https://community.cisco.com/t5/network-access-control/what-is-the-best-way-to-design-cisco-ise-roles/m-p/5366454#M599681 <P>what you have is not bad, you should look at it not just from node persona distribution point of view but more holistically.</P> <P>There are some great presentations in Cisco live on demand library, just search for "<SPAN>Cisco ISE Best Practices"</SPAN></P> Sat, 31 Jan 2026 05:37:49 GMT Ambuj M 2026-01-31T05:37:49Z https://community.cisco.com/t5/network-access-control/what-is-the-best-way-to-design-cisco-ise-roles/m-p/5366281#M599675 <P>Hello. Could you please tell me how to do this better?</P><P>What is the best way to design Cisco ISE roles: keep Primary/Secondary PAN and MnT separated “crosswise” on different management nodes or combine Primary PAN and Primary MnT on a single node from an HA and best practices perspective?</P> Fri, 30 Jan 2026 10:32:35 GMT https://community.cisco.com/t5/network-access-control/what-is-the-best-way-to-design-cisco-ise-roles/m-p/5366281#M599675 nastiakhon 2026-01-30T10:32:35Z https://community.cisco.com/t5/network-access-control/what-is-the-best-way-to-design-cisco-ise-roles/m-p/5366282#M599676 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1739732">@nastiakhon</a>&nbsp;it all depends on the environment, number of concurrent connections, features, redundancy etc. At a minimum you should have two nodes, with redundant personas (PAN, MnT, PSN) - refer to the performance and scale guide <A href="https://www.cisco.com/c/en/us/td/docs/security/ise/performance_and_scalability/b_ise_perf_and_scale.html" target="_blank">https://www.cisco.com/c/en/us/td/docs/security/ise/performance_and_scalability/b_ise_perf_and_scale.html</A></P> <P>&nbsp;</P> Fri, 30 Jan 2026 10:36:24 GMT https://community.cisco.com/t5/network-access-control/what-is-the-best-way-to-design-cisco-ise-roles/m-p/5366282#M599676 Rob Ingram 2026-01-30T10:36:24Z https://community.cisco.com/t5/network-access-control/what-is-the-best-way-to-design-cisco-ise-roles/m-p/5366289#M599677 <P>Yes, I read this article, but I still can't make the right decision.<BR />Attached is a screenshot of my deployed environment.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="nastiakhon_0-1769771745721.png" style="width: 400px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/258829i6A0203CF3CEB8106/image-size/medium?v=v2&amp;px=400" role="button" title="nastiakhon_0-1769771745721.png" alt="nastiakhon_0-1769771745721.png" /></span></P><P>&nbsp;</P> Fri, 30 Jan 2026 11:16:49 GMT https://community.cisco.com/t5/network-access-control/what-is-the-best-way-to-design-cisco-ise-roles/m-p/5366289#M599677 nastiakhon 2026-01-30T11:16:49Z https://community.cisco.com/t5/network-access-control/what-is-the-best-way-to-design-cisco-ise-roles/m-p/5366295#M599678 <P>I'll add that we have an automatic fileover configured for pan nodes.</P> Fri, 30 Jan 2026 11:36:07 GMT https://community.cisco.com/t5/network-access-control/what-is-the-best-way-to-design-cisco-ise-roles/m-p/5366295#M599678 nastiakhon 2026-01-30T11:36:07Z https://community.cisco.com/t5/network-access-control/what-is-the-best-way-to-design-cisco-ise-roles/m-p/5366297#M599679 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1739732">@nastiakhon</a>&nbsp;looks like you've configured the ISE cluster as a medium sized, with PAN and MnT roles on the same hardware, that will suffice for cluster size up to 150K active sessions (depending on VM/hardware resources). So if you do not have a larger deploy that will be fine.</P> <P>If you were designing a very large ISE cluster, you'd have to configured PAN and MnT personas on different nodes to support the scalability.</P> Fri, 30 Jan 2026 11:43:03 GMT https://community.cisco.com/t5/network-access-control/what-is-the-best-way-to-design-cisco-ise-roles/m-p/5366297#M599679 Rob Ingram 2026-01-30T11:43:03Z https://community.cisco.com/t5/network-access-control/what-is-the-best-way-to-design-cisco-ise-roles/m-p/5366408#M599680 <P>Hi,</P> <P>&nbsp; &nbsp;<a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1739732">@nastiakhon</a>&nbsp;Using separate boxes for PAN &amp; MNT roles should be done only when necessary, if scale requires it, otherwise its add complication with no benefits. Take a look at this document and make your decision based on scaling numbers, MEDIUM means PAN &amp; MNT roles on same box, while LARGE means PAN &amp; MNT roles on separate boxes:</P> <P><A href="https://www.cisco.com/c/en/us/td/docs/security/ise/performance_and_scalability/b_ise_perf_and_scale.html" target="_blank">https://www.cisco.com/c/en/us/td/docs/security/ise/performance_and_scalability/b_ise_perf_and_scale.html</A></P> <P><A href="https://www.ciscolive.com/c/dam/r/ciscolive/emea/docs/2025/pdf/BRKSEC-3234.pdf" target="_blank">https://www.ciscolive.com/c/dam/r/ciscolive/emea/docs/2025/pdf/BRKSEC-3234.pdf</A></P> <P>Thanks,</P> <P>Cristian.</P> Fri, 30 Jan 2026 20:13:26 GMT https://community.cisco.com/t5/network-access-control/what-is-the-best-way-to-design-cisco-ise-roles/m-p/5366408#M599680 Cristian Matei 2026-01-30T20:13:26Z https://community.cisco.com/t5/network-access-control/what-is-the-best-way-to-design-cisco-ise-roles/m-p/5366454#M599681 <P>what you have is not bad, you should look at it not just from node persona distribution point of view but more holistically.</P> <P>There are some great presentations in Cisco live on demand library, just search for "<SPAN>Cisco ISE Best Practices"</SPAN></P> Sat, 31 Jan 2026 05:37:49 GMT https://community.cisco.com/t5/network-access-control/what-is-the-best-way-to-design-cisco-ise-roles/m-p/5366454#M599681 Ambuj M 2026-01-31T05:37:49Z