topic Re: Cisco ISE Small Deployment High Availability in Network Access Control

Cisco ISE Small Deployment High Availability

khalid.meraj — Wed, 12 Jul 2017 12:42:01 GMT

Hi please can someone help me with the below question.

I have a splatted deployment.

DC1 -> ISE1(2.2): Primary (Administration, Monitoring, Policy Service)

DC2 ->ISE2(2.2): Secondary (Administration, Monitoring, Policy Service)

DC3 -> ISE3(old deployment, 1.X)

My questions are:

I've done the two new ise2.2 node deployment as per above setup. I know above model does not going to support the automatic failover between the nodes. AS both nodes are used as PSN as well can i use each node (primary and secondary) IPs for each DC endpoints and NAD devices.

not able to understand the PSN behavior of the Secondary node.

can we use both PSNs nodes at a time for policy configuration?

what will happen in case of manual failover?

Any suggestion would be really appreciated.

Re: Cisco ISE Small Deployment High Availability

Jason Kunst — Wed, 12 Jul 2017 13:19:31 GMT

Policy config is done on the PAN not the PSN. The PSN is the policy engine that does all the work

PSNs are always active so in a standalone environment both node1 and 2 have PSN running on them.

Yes you can manually failover PAN and MNT in this environment

Re: Cisco ISE Small Deployment High Availability

paul — Wed, 12 Jul 2017 13:32:49 GMT

PSNs are always active all the time and it is up to the network device (NAD) to utilize the PSNs in a fault tolerant manner.

M&Ts nodes are always active all the time and all nodes in the deployment log to the M&Ts. If one the primary M&Ts fails the admin node will automatically pull logs from other M&T.

The only part you won't have failover for is Admin persona. You will just need to manually failover so you can administer the system.

Re: Cisco ISE Small Deployment High Availability

khalid.meraj — Wed, 12 Jul 2017 14:24:12 GMT

Thanks for a wonderful explanation. just one question.

In regards to my above setup. I'v already a PSN configured and running if i need to include that in the new clustering with the existing config what will happen. does it going to add the existing config to my new PSN config or going to overright it?

can i configure policies on secondary M&T which is also a PSN persona?

Many Thanks

Re: Cisco ISE Small Deployment High Availability

paul — Wed, 12 Jul 2017 20:10:28 GMT

When you join the PSN to the new deployment everything it had from the old deployment should be overwritten and the data will be sync'd from the new deployment.