https://community.cisco.com/t5/network-access-control/ise-split-deployment-question/m-p/4561771#M573040 <P>PSN is by design active/active in nature. Meaning your NAD (switch, WLC) can always authenticate using any of the two PSN deployed.</P> <P>The request to PSN does depend on the RADIUS server priority configured on NAD.</P> <P>&nbsp;</P> <P>Now speaking about automatic PAN failover, you definitely need a 3rd health check node. If your concern is about disruption of services during a PAN outage, refer to the list of services that would and wouldn't work in such a scenario -&nbsp;<A href="https://www.cisco.com/c/en/us/td/docs/security/ise/2-0/admin_guide/b_ise_admin_guide_20/b_ise_admin_guide_20_chapter_010.html#ID90" target="_blank">https://www.cisco.com/c/en/us/td/docs/security/ise/2-0/admin_guide/b_ise_admin_guide_20/b_ise_admin_guide_20_chapter_010.html#ID90</A>&nbsp;(section&nbsp;High Availability for the Administrative Node)</P> <P class="p">&nbsp;</P> <P class="p">If you aren't necessarily using services that are affected during such an outage, 2 node deployment should be good.</P> <DIV class="tableContainer"> <TABLE id="ID59__table_1815D190CAF74F6BAD2AD03388346987" class="table" border="1" width="100%"> <TBODY class="tbody"> <TR class="row"> <TD width="70.3%" class="entry">&nbsp;</TD> </TR> </TBODY> </TABLE> </DIV> Wed, 02 Mar 2022 03:29:32 GMT Udupi Krishna. 2022-03-02T03:29:32Z https://community.cisco.com/t5/network-access-control/ise-split-deployment-question/m-p/4560826#M573020 <P>Hi,</P><P>I have two ISE VMs and am thinking of deploying them as a "split deployment".&nbsp; Which as per my understanding places the two nodes in an Active/Active HA pair. So basically I want PAN, PSN and MnT personas to be running on both nodes and should one of them go down then all AAA requests will automatically failover to the one that's still up.</P><P>&nbsp;</P><P>I'm not entirely clear how I can achieve this?</P><P>&nbsp;</P><P>I can see the option to configure PAN failover in the interface but it says I would still need a third "secondary" node to be able to enable this. I guess I could do this but I'm not sure how that would affect licencing as we only purchased for two VMs. Besides, this page suggests it's possible to do it without a 3rd node.&nbsp;<A href="https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/install_guide/b_ise_InstallationGuide24/b_ise_InstallationGuide24_chapter_00.html#ID-1413-000000a7" target="_blank">https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/install_guide/b_ise_InstallationGuide24/b_ise_InstallationGuide24_chapter_00.html#ID-1413-000000a7</A></P><P>&nbsp;</P><P>Can anyone help advise please?</P><P>&nbsp;</P><P>Thanks</P> Mon, 28 Feb 2022 16:10:27 GMT https://community.cisco.com/t5/network-access-control/ise-split-deployment-question/m-p/4560826#M573020 Hassaan 2022-02-28T16:10:27Z https://community.cisco.com/t5/network-access-control/ise-split-deployment-question/m-p/4561771#M573040 <P>PSN is by design active/active in nature. Meaning your NAD (switch, WLC) can always authenticate using any of the two PSN deployed.</P> <P>The request to PSN does depend on the RADIUS server priority configured on NAD.</P> <P>&nbsp;</P> <P>Now speaking about automatic PAN failover, you definitely need a 3rd health check node. If your concern is about disruption of services during a PAN outage, refer to the list of services that would and wouldn't work in such a scenario -&nbsp;<A href="https://www.cisco.com/c/en/us/td/docs/security/ise/2-0/admin_guide/b_ise_admin_guide_20/b_ise_admin_guide_20_chapter_010.html#ID90" target="_blank">https://www.cisco.com/c/en/us/td/docs/security/ise/2-0/admin_guide/b_ise_admin_guide_20/b_ise_admin_guide_20_chapter_010.html#ID90</A>&nbsp;(section&nbsp;High Availability for the Administrative Node)</P> <P class="p">&nbsp;</P> <P class="p">If you aren't necessarily using services that are affected during such an outage, 2 node deployment should be good.</P> <DIV class="tableContainer"> <TABLE id="ID59__table_1815D190CAF74F6BAD2AD03388346987" class="table" border="1" width="100%"> <TBODY class="tbody"> <TR class="row"> <TD width="70.3%" class="entry">&nbsp;</TD> </TR> </TBODY> </TABLE> </DIV> Wed, 02 Mar 2022 03:29:32 GMT https://community.cisco.com/t5/network-access-control/ise-split-deployment-question/m-p/4561771#M573040 Udupi Krishna. 2022-03-02T03:29:32Z https://community.cisco.com/t5/network-access-control/ise-split-deployment-question/m-p/4562004#M573049 <P class="lia-align-justify">Hi&nbsp;<a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/930727">@Hassaan</a>&nbsp;,</P> <P class="lia-align-justify">&nbsp;beyond what&nbsp;<a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1277181">@Udupi Krishna.</a>&nbsp;said ... please take a look at <A href="https://www.cisco.com/c/en/us/td/docs/security/ise/performance_and_scalability/b_ise_perf_and_scale.html" target="_blank" rel="noopener">Performance and Scalability Guide for Cisco IS</A>E, search for <STRONG>Different Types of Cisco ISE Deployment</STRONG>&nbsp;and&nbsp;<A href="https://community.cisco.com/t5/security-documents/ise-secure-wired-access-prescriptive-deployment-guide/ta-p/3641515" target="_blank" rel="noopener">ISE Secure Wired Access Prescriptive Deployment Guide</A>, search for <STRONG>ISE Deployment Considerations</STRONG>.</P> <P class="lia-align-justify">&nbsp;</P> <P class="lia-align-justify">Hope this helps !!!</P> Wed, 02 Mar 2022 10:55:53 GMT https://community.cisco.com/t5/network-access-control/ise-split-deployment-question/m-p/4562004#M573049 Marcelo Morais 2022-03-02T10:55:53Z