topic Re: Recommendation on PSN node groups in Network Access Control

Recommendation on PSN node groups

blandrum — Mon, 16 Sep 2019 13:24:42 GMT

I have a customer who's wanting to build out a highly scalable, fully distributed ISE deployment and they've asked me if we have any recommendations on when to split out the PSNs into different node groups. All ISE personas are connected across the same high-speed MAN, so latency isn't a concern. The campus is spread into quadrants, so they were wondering if there were scaling / performance benefits to break the PSNs out into multiple node groups based on the user's location and likelihood of hitting certain PSNs. For example, if the user is in the NE quadrant of the campus they could only possibly hit a single HA pair of PSNs (based on the RADIUS definitions in the NADs), so should they create a PSN group for just that pair of PSNs?

Re: Recommendation on PSN node groups

Colby LeMaire — Mon, 16 Sep 2019 14:21:56 GMT

Node groups are ideal for PSNs that are in the same load balancing pool or same Radius server group in IOS. Usually those PSNs would also be in the same physical location too. So yes, if you typically will group PSNs together logically in your NAD Radius configurations based on location, then put those PSNs together in a node group.

Re: Recommendation on PSN node groups

Damien Miller — Mon, 16 Sep 2019 18:58:13 GMT

Just keep in mind that nodes in a node group should be in the same L2 domain. Most MAN connections I have seen are pseudo L2, and not true L2 service. Even if the nodes are not behind a LB, but endpoints/NAD have the chance of using any of the PSNs within the group of PSNs, then a node group would be beneficial.