Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
996
Views
6
Helpful
10
Replies

Cisco ISE distributed deployment

Go to solution
Debabrata Majhi
Level 1
Level 1

‎11-27-2018 08:30 PM

Hi

 

We have two ISE in different subnet and location.Can we make it as single cluster?

Is it certificate mandatory ?

What are the prequation needs to be taken care?

Can any one help me 

Debu

0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
Surendra
Cisco Employee
Cisco Employee

‎11-27-2018 11:32 PM

Answer to your first question, Yes, you can have two ISE nodes in different subnets and locations as long as you allow the ports mentioned here between the nodes https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/install_guide/b_ise_InstallationGuide24/b_ise_InstallationGuide24_chapter_0110.html

Answer to your second question, Yes, certificates are mandatory as the registration happens over secure HTTP tunnel.

For the third question,
Recommend you to follow this https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/admin_guide/b_ise_admin_guide_24/b_ise_admin_guide_24_new_chapter_011.pdf

View solution in original post

10 Replies 10

Go to solution
Surendra
Cisco Employee
Cisco Employee

‎11-27-2018 11:32 PM

Answer to your first question, Yes, you can have two ISE nodes in different subnets and locations as long as you allow the ports mentioned here between the nodes https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/install_guide/b_ise_InstallationGuide24/b_ise_InstallationGuide24_chapter_0110.html

Answer to your second question, Yes, certificates are mandatory as the registration happens over secure HTTP tunnel.

For the third question,
Recommend you to follow this https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/admin_guide/b_ise_admin_guide_24/b_ise_admin_guide_24_new_chapter_011.pdf

Go to solution
Debabrata Majhi
Level 1
Level 1
In response to Surendra

‎11-28-2018 04:24 AM

Hi Surendra

Thanks for your prompt response.

Apricate your help

Hi Surendra

Thanks for your prompt response.

Appreciate your help. Just to understand

If there is any existing ISE cluster already running, can we move one node from existing ISE cluster for new location, is it possible?

Is there any licensing issue ? If I change the IP address

If possible What Shall we do

  1. Unregister the server from existing cluster
  2. Change the ISE IP according to new location
  3. Again join the node in cluster

Am I right? Or please guide me proper steps

Thanks

 

0 Helpful

Go to solution
Surendra
Cisco Employee
Cisco Employee
In response to Debabrata Majhi

‎11-28-2018 04:34 AM

You can do that as long as you have connectivity. No additional licenses are required.
0 Helpful

Go to solution
Debabrata Majhi
Level 1
Level 1
In response to Surendra

‎11-28-2018 04:51 AM

Hi Surendra

 

Thanks

 

In that case ,I have to follow the following steps right?

  1. Unregister the Node from existing cluster
  2. Change the ISE IP according to new location
  3. Again join the node in cluster

Thanks

 

0 Helpful

Go to solution
Debabrata Majhi
Level 1
Level 1
In response to Surendra

‎12-04-2018 05:18 AM

Hello Surenda

 

Is there any Delay which needs to be match ,If the server is defferent location/Subnet?

 

Thanks

Debu

0 Helpful

Go to solution
Surendra
Cisco Employee
Cisco Employee
In response to Debabrata Majhi

‎12-04-2018 05:41 AM

200ms is the tolerance.
0 Helpful

Go to solution
paul
Level 10
Level 10
In response to Surendra

‎12-04-2018 11:02 AM

200 ms was the old guidance. In 2.1 and later it was change and to 300 ms.  Of course there are other factors other than latency.

0 Helpful

Go to solution
Debabrata Majhi
Level 1
Level 1
In response to paul

‎12-05-2018 12:41 AM

Thanks Paul and all for make it sence ,

Paul,Can your please let me know some example of "other factors" which needs to be consider.Which will help us to design the cluster.

 

Thanks

 

 

 

0 Helpful

Go to solution
Jason Kunst
Cisco Employee
Cisco Employee
In response to Debabrata Majhi

‎12-05-2018 05:09 AM

Have you reviewed scale and high availability or ise tips tricks

https://community.cisco.com/t5/security-documents/ise-training/ta-p/3619944#toc-hId-1281981443
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents