
Cisco ISE DR DC Deployment

Hello Team,

We have two small physical ISE appliances in the main Data Center, both using the same personas (MnT, PSN, PAN, etc.). If I want to add two VM ISE nodes (same model as the physical ones) to the Disaster Recovery Data Center, does it mean I need to add them to the existing cluster, and there is no way to set them up in an "active" and "standby" manner? The nodes in the DR DC will have different IP addresses.

If I create a united cluster including the DC and DR DC ISE nodes, then I suppose load will be distributed between all 4 nodes (of course, if I configure it on each NAS). I wonder what the best practice is in this case.

 

Thank you in advance


Ben Walters
Level 4

I would suggest having all ISE nodes in the same deployment; it just makes sense from a configuration perspective. Then create deployment groups for the PSNs.

Based on a 4 node deployment, Cisco suggests splitting the PSN functionality from the PAN/MnT beyond 2 nodes. In this case your deployment would have to be 2 PAN/MnT and 2 PSNs.

Considering that, your deployment should look like this once completed: 

2 physical nodes - 1 primary PAN/MnT and 1 PSN

2 DR VM nodes - 1 secondary PAN/MnT and 1 PSN

Point your NADs at the PSNs and just have the physical PSN as the first choice, although I would personally include the second PSN and have the devices load balance sessions between them where possible.

With this setup it can scale to add up to 6 PSNs if you ever need to expand.
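
An added example, not part of the reply above and not taken from Cisco documentation: a NAD-side RADIUS configuration for the two-PSN layout described, assuming the NAD is a Cisco IOS-XE switch. The server names, group name, documentation-range IP addresses, timer values and the shared-secret placeholder are all assumptions to be replaced with your own.

```ios
! Constructed example: names, addresses and timers are placeholders.
aaa new-model
!
! Physical PSN in the main DC (listed first, so it is the first choice)
radius server ISE-PSN-DC
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key <SHARED-SECRET>
!
! VM PSN in the DR DC
radius server ISE-PSN-DR
 address ipv4 198.51.100.10 auth-port 1812 acct-port 1813
 key <SHARED-SECRET>
!
aaa group server radius ISE-PSNS
 server name ISE-PSN-DC
 server name ISE-PSN-DR
 ! Option A (ordered failover): omit the load-balance line; the DR PSN
 !   is used only after the DC PSN has been marked dead.
 ! Option B (share sessions across both PSNs): keep the line below.
 load-balance method least-outstanding
 ! Skip a server marked dead for 15 minutes before retrying it
 deadtime 15
!
! Mark a PSN dead after 3 unanswered tries within 5 seconds, so a DC
! outage moves authentications to the DR PSN quickly.
radius-server dead-criteria time 5 tries 3
!
aaa authentication dot1x default group ISE-PSNS
aaa authorization network default group ISE-PSNS
aaa accounting dot1x default start-stop group ISE-PSNS
```

Both PSNs must have this NAD defined with the same shared secret, which the single ISE deployment suggested above replicates from the primary PAN.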

Thank you for your answer. Just one additional question: once I deploy the two new ISE nodes in DC and change roles, i.e. move the MnT and Adm roles to the DR DC ISE nodes, will it create any downtime?

 

Thank you