Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1411
Views
1
Helpful
3
Replies

pxGrid persona in standalone deployment for small number of concurrent sessions

Go to solution
danbates
Cisco Employee
Cisco Employee

‎09-08-2016 10:56 AM

Hi everyone,

From reading the design guides on pxGrid, I understand that it is recommended to use a distributed deployment model with separate, dedicated nodes for the primary and secondary pxGrid controller.  However, for small deployments where we would usually recommend a standalone ISE appliance or HA pair of appliances running administration, MNT, and PSN all at once, would it be possible to add the pxGrid to the standalone appliance(s) to enable Rapid Threat Containment?  And if so, is there a maximum number of concurrent sessions that would be recommended before we would need to design a medium deployment with dedicated pxGrid nodes?

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
jeppich
Cisco Employee
Cisco Employee
In response to danbates

‎09-08-2016 03:07 PM

Hey Daniel, Jason,

Just to close the loop on the thread,  i had a webex with Daniel to discuss.

in the past, 2 separate dedicated pxGrid nodes were required, however, this is now based on the number of pxGrid clients subscribing to the pxGrid topics,  if you have 2 pxGrid clients you should be fine in a stand-alone deployment.  If you are considering Threat-Centric NAC-AMP/Qualys as well, than these should be dedicated pxGrid nodes.

Thanks,

John

jeppich@cisco.com

View solution in original post

0 Helpful
3 Replies 3

Go to solution
Jason Kunst
Cisco Employee
Cisco Employee

‎09-08-2016 11:13 AM

I have asked the SEM to chime in to validate this but something similar discussed here: Re: pxGrid Implementation

  • Please be advised that pxgrid requires its own psn to run by itself on
  • Make sure you use deployment size of medium to support up to 5 standalone PSNs
  • Small deployment doesn't support splitting out psn

https://www.cisco.com/c/en/us/td/docs/security/ise/2-1/install_guide/b_ise_InstallationGuide21/b_ise_InstallationGuide21…

There are docs here about pxgrid

ISE Design & Integration Guides

Go to solution
danbates
Cisco Employee
Cisco Employee
In response to Jason Kunst

‎09-08-2016 11:43 AM

Hi Jason,

Thanks for the reply.  I did see that other discussion previously, but I wanted to confirm whether pxGrid absolutely had to run on a dedicated node or if it could be used alongside the other personas for a very small number of concurrent sessions.

0 Helpful

Go to solution
jeppich
Cisco Employee
Cisco Employee
In response to danbates

‎09-08-2016 03:07 PM

Hey Daniel, Jason,

Just to close the loop on the thread,  i had a webex with Daniel to discuss.

in the past, 2 separate dedicated pxGrid nodes were required, however, this is now based on the number of pxGrid clients subscribing to the pxGrid topics,  if you have 2 pxGrid clients you should be fine in a stand-alone deployment.  If you are considering Threat-Centric NAC-AMP/Qualys as well, than these should be dedicated pxGrid nodes.

Thanks,

John

jeppich@cisco.com

0 Helpful
Customers Also Viewed These Support Documents