topic SXP on ISE distributed deployment in Network Access Control

SXP on ISE distributed deployment

Antonio Macia — Tue, 24 May 2022 14:08:42 GMT

Hi,

I'm looking for advice on a distributed PSN deployment with SXP services enabled.

When enabling the SXP service on two PSNs, I understand that I have to duplicate the SXP connections on each network device pointing to each PSN IP address, correct? Both SXP connections will be in ON state and exchanging the same IP-SGT mappings, right?

In case of failure of any of the PSN nodes, the IP-SGT mapping should remain intact and once the PSN node is recovered it will not affect either the mapping.

Is there anything I should take care of?

Regards.

Re: SXP on ISE distributed deployment

Rob Ingram — Wed, 25 May 2022 09:01:08 GMT

@Antonio Macia you correct, each NAD (switch) would peer with both PSN SXP nodes. The switch would have 2 IP-SGT bindings, one for each ISE SXP peer.

Check the TrustSec matrix to determine the number of SXP bindings your model access layer switch can support.

https://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise-networks/trustsec/software-platform-capability-matrix.pdf

Re: SXP on ISE distributed deployment

b.haxhiaj — Wed, 25 May 2022 10:57:54 GMT

Hi Rob,

Thanks in advance for your assistance.

Since this thread is somehow related to the situation I'm facing, kindly clarify if the following is correct.

In a distributed deployment, in case of hardware refresh:

Replacing the nodes with from 34xx (old) to 36xx (new) with same IP address and hostnames (FQDNs)

1. Configure first the 36xx in an offline environment with the same IP addresses as the nodes to be replaced.

2. Generate the CSRs of the 36xx and have them sign those certificates.

3. Bind the signed certificate to the CSRs of the 36xx.

4. De-register 34xx secondary node, then take it out of the network.

5. Register the configured 36xx as the secondary node (PAN, MNT, PSN).

6. Have your AD admin join the node to the Active Directory domain.

7. Promote the 36xx secondary node as the new Primary Node.

8. De-register the 34xx primary node, then take it out of the network.

9. Register the other prepared 36xx as the secondary node (PSN).

10. Have your AD admin join the node to the Active Directory domain.

Regarding TACACS+ network device administration:

a. There are 2 TACACS+ servers configured on IOS devices (router, switch etc...).

b. Each TACACS+ server has different key hash on running-config on IOS.

Is all information is propagated from PRI -> SEC ISE node, including both TACACS+ keys for network device administration?