https://community.cisco.com/t5/network-access-control/cisco-ise-distributed-deployment/m-p/3754119#M487693 Answer to your first question, Yes, you can have two ISE nodes in different subnets and locations as long as you allow the ports mentioned here between the nodes <A href="https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/install_guide/b_ise_InstallationGuide24/b_ise_InstallationGuide24_chapter_0110.html" target="_blank">https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/install_guide/b_ise_InstallationGuide24/b_ise_InstallationGuide24_chapter_0110.html</A> <BR /><BR />Answer to your second question, Yes, certificates are mandatory as the registration happens over secure HTTP tunnel. <BR /><BR />For the third question,<BR />Recommend you to follow this <A href="https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/admin_guide/b_ise_admin_guide_24/b_ise_admin_guide_24_new_chapter_011.pdf" target="_blank">https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/admin_guide/b_ise_admin_guide_24/b_ise_admin_guide_24_new_chapter_011.pdf</A> Wed, 28 Nov 2018 07:32:45 GMT Surendra 2018-11-28T07:32:45Z https://community.cisco.com/t5/network-access-control/cisco-ise-distributed-deployment/m-p/3754059#M487692 <P>Hi</P> <P>&nbsp;</P> <P>We have two ISE in different subnet and location.Can we make it as single cluster?</P> <P>Is it certificate mandatory ?</P> <P>What are the prequation needs to be taken care?</P> <P>Can any one help me&nbsp;</P> <P>Debu</P> Wed, 28 Nov 2018 04:30:55 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-distributed-deployment/m-p/3754059#M487692 Debabrata Majhi 2018-11-28T04:30:55Z https://community.cisco.com/t5/network-access-control/cisco-ise-distributed-deployment/m-p/3754119#M487693 Answer to your first question, Yes, you can have two ISE nodes in different subnets and locations as long as you allow the ports mentioned here between the nodes <A href="https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/install_guide/b_ise_InstallationGuide24/b_ise_InstallationGuide24_chapter_0110.html" target="_blank">https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/install_guide/b_ise_InstallationGuide24/b_ise_InstallationGuide24_chapter_0110.html</A> <BR /><BR />Answer to your second question, Yes, certificates are mandatory as the registration happens over secure HTTP tunnel. <BR /><BR />For the third question,<BR />Recommend you to follow this <A href="https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/admin_guide/b_ise_admin_guide_24/b_ise_admin_guide_24_new_chapter_011.pdf" target="_blank">https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/admin_guide/b_ise_admin_guide_24/b_ise_admin_guide_24_new_chapter_011.pdf</A> Wed, 28 Nov 2018 07:32:45 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-distributed-deployment/m-p/3754119#M487693 Surendra 2018-11-28T07:32:45Z https://community.cisco.com/t5/network-access-control/cisco-ise-distributed-deployment/m-p/3754292#M487695 <P>Hi Surendra</P> <P>Thanks for your prompt response.</P> <P>Apricate your help</P> <P>Hi Surendra</P> <P>Thanks for your prompt response.</P> <P>Appreciate your help. Just to understand</P> <P>If there is any existing ISE cluster already running, can we move one node from existing ISE cluster for new location, is it possible?</P> <P>Is there any licensing issue ? If I change the IP address</P> <P>If possible What Shall we do</P> <OL> <LI>Unregister the server from existing cluster</LI> <LI>Change the ISE IP according to new location</LI> <LI>Again join the node in cluster</LI> </OL> <P>Am I right? Or please guide me proper steps</P> <P>Thanks</P> <P>&nbsp;</P> Wed, 28 Nov 2018 12:24:43 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-distributed-deployment/m-p/3754292#M487695 Debabrata Majhi 2018-11-28T12:24:43Z https://community.cisco.com/t5/network-access-control/cisco-ise-distributed-deployment/m-p/3754301#M487697 You can do that as long as you have connectivity. No additional licenses are required.<BR /> Wed, 28 Nov 2018 12:34:04 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-distributed-deployment/m-p/3754301#M487697 Surendra 2018-11-28T12:34:04Z https://community.cisco.com/t5/network-access-control/cisco-ise-distributed-deployment/m-p/3754321#M487699 <P>Hi Surendra</P> <P>&nbsp;</P> <P>Thanks</P> <P>&nbsp;</P> <P>In that case ,I have to follow the following steps right?</P> <OL> <LI>Unregister the&nbsp;Node from existing cluster</LI> <LI>Change the ISE IP according to new location</LI> <LI>Again join the node in cluster</LI> </OL> <P>Thanks</P> <P>&nbsp;</P> Wed, 28 Nov 2018 12:51:28 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-distributed-deployment/m-p/3754321#M487699 Debabrata Majhi 2018-11-28T12:51:28Z https://community.cisco.com/t5/network-access-control/cisco-ise-distributed-deployment/m-p/3757486#M487701 <P>Hello Surenda</P> <P>&nbsp;</P> <P>Is there any Delay which needs to be match ,If the server is defferent location/Subnet?</P> <P>&nbsp;</P> <P>Thanks</P> <P>Debu</P> Tue, 04 Dec 2018 13:18:50 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-distributed-deployment/m-p/3757486#M487701 Debabrata Majhi 2018-12-04T13:18:50Z https://community.cisco.com/t5/network-access-control/cisco-ise-distributed-deployment/m-p/3757494#M487703 200ms is the tolerance.<BR /> Tue, 04 Dec 2018 13:41:29 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-distributed-deployment/m-p/3757494#M487703 Surendra 2018-12-04T13:41:29Z https://community.cisco.com/t5/network-access-control/cisco-ise-distributed-deployment/m-p/3757520#M487705 please see <A href="https://community.cisco.com/t5/security-documents/ise-performance-amp-scale/ta-p/3642148#toc-hId-798633198" target="_blank">https://community.cisco.com/t5/security-documents/ise-performance-amp-scale/ta-p/3642148#toc-hId-798633198</A> Tue, 04 Dec 2018 14:28:39 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-distributed-deployment/m-p/3757520#M487705 Jason Kunst 2018-12-04T14:28:39Z https://community.cisco.com/t5/network-access-control/cisco-ise-distributed-deployment/m-p/3757737#M487706 <P>200 ms was the old guidance. In 2.1 and later it was change and to 300 ms.&nbsp; Of course there are other factors other than latency.</P> Tue, 04 Dec 2018 19:02:16 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-distributed-deployment/m-p/3757737#M487706 paul 2018-12-04T19:02:16Z https://community.cisco.com/t5/network-access-control/cisco-ise-distributed-deployment/m-p/3758052#M487707 <P>Thanks Paul and all for make it sence ,</P> <P>Paul,Can your please let me know some example of "other factors" which needs to be consider.Which will help us to design the cluster.</P> <P>&nbsp;</P> <P>Thanks</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> Wed, 05 Dec 2018 08:41:10 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-distributed-deployment/m-p/3758052#M487707 Debabrata Majhi 2018-12-05T08:41:10Z https://community.cisco.com/t5/network-access-control/cisco-ise-distributed-deployment/m-p/3758211#M487708 Have you reviewed scale and high availability or ise tips tricks<BR /><BR /><A href="https://community.cisco.com/t5/security-documents/ise-training/ta-p/3619944#toc-hId-1281981443" target="_blank">https://community.cisco.com/t5/security-documents/ise-training/ta-p/3619944#toc-hId-1281981443</A><BR /> Wed, 05 Dec 2018 13:09:31 GMT https://community.cisco.com/t5/network-access-control/cisco-ise-distributed-deployment/m-p/3758211#M487708 Jason Kunst 2018-12-05T13:09:31Z