snmp-server host ISE1_IP version 2c ROpass
  snmp-server host ISE2_IP version 2c ROpass
  radius-server host ISE2_IP auth-port 1812 acct-port 1813
  radius-server host ISE1_IP auth-port 1812 acct-port 1813
  aaa server radius dynamic-author
  client ISE1_IP server-key John23
  client ISE2_IP server-key John23
  Kindly have a look on my configuration after instelled ISE2 and tell me if it is OK
  Please advise
  Thanks in advance

  I have 2 ISE 1.2
  I configured ISE1 as primary for PAN, MNT and PSN and it work fine
  Now I am configuring ISE2 as secondary PAN, MNT and PSN
  Found below the actual configuration of the router, switch and WLC where ISE1_IP is configured
  1. Router (sub-interface and DHCP are configured on the router)
  interface FastEthernet1.10
  encapsulation dot1Q 10
  ip address 192.168.1.1 255.255.255.0
  ip helper-address ISE1_IP
  2. Switch configuration
  snmp-server host ISE1_IP version 2c ROpass
  radius-server host ISE1_IP auth-port 1812 acct-port 1813
  aaa server radius dynamic-author
  client ISE1_IP server-key John23
  On site_1, ISE1 is PAN, MNT and PSN primary then ISE2 is PAN, MNT and PSN secondary
  On site_2, ISE1 is PAN, MNT primary and PSN secondary  then ISE2 is PAN, MNT secondary and PSN primary
  See below the configuration that I made after installed ISE2 secondary for PAN, MNT and PSN
  1. Router site_1
  interface FastEthernet1.10
  encapsulation dot1Q 10
  ip address 192.168.1.1 255.255.255.0
  ip helper-address ISE1_IP
  ip helper-address ISE2_IP
  2. Switch site_1
  snmp-server host ISE1_IP version 2c ROpass
  snmp-server host ISE2_IP version 2c ROpass
  radius-server host ISE1_IP auth-port 1812 acct-port 1813
  radius-server host ISE2_IP auth-port 1812 acct-port 1813
  aaa server radius dynamic-author
  client ISE1_IP server-key John23
  client ISE2_IP server-key John23
  3. Router site_2
  interface FastEthernet1.10
  encapsulation dot1Q 10
  ip address 192.168.1.1 255.255.255.0
  ip helper-address ISE2_IP
  ip helper-address ISE1_IP
  4. Switch site_2 (I changed radius order only)
  snmp-server host ISE1_IP version 2c ROpass
  snmp-server host ISE2_IP version 2c ROpass
  radius-server host ISE2_IP auth-port 1812 acct-port 1813
  radius-server host ISE1_IP auth-port 1812 acct-port 1813
  aaa server radius dynamic-author
  client ISE1_IP server-key John23
  client ISE2_IP server-key John23
  Kindly have a look on my configuration after instelled ISE2 and tell me if it is OK
  Please advise
  Thanks in advance

• WLC 5508 and SNMP monitoring

  Dear all,
  I'm a little bit confused about this piece of hardware.
  I wonder if there is possibility of monitoring power supply and fans status (like on the other Cisco devices)?
  This info is usually located in ENV-MIB, but seems to me, there is no support of this MIB. Even temperature of box is located in some weird OID.
  Does anyone know, where to find above mentioned?
  For start, power supply (to see through snmp, something like this via CLI):
  Power Supply 1................................... Present, OK
  Thanks for ideas.
  Pavel

  Hi Pavel:
  Please know that the wireless LAN controllers were developed by Airespace and prior to their acquisition by Cisco in 2005, they had already created their own SNMP MIBs (the OIDs start .1.3.6.1.4.1.14179).  Since the acquisition, several former Airespace objects have been obsoleted and replaced by CISCO-LWAPP-* or other Cisco objects, yet some former Airespace objects remain in use, depending on the software train in use on the wireless LAN controller.  There are wireless MIBs for each software train in the Software Center. 
  All the maintenance releases (i.e. 7.0.240.0, 7.0.230.0, 7.0.220.0, 7.0.172.0, etc.) within a given train (i.e. 7.0.something.something, 6.0.something.something, 5.2.something.something) should have the same objects since maintenance releases are only supposed to contain bug fixes, while trains introduce new features and/or functionality--which, in turn, would require new SNMP objects.
  Try walking agentSwitchInfo (.1.3.6.1.4.1.14179.1.1.3):
  nms-jasmine:~# snmpwalk 172.18.254.29 agentSwitchInfoAIRESPACE-SWITCHING-MIB::agentSwitchInfoLwappTransportMode.0 = INTEGER: layer3(2)AIRESPACE-SWITCHING-MIB::agentSwitchInfoPowerSupply1Present.0 = INTEGER: false(0)AIRESPACE-SWITCHING-MIB::agentSwitchInfoPowerSupply1Operational.0 = INTEGER: false(0)AIRESPACE-SWITCHING-MIB::agentSwitchInfoPowerSupply2Present.0 = INTEGER: false(0)AIRESPACE-SWITCHING-MIB::agentSwitchInfoPowerSupply2Operational.0 = INTEGER: false(0)nms-jasmine:~#

• Cisco ISE Distributed environment question

  Hi everyone,
  We want to deploy the ISE's nodes in primary- secondary to high availability.
  One Node is in Europe and the another node is in America.
  Is there exist some restriction about the distance or times, to syncronize between each one?.
  Of course, the timezone for each node will be different (GMT - 8 and GMT +1 for example).
  I was reading the way for implement it, but it didn't show any information about this.
  Regards,

  Hi James,
  Sorry for answer a little late. I  had not the information before by the client.
  The connection between the two sites is a International MPLS (no internet from our perspective). This is the information:
  BW: 2 Mbps
  Delay: 200 ms
  I put the 2 Nodes ISE in that way:
  Node in Europe (We will call NodeA):
  - Administration (PAN) Primary
  - Monitoring (MNT)
  - Policy (PSN)
  - NTP Server: Public NTP Server. 130.206.3.166
  Timezone: UTC
  CA Certificate: Self-Certificate_from_ise_node_America
  Node in America (We will call NodeB):
  - Administration (PAN) Secondary
  NTP Server: Public NTP Server. 130.206.3.166 (the same NTP Server)
  Timezone: EST
  The NodeB is registered from NodeA using its dns name, with no problem (so I assumed that the certificate, credential and DNS resolve correctly).
  Waiting for a couple of hour, the NodeB viewed from the NodeA in the section Administration - System - Deployment state OUT OF SYNC.
  When I tried to sync manually, the NodeA showed the following message:
  Internal Error: Server returned HTTP Response Code: 500 for URL: https://NodeB/deployment-rpc/cert
  Expiry status
  And happened everytime I tried to sync.
  The NodeB is no possible to access through http server web page correctly after its register. It shows the portal page, but it doesn't matter if you use a correct user or bad user, after you click Logging, return a white page without information.
  The solution to use the same timezone
  I will put in practice, making the nodes using for both UTC.
  If you guys have another ideas, it's appreciate it.
  Thanks,

• IP SLA and SNMP monitoring

  Hello All,
  I want to create a IP SLA so that I can monitor UP time for ISP's as the I Ethernet connectivity, so if there link down beyond the mux, i cannot find that when it went down and at what time it came back, Basically for how long it? So i want to set IP SLA between CE-PE and same i want to plot a graph in MTRG so that NOC team can motinor as well we can pull historical report for that link.
  Can you please suggest if this is achievable? if yes than how can i achieve this?
  Thanks
  Jagdev

  Hi ,
   You can configure IP SLA on your device using below link 
  http://www.cisco.com/c/en/us/td/docs/ios/12_4/ip_sla/configuration/guide/hsla_c/hsicmp.html
  you need to download MIB on to your MRTG server for montioring 
  CISCO-IPSLA-ECHO-MIB
  CISCO-IPSLA-ETHERNET-MIB
  Look into below url for loading MIB 
  http://oss.oetiker.ch/mrtg/doc/mrtg-reference.en.html
  HTH
  Sandy

• ISE Configuration in Distributed Environment

                    Hi All,
  I have quick questions about  ISE deployment in Distributed environment, as i have purchased 2 X Cisco ise 3395 - For Data Center and 3 X Cisco ISE 3355 for remote location with 3500 Base licences and 500 Advance licences.
  i have some questions on this deployment
  i will install 1 3395 in Primary Datacenter and other 3395 in Our secondary Data center as Primary admin+Primary Monitoring and Secondary Admin+Secondary Monitoring
  and each 3355 will get installed in Remote location as policy server, My Question is it this will be correct deployment?
  or while configuring 3395 do i need to configure Policy server as well in addition to Primary admin and monitoring?
  or please suggest me best deployment stratagy!
  Thanks,
  Sachin

  Thanks for the reply,
  all three sites are connected in MPLS with 100MB redundant band width
  we are have 2 data center one is primary and other is secondary. and all client locations are connected with 100 Meg links where i am planning to install 3355 which will act as authentication server.
  but now my question is
  3395 - Primary Admin+Primary Monitoring - Primary DC
  3395 - Secondary Admin+ Secondary Monitoring - Secondary DC
  3355- will say for one remote location(PSN)
  3355- Second remote Location(PSN)
  3355- third Remote location (PSN)
  thanks,
  Sachin

• SNMP monitoring of UCS environment

  Hello,
    We use Level Platforms (Managed Workplace Service Center)  to monitor the environments my company supports.
  We have an On Site Manager installed within a UCS environment which will monitor host IPs, etc.
  The question is the best way to monitor the rest. (blades without service profiles assigned, etc.)
  I was configuring new Policy Modules in Service Center and need to import MIBs, and wondered which ones would be needed. There are many for the UCS platform, and I thought maybe I was going about it all wrong.
  For reference, we have 6 chassis and @ 42 blades, 2 6248s. Actually, it's a VCE vBlock

  I'm able to set up traps via the EM website following these instructions:
  http://download-west.oracle.com/docs/cd/B19306_01/em.102/b40002/notification.htm
  However, what I'm really looking for is the ability to do snmp gets. I need functionality similar to how the old school DBSNMP under OMS used to work. These commands seem to be totally missing. I found the following documentation:
  http://download-east.oracle.com/docs/cd/B19306_01/em.102/b16244/chap2.htm#sthref74
  Which indicates there should be an snmp subfolder under $ORACLE_HOME/sysman, but that folder does not exist in my installation. I installed Oracle EE. Is there another package I need to install in order to make the subagent run like a normal snmp agent?
  So far if I do a:
  emctl start dbconsole
  that starts up the EM Website and I can use that no probelm. If I...
  emctl start agent -- I get:
  Starting agent ... started.
  issuing a 'emctl staus agent' gives me a normal status message. Things start to get strange when I try to start the subagent, which to my understanding is what I need running in order to to talk to net-snmp, which is the master agent running on this host. Here's what happens:
  [zaro@cheetah bin]$ ./emctl start subagent
  Oracle Enterprise Manager 10g Database Control Release 10.2.0.1.0
  Copyright (c) 1996, 2005 Oracle Corporation. All rights reserved.
  Starting sub agent .....started
  [zaro@cheetah bin]$ ./emctl status subagent
  Oracle Enterprise Manager 10g Database Control Release 10.2.0.1.0
  Copyright (c) 1996, 2005 Oracle Corporation. All rights reserved.
  Sub agent is not running..
  I guess my question is how do I get to have the ability I used to have back in 8i to start up dbsnmp and then have my SNMP monitoring app "discover" the agent and use its instrumentation to get data?

• Cisco ISE 1.2 and Cisco ACS 5.4 patch 6 and support for snmp version 3

  does anyone know if cisco ISE version 1.2 patch 8 and Cisco ACS 5.4 patch 6 support snmp version 3?
  ciscoISE/admin(config)# snmp-server ?
    community  Set community string
    contact    Text for mib object sysContact
    host       Specify hosts to receive SNMP notifications
    location   Text for mib object sysLocation
  ciscoISE/admin(config)# snmp-server
  Ciscoacs/admin(config)# snmp-server ?
    community  Set community string
    contact    Text for mib object sysContact
    host       Specify hosts to receive SNMP notifications
    location   Text for mib object sysLocation
  Ciscoacs/admin(config)# snmp-server

  No support SNMP v3 on ISE v1.2 and 1.3 except for profilling
  http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/cli_ref_guide/ise_cli/ise_cli_app_a.html#12768
   http://www.cisco.com/c/en/us/td/docs/security/ise/1-3/cli_ref_guide/b_ise_CLIReferenceGuide/b_ise_CLIReferenceGuide_chapter_0100.html#ID-1364-00000d30

• Hyperion 11.1.1.3 Installation and Configuration on a Distributed Environ:

  Hi All,
  We have Only Hyperion Production Servers on a Distributed Environment. Now, we are thinking to create new instance that will be called Development Environment and that must be replica or mirror of Prod Environment. For that we cloned Production Servers.
  Since we have all four servers Cloned for Development Environment now I need to Configure those all four instances.....I never worked with installations and configurations ...I do have knowledge and little experience with single tier or one system installation and configuration but distributed environment....I need your support and guideline to configure these boxes...
  Our Distributed Environment lay out is as follows:-
  We have installed Hyperion on Windows Server 2003 and Database is SQL Server
  (1) We have Four Servers
  (a) SQL, which Contains these services EPMA, and IIS Admin Service, World Wide Publishing Services, Hyperion Calc Manager-Web Application,
  Hyperion EPMA (.Net JNI Bridge, Engine Manager, Event Manager, Job Manager, Process Manager, Web Application, and Data Syn-WebApplication)
  (b) Essbase Server Contains these services Hyp ERP Integrator-Web Application, Hyp Essbase Services, Hyp financial Data Quality Management-
  Task Manager
  (c) Planning Server contains these Services Hyp Financial Reporting-Web Application, Hyperion Planning-Web Application, Hyp RMI Registry,
  Hyp Web Analysis-Web Application
  (d) Workspace Server Contains these services Hyp Finacial Reporting (Java RMI Registy, Print Server, Report Server, Scheduler Server), Hyp Foundatio
  OpenLDAP, Hyp foundation shared services-web application, Hyp Provider Services - web application, Hyp Workspace (agent service and web application)
  (2) Now my question is which server needs to be configured 1st then next and next and what things or steps i need to follow for configuration that works fine?
  I know I can run EPMA configure tool for each system from Stat>All program>Oracle EPMA>EPMA Configuration> and then select tool to run.....But I am bit confused that which one go 1st and then next.
  Please give your few words for this so that I can start configure the system....
  I hoping for positive feedback...
  Thanks in Advance.
  Safi
  Edited by: Safi on Aug 31, 2011 2:00 PM

  We have roughly 8 servers in our distributed prod environment. We are using red linux for everything but the epma and report server which you need a windows server. The way we installed was to start with the base server with Shared services and establish that one and whatever else you want on that server. From there it really didnt matter as you go through the installs it will ask you where your shared services box is located. The only problem we had was that some of our boxes are behind a WHI cage where we had to open up ports. Other then that i really didnt follow a specific sequence of installation after shared services. Hope that helps.

• ISE admin , PSN and monitoring node fail-over and fall back scenario

  Hi Experts,
  I have question about ISE failover .
  I have two ISE appliaces in two different location . I am trying to understand the fail-over scenario and fall-back scenario
  I have gone through document as well however still not clear.
  my Primary ISE server would have primary admin role , primary monitoring node and secondary ISE would have secondary admin and secondary monitoring role .
  In case of primary ISE appliance failure , I will have to login into secondary ISE node and make admin role as primary but how about if primary ISE comes back ? what would be scenario ?
  during the primary failure will there any impact with users for authentication ? as far as PSN is available from secondary , it should work ...right ?
  and what is the actual method to promote the secondary ISE admin node to primary ? do i have to even manually make monitoring node role changes ?
  will i have to reboot the secondary ISE after promoting admin role to primary  ?

  We have the same set up across an OTV link and have tested this scenario out multiple times. You don't have to do anything if communication is broken between the prim and secondary nodes. The secondary will automatically start authenticating devices that it is in contact with. If you promote the secondary to primary after the link is broke it will assume the primary role when the link is restored and force the former primary nodes to secondary.

• Need Step by step installation guide for Cisco ISE in distributed environment.

               Hi Friends,
  If anyone is having  step by step installation guide for Cisco ISE in distributed environment please shere!
  I have user guide from Cisco, but does someone have created at the time of actual installation.
  Thanks,
  Sachin

  There is a trustsec 2.1 how to guide on cisco's website. There is also a TrustSec 2.0 ISE Guide floating around that has step by step instructions for setting up ISE 1.0.4. Which is still pretty accurate for the 1.1.1 guide. But if you go through the below site it should give you all the info you need.
  http://www.cisco.com/en/US/solutions/ns340/ns414/ns742/ns744/landing_DesignZone_TrustSec.html

• SAPehpi and Windows distributed environment

  Hi,  We have Windows platform with Oracle databases in distributed and high-availability environment.
  I have tried to install EHP1 for PI 7.1.  I have used SAPehpi as described in installation manual.  SAPehpi will stop
  when querying database information.  It uses brtools and this will fail because Oracle is another server and you cannot
  use brtools in primary application server os-level.
  SAPehpi should be started on primary application server as described in manual. But the instructions how to use tool
  in distributed environment just give information about microsoft cluster SCS and ASCS handling. I need to know
  howto use this tool with remote Oracle database.
  Why I can't just use SAINT and JSPM, I don't need slow and complicated tools like this. I don't need shadow instance
  because just building up the systems.
  Do I have to install temporary PAS instances to database server to get this work? Any experience using this tool
  on distributed env?
  BR. Jari

  > My question was actually criticism againts this new tool.  SAINT and JSPM were working fine in already installed and configured
  > SAP systems.
  Yes - you're right - but they require a HUGE downtime since the whole system must be locked as the first runtime step of SAINT is started; depending on the speed of the system and the number of packages you'd have downtimes of two days or more; this is fine for test- and/or qa-systems but it's not for production systems.
  > Now this SApehpi tool doesn't work in current installation without changing configurations.
  SAPehpi is basically nothing else than a SAPup - so a real upgrade (as if you'd upgrade e. g. from 4.6c to ERP 6.0 or from XI 3.0 to PI 7.1).
  I agree with you that the communication of that fact was not clear, one can get the impression, that the installation of EHP1 is the same as a support package installation. It is not, it's a real upgrade of the system requiring lots of additional work.
  > We have already configured DBAcockpit via SAP gateways because remote shell was not wanted to use.
  I see.
  > But I haven't found a way to tell SAPehpi how to use gateway for brtools. Solution cannot be that I have to
  > change SAP supported installation just to get EHP1 installed.
  >
  > I think this tool is released without proper testing.
  That tool was basically used for all upgrades that have been done since 2.x (R3up, SAPup) and is now "renamed" to SAPehpi. The Java upgrade functionality was integrated, former combined upgrades required two upgrade programs (SAPup and SAPJup) running and synchronizing at the same time.
  I understand your problem - I'm not aware of any way to tell SAPehpi to use the RFC or gateway functionality to connect to the database; I suggest you write an email to "EHP-TECH at SAP dot COM", maybe those guys and girls have an idea how to do that.
  EHP1 for PI 7.1 is a system upgrade, not a support package installation.
  Markus

• Distributed transactions and 2-phase commit in a SAP Netweaver environment

  Hello,
  I am a Java architect., I don't know very much the SAP technologies. I tried to found on forums or technical papers if SAP does support distributed transactions and two-phase commit, it's not clear. I found something on SAP WAS but my project is using a  SAP PI 7.0 and I cannot find anything on the subject.
  My goal is to include a SAP server (via PI 7.0) in a distributed transaction handled by a J2EE ESB (Oracle, ex-BEA Aqualogic) based on XA capabilities.
  Does anyone have experience or feedback on this topic ?
  Thanks.

  Hi,
  Do you know this white paper ?
  [Distributed Transaction and 2 phase commit|https://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/3732d690-0201-0010-a993-b92aab79701f]
  Regards,
  Olivier

• ISE 1.2 and maximum PSNs supported in my Persona config

  Hello folks,  I am putting together a medium to large distributed ISE deployment and wondered if anybody could tell me what the maximum number of PSNs are allowed under this configuration.   I was reading thru an older training document with version 1.1 and it suggested only 5, which is why I am wondering if the specs changed on 1.2 but I cannot find them anywhere handy.
  I have a large VM running the PRIMARY admin persona which also is secondary for my reporting & monitoring in my main data center.
  In another state (connected with 10G) is another large VM acting as my secondary admin persona with primary monitoring & reporting.
  Across multiple states I want to have multiple PSNs across the geographical layouts of each state but I am not sure if I can scale enough PSNs with my current version of 1.2 and my persona config listed above.    I have a need for about 12 to 15 PSNs.
  Wondering if I need two more VMs to break out my monitoring as one node in DC1 and secondary monitoring in DC2 in order to get more PSN scalability.
  Any help would be greatly appreciated.
  -Thanks

  As Marvin suggested, I would look into using 1.3 at this point unless you have some specific concerns with that version and really want to stay with 1.2. With that being said, here are my recommendations/comments:
  - Both v1.2 and v1.3 can actually scale up to 40 PSN nodes
  - If any of your PSN nodes are going to be placed in the same location and are layer 2 adjacent I would recommend putting them in a node group and behind a load balancer. If you don't have a load balancer, I would still put them in a node group. At the moment a node group can have up to 10 PSNs
  - If you are going to have 10-15 PSN nodes then you should dedicate 2 nodes for specifically for the monitoring persona
  - The maximum roundtrip delay between any nodes cannot exceed 200ms
  For more info you can always reference the "Network Deployment" section in the hardware installation guide for ISE:
  v1.3
  http://www.cisco.com/c/en/us/td/docs/security/ise/1-3/installation_guide/b_ise_InstallationGuide13/b_ise_InstallationGuide12_chapter_00.html
  v1.2
  http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/installation_guide/ise_ig/ise_deploy.html
  Thank you for rating helpful posts!