https://community.cisco.com/t5/network-access-control/ise-node-group-behind-load-balancer/m-p/2193497#M137948 <HTML><HEAD></HEAD><BODY><P>You can place them in either. The trouble becomes with having to deal with all of the ACL rules that you have to manage. There are a lot of ports and protocols used by ISE. Also, it is not not uncommon for some of those ports to change with new releases <SPAN __jive_emoticon_name="happy" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/4.5.4/images/emoticons/happy.gif"></SPAN></P><P></P><P><EM>Thank you for rating!</EM></P></BODY></HTML> Wed, 20 Mar 2013 18:27:03 GMT nspasov 2013-03-20T18:27:03Z https://community.cisco.com/t5/network-access-control/ise-node-group-behind-load-balancer/m-p/2193494#M137866 <P>I'm trying to gather info on distributed deployment w/ multiple PSN nodes.</P><P>Having read through some documents, it looks like you can put multiple PSN's in a node group, and then place the node group behind a load balancer.</P><P></P><P>Q1:</P><P>Node group config requires multicast.</P><P>Cisco ACE LB doesn't support multicast, except in brige mode.</P><P>How do people support distributed deployment in node group behind Ciso ACE?</P><P></P><P>Q2:</P><P>User guide says: "We recommend that you have two, three, or a maximum of four nodes in a node group."</P><P><A class="jive-link-external-small" href="http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_dis_deploy.html#wp1134272" target="_blank">http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_dis_deploy.html#wp1134272</A></P><P></P><P>What if we need more than 4 PSN nodes to support our network &amp; user base?</P><P></P><P>Q3:</P><P>Has anyone been able to implement distributed deployment between two datacenters behind GSS?</P><P>If GSS isn't possible, we'll be happy to just have it in working state behind ACE LB.</P><P></P><P>thx!</P> Mon, 11 Mar 2019 03:13:08 GMT https://community.cisco.com/t5/network-access-control/ise-node-group-behind-load-balancer/m-p/2193494#M137866 huangedmc 2019-03-11T03:13:08Z https://community.cisco.com/t5/network-access-control/ise-node-group-behind-load-balancer/m-p/2193495#M137886 <HTML><HEAD></HEAD><BODY><P>I have had close to zero experience with LBs so my answers will be limited:</P><P></P><P>Q1: I don't think the multicast plays any role with the LB. The multicast address is needed for the ISE nodes for replication</P><P></P><P>Q2: You will have to create a new node group with a new multicast address</P><P></P><P>Q3: No help here</P><P></P><P>Couple of other things to remember:</P><P>1. The nodes must be layer 2 adjacent</P><P>2. You must use routed mode...no NAT/SNAT. Each node must be reachable directly from the end clients</P><P>3. You must perform sticky</P><P>4. The Load balancers must be listed as NADs in ISE</P><P></P><P>Hope this provides some help to you.</P><P></P><P><EM>Thank you for rating!</EM></P></BODY></HTML> Wed, 20 Mar 2013 17:58:54 GMT https://community.cisco.com/t5/network-access-control/ise-node-group-behind-load-balancer/m-p/2193495#M137886 nspasov 2013-03-20T17:58:54Z https://community.cisco.com/t5/network-access-control/ise-node-group-behind-load-balancer/m-p/2193496#M137919 <HTML><HEAD></HEAD><BODY><P>Thanks Neno.</P><P>Follow-up question:</P><P></P><P>Where do people usually place their ISE nodes? Internal or DMZ?</P><P>I heard they're typically put in the internal networks...</P><P>Why it's a good idea to keep ISE in the internal networks, instead of DMZ?</P><P></P><P>If guests can interface directly w/ the ISE, wouldn't it be safer to place it in the DMZ?</P></BODY></HTML> Wed, 20 Mar 2013 18:20:54 GMT https://community.cisco.com/t5/network-access-control/ise-node-group-behind-load-balancer/m-p/2193496#M137919 huangedmc 2013-03-20T18:20:54Z https://community.cisco.com/t5/network-access-control/ise-node-group-behind-load-balancer/m-p/2193497#M137948 <HTML><HEAD></HEAD><BODY><P>You can place them in either. The trouble becomes with having to deal with all of the ACL rules that you have to manage. There are a lot of ports and protocols used by ISE. Also, it is not not uncommon for some of those ports to change with new releases <SPAN __jive_emoticon_name="happy" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/4.5.4/images/emoticons/happy.gif"></SPAN></P><P></P><P><EM>Thank you for rating!</EM></P></BODY></HTML> Wed, 20 Mar 2013 18:27:03 GMT https://community.cisco.com/t5/network-access-control/ise-node-group-behind-load-balancer/m-p/2193497#M137948 nspasov 2013-03-20T18:27:03Z