Debabrata Majhi
Beginner

Cisco ISE distributed deployment

Hi

 

We have two ISEs in different subnets and locations. Can we make them a single cluster?

Is a certificate mandatory?

What precautions need to be taken care of?

Can anyone help me?

Debu

Accepted Solutions
Surendra
Cisco Employee

Answer to your first question: yes, you can have two ISE nodes in different subnets and locations as long as you allow the ports mentioned here between the nodes: https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/install_guide/b_ise_InstallationGuide24/b_ise_InstallationGuide24_chapter_0110.html

Answer to your second question: yes, certificates are mandatory, as the registration happens over a secure HTTP tunnel.

For the third question, I recommend that you follow this: https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/admin_guide/b_ise_admin_guide_24/b_ise_admin_guide_24_new_chapter_011.pdf

Hi Surendra

Thanks for your prompt response.

Appreciate your help.

Hi Surendra

Thanks for your prompt response.

Appreciate your help. Just to understand:

If there is an existing ISE cluster already running, can we move one node from the existing ISE cluster to a new location? Is it possible?

Is there any licensing issue if I change the IP address?

If possible, what shall we do?

  1. Unregister the server from the existing cluster
  2. Change the ISE IP according to the new location
  3. Join the node to the cluster again

Am I right? Or please guide me on the proper steps.

Thanks

 

You can do that as long as you have connectivity. No additional licenses are required.

Hi Surendra

 

Thanks

 

In that case, I have to follow the following steps, right?

  1. Unregister the node from the existing cluster
  2. Change the ISE IP according to the new location
  3. Join the node to the cluster again

Thanks

 

Hello Surendra

Is there any delay which needs to be matched if the server is in a different location/subnet?

 

Thanks

Debu

200ms is the tolerance.

200 ms was the old guidance. In 2.1 and later it was changed to 300 ms. Of course, there are other factors besides latency.

Thanks, Paul and all, for making sense of it.

Paul, can you please let me know some examples of "other factors" which need to be considered? That will help us to design the cluster.

 

Thanks

 

 

 
