05-16-2024 02:46 AM - last edited on 05-22-2024 05:35 PM by shule
Dear Community,
There are 3 ISE nodes in the deployment.
Node 1 (Secondary node) is located at DC Primary.
Node 2 (PAN) and Node 3 (pxGrid node) are located at DC Secondary.
Test scenario: we would like to test DC Secondary losing its internet connection / connectivity being cut off.
Before the activity we would be ready for the prerequisite stage.
1. Remote to the pxGrid node to stop services (application stop ise)?
2. Promote Node 2 to Primary Admin Node?
Kindly advise how to be well prepared before the activity.
When the DC2 secondary connection is back:
1. What do we need to do, step by step?
Kindly share good practice to ensure all ISE node services are running and to not corrupt / crash the ISE database. ISE 3.1 P6
Thanks,
05-22-2024 08:20 PM
Hello @Da ICS16
You essentially have 3 ISE nodes in your deployment - each one of these nodes is technically capable of playing all the roles/personas that the product offers. You mentioned:
Node 1 (Secondary node) is located at DC Primary.
Node 2 (PAN) and Node 3 (pxGrid node) are located at DC Secondary.
You didn't mention which nodes are running the Services (RADIUS/TACACS/Portal)?
A three-node setup is uncommon. It's more common to find two-node setups, where each node runs all personas.
Here is how I would set things up:
Primary DC
Node 1: Primary PAN / Secondary MNT / pxGrid / Services
Secondary DC
Node 2: Secondary PAN / Primary MNT / pxGrid / Services
(optional) Node 3: Services (why do you even have this third node??)
pxGrid has no concept of user-defined Primary/Secondary setting (ISE selects this by itself) and therefore you cannot promote a pxGrid node, nor is it required to do so. You should just ensure you have pxGrid enabled on two nodes in your deployment. That's it. When one of them dies, the other one does the work because the PAN will see it as the last remaining pxGrid node.
If you disconnect DC 2 from the ISE nodes in DC1, then the following will happen:
Node 1 will still be the Primary active PAN, and the Monitoring role will need to be set to Primary (I don't recall ISE promoting the Monitoring Role automatically). Since you have enabled pxGrid on that node, it will work there. And all your services will still be running (RADIUS/TACACS/Portals). Your network devices (switches/routers/WLC etc) can use Node 1 or Node 2 (as long as they can reach these ISE nodes). I guess if you killed off DC2 comms, then network devices might not necessarily be able to talk to Node 2. But nothing changes on Node 2 - it continues running as it did before. Node 1 will complain that it has lost sync to Node 2.
There is no additional license cost to enable pxGrid on another ISE node.
Enabling TACACS is licensed per node - be careful.
Enabling RADIUS and Portals on nodes also does not cost extra. You only pay for what is used per endpoint authenticated.