topic Re: ISE Cluster in Network Access Control

ISE Cluster

bella964hadid — Thu, 26 Dec 2024 06:00:56 GMT

Can four ISE nodes be deployed across two clusters to ensure high availability between two data-centers with the following criteria :

- An active cluster of 2 nodes in Datacenter 01. Click Here

- A standby cluster of 2 nodes in Datacenter 02

- Configuration synchronization between the two platforms.

- Automatic failover in case of an issue with one of the datacenters.

As far as I know, the four nodes will be deployed within a single ISE distributed deployment, all configured with the active PSN role, and we will select two nodes to handle the PAN and MNT roles

Re: ISE Cluster

JPavonM — Thu, 26 Dec 2024 07:35:51 GMT

As far as I know you cannot sync two differnt ISE deployments.

Is this setup the result of a M&A? If so you should be looking into adapting the 2nd deployment policies in your primary one and merge all the PSN's at the end. If this is something you want to have on a fresh deployment, the best way to go is to have a distributes ISE deployment with PPAN and PMNT at DC#1, and SPAN and SMNT at DC#2 and then enable Automatic Failover on the deployment (If you also have a DNS' load balance technology enble it for the ISE admin portal resolution to point to the good one under the failover scenario)

Re: ISE Cluster

Karsten Iwen — Thu, 26 Dec 2024 10:32:21 GMT

I would assume that this requirement came from a misunderstanding of the way an ISE deployment works. I you want the redunduncy that this requirement implies, you can build one deployment with two servers each in DC1 and DC2. The servers in DC1 would run primary PAN and MNT, the two servers in DC2 would run secondary PAN and MNT. Depending on the load all four could run PSN or the PSNs are separated to other nodes.

For the automatic failover, I just assume that you are mainly interested in RADIUS/TACACS failover. But that is a NAD functionality firsthand.