topic Re: ISE Cluster in Network Access Control

ISE Cluster

GHOZLANE Haroun — Wed, 25 Dec 2024 19:06:52 GMT

Can four ISE nodes be deployed across two clusters to ensure high availability between two data-centers with the following criteria :

- An active cluster of 2 nodes in Datacenter 01.

- A standby cluster of 2 nodes in Datacenter 02

- Configuration synchronization between the two platforms.

- Automatic failover in case of an issue with one of the datacenters.

As far as I know, the four nodes will be deployed within a single ISE distributed deployment, all configured with the active PSN role, and we will select two nodes to handle the PAN and MNT roles

Re: ISE Cluster

Ambuj M — Wed, 25 Dec 2024 20:17:44 GMT

Yes all these 4 nodes can be deployed in a single distributed deployment, make sure roundtrip latency between sites is under 300 ms, you can have few variations of deployment depending on how you want to distribute and scale, table 4 has more details when deployed shared Vs standalone persona in the scalability guide

Here are some additional best practices to keep in mind

Re: ISE Cluster

GHOZLANE Haroun — Tue, 21 Jan 2025 15:25:41 GMT

Dear Ammahend,

I would like to confirm the following setup for distributed deployment , 2 Nodes in each DC as bellow :

In Each DC, we will have two Nodes as bellow:

- One Node with the PAN, MNT, and PSN roles.
- A second Node dedicated to the PSN role.

is this configuration good or it is mandatory to have pan & mnt nodes in one DC ?

Additionally, could you clarify how the failover mechanism would work in case the link between two data centers goes down?

Re: ISE Cluster

Rob Ingram — Tue, 21 Jan 2025 15:40:09 GMT

@GHOZLANE Haroun What hardware have you purhcased or VM specs? How many concurrent sessions does the cluster need to support? https://www.cisco.com/c/en/us/td/docs/security/ise/performance_and_scalability/b_ise_perf_and_scale.html#Cisco_Reference.dita_59d6eb45-48a9-422f-9369-d9e8c2dacb76

Having the PAN/MNT roles in different DCs ensures you have resilency if one DC is unavailable.

Automatic failover can be achieved using one of the PSNs as a health check node. The health check node checks the health of the primary PAN at configured intervals. If the health check response received for the primary PAN is unreachable, the health check node initiates the promotion of the secondary PAN to take over the primary role https://www.cisco.com/c/en/us/td/docs/security/ise/3-3/admin_guide/b_ise_admin_3_3/b_ISE_admin_33_deployment.html#concept_6C3FA27523BC44FC8B7C56731997B71C

You should also ensure that AD, DNS, NTP etc is also available in both DCs, as ISE relies on these for authentication.

Re: ISE Cluster

GHOZLANE Haroun — Tue, 21 Jan 2025 15:50:00 GMT

@Rob Ingram

Does it work as follows ? :

I am planning to deploy 4 VM nodes across two data centers as follows:

DC01: Primary PAN (PPAN), Primary MNT (PMNT), PSN, and an additional PSN.
DC02: Secondary PAN (SPAN), Secondary MNT (SMNT), PSN, and an additional PSN.

If the link between the data centers goes down, each DC will operate independently with its own admin node. Once the link is restored, the system will revert to a single PAN managing both DCs.

Re: ISE Cluster

Rob Ingram — Tue, 21 Jan 2025 16:01:00 GMT

@GHOZLANE Haroun the health check node should be in the same DC as the node it's monitoring. The WAN must be up for health check to function correctly and failover, to avoid split brain.

Re: ISE Cluster

Marcelo Morais — Tue, 21 Jan 2025 22:13:44 GMT

Hi @GHOZLANE Haroun ,

Deployment

Please take a look at: Performance and Scalability Guide for Cisco Identity Services Engine.

1st, you can create a Medium Deployment - ISE Cluster (search for Different Types of Cisco ISE Deployment)

Datacenter01

Node 1: PPAN + SMnT
Node 2: PSN (always active)

Datacenter02

Node 3: SPAN + PMnT
Node 4: PSN (always active)

2nd, for ISE Deployment Sizing (search for Sizing Guidelines for ISE Deployment), you MUST know the Maximum Concurrent Active Sessions of your Deployment.

This is an important number to create the correct SNS/VM (search for Cisco ISE Hardware Appliances).

Software

Please take a look at Cisco ISE Software Download

1st, today Cisco ISE Suggested Release is ISE 3.3 Patch 4.

Load Balancer / NAD

If you have a Load Balancer,

then load balance your RADIUS Request between Node 2 and Node 4
else manually point

half of your NADs to Node 2 as a Primary PSN & Node 4 as a Secondary PSN

the other half to Node 4 as a Primary PSN & Node 2 as a Secondary PSN

Hope this helps !!!

Re: ISE Cluster

GHOZLANE Haroun — Wed, 22 Jan 2025 09:40:11 GMT

@Marcelo Morais

Thanks ,

How does failover work between Node 1 and Node 3 if the link goes down?

During the downtime, do will we have two distributed ISE nodes, and will both be manageable? Additionally, what happens when the link is restored?

Is it mandatory to have two nodes dedicated to PAN and MNT roles?, I intend to assign the PSN role to all four VM nodes.

Re: ISE Cluster

Marcelo Morais — Wed, 22 Jan 2025 13:21:14 GMT

Hi @GHOZLANE Haroun

about: " ... Is it mandatory to have two nodes dedicated to PAN and MNT roles? ... "

PAN and MnT are important Roles, that is why a PPAN/SPAN and PMnT/SMnT is a MUST on a Small, Medium or Large Deployment (please take a look at Performance and Scalability Guide for Cisco Identity Services Engine, search for Different Types of Cisco ISE Deployment).

about: " ... During the downtime, do will we have two distributed ISE nodes, and will both be manageable? Additionally, what happens when the link is restored? ... "

If Datacenter02 is down,

you can use PPAN at Node 1 for Administration
you can use PSN at Node 2 for RADIUS Request

If Datacenter01 is down,

you can manually Promote the SPAN at Node 3 for Administration

you can use PSN at Node 4 for RADIUS Request

about " ... How does failover work between Node 1 and Node 3 if the link goes down? ... "

PPAN and SPAN will automatically synchronize (you can also you the SyncUp option):

Hope this helps !!!

Re: ISE Cluster

GHOZLANE Haroun — Wed, 22 Jan 2025 13:35:53 GMT

@Marcelo Morais

thanks very much for awsome clarifications

Is it possible to assign the PSN role to all four VM nodes, with two of them also serving as PAN and MNT.

My goal is to have two PSN nodes for each data center, with one node in each data center acting as PAN, MNT, and PSN, while the second node is dedicated to PSN

Re: ISE Cluster

Marcelo Morais — Thu, 23 Jan 2025 10:55:01 GMT

Hi @GHOZLANE Haroun ,

yes, it's possible to assign a PSN Role to a PAN & MnT Node, it's considered a Shared PSN and not a Dedicated PSN.

Note: remember that, if your Hardware/VM is compatible with a SNS 3655, then each Dedicated PSN is capable of handle up to 50K Concurrent Active Sessions., in other words, double check if you really need a PSN Role into the PAN & MnT Node.

Hope this helps !!!

Re: ISE Cluster

Aref Alsouqi — Sat, 25 Jan 2025 12:39:55 GMT

Nothing wroing with having the PSN services running on the same node where you also have the administration and monitoring services, actually it is quite common to have a deployment like that.

Here is my take on the auto-failover, this will only be applicable to the administration services and I think it will depend on how you configure it if it will be triggered or not. For instance, if the configured failover monitoring node is sitting in DC1 then I don't believe the failover will happen in that case, because from that failover monitoring node perspective the primary PAN will still be available. In this scenario you wouldn't be able to manage the nodes sitting in DC2.

However, if the configured failover monitoring node is sitting in DC2 and the link between DC1 and 2 goes down, then I think the failover will happen because that failover monitoring node will not be able to reach the primary PAN and it will instruct the secondary PAN to become the primary. I think in this scenario you would have a split-brain deployment because you would have the primary PAN in DC1 and the new primary PAN in DC2.

Although I think you could manage the nodes in DC1 via the PAN in DC1 and the nodes in DC2 via the PAN in DC2 there is a caveat here which is that there is no preemption with ISE auto-failover. This means that even when the link between the two DCs is restored the new PAN in DC2 will remain as is. I'm not sure if in that case the primary PAN in DC1 would be automatically demoted.

Re: ISE Cluster

Scott Fella — Sat, 25 Jan 2025 20:41:23 GMT

@Marcelo Morais I have a new deployment I'm testing with with two 3795's in two different DC's. I have one in each running PAN, PMNT and the other a PSN, then other DC I have one running SAN, SMNT and PSN. I did have the one node in each running all personas for a few months. Our production has 20 nodes and the PAN/MNT are dedicated nodes and are located in a different DC than the SAN and MNT. I didn't like the auto-failover, because I wanted to be able to control which was the PAN. Like what the others have already mentioned, it's possible to do, but you need to also look at the various types of failures. Node failure, traffic to a specific DC, failure between the DC and maybe AD, etc. That way you have a grasp of what can happen in various situations.