ISE best practice/ Fail-over scenarios

john5 · ‎06-07-2018

Hi,

I have a large implementation of ISE in a distributed model with 2 ISEs for PAN and 2 for MnT and centralized PSNs in multiple regions "4 in each region" which will cover a lot of branches.

unfortunately we can't afford a load balancers behind PSNs.

I want to know best practice solution to configure NADs in one region to saturate all PSNs in that region and consider the fail-over in case of multiple PSNs become down or the entire region.

also i want to know in case that WAN connection is down and no reachable PSN in any region how wireless connections will be treated ? Is there anything like a fail open or fall back to a Vlan like switches for WLC ?

Timothy Abbott · ‎06-07-2018

Hi,

Have you seen the below ISE high availability and load balancing doc?

https://communities.cisco.com/docs/DOC-64434#jive_content_id_Cisco_Live_Breakout_Session_BRKSEC3699_on_ISE_HALB

Regards,

-Tim

john5 · ‎06-07-2018

Thanks for your reply Timothy.

I went through the document quickly and as I understand and as I don't have load balancer and have 4 PSNs in each region I should configure each branch in each region to use one PSN and wait till it fails and then goes for the other till the entire region goes down then it will try another PSN in another region.

and as i can't use anycast i will need at least 5 servers configuration in each NAD "switch or WLC" , am i correct ?

but still these doc don't answer my question about wireless connection in case of WAN failure. do you know if there an equivalent thing to critical VLAN or fail open in WLC ?

hslai · ‎06-08-2018

For WLC, there is no critical VLAN. Instead, we simply create another WLAN not using RADIUS.