Cisco ISE Medium Deployment without Splitting Off PSN Persona

jl7
Level 1

Question 1

We currently have a two node Cisco ISE small distributed deployment. Our two ISE nodes are centralized at our main Data Center.

Node 1 = PAN, Secondary MNT, pxGrid & PSN.
Node 2 = SAN, Primary MNT, pxGrid & PSN.

We now need to add ISE PSNs to a few of our branch offices, for local auth support when the WAN connection to the Data Center goes down.

Can we still keep the same exact persona deployment above and just add a few remote PSNs to the design? We don't want to buy licensing for more PSNs when they are not really needed.

In this guide, there is a note that states "In a medium-sized network deployment, you cannot enable the Policy Service persona on a node that runs the Administration persona, Monitoring persona, or both. You need dedicated policy service node(s)". If that is true, can we no longer have the PSN persona on our main data center ISE nodes if we start adding in remote PSNs? We don't want to add more PSNs to our Data Center; we want to leave it the same as it is and just add a few remote PSNs, while the data center ISE nodes continue to run the PSN persona.

https://www.cisco.com/c/en/us/td/docs/security/ise/3-2/install_guide/b_ise_installationGuide32/b_ise_InstallationGuide32_chapter_1.html 

Question 2

Is it recommended or possible to split the main data center nodes above between two physical data centers?

e.g.
Data Center 1:
Node 1 = PAN, Secondary MNT, pxGrid & PSN.

Data Center 2:
Node 2 = SAN, Primary MNT, pxGrid & PSN.

Branch Office 1:
Node 3 = PSN.

Branch Office 2:
Node 4 = PSN.

Accepted Solution

Your three-node deployment is supported. If you wanted to add a fourth PSN, then (officially) you'd have to split the PSN persona from the PAN/MNT nodes, and build the next-tier ISE deployment, which is PAN+MNT combo, and up to 6 x PSN.

Having said that, I have seen customers run a four-node deployment: 2 x PAN+MNT+PSN, and 2 x PSN - strictly speaking, that is not supported (why? don't ask me ... for small deployments this is perfect and efficient).

And in my 7 years of working with ISE, I have never been refused TAC support because of some wonky design like this. The ISE deployment guidelines are abstruse, and at best only make sense if you plan to run ISE at the design limits (20,000 concurrent sessions or whatever). For small customers, the more realistic concerns are ISE licensing costs and VM resources.
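As an added example (not from this thread or from Cisco), the sizing rules quoted in the answer above, written as a small checker for a planned node list: the small tier allows PAN/MNT nodes that also carry PSN plus at most one extra PSN, the medium tier requires PSN to be split off the PAN/MNT nodes and allows up to 6 dedicated PSNs. Node names, persona labels and the plans below are constructed for illustration.

```python
# Added example, not from the thread or from Cisco: checks a planned ISE node
# list against the sizing rules quoted in the accepted answer. Node names,
# persona labels and the sample plans are constructed for illustration.
from dataclasses import dataclass

MEDIUM_MAX_PSN = 6        # medium tier: PAN+MNT combo nodes plus up to 6 dedicated PSNs
SMALL_MAX_EXTRA_PSN = 1   # small tier: PAN/MNT+PSN nodes plus at most one more PSN
ADMIN_MNT = {"ADMIN", "MNT"}  # PAN and SAN are both the Administration persona


@dataclass(frozen=True)
class Node:
    name: str
    personas: frozenset


def node(name, *personas):
    return Node(name, frozenset(personas))


def classify(nodes):
    """Return (tier, supported, reason) for a proposed deployment."""
    mixed = [n for n in nodes if n.personas & ADMIN_MNT and "PSN" in n.personas]
    dedicated = [n for n in nodes if "PSN" in n.personas and not n.personas & ADMIN_MNT]
    if not mixed:
        # No PAN/MNT node runs PSN, so this is the medium (split-persona) tier
        ok = len(dedicated) <= MEDIUM_MAX_PSN
        return "medium", ok, f"{len(dedicated)} dedicated PSN(s), limit {MEDIUM_MAX_PSN}"
    # PAN/MNT nodes still run PSN, so this is the small tier
    ok = len(dedicated) <= SMALL_MAX_EXTRA_PSN
    hint = "" if ok else "; remove PSN from the PAN/MNT nodes to move to the medium tier"
    return "small", ok, (f"{len(dedicated)} extra PSN(s) beside PAN/MNT+PSN nodes, "
                         f"limit {SMALL_MAX_EXTRA_PSN}{hint}")


# Constructed plans mirroring the thread: the two existing DC nodes plus branch PSNs
DC = [node("dc-ise-1", "ADMIN", "MNT", "PXGRID", "PSN"),
      node("dc-ise-2", "ADMIN", "MNT", "PXGRID", "PSN")]
THREE_NODE = DC + [node("branch-1", "PSN")]
FOUR_NODE = DC + [node("branch-1", "PSN"), node("branch-2", "PSN")]
MEDIUM = ([node("dc-ise-1", "ADMIN", "MNT", "PXGRID"),
           node("dc-ise-2", "ADMIN", "MNT", "PXGRID")]
          + [node(f"psn-{i}", "PSN") for i in range(1, 7)])

if __name__ == "__main__":
    for label, plan in (("3-node", THREE_NODE), ("4-node", FOUR_NODE), ("medium", MEDIUM)):
        print(label, classify(plan))
```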


4 Replies

PradeepSingh
Level 1

Hi, with a small deployment you can only add one more PSN for load sharing. It doesn't really expand ISE deployment capacity.

See this ISE scaling guide for more details.

Performance and Scalability Guide for Cisco Identity Services Engine - Cisco

Answer to question no. 2: yes, you can split the nodes between data centers. You just need to ensure connectivity between the nodes, and latency must be less than 300 ms.


jl7
Level 1

Thanks for the information.

Would a setup like this work then?

Data Center 1
Node 1 = PAN, Primary MNT, pxGrid & PSN.
Node 3 = PSN, Health Check

Data Center 2
Node 2 = SAN, Secondary MNT, pxGrid & PSN.


jl7
Level 1

Thanks for the information, that is good to know. My company will be nowhere near the design session limits for performance, we just need to add a PSN to branch offices, in scenarios where there is already onsite WLC and AD. We need this so our manufacturing floor IoT devices can continue to use wireless, even if the WAN connection goes down.

Forcing you to split off the PSN persona in a Medium design, just seems like a way for Cisco to make more money on VM licenses.