Re: Cisco ISE Deplyment

hirenparekh12 · ‎12-03-2017

Hi

i am going to deploy ISE setup at two different geo location DC with distributed mode (i.e. PAN, PSN & MnT at each location) so can i proceed with one license or required two different license?

also i want to keep local logs locally & only local PAN or MnT failed PSN should be contact to different geo location MnT or PAN node. is it right way to do it?.

Marvin Rhoads · ‎12-04-2017

You didn't mention whether you are using hardware appliances of VMs as your IDE nodes. VMs each require you purchase a VM although it is not technically a "license" but rather right-to-use the VM software.

The ISE deployment as a whole is licensed for the entire deployment (no matter how many appliances or VMs). That includes Base, Plus and Apex licenses as well as Device Admin if you are using that feature. You install the licenses once on the primary Policy Administration Node (PAN) and that covers the deployment as a whole.

Logs for a given deployment always go to the primary Monitoring and Troubleshooting (MnT) node (with replication to the secondary MnT in a fully distributed deployment). You cannot direct some logs to one MnT server and other logs to a different one.

hirenparekh12 · ‎12-04-2017

Hi Marvin,

i'm using SNS 3595 Appliance for this setup.

got you point for license installation but setup is like one PAN node is in India & other PAN node is Singapore so can i use both PAN node for their geo location PSN & MnT for management.

Marvin Rhoads · ‎12-04-2017

A given ISE deployment will never have more than two MnT nodes. One is primary and all logs go to it. The other is secondary and it holds a replicated database of the logs.

As long as you have <300 ms of latency between the PSNs and the Primary MnT, it should work fine.

For more details, please refer to Cisco Live presentation "BRKSEC-3699 Designing ISE for Scale and High Availability-reference (2017 Las Vegas)".