SD-Access Multisite with Distributed ISE

mhaleem1985
Level 1

If we have an SD-Access multisite deployment and need to put an ISE PSN at each fabric site (assume 10 fabric sites and two ISE PANs at HQ), I have four questions:

1- Will we integrate DNAC with the ISE PAN only? Is that right or not?

2- We will put an ISE PSN at each fabric site, so how can we configure AAA on the network devices of each fabric site to point to the local PSN as the primary AAA server and the ISE at HQ as secondary? In other words, we would configure each fabric site individually with its local PSN as its AAA server. Is this applicable?

3- What is the best location for the ISE PSN at each fabric site: should it be connected directly to the border, or to the fusion device at each fabric site?

4- If we need to achieve host mobility between fabric sites: as I know there is no host mobility between fabric sites, but I think we can achieve it by configuring the same VN and SGT for users at each fabric site, with the VN having a unique IP subnet at each site. In this case ISE would control host mobility. For example, if a user moves from fabric site 1 to fabric site 2, I think ISE can match on the source IP of the switch the user connects to (the switch sends the RADIUS packet to ISE), then ISE matches on the IP of the edge and assigns a specific VLAN and SGT to the user depending on the edge switch IP address. With this we can achieve host mobility, but with a different IP address at each site; we don't care about the IP, since policy is applied based on identity. Is this approach right or wrong, and if wrong, please give me the right answer?

2 Replies

JL421-Retired
Level 1

1) Yes, you will integrate DNA-C with your PAN.

2) If you decide to put a PSN at each fabric site, you can configure each site to use the local as a primary and the HQ as a secondary under Design > Network Settings > Network.

3) For now I would recommend against connecting the PSN to the border, and would advise your fusion router, or another device.

4) I believe that your plan is correct. Your authorization policy would be bound to each fabric site, and ISE would assign the SGT and subnet based on the site.

 

Of note, unless your organization has design requirements necessitating a PSN at each site, DNA itself doesn't require a PSN everywhere. It is recommended to have a PSN within a certain latency window, but it doesn't have to be at every site.
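The per-site authorization logic discussed in question 4 and the reply above, as an added Python simulation that is not ISE, DNA Center or the poster's code. It models what an ISE authorization rule set would do: the site is taken from the registration of the edge switch that sent the RADIUS request (its Network Device Group "Location", rather than a raw IP match written into the rule), the VLAN/subnet follows that site, and the SGT follows only the user's identity group, so it is identical at every site. Requests from an address that is not a registered network device are dropped without a response, and an identity group or VN with no rule falls to the default deny. All addresses, VLAN IDs, tag values, group names and the exact layout of the SGT AV pair are constructed assumptions for the example.

```python
"""
Simulated multisite ISE authorization (added illustration, not ISE code).
SGT is bound to identity; VLAN/subnet is bound to the site of the edge switch.
All data below is constructed for the example.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

# Registered network access devices, keyed by Location NDG (constructed data).
# A request from an address outside these ranges comes from an unregistered
# device; ISE drops such requests rather than answering them.
NETWORK_DEVICES = {
    "Site1": [ip_network("10.10.1.0/24")],
    "Site2": [ip_network("10.10.2.0/24")],
}

# Site-local VLAN and subnet for each VN: same VN name everywhere,
# unique subnet per site (constructed data).
SITE_VLANS = {
    ("Site1", "Campus_VN"): ("1021", "10.21.0.0/16"),
    ("Site2", "Campus_VN"): ("1022", "10.22.0.0/16"),
}

# Identity group -> (VN, SGT). Deliberately carries no site component.
IDENTITY_RULES = {
    "Employees": ("Campus_VN", 10),
    "Contractors": ("Campus_VN", 20),
}


@dataclass
class AccessRequest:
    user: str
    identity_group: str      # stands in for the identity-store lookup done at authentication
    nas_ip: str              # NAS-IP-Address of the edge switch
    calling_station_id: str  # endpoint MAC


@dataclass
class Decision:
    result: str              # "ACCEPT", "REJECT" or "DROP"
    attrs: dict = field(default_factory=dict)


def locate_device(nas_ip: str) -> Optional[str]:
    """Return the Location NDG of the registered device at nas_ip, else None."""
    addr = ip_address(nas_ip)
    for location, nets in NETWORK_DEVICES.items():
        if any(addr in net for net in nets):
            return location
    return None


def sgt_avpair(tag: int, generation: int = 0) -> str:
    """Cisco AV pair carrying the SGT. The hex 'tag-generation' layout is an
    assumption modelled on IOS-XE show output; treat the padding as illustrative."""
    return f"cts:security-group-tag={tag:04x}-{generation:02x}"


def authorize(req: AccessRequest) -> Decision:
    """First-match evaluation: device location, then identity group, then the
    VLAN provisioned for that VN at that site; anything else is denied."""
    location = locate_device(req.nas_ip)
    if location is None:
        return Decision("DROP")            # unknown NAD: no RADIUS response at all
    rule = IDENTITY_RULES.get(req.identity_group)
    if rule is None:
        return Decision("REJECT")          # default rule: DenyAccess
    vn, sgt = rule
    site_vlan = SITE_VLANS.get((location, vn))
    if site_vlan is None:
        return Decision("REJECT")          # VN not provisioned at this site
    vlan_id, subnet = site_vlan
    return Decision("ACCEPT", {
        "Tunnel-Type": "VLAN",
        "Tunnel-Medium-Type": "IEEE-802",
        "Tunnel-Private-Group-ID": vlan_id,
        "Cisco-AVPair": [sgt_avpair(sgt)],
        "_site_subnet": subnet,            # not a RADIUS attribute; kept for the roam check
    })


def roam(user: str, group: str, mac: str, edge_ips: list) -> dict:
    """Authorize the same endpoint behind edges at several sites and report
    whether the SGT stayed constant while the VLAN changed per site."""
    decisions = [authorize(AccessRequest(user, group, ip, mac)) for ip in edge_ips]
    accepted = [d for d in decisions if d.result == "ACCEPT"]
    sgts = {d.attrs["Cisco-AVPair"][0] for d in accepted}
    vlans = [d.attrs["Tunnel-Private-Group-ID"] for d in accepted]
    return {"accepted": len(accepted), "same_sgt": len(sgts) == 1, "vlans": vlans}


if __name__ == "__main__":
    print(roam("alice", "Employees", "00-11-22-33-44-55", ["10.10.1.5", "10.10.2.5"]))
    print(authorize(AccessRequest("eve", "Employees", "192.0.2.9", "00-11-22-33-44-66")))
```

The practical check this encodes: when the same user authenticates at site 1 and then at site 2, the Access-Accept must carry the same SGT and a different Tunnel-Private-Group-ID. If a site-specific rule were to also change the SGT, the "policy follows identity, not IP" property the thread relies on would be lost, so keep the SGT assignment out of any condition that references the device location.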

Thanks JL421 for your reply
