AWS Deployment Guide
Introduction
The Cisco Identity Services Engine (ISE) can be deployed on AWS using the official Cisco ISE AMI. This guide explains how to use the Ansible role created for that task.
Goal
The goals of this guide are:
- Install the ansible role.
- Configure the role.
- Deploy to AWS.
Pre-requisites
It is recommended that you review the following guide before starting this one:
Role information
The Ansible collection you installed includes an AWS deployment role whose behavior is controlled through variables.
The role can be used like this:
---
- name: ISE Deployment Playbook
  hosts: localhost
  connection: local
  roles:
    - aws-deployment
The role accomplishes the following tasks:
- Create an AWS Virtual Private Cloud (VPC).
- Create an AWS subnet within the previously created VPC.
- Create an AWS Security Group (SG) on the VPC.
- Create an AWS key pair and store its private key on the local filesystem. That key is the SSH credential for the deployed ISE servers, so restrict its file permissions and keep it out of version control.
- Deploy the selected ISE servers configuration.
Variables
The role behavior can be changed using the following variables:
- ise_deployment_type: Deployment type: single, small, medium or large (see Role usage below).
- ise_psn_instances: Number of PSN servers for medium (maximum five) and large (maximum fifty) deployments (see Role usage below).
- ise_base_hostname: Base hostname for the servers. Default: ISE
- ise_username: Default administrator username for the servers. Default: admin
- ise_password: Default administrator password for the servers. Default: C1sco12345. Override this; the default is published in this guide and must not reach a running deployment.
- ise_ntp_server: NTP server. Default: 10.10.0.1
- ise_dns_server: DNS server. Default: 10.10.0.1
- ise_domain: Domain name. Default: example.com
- ise_timezone: Time zone name in tz database format (for example Etc/UTC). Default: Etc/UTC
- aws_ise_ami: Cisco ISE AWS AMI ID, for example ami-0a8b4f863885c3372. AMI IDs are region specific, so use the one published for aws_region.
- aws_vpc_name: AWS VPC name. Default: ISE VPC
- aws_vpc_cidr: AWS VPC CIDR. Default: 10.10.0.0/16
- aws_subnet_cidr: AWS subnet CIDR. Default: 10.10.1.0/24
- aws_region: AWS deployment region. Default: us-west-2
- aws_public_access_cidr: Network from which the security group allows public access to the servers. Default: 0.0.0.0/0 (any address). Restrict this to your management network before deploying.
- aws_keypair_name: AWS SSH key pair name. Default: ISE-Deployment
- aws_instance_type: AWS instance type for the ISE servers. Default: c5.4xlarge
Using variables in Ansible
There are several ways of modifying the default variables. You can check the Ansible documentation for more information.
Command line
From the command line, it can be done with the -e EXTRA_VARS or --extra-vars EXTRA_VARS flag:
ansible-playbook ise/deployment.yml -e "aws_ise_ami='ami-0a8b4f863885c3372'"
ansible-playbook ise/deployment.yml --extra-vars "aws_ise_ami='ami-0a8b4f863885c3372'"
Variables file
It is possible to use a variables file:
---
- name: ISE Deployment Playbook
  hosts: localhost
  connection: local
  vars_files:
    - my_vars.yml
  roles:
    - aws-deployment
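The following my_vars.yml is an added example written for this guide; it is not shipped with the collection. It overrides every role default that a real deployment should not keep, in particular the published admin password and the world-open access CIDR. The vault variable name vault_ise_password, the domain, the NTP/DNS addresses and the admin network CIDR are assumptions chosen for illustration.

```yaml
---
# my_vars.yml (added example, not part of the collection)
# Every key here overrides a default from the Variables list above.

# The AMI ID is region specific and must match aws_region.
# The ID below is the example used in this guide, not a looked-up value.
aws_region: us-west-2
aws_ise_ami: ami-0a8b4f863885c3372

# Deployment size. ise_psn_instances is only read for medium and large.
ise_deployment_type: medium
ise_psn_instances: 3

# Never keep the published default admin password (C1sco12345).
# vault_ise_password is assumed to live in an ansible-vault encrypted
# file (for example vault.yml) that is loaded together with this one.
ise_username: admin
ise_password: "{{ vault_ise_password }}"

# Node naming and services. The 10.10.0.1 defaults for NTP and DNS are
# placeholders inside the VPC range; point them at servers the instances
# can actually reach (addresses below are assumed).
ise_base_hostname: ISE
ise_domain: corp.example.com
ise_ntp_server: 10.10.1.10
ise_dns_server: 10.10.1.10
ise_timezone: Etc/UTC

# Networking. Replace the default 0.0.0.0/0 with the network your
# administrators connect from (203.0.113.0/24 is a documentation range
# used here as the assumed admin network).
aws_vpc_name: ISE VPC
aws_vpc_cidr: 10.10.0.0/16
aws_subnet_cidr: 10.10.1.0/24
aws_public_access_cidr: 203.0.113.0/24
aws_keypair_name: ISE-Deployment
aws_instance_type: c5.4xlarge
```

Create the encrypted file with `ansible-vault create vault.yml` and put `vault_ise_password: <your password>` in it. Instead of listing both files under vars_files, they can also be passed on the command line with `ansible-playbook ise/deployment.yml -e @my_vars.yml -e @vault.yml --ask-vault-pass`; the `@file` form of -e loads a YAML or JSON file as extra vars, and extra vars take precedence over the role defaults.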
Playbook variables
You can define the variables in the playbook:
---
- name: ISE Deployment Playbook
  hosts: localhost
  connection: local
  vars:
    aws_ise_ami: ami-0a8b4f863885c3372
  roles:
    - aws-deployment
Role usage
There are four possible deployment types supported by this role:
- Single
- Small
- Medium
- Large
Single deployment
It is used with the following variable: ise_deployment_type=single
It creates one Cisco ISE server.
Small deployment
It is used with the following variable: ise_deployment_type=small
The small deployment creates two servers.
Medium deployment
It is used with the following variable: ise_deployment_type=medium
The medium deployment uses an extra variable, ise_psn_instances, to set how many PSN servers to create, up to a maximum of five.
It installs two servers with the PAN and MNT personas plus the number of PSN servers given by ise_psn_instances.
Large deployment
It is used with the following variable: ise_deployment_type=large
The large deployment also uses ise_psn_instances to set how many PSN servers to create, up to a maximum of fifty.
It installs two servers with the PAN persona, two servers with the MNT persona, plus the number of PSN servers given by ise_psn_instances.
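The playbook below is an added example for this guide, not the collection's own playbook. It selects a medium deployment and, before the role runs, checks the inputs the Role usage section describes: the deployment type must be one of the four listed, and for medium and large deployments ise_psn_instances must not exceed the stated maximum. Whether the role itself enforces these bounds is not documented, so the checks are done here with ansible.builtin.assert. The lower bound of one PSN and the guard against the default password and the 0.0.0.0/0 CIDR are assumptions added for this example.

```yaml
---
# Added example (not part of the collection): choose a deployment type and
# refuse to run the role with inputs that are out of range or unsafe.
- name: ISE Deployment Playbook (medium, with input checks)
  hosts: localhost
  connection: local
  vars:
    ise_deployment_type: medium
    ise_psn_instances: 3
    # Maxima from the Role usage section; single and small take no PSN count.
    ise_psn_limits:
      medium: 5
      large: 50
  pre_tasks:
    - name: Validate deployment type
      ansible.builtin.assert:
        that:
          - ise_deployment_type in ['single', 'small', 'medium', 'large']
        fail_msg: "ise_deployment_type must be single, small, medium or large"

    - name: Validate PSN count for medium and large deployments
      ansible.builtin.assert:
        that:
          - ise_psn_instances is defined
          # A minimum of one PSN is assumed; the guide states only the maxima.
          - ise_psn_instances | int >= 1
          - ise_psn_instances | int <= ise_psn_limits[ise_deployment_type]
        fail_msg: >-
          ise_psn_instances={{ ise_psn_instances | default('undefined') }} is outside
          1..{{ ise_psn_limits[ise_deployment_type] }} for a {{ ise_deployment_type }} deployment
      when: ise_deployment_type in ['medium', 'large']

    - name: Refuse the published default password and a world-open security group
      ansible.builtin.assert:
        that:
          # An undefined variable would fall back to the role default, so treat
          # "undefined" the same as the default value.
          - ise_password | default('C1sco12345') != 'C1sco12345'
          - aws_public_access_cidr | default('0.0.0.0/0') != '0.0.0.0/0'
        fail_msg: "Override ise_password and aws_public_access_cidr before deploying"

  roles:
    - aws-deployment
```

Running this with ise_psn_instances set to 6 stops the play at the second assert with the message above and never touches AWS; switching ise_deployment_type to large raises the limit to fifty without further changes. Because the assertions live in pre_tasks, they run before any role task creates the VPC, subnet, security group or key pair.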