2-Node ISE Deployment - Best Practices?

CSCO10662744_2
Level 1

We're deploying a 2-node ISE cluster.

In the past we've always done:
Node1: PAN-Primary, MnT-Secondary, PSN
Node2: PAN-Secondary, MnT-Primary, PSN

In a recent best practice slide deck, it shows using the same node1 for both primary PAN & MnT.

I wonder if that was a typo, or not a typo, but instead a new recommendation, or have I just been doing it the wrong way?
=======

Also, in a 2-node cluster, which node would you use as the "Primary" RADIUS server for the WLC & switches?
In the past I've always used whatever's NOT the primary MnT node, because it's busy doing a lot of logging and disk I/O.

However, doesn't the secondary MnT node also do the same logging as well, so it's just as busy?
So is the answer pretty much: it doesn't matter, either node can provide an equal amount of AAA service?

2 Replies

Gagandeep Singh
Cisco Employee

Hi,

You can have a cluster where the primary admin node acts as secondary MnT and PSN.

However, load balancing on NAD devices is set on the basis of the PSN configured first in the list. It is always recommended to have authentication for some devices on one PSN and the rest on another PSN as the first RADIUS server.

As a best practice, make sure ISE has suppression enabled to suppress anomalous clients.

This is under Administration > System > Settings > Protocols > RADIUS.

Let me know if you have any concerns.

Regards

Gagan

Hi,

Let me know if you still have any further concerns.

Regards

Gagan

PS: Please rate as correct if it helps!!!!