
Cisco ISE Small Deployment High Availability

khalid.meraj
Level 1

Hi, please can someone help me with the question below.

I have a split deployment.

DC1 -> ISE1(2.2): Primary (Administration, Monitoring, Policy Service)

DC2 -> ISE2(2.2): Secondary (Administration, Monitoring, Policy Service)


DC3 -> ISE3(old deployment, 1.X)


My questions are:


I've done the two new ISE 2.2 node deployment as per the above setup. I know the above model is not going to support automatic failover between the nodes. As both nodes are used as PSNs as well, can I use each node's (primary and secondary) IP for each DC's endpoints and NAD devices?


I am not able to understand the PSN behavior of the secondary node.

Can we use both PSN nodes at a time for policy configuration?

What will happen in case of manual failover?


Any suggestions would be really appreciated.

Accepted Solutions

Jason Kunst
Cisco Employee

Policy config is done on the PAN, not the PSN. The PSN is the policy engine that does all the work.

PSNs are always active, so in a standalone environment both node1 and 2 have PSN running on them.

Yes, you can manually fail over PAN and MNT in this environment.


4 Replies

paul
Level 10

PSNs are always active all the time, and it is up to the network device (NAD) to utilize the PSNs in a fault-tolerant manner.

M&T nodes are always active all the time, and all nodes in the deployment log to the M&Ts. If the primary M&T fails, the admin node will automatically pull logs from the other M&T.

The only part you won't have failover for is the Admin persona. You will just need to manually fail over so you can administer the system.
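
An added example, not part of the original thread: one way a NAD in DC1 could list both PSNs so that RADIUS fails over at the device, as described above. It assumes a Cisco IOS/IOS-XE switch; the server names, the group name, the documentation-range addresses and the `<shared-secret>` placeholder are all constructed for illustration.

```cisco
! Constructed example for a DC1 switch. A DC2 switch would list ISE2-DC2 first.
aaa new-model
!
! Local PSN (ISE1 in DC1), tried first.
radius server ISE1-DC1
 address ipv4 192.0.2.11 auth-port 1812 acct-port 1813
 key <shared-secret>
!
! Remote PSN (ISE2 in DC2), used when ISE1 is marked dead.
radius server ISE2-DC2
 address ipv4 198.51.100.11 auth-port 1812 acct-port 1813
 key <shared-secret>
!
! Servers are tried in the order listed in the group.
aaa group server radius ISE-PSN
 server name ISE1-DC1
 server name ISE2-DC2
 ! Skip a dead server for 15 minutes before retrying it.
 deadtime 15
!
! Mark a server dead after 5 seconds without a reply and 3 failed tries.
radius-server dead-criteria time 5 tries 3
!
! Point 802.1X authentication, authorization and accounting at the group.
aaa authentication dot1x default group ISE-PSN
aaa authorization network default group ISE-PSN
aaa accounting dot1x default start-stop group ISE-PSN
```

Each NAD also has to be defined as a network device in ISE with the same shared secret, otherwise neither PSN will answer its requests.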

Thanks for a wonderful explanation. Just one question.

In regard to my above setup: I already have a PSN configured and running. If I need to include that in the new cluster with the existing config, what will happen? Is it going to add the existing config to my new PSN config, or is it going to overwrite it?

Can I configure policies on the secondary M&T, which is also a PSN persona?

Many thanks

When you join the PSN to the new deployment everything it had from the old deployment should be overwritten and the data will be sync'd from the new deployment.