Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3208
Views
5
Helpful
3
Replies

Design clarification for ISE PAN/MNT Personas

Go to solution
yasirirfan
Level 4
Level 4

‎04-19-2017 02:12 AM

Hi All

I have a query related to ISE deployment for 10 K users.

We have a set of dedicated ISE appliances ( 3595) for PAN/MNT personas.

We are planning to have active PAN/ secondary MNT personas  in distributed model  and other appliance as Secondary PAN/ active MNT personas.

This is a known design and often it is observed both sets are in same data centre. However I have a query can we have one set in Data Center 1 and other in Data Centre 2. Data Center 1 and Data Centre are connected with 1 gig link as primary and 20 MBPS MPLS link.

PSN will connect to these PAN/MNT personas  for both wired and wireless network.

I have attached the propose topolgy , can any one share their views is this a correct way of deployment?

Proposed ISE design.png

Cheers

Yasir

1 person had this problem
1 Accepted Solution

Accepted Solutions

Go to solution
Craig Hyps
Level 10
Level 10

‎04-19-2017 10:19 AM

Certainly, you can split the nodes across DCs, but I would also recommend collocating the Primary for both Admin and MnT in one DC and Secondary at the other (i.e. not split Primary/Secondary).  The diagram looks like it was based on one I created a while back, but current diagram (from BRKSEC-3699) reflects my recommendation.

Craig

View solution in original post

3 Replies 3

Go to solution
Craig Hyps
Level 10
Level 10

‎04-19-2017 10:19 AM

Certainly, you can split the nodes across DCs, but I would also recommend collocating the Primary for both Admin and MnT in one DC and Secondary at the other (i.e. not split Primary/Secondary).  The diagram looks like it was based on one I created a while back, but current diagram (from BRKSEC-3699) reflects my recommendation.

Craig

Go to solution
Timothy Abbott
Cisco Employee
Cisco Employee

‎04-19-2017 10:21 AM

Yasir,

Your design proposal is a supported configuration.  Just be sure to observe latency requirements.  We have tons of resources you can use here in the community you can reference.

Regards,

-Tim

Go to solution
yasirirfan
Level 4
Level 4

‎04-19-2017 09:53 PM

Hi chyps thanks for your valuable feedback. Really appreciate your inputs. I will look into that.

Hi tiabbott nice point about the latency. Well we are in the specified latency limits.

Regards

Yasir

0 Helpful
Customers Also Viewed These Support Documents