Cisco ISE DR DC Deployment

Hello Team,

We have two small physical ISE appliances in the main Data Center, both using the same personas (MnT, PSN, PAN, etc.). If I want to add two VM ISE nodes (same model as the physical ones) to the Disaster Recovery Data Center, does that mean I need to add them to the existing cluster, and there is no way to run them in an "active" and "standby" manner? The nodes in the DR DC will have different IP addresses.

If I create a united cluster including the DC and DR DC ISE nodes, then I suppose the load will be distributed between all 4 nodes (of course, if I configure it on each NAS). I wonder what the best practice is in this case.

Thank you in advance.

7 Replies

Ben Walters
Level 4

I would suggest having all ISE nodes in the same deployment; it just makes sense from a configuration perspective. Then create deployment groups for the PSNs.

Based on a 4-node deployment, Cisco suggests splitting the PSN functionality from the PAN/MnT beyond 2 nodes. In this case your deployment would have to be 2 PAN/MnT and 2 PSNs.

Considering that, your deployment should look like this once completed: 

2 physical nodes: 1 primary PAN/MnT and 1 PSN

2 DR VM nodes: 1 secondary PAN/MnT and 1 PSN

Point your NADs at the PSNs and have the physical PSN as the first choice, although I would personally include the second PSN as well and have the devices load-balance sessions between them where possible.

With this setup it can scale to add up to 6 PSNs if you ever need to expand.
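The NAD side of the suggestion above, as an added example that is not part of the original post or of Cisco's documentation: a Cisco IOS-XE switch configuration that defines both PSNs, lists the physical DC PSN first in the server group, enables load-balancing across the two, and uses dead-server detection plus an automated test probe so that authentications fail over to the DR PSN when the DC PSN stops answering. The IP addresses, server names, VLAN interface, probe username and shared secret are placeholders to be replaced with your own values.

```ios
! Added example, not from the original thread. All addresses, names
! and the shared secret are placeholders.
aaa new-model

! Mark a server dead after 3 unanswered requests within 10 seconds
radius-server dead-criteria time 10 tries 3

! Physical PSN in the main DC (placeholder IP)
radius server ISE-PSN-DC
 address ipv4 10.10.0.11 auth-port 1812 acct-port 1813
 key 0 SharedSecretPlaceholder
 automate-tester username radius-probe ignore-acct-port idle-time 5

! VM PSN in the DR DC (placeholder IP)
radius server ISE-PSN-DR
 address ipv4 10.20.0.11 auth-port 1812 acct-port 1813
 key 0 SharedSecretPlaceholder
 automate-tester username radius-probe ignore-acct-port idle-time 5

! Server group: DC PSN listed first. With load-balancing enabled, new
! sessions are spread across both PSNs; a server marked dead is skipped
! for the deadtime (minutes) before the switch retries it.
aaa group server radius ISE-PSNS
 server name ISE-PSN-DC
 server name ISE-PSN-DR
 load-balance method least-outstanding batch-size 5
 deadtime 5
 ip radius source-interface Vlan100

! Use the group for 802.1X authentication, authorization and accounting
aaa authentication dot1x default group ISE-PSNS
aaa authorization network default group ISE-PSNS
aaa accounting dot1x default start-stop group ISE-PSNS

! Accept CoA from both PSNs so either node can re-authorize a session
aaa server radius dynamic-author
 client 10.10.0.11 server-key 0 SharedSecretPlaceholder
 client 10.20.0.11 server-key 0 SharedSecretPlaceholder
```

If you only want the DC PSN used and the DR PSN held as a failover target, omit the `load-balance` line; the order of the `server name` entries then decides which PSN is tried first. The `automate-tester` user must exist in ISE (or be rejected cleanly) for the probe to keep the server's alive/dead state accurate, and both PSNs should be in the same ISE node group so that CoA and session replication work regardless of which PSN handled the authentication.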

Thank you for your answer. Just one additional question: once I deploy the two new ISE nodes in the DC and change the roles, i.e. move the MnT and Admin roles to the DR DC ISE nodes, will it create any downtime?

Thank you.

Hi @Kamran Mustafayev,

Beyond what @Ben Walters said, please take a look at: Performance and Scalability Guide for Cisco Identity Services Engine, and search for Table 2. Types of Cisco ISE Deployments.

About your question related to downtime, please take a look at: Cisco Identity Services Engine Administrator Guide, Release 3.4, and search for High Availability for Administrative Node (pay special attention to Table 10. Availability of Features).

Hope this helps!!!

 

Thank you. So, in summary:

If I turn off the MnT and Admin roles on the secondary node in the main DC and move them to the tertiary node in the backup DC, this won't have any impact anyway.

Just one additional question: when I add new nodes to the deployment, will it automatically deploy the system certificates to the new nodes from the admin node?

Thank you.

Hi @Kamran Mustafayev,

At Administration > System > Certificates > Certificate Management > System Certificates, are you using a Self-Signed Certificate or a CA-signed one (take a look at the Used By column)?

Note: remember to delete old certificates; please take a look at:

ISE - CSCwo05386 - Baltimore CyberTrust Root expiring (ISE 3.x).

ISE - Queue Link Error, search for: "delete Old Internal Certificates".

Hope this helps!!!

 

Hello Marcello,

We use some CA certificates.

@Kamran Mustafayev,

Whenever you add new nodes to the deployment, you must import the certificates for these nodes, generated by your CA, in Administration > System > Certificates > Certificate Management > System Certificates.

Hope this helps!!!