Cisco ISE Standalone HA to Distributed Deployment

jj2048
Level 1

Overview:

A customer has 2 standalone ISE nodes that are in HA as Primary and Secondary.

Currently in Production

Model: SNS-3655-K9

Software Version: 2.7 Patch 2

Older Model

Model: SNS-3595-K9

Software Version: 2.7 Patch 1

 

Objective:

1. Customer would like to use the Older Model as PSNs to make a distributed deployment.

Challenges:

- All network devices pointed to the IP address of the production ISE will have to be reconfigured one by one.

 

***UPDATE***

Questions:

1. Is it recommended to re-use the Older Models (SNS-3595-K9) as PSNs, and does it have benefits?

- Estimated sessions are around 20,000 (VPN, WLAN)

A: I just found out that there are hybrid deployments, as stated in the replies below.

2. Is it recommended to re-use the Older Models (SNS-3595-K9) as the new (ADM,MNT) Primary and Secondary nodes, and use the Newer Models (SNS-3655-K9), which are currently in production, as the PSNs? (I'm suggesting this to avoid service interruptions and the challenges above.)

A: Based on the reference link below, using the 3595 as PAN and MNT gives a maximum of 20,000 sessions, while the 3655 as PAN and MNT gives a maximum of 25,000 sessions.
- https://www.cisco.com/c/en/us/td/docs/security/ise/2-7/InstallGuide27/b_ise_InstallationGuide27/b_ise_InstallationGuide27_chapter_00.html

3. If item 1 pushes through, will I be able to run the SNS-3655-K9 as (ADM,MNT,PSN) and the SNS-3595-K9 as (PSN) in parallel, joined in the cluster with synced configurations?

 - so that after migrating all network device services (RADIUS, TACACS) to the new IP of the SNS-3595-K9 (PSN), we can then turn off the PSN service on the SNS-3655-K9.

A:***To be continued*** currently conducting simulations

4. If item 2 pushes through, will I be able to run the SNS-3595-K9 as (ADM,MNT) and the SNS-3655-K9 as (ADM,MNT,PSN), verify that all configurations are synced, and then remove the ADM and MNT services from the SNS-3655-K9?

A: I will not simulate this anymore, as the 3595 as ADM and MNT has a maximum of 20,000 sessions.

 

Summary Deployment Options

Option A: [related to item 1 and 3 questions] ***Ongoing Simulations***

Before

SNS-3655-K9 (ADM,MNT,PSN) - PRI,SEC

SNS-3655-K9 (ADM,MNT,PSN) - SEC,PRI

After

SNS-3655-K9 (ADM,MNT) - PRI,SEC

SNS-3655-K9 (ADM,MNT) - SEC,PRI

SNS-3595-K9 x 2 (PSN)

 

Option B: [related to item 2 and 4 questions] ***Will not simulate anymore***

Before

SNS-3655-K9 (ADM,MNT,PSN) - PRI,SEC

SNS-3655-K9 (ADM,MNT,PSN) - SEC,PRI

After

SNS-3595-K9 (ADM,MNT) - PRI,SEC

SNS-3595-K9 (ADM,MNT) - SEC,PRI

SNS-3655-K9 x 2 (PSN)


***UPDATE***
Action Plans for Option A Deployment

Scenario 1: Replacing the nodes from 3655 to 3595 (Same IP Address but Different Hostnames)

a. First prepare the 3595s in an offline environment, configuring the same IP address as the node to be replaced.

b. Generate the CSRs of the 3595s and have the certificates signed.

c. Bind the signed certificates to the CSRs of the 3595s.

d. De-register the 3655 secondary node, then take it out of the network.

- Have your AD / DNS admin delete the forward and reverse lookup records of the 3655 secondary node.

e. Register the prepared 3595 as the secondary node (PAN, MNT, PSN).

- Have your AD / DNS admin add the new hostname and IP address of this node.

f. Have your AD admin join the node to the Active Directory domain.

g. Promote the 3595 secondary node as the new Primary Node.

h. De-register the 3655 primary node, then take it out of the network.

- Have your AD / DNS admin delete the forward and reverse lookup records of the 3655 secondary node.

i. Register the other prepared 3595 as the secondary node (PSN).

- Have your AD / DNS admin add the new hostname and IP address of this node.

j. Have your AD admin join the node to the Active Directory domain.

k. Re-image your 3655 nodes or just do "reset-config" to change the IP address.

- Make sure you generate a CSR again, have it signed, then bind it to the ISE servers.

l. Register the 3655 node as the secondary node (PAN, MNT) (SEC, SEC).

- Have your AD / DNS admin add the new hostname and IP address of this node.

m. Have your AD admin join the node to the Active Directory domain.

n. Promote the 3655 secondary node as the final Primary (PAN, MNT) (PRI, SEC).

o. Turn off the ADM and MNT of the 3595.

p. Register the other 3655 node as the secondary node (PAN, MNT) (SEC, PRI).

- Have your AD / DNS admin add the new hostname and IP address of this node.

 

*** I've conducted this in a lab environment using virtual machines ***
Pros:
- No need to config the network devices to a new IP address
Cons:
- Must be in coordination with another team for AD joining, CSR Signing, Updating DNS Records

 

Scenario 2: Join the 3595 to the cluster as PSN with new Hostname and IP Address

*** See reply below ***

Pros:

- Less coordination with other teams.

Cons:

- Manually configure each network device to point to the new PSNs (Unless you have a load balancer or VIP for the PSNs)

 

Thank you in advance.

Accepted Solution

Hi @jj2048 ,

 your ISE Deployment is a Medium/Hybrid Deployment (PAN & MnT on the same Node and PSNs on a dedicated Node).

 The Maximum Active Sessions for Medium/Hybrid Deployment is:

 . for 3655: 25K

 . for 3595: 20K

 

Note: please check ISE Performance & Scale; search for ISE Deployment Scale and Limits, ISE PSN Performance and ISE 2.6 RADIUS Performance.

 

Since your "... Estimated sessions are around 20,000 (VPN, WLAN) ..." and this is the 3595 upper limit ... using the 3655 as a PSN is not a bad idea (25,000 upper limit) !!!

 

Although "... 1. Customer would like to use the Older Model as PSNs to make a distributed deployment ...", please take a look at the link provided for some inputs toward a better decision.

 

Hope this helps !!!

 


9 Replies


Thanks @Marcelo Morais 

 

This is very helpful. For now I'll do some simulation for the Option B deployment scenario, on how I can deploy the end state with minimal downtime.

 

I just need further clarification on the attached link. I understood that the maximum active sessions per PSN is 25,000 for model 3655, but then there is a maximum of 20,000 active sessions for model 3595 (PAN+MNT); are these two pieces of information not in conflict?

 

I saw in other threads that they were using higher models for PAN and MNT and lower model for PSNs.


Does using lower model for PAN and MNT pose any performance drop or any issues?

 

Because, as per my understanding, all services for RADIUS, TACACS, etc. are on the PSN, while configuration and monitoring are all on the PAN and MnT. That is one of the main reasons I suggested item 2, since the 3655s are newer.

 

 

Hi @jj2048 ,

 it's not a bad idea to use a higher model on PAN and MnT if you have a Large/Dedicated Deployment (that supports <= 50 PSN + PXG Nodes).

 I consider the "3695 PAN, MnT", "3695 PAN+MnT" and "3695" as references for "Large/Dedicated Deployment", "Medium/Hybrid Deployment" and "Small/Standalone Deployment" respectively.

 

Hope this helps !!!

jj2048
Level 1

Hi, All.

Just to share my recent simulations.

I've updated the question, where I've included action plans.

We've decided to go for the 3655 as the ADM and MNT node, due to the fact that the 3655 has a max of 25,000 sessions while the 3595 as ADM and MNT node has a max of 20,000 sessions.


Scenario 2 will be updated next week.

Hi @jj2048 ,

 please take a look at the following post: Exceeding ISE Performance and Scale - what happens then?.

"...

we are coincidentally in the process creating a new ISE Performance and Scale doc that will be posted on cisco.com!

..."

 

Hope this helps !!!

jj2048
Level 1

Hi, Everyone.


As promised I'll be updating the scenario 2 simulation.

Scenario 2: Join the 3595 to the cluster as PSN with new Hostname and IP Address

a. Reset the config for the 3595 and change the Hostname and IP Address.

b. Application reset-ise

c. Patch the ISE similar to the existing SNS-3655-K9

d. Generate CSR and let the company sign the certificate

e. Upload the signed certificate to both ISE nodes.

f. From the 3655 Primary Node add the two (2) 3595 as PSNs only.

g. Join the 3595 PSNs to the domain.

h. First migrate all the network devices pointing to the 3655 nodes to the 3595 nodes.

i. Turn off the PSNs on the SNS-3655-K9 nodes.

 

All were done via simulation on Cisco ISE VMs.

 

Thank you!

 

b.haxhiaj
Level 1

Great job by the way.

 

I'm in the same situation as "Scenario 1" due to hardware refresh.

 

Regarding TACACS+ network device administration:

a. If there are 2 TACACS+ servers configured on IOS devices (router, switch etc...).

b. Each TACACS+ server has a different key hash in the running-config on IOS.

 

Is all information propagated from the PRI to the SEC ISE node, including both TACACS+ keys for network device administration?

Hi @b.haxhiaj ,

1st remember that (Import and Export Certificates in ISE)

" ... When you take the Configuration Backup, the Backup of Configuration Data and Certificate of the Admin Node is taken. However, for other Nodes, the Backup of Certificates is taken individually... "

2nd double check if the PPAN and SPAN are in sync (at Administration > System > Deployment > green icon)

3rd if you de-register the SPAN, it will become a Standalone Node and the TACACS+/RADIUS Authentication Settings (at Administration > Network Resources > Network Devices) will remain.

 

Hope this helps !!!

Hi Marcelo,

 

Thanks for your reply.

 

1. We already have taken care of the certificates on the new node that will be registered.

2. New node is the same version/patch as existing PPAN, so no surprises there.

3. We don't intend to keep the de-registered node anymore (it's already EoL).

 

I'm just confused and wondering: if the configurations are only done on the PPAN and synced to the SPAN (you can add a network device for TACACS+ administration only on the PPAN), how come on the Cisco switch running-config each TACACS+ server (PPAN IP address & SPAN IP address) has a different hash for the same key?
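The differing strings on the switch are a property of IOS, not of ISE replication. On the ISE side the shared secret belongs to the network device definition, which is configured on the PAN and replicated to every node in the deployment, so the PPAN and SPAN hold the same secret. On the IOS side, `key 7 <hex>` is the reversible "type 7" encoding: IOS picks a two-digit offset into a fixed key table when the key is entered and XORs each byte of the secret against the table from that offset, so the same secret typed into two `tacacs server` blocks produces two different hex strings. The example below is added here and is not code from this thread or from Cisco: it encodes and decodes type 7 strings and pulls the TACACS+ keys out of a constructed IOS config snippet to confirm that both server entries carry the same secret. The server names, addresses and the sample secret are made up.

```python
import re

# IOS "type 7" key table ("xlat"), the well-known 53-byte constant IOS uses
# for `key 7` / `password 7` strings.
XLAT = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def type7_encrypt(plain: str, seed: int) -> str:
    """Encode `plain` as a type 7 string using xlat offset `seed` (0-15).

    IOS chooses the seed itself each time a key is entered, which is why the
    same shared secret shows up as different strings in different
    `tacacs server` blocks or on different devices.
    """
    if not 0 <= seed <= 15:
        raise ValueError("seed must be in 0..15")
    out = [f"{seed:02d}"]
    for i, byte in enumerate(plain.encode()):
        out.append(f"{byte ^ XLAT[(seed + i) % len(XLAT)]:02X}")
    return "".join(out)


def type7_decrypt(enc: str) -> str:
    """Recover the plaintext from a type 7 string (two-digit seed + hex pairs)."""
    if len(enc) < 4 or len(enc) % 2:
        raise ValueError("malformed type 7 string")
    seed = int(enc[:2])
    data = bytes.fromhex(enc[2:])
    return bytes(b ^ XLAT[(seed + i) % len(XLAT)] for i, b in enumerate(data)).decode()


def _key_value(key_type: str, value: str) -> str:
    # `key 7 <hex>` is type 7 encoded; `key 0 <plain>` is cleartext.
    if key_type == "7":
        return type7_decrypt(value)
    if key_type == "0":
        return value
    raise ValueError(f"unsupported key type {key_type}")


def tacacs_keys(config: str) -> dict:
    """Map each TACACS+ server in an IOS config to its plaintext shared secret.

    Handles the legacy one-line form
        tacacs-server host 10.0.0.11 key 7 070C285F4D06
    and the block form
        tacacs server ISE-PPAN
         address ipv4 10.0.0.11
         key 7 070C285F4D06
    """
    keys = {}
    current = None
    for line in config.splitlines():
        m = re.match(r"^tacacs-server host (\S+).*\bkey (\d) (\S+)", line)
        if m:
            keys[m.group(1)] = _key_value(m.group(2), m.group(3))
            continue
        m = re.match(r"^tacacs server (\S+)", line)
        if m:
            current = m.group(1)
            continue
        m = re.match(r"^\s+key (\d) (\S+)", line)
        if m and current:
            keys[current] = _key_value(m.group(1), m.group(2))
    return keys


def keys_match(config: str) -> bool:
    """True if every TACACS+ server in the config shares one secret."""
    return len(set(tacacs_keys(config).values())) == 1


# Constructed sample: two ISE nodes, the same secret "cisco", two different
# seeds (07 and 15), hence two different strings in the running-config.
SAMPLE_CONFIG = """\
tacacs server ISE-PPAN
 address ipv4 10.0.0.11
 key 7 070C285F4D06
tacacs server ISE-SPAN
 address ipv4 10.0.0.12
 key 7 1511021F0725
"""

# Same sample, but the second node's key was mistyped ("cisc0") when entered.
MISTYPED_CONFIG = SAMPLE_CONFIG.replace("1511021F0725", type7_encrypt("cisc0", 3))

if __name__ == "__main__":
    print(tacacs_keys(SAMPLE_CONFIG))    # both entries decode to "cisco"
    print(keys_match(SAMPLE_CONFIG))     # True
    print(keys_match(MISTYPED_CONFIG))   # False: one device will fail TACACS+ auth
```

Running `keys_match` over each device's config before cutting over to new PSNs catches a mistyped secret before it shows up as authentication failures. The caveat is the flip side of the same fact: because type 7 is reversible, anyone who can read a running-config or a config backup can recover the TACACS+/RADIUS shared secret, so treat those artefacts as secrets themselves; IOS also supports AES-protected `key 6` secrets (via `password encryption aes`), which do not have this weakness.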