https://community.cisco.com/t5/network-access-control/how-to-design-3-nodes-ise/m-p/3350442#M549681 <P>We have 3 ISE nodes license, Want to use 2 in Primary DC, with HA. and then use the 3rd one in the DR.</P> <P>&nbsp;</P> <P>IN Primary DC,&nbsp; 1 is Primary for Admin, Policy and Monitor.</P> <P>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;2 is Secondary for Admin, Policy and Monitor</P> <P>&nbsp;</P> <P>Then how to do with the 3rd one in DR?</P> <P>&nbsp;</P> <P>thanks</P> Fri, 21 Feb 2020 18:49:13 GMT ccie14007 2020-02-21T18:49:13Z https://community.cisco.com/t5/network-access-control/how-to-design-3-nodes-ise/m-p/3350442#M549681 <P>We have 3 ISE nodes license, Want to use 2 in Primary DC, with HA. and then use the 3rd one in the DR.</P> <P>&nbsp;</P> <P>IN Primary DC,&nbsp; 1 is Primary for Admin, Policy and Monitor.</P> <P>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;2 is Secondary for Admin, Policy and Monitor</P> <P>&nbsp;</P> <P>Then how to do with the 3rd one in DR?</P> <P>&nbsp;</P> <P>thanks</P> Fri, 21 Feb 2020 18:49:13 GMT https://community.cisco.com/t5/network-access-control/how-to-design-3-nodes-ise/m-p/3350442#M549681 ccie14007 2020-02-21T18:49:13Z https://community.cisco.com/t5/network-access-control/how-to-design-3-nodes-ise/m-p/3350513#M549683 Hi,<BR />How many users/devices will it be supporting? What services - wired, wireless 802.1x? Guest portals? BYOD?.<BR /><BR />3 is an awkward number. How about this:<BR /><BR />1 - Primary PAN and MNT<BR />2 - Secondary PAN and MNT + PSN<BR />3 - PSN<BR /><BR />this leaves the first ISE node dedicated mgmt and provides redundancy for all personas.<BR /><BR />HTH Sun, 18 Mar 2018 16:53:10 GMT https://community.cisco.com/t5/network-access-control/how-to-design-3-nodes-ise/m-p/3350513#M549683 Rob Ingram 2018-03-18T16:53:10Z https://community.cisco.com/t5/network-access-control/how-to-design-3-nodes-ise/m-p/3350515#M549685 <P>&nbsp;</P> <P>&nbsp;-&nbsp; By <FONT color="#FF0000">not</FONT> using such a model , use <STRONG><FONT color="#008000">standard</FONT></STRONG> deploymens; 2 admin + monitor , +2 PSN =<STRONG> 4!</STRONG></P> <P>M.</P> Sun, 18 Mar 2018 17:19:27 GMT https://community.cisco.com/t5/network-access-control/how-to-design-3-nodes-ise/m-p/3350515#M549685 Mark Elsen 2018-03-18T17:19:27Z https://community.cisco.com/t5/network-access-control/how-to-design-3-nodes-ise/m-p/3351179#M549686 <P>My 2 cents.</P> <P>&nbsp;</P> <P>-The ISE radius or tacacs servers&nbsp;for authentication are the ones running PSN persona not PAN/MNT (admin nodes).</P> <P>-You should NOT combine multiple personas into the same appliance or VM. But if you have resources constrains then, you should ONLY have 1 primary PAN/MNT, 1 Secondary PAN/MNT and 1 PSN. But still, 1 PSN is&nbsp;not enough because you need redundancy for authentication.</P> <P>-Running 3495 servers + 2 personas is NOT a good combination, I have seen performance issues so it is much better to run at least 3595.</P> <P>-At the end, you need minimum 4 appliances or VM's.</P> Mon, 19 Mar 2018 20:32:06 GMT https://community.cisco.com/t5/network-access-control/how-to-design-3-nodes-ise/m-p/3351179#M549686 ajc 2018-03-19T20:32:06Z https://community.cisco.com/t5/network-access-control/how-to-design-3-nodes-ise/m-p/3352901#M549687 <P>I've made this topology of our new ISE deployment. I'll be happy to receive any comments or suggestions for better planning, since I've properly missed something. The PSN in the top is deployed, IF the redundant links towards the DC's i disconnected.</P> Thu, 22 Mar 2018 07:14:55 GMT https://community.cisco.com/t5/network-access-control/how-to-design-3-nodes-ise/m-p/3352901#M549687 Michael Bartholomæussen 2018-03-22T07:14:55Z https://community.cisco.com/t5/network-access-control/how-to-design-3-nodes-ise/m-p/3354798#M549689 <P>Primary PAN+MnT and Secondary PAN+MnT with 3 x PSNs looks good</P> <P>&nbsp;</P> <P>I would put all three PSNs in a nodegroup to provide redudancy</P> <P>&nbsp;</P> <P>happy to receive feedback on my thoughts</P> Mon, 26 Mar 2018 00:18:40 GMT https://community.cisco.com/t5/network-access-control/how-to-design-3-nodes-ise/m-p/3354798#M549689 paul46 2018-03-26T00:18:40Z