topic Re: ISE deployment in Network Access Control

ISE deployment

engahmedsaied — Sun, 31 Jan 2021 20:03:28 GMT

In ISE deployment I know that we can have two nodes acting as Admin P + Monitor S + PSN and Admin S + Monitor P + PSN

We can separate roles by having two nodes run as admin + monitor then we can add up to 5 PSNs

In case we have 3 nodes can run as the following ?

Admin P + Monitor S + PSN

Admin S + Monitor P + PSN

PSN

Re: ISE deployment

balaji.bandi — Sun, 31 Jan 2021 20:21:11 GMT

You can mix nodes, but what kind of deployment is this and also need to consider the size of deployment.

some notes for reference :

https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/install_guide/b_ise_InstallationGuide24/b_ise_InstallationGuide24_chapter_00.html

Re: ISE deployment

Damien Miller — Mon, 01 Feb 2021 05:05:21 GMT

The usual reason someone want's to run a three node deployment like this is so they can enable the automatic admin node failover. You have to be very careful when doing this, ensuring that every network device has the three nodes configured. When the PAN failover activates, the remaining admin node will also reload leaving just the third PSN online.

While there is no official support for a three node deployment, it sits between a standalone (1-2 node) and Hybrid (4+ node), it does in fact work. Nothing will prevent you from doing this, but you do so knowing that "officially" it's not tested or supported. TAC will still provide support, but if you get in to troubleshooting performance or other odd issues, they might ask you to disable the third node as a troubleshooting step.

Re: ISE deployment

engahmedsaied — Mon, 01 Feb 2021 09:58:42 GMT

Yeah for automatic admin node failover instead of manual method but this a different scenario here

What is the required, 3 nodes run as

Admin P + Monitor S + PSN

Admin S + Monitor P + PSN

PSN

I did not see this in Cisco documentation all about two nodes deployment or two nodes run as admin + monitor without PSN then you can add up to 5 PSNs

but in this way

Admin P + Monitor S + PSN

Admin S + Monitor P + PSN

PSN

Will there any issues ? performance, support tickets, ...

Re: ISE deployment

Marcelo Morais — Mon, 01 Feb 2021 11:39:03 GMT

Hi @engahmedsaied

take a look at the following post: ISE Performance & Scale. Check the ISE Architecture and Terminology (Hybrid Deployment).

Note: every ISE deployment must have one Primary PAN, one Primary MnT and at least one PSN.

Hope this helps !!!

Re: ISE deployment

engahmedsaied — Mon, 01 Feb 2021 12:18:17 GMT

yes this is a nice document but what I am asking about is not listed there

can this be done and supported ? or there issue will be related to this

In case we have 3 nodes can run as the following ?

Admin P + Monitor S + PSN

Admin S + Monitor P + PSN

PSN

as I always use Standalone / Dedicated Deployment , Hybrid / Medium Deployment or Fully distributed / Dedicated deployment

Re: ISE deployment

Marcelo Morais — Mon, 01 Feb 2021 14:15:49 GMT

Hi @engahmedsaied

although it's possible to have 3x Nodes just like this:

Admin P + Monitor S + PSN 
Admin S + Monitor P + PSN 
PSN

the problem is ... how you will calculate the PSN - Maximum Concurrent Sessions?

If you take a look at: ISE Performance & Scale - ISE PSN Performance topic, there is a difference between a Standalone vs Hybrid deployment (in terms of Maximum Concurrent Sessions) ... on the 3x Nodes case, you have a PSN with a different load than the others that have Admin & Monitor service enabled.

Hope this helps !!!