topic Re: ISE Multiple deployment (3595 and 3615) in Network Access Control

ISE Multiple deployment (3595 and 3615)

likewinered — Fri, 13 Mar 2020 23:06:29 GMT

Hello Experts!

I'm currently using three 3595 ISEs.

I want to add another 3615 here as a PSN.

Currently information

ISE1 : PAN(Primary) + MNT(Secondary) + PSN

ISE2 : PAN(Secondary) + MNT (Primary) + PSN

ISE3 : PSN (Health-Check node)

Is there problem to use?

Re: ISE Multiple deployment (3595 and 3615)

Arne Bier — Fri, 27 Sep 2019 05:11:36 GMT

Hi @likewinered

Not a problem - you are using ISE 2.4 on the existing network?

When registering a node, the new (soon to be added) node needs to have the same software and patch level as the rest of the deployment

Re: ISE Multiple deployment (3595 and 3615)

Damien Miller — Fri, 27 Sep 2019 18:01:37 GMT

This is not a supported or tested deployment model. It would probably work, but it introduces new items that should be covered.

1. If the third psn is only there for the sole purpose of being a healthcheck node, then when ISE automatically fails over, the still working PAN (which is also acting as your only working PSN at that time) will go down. You will cause an unplanned authentication outage as services restart.

2. Running more than two nodes in a deployment where all three personas are running on the PAN/MNT nodes, violates the tested and supported standalone/hybrid deployment models. If you have more than two nodes, then the first two nodes should only host the PAN/MNT roles, and you dedicate PSNs to authentication duty. So adding one more node shouldn't be done, you should add two more to include HA in conjunction with the restructuring of roles to a hybrid deployment.
2x PSN/MNT nodes (no other personas should run on these)
2x Dedicated PSN nodes to provide HA

3. Even though this works, and ISE won't stop you from deploying a standalone deployment then adding a third node, you shouldn't do it. If you open up a TAC case, there is a high probability that TAC will ask for it to be corrected to a tested/supported model.

Re: ISE Multiple deployment (3595 and 3615)

Arne Bier — Sat, 28 Sep 2019 09:32:18 GMT

@Damien Miller - I don't believe @likewinered intention was to run three PAN/MnT combos - there is no way to even try to select such a function. What they were asking was whether adding a PSN to a deployment consisting of two PAN+MnT+PSN would be a problem.

The official Cisco deployment guide says this is not allowed and the "next steps" for customers who wish to expand by ONE PSN from a 2 node all-in-one system, is to buy three more nodes:

Existing Deployment:

PAN+MnT+PSN
PAN+MnT+PSN

PAN+MnT
PAN+MnT
PSN
PSN
PSN

This is the official stannce but I know customers who are simply adding a third node for simple stuff like Guest Portals. Why would anyone in their right mind buy three ISE nodes just so that their system can add one more PSN for Guest Portal functionality? The load will be negligible and Cisco should be more clear on the technical reasons why this is a bad idea. I think it's a great idea. If a TAC engineer can prove to me that I have broken the system by doing this then I will concede that it's wrong. Of course I would never want to have a two node system hammering away at 40,000 concurrent sessions and then dare to add another PSN to that. That would probably end badly.

The ISE Deployment "models" are very rigid and not everyone wants to split off their PSN from the PAN/MnT, or even go fully distributed. Sometimes the PSN is just there for fallback in emergency and may do very little work.

I have seen a fair bit of "creative deployments" in the field that don't fit the Cisco model and they work very well. The TAC have even supported them, and since the issues we were having were not related to scale-out or load, the TAC didn't object.

I guess my point is simply that in a world of infinite resources (hardware/VM/money) just do what Cisco tells you - but these rigid guidelines are not founded on a lot of technical argumentation, other than "not tested by Cisco". But that is no good reason not to run such a setup, if, as I say, the load is minimal. I could imagine 6 PSN's each doing around 500 concurrent sessions all linked to a PAN+MnT+PSN combo would still perform better than a PAN+MnT+PSN combo doing 40,000 concurrent sessions. Therefore it's not the number of PSN's that kills a system.

Re: ISE Multiple deployment (3595 and 3615)

Damien Miller — Mon, 30 Sep 2019 16:30:49 GMT

At the end of the day it is untested and you are assuming the risk if you go down that path, so it really shouldn't be recommend here. There should be more push back to the BU if there is an untested deployment model people are asking for. At the end of the day it's rigid because that provides known working deployment models that can be supported by TAC.

Re: ISE Multiple deployment (3595 and 3615)

paul — Mon, 30 Sep 2019 19:00:22 GMT

Just to chime in here. We have had customers for years running the 3 node deployment where they needed an extra PSN for various reasons. There is no technical reason to not do this. It works just fine. The only reason, as has been said, is it is not a supported model by Cisco. I don't recommend a deployment model outside of the 3 supported models, but technically it works just fine.

Re: ISE Multiple deployment (3595 and 3615)

likewinered — Tue, 01 Oct 2019 01:43:01 GMT

Yes. I using ISE 2.4.

Thanks for your reply.

Re: ISE Multiple deployment (3595 and 3615)

likewinered — Tue, 01 Oct 2019 01:51:42 GMT

Thank you everyone!

I think my explanation is a bit lacking.

This is the composition I want to use.
ISE1: PAN + MNT + PSN
ISE2: PAN + MNT + PSN
ISE3: PSN (Health check node)
ISE4 (New 3615): PSN

The bottom line is that although this configuration is not recommended by Cisco, it does not seem technically problematic.