https://community.cisco.com/t5/network-access-control/difference-between-enabling-primary-secondary-in-ise-and/m-p/3417249#M547920 <P>Thanks everyone for your suggestions but I think I have not made myself clear; so i will rephrase. My question was: Whats the difference between enabling failover between 2 devices/personas and&nbsp;configuring primary/secondary between 2 devices/personas.&nbsp; Which method is better?&nbsp;</P> Wed, 18 Jul 2018 01:27:55 GMT abhijith891 2018-07-18T01:27:55Z https://community.cisco.com/t5/network-access-control/difference-between-enabling-primary-secondary-in-ise-and/m-p/3417106#M547915 <P>Hi all,</P> <P>&nbsp;</P> <P>I have received a distributed environment for Cisco ISE from a client where they have configured an ISE node in one location as Primary in Admin, Sec in Monitoring and another ISE in another location as Secondary&nbsp;<SPAN>in Admin, Primary in Monitoring. So I just wanted to know how different is this scenario if failover was enabled between them.</SPAN></P> <P>&nbsp;</P> <P><SPAN>Regards,</SPAN></P> <P><SPAN>Abhijit</SPAN></P> Fri, 21 Feb 2020 19:01:02 GMT https://community.cisco.com/t5/network-access-control/difference-between-enabling-primary-secondary-in-ise-and/m-p/3417106#M547915 abhijith891 2020-02-21T19:01:02Z https://community.cisco.com/t5/network-access-control/difference-between-enabling-primary-secondary-in-ise-and/m-p/3417157#M547916 <P>I suggest to have a look at one of the cisco Live presentation, and you have more clarity about the setup.</P> <P>It all depends on how you choose and deploy.</P> <P>&nbsp;</P> <P><A href="http://d2zmdbbm9feqrf.cloudfront.net/2015/eur/pdf/BRKSEC-3699.pdf" target="_blank">http://d2zmdbbm9feqrf.cloudfront.net/2015/eur/pdf/BRKSEC-3699.pdf</A></P> <P>&nbsp;</P> <P>BB</P> Tue, 17 Jul 2018 20:56:26 GMT https://community.cisco.com/t5/network-access-control/difference-between-enabling-primary-secondary-in-ise-and/m-p/3417157#M547916 balaji.bandi 2018-07-17T20:56:26Z https://community.cisco.com/t5/network-access-control/difference-between-enabling-primary-secondary-in-ise-and/m-p/3417227#M547918 <P>I had the same question once because I read about that exact scenario in an ISE book called "</P> <H2 class="a-size-medium s-inline s-access-title a-text-normal" data-attribute="Practical Deployment of Cisco Identity Services Engine (ISE): Real-World Examples of AAA Deployments" data-max-rows="2">Practical Deployment of Cisco Identity Services Engine (ISE): Real-World Examples of AAA Deployments"</H2> <P>The author talks about this and it appears to make sense for hardware ISE nodes where you want to spread the work load between Active PAN and Active MnT.&nbsp; Why make one node Active PAN and Active MnT, while the other node just sits around in Secondary mode?&nbsp;</P> <P>But when I asked this question to the Cisco TME's on the ISE Community Forum, they told me not to do what you're describing.&nbsp; In other words, keep both the PAN and MnT personas Active on one node, and Standby on the other node.</P> Wed, 18 Jul 2018 00:06:58 GMT https://community.cisco.com/t5/network-access-control/difference-between-enabling-primary-secondary-in-ise-and/m-p/3417227#M547918 Arne Bier 2018-07-18T00:06:58Z https://community.cisco.com/t5/network-access-control/difference-between-enabling-primary-secondary-in-ise-and/m-p/3417249#M547920 <P>Thanks everyone for your suggestions but I think I have not made myself clear; so i will rephrase. My question was: Whats the difference between enabling failover between 2 devices/personas and&nbsp;configuring primary/secondary between 2 devices/personas.&nbsp; Which method is better?&nbsp;</P> Wed, 18 Jul 2018 01:27:55 GMT https://community.cisco.com/t5/network-access-control/difference-between-enabling-primary-secondary-in-ise-and/m-p/3417249#M547920 abhijith891 2018-07-18T01:27:55Z https://community.cisco.com/t5/network-access-control/difference-between-enabling-primary-secondary-in-ise-and/m-p/3417250#M547921 <P><SPAN>Thanks everyone for your suggestions but I think I have not made myself clear; so i will rephrase. My question was: Whats the difference between enabling failover between 2 devices/personas and&nbsp;configuring primary/secondary between 2 devices/personas.&nbsp; Which method is better?&nbsp;</SPAN></P> Wed, 18 Jul 2018 01:29:41 GMT https://community.cisco.com/t5/network-access-control/difference-between-enabling-primary-secondary-in-ise-and/m-p/3417250#M547921 abhijith891 2018-07-18T01:29:41Z https://community.cisco.com/t5/network-access-control/difference-between-enabling-primary-secondary-in-ise-and/m-p/3417256#M548011 <P>Just to be clear, I understand you have two nodes that have the Admin and Monitoring personas enabled.</P> <P>&nbsp;</P> <P>In that case there are two possible combinations</P> <P>Combo 1:</P> <P>Node 1: Primary Admin, <FONT color="#00ff00">Primary</FONT> MnT</P> <P>Node 2: Secondary Admin, <FONT color="#00ff00">Secondary</FONT> MnT</P> <P>&nbsp;</P> <P>Combo 2</P> <P>Node 1: Primary Admin,&nbsp;<FONT color="#ff9900">Secondary</FONT> MnT</P> <P>Node 2: Secondary Admin,<FONT color="#ff9900">&nbsp;Primary</FONT> MnT</P> <P>&nbsp;</P> <P>Now your question is about failover?&nbsp;</P> <P>There is no MnT failover as such, but as you probably know, you can promote the Secondary MnT to Primary and this will not cause any disturbance or changes to the PAN persona.</P> <P>The PAN is a bit different.&nbsp; If you promote the Secondary PAN to Primary, then the application services will restart on both nodes.</P> <P>&nbsp;</P> <P>After a PAN promotion the result will be as follows:</P> <P>&nbsp;</P> <P>Combo 1: (no change to MnT)</P> <P>Node 1:&nbsp;Secondary Admin, <FONT color="#00ff00">Primary</FONT> MnT</P> <P>Node 2:&nbsp;Primary Admin, <FONT color="#00ff00">Secondary</FONT> MnT</P> <P>&nbsp;</P> <P>Combo 2: (no change to MnT)</P> <P>Node 1:&nbsp;Secondary Admin,&nbsp;<FONT color="#ff9900">Secondary</FONT> MnT</P> <P>Node 2:&nbsp;Primary Admin,<FONT color="#ff9900">&nbsp;Primary</FONT> MnT</P> <P>&nbsp;</P> <P>I don't understand what the question is - there is no design choice (or considerations) as far as I can see. Unless I still haven't understood the question.</P> <P>&nbsp;</P> <P>By the way, what do you mean by "enable failover"?&nbsp; Are you talking about Automatic PAN Failover?&nbsp; As far as I know, it's just the automated way of doing the same thing as I described above.&nbsp; You need an outside PSN (in your case) to be the monitors who decide when to trigger the promotion.&nbsp; Is that what you're trying to achieve?&nbsp; In that case the design question is, WHICH PSN do I designate to monitor which PAN node.&nbsp;</P> <P>I would argue that the PSN closest to the PAN (i.e. in same data centre) is the one to use because it would allow the PAN to be monitored in the event of an inter-data centre WAN failure.&nbsp; If WAN link fails then there will be no PAN promotion since each PSN believes their PAN is alive.&nbsp; If you chose the alternative, using cross-DC PSN monitors, then a WAN failure would cause the Standby PAN to be promoted, and you'll have two active PAN nodes with a split brain network.&nbsp; This is to my knowledge how it would work - but I stand to be corrected.</P> Wed, 18 Jul 2018 01:57:07 GMT https://community.cisco.com/t5/network-access-control/difference-between-enabling-primary-secondary-in-ise-and/m-p/3417256#M548011 Arne Bier 2018-07-18T01:57:07Z