topic Re: Regarding ISE HA deployment design in Network Access Control

Regarding ISE HA deployment design

Bluevery1103 — Fri, 08 Dec 2023 05:02:19 GMT

We plan to operate two nodes.
I have one concern regarding design. If ISE HA is not implemented and two NODEs with PAN/MNT/PSN persona roles are operated as ACTIVE/ACTIVE as shown in the configuration diagram, will there be any problems?

From a service perspective, when HQ collapses, we plan to implement DR so that the service can be restored to normal.

Re: Regarding ISE HA deployment design

Arne Bier — Fri, 08 Dec 2023 05:56:13 GMT

The two node design in your diagram is a classic 2 node design and it's perfectly acceptable. You can suffer an outage of one of the ISE nodes, and the RADIUS/TACACS+ services will still run on the other node. If you get unlucky and the Primary Admin Node fails, then you won't see any Live Logs. You can promote the Standby PAN to be Primary, and then you will have Live Logs again.

RADIUS and TACACS+ HA is implemented in the Network Devices and not in ISE. The "Services" are enabled on both nodes and each node has the same programming.

Re: Regarding ISE HA deployment design

Bluevery1103 — Fri, 08 Dec 2023 08:19:30 GMT

Thanks for your response.

One additional question: Would it be okay if two nodes operate as primary for the Admin node?

In other words, it is assumed that when the HQ Primary PAN fails, the DR PAN status is also operating as Primary, not Standby. (In the case of DR PAN, it is not Standby, so there is no need to promote it)

Re: Regarding ISE HA deployment design

Arne Bier — Fri, 08 Dec 2023 11:49:14 GMT

That type of setup would mean that the ISE nodes are not related to each other. Each one is a PAN and therefore is the authority on the database. You have to configure each ISE node separately. Not much fun.

Being PAN is not the most important achievement in the life of an ISE node. You benefit more by joining the nodes and having them sync the config from Primary to Secondary. if the PAN fails then you promote the standby. It’s a very rare event.

Re: Regarding ISE HA deployment design

Bluevery1103 — Mon, 11 Dec 2023 01:43:50 GMT

Thanks to you, my curiosity has been somewhat resolved.

I agree with you saying it's not fun. I think we need to re-establish our goal in the direction of forming HA.

Re: Regarding ISE HA deployment design

Scott Fella — Mon, 11 Dec 2023 03:58:15 GMT

I agree with @Arne Bier, even though it's possible to run two seperate instances, I don't see the benefit since you would have to manually keep everything in sync between the two. With the normal deployment of a two node cube, you can promote the secondary which is easy. You also have an option with configuring PAN failover which will do that automatically , but not really recommended. Keep in mind that the PSN is active on both and your network devices would have entries for both.