topic Re: Cisco ISE DR DC Deployment in Network Access Control

Cisco ISE DR DC Deployment

Kamran Mustafayev — Wed, 30 Apr 2025 10:57:15 GMT

Hello Team,

We have two small physical ISE appliances in main Data Center, both are using same personas (MnT, PSN, PAN and etc), in case I want to add two VM ISE (same model as physical) to the Disaster Recovery Data Center, does it mean I need to add them to the existing cluster and there is no way to make it "active" and "standby" manner, nodes in DR DC will have a different IP addresses

If I create united cluster including DC and DR DC ISE nodes then I suppose load will be distributed between all 4 nodes (of course if I configure it on each NAS), I wonder what is the best practice in this case

Thank you in advance

Re: Cisco ISE DR DC Deployment

Ben Walters — Wed, 30 Apr 2025 15:37:41 GMT

I would suggest having all ISE nodes in the same deployment, it just makes sense from a configuration perspective and then create deployment groups for the PSNs.

Based on a 4 node deployment, Cisco suggests splitting the PSN functionality from the PAN/MnT beyond 2 nodes. In this case your deployment would have to be 2 PAN/MnT and 2 PSNs.

Considering that, your deployment should look like this once completed:

2 physical nodes - 1 primary PAN/MnT and 1 PSN

2 DR VM nodes - 1 secondary PAN/MnT and 1 PSN

Point your NADs at the PSNs and just have the physical PSN as the first choice although I would personally include the second PSN and have the devices load balance sessions between them where possible.

With this setup it can scale to add up to 6 PSNs if you ever need to expand.

Re: Cisco ISE DR DC Deployment

Kamran Mustafayev — Fri, 02 May 2025 07:13:48 GMT

Thank you for your answer, just one additional question, once I deploy new two ISE nodes in DC and will change roles i.e will move MnT and Adm roles to DR DC ISE nodes will it create any downtime?

Thank you

Re: Cisco ISE DR DC Deployment

Marcelo Morais — Sat, 03 May 2025 07:16:55 GMT

Hi @Kamran Mustafayev ,

beyond what @Ben Walters said ... please take a look at: Performance and Scalability Guide for Cisco Identity Services Engine, search for Table 2. Types of Cisco ISE Deployments.

About your question related to downtime ... please take a look at: Cisco Identity Services Engine Administrator Guide, Release 3.4, search for High Availability for Administrative Node (pay special attention to Table 10. Availability of Features)

Hope this helps !!!

Re: Cisco ISE DR DC Deployment

Kamran Mustafayev — Tue, 06 May 2025 05:42:44 GMT

Thank you so in summary

If I turn off secondary node in main DC MnT and ADM roles and move it to tertiary node in backup DC - this won't make any impact anyway

Just one additional question - when I add new nodes to the deployment will it automatically deploy system certificates to new nodes from the admin node,

Thank you.

Re: Cisco ISE DR DC Deployment

Marcelo Morais — Tue, 06 May 2025 10:28:09 GMT

Hi @Kamran Mustafayev ,

at Administration > System > Certificates > Certificate Management > System Certificates > are you using a Self-Signed Certificate or a CA (take a look at the Used By column) ?

Note: remember to delete Old Certificates please take a look at:

ISE - CSCwo05386 - Baltimore CyberTrust Root expirando (ISE 3.x).

ISE - Queue Link Error, search for: "delete Old Internal Certificates"

Hope this helps !!!

Re: Cisco ISE DR DC Deployment

Kamran Mustafayev — Wed, 07 May 2025 09:20:17 GMT

Hello Marcello

We use some CA certificates

Re: Cisco ISE DR DC Deployment

Marcelo Morais — Wed, 07 May 2025 17:38:46 GMT

@Kamran Mustafayev ,

whenever you add new Nodes to the Deployment, you must import the Certificates for these Nodes generated by your CA in Administration > System > Certificates > Certificate Management > System Certificates.

Hope this helps !!!

Re: Cisco ISE DR DC Deployment

Kamran Mustafayev — Wed, 04 Feb 2026 12:40:24 GMT

Its seems they are being uploaded automatically when we add new ISE nodes to the deployment from the admin node