Distributed ISE in an ACI EPG across two Data Centers.

JasonMahan
Level 1

I've read posts and documentation about the distributed deployment. Primary PAN and MnT in one DC, Secondary PAN and MnT in another DC. My understanding is that this requires at least 1 health check node.


Has anyone done this in ACI with an EPG across the two datacenters? Is a health check node still required since the EPG will look and should behave like the same VLAN from the ACI perspective? I assume yes, health check node(s) would still be required in this distributed deployment, but I didn't know for sure.


Any thoughts and input are greatly appreciated.

Thanks,

-Jason

2 Replies

Damien Miller
VIP Alumni
You do not require health checks in an ISE deployment. If you want the PAN to automatically fail over then you need the third node, but otherwise it would be a manual promotion. If you have two PAN nodes, then you can use one of the MnTs or PSNs for the health check node role.

I'm also trying to understand what you are trying to do with EPGs and VLANs. ACI is independent of ISE unless you are integrating TrustSec and ACI. What is the problem you are trying to address?

Thank you for the reply.


Working on the best way to state this. Previous companies / customers have done two different ISE deployments. They would put a "cube" in one DC and a "cube" in another DC. Then switch configurations were used to point the endpoint to a primary or secondary RADIUS server (ISE cube).

That requires two sets of configs to be maintained even if they are exactly the same, because the deployments are two different deployments, the NADs direct where the endpoints connect, and the two cubes act as failover for each other. My leadership wants to have a PAN and MnT in two different data centers but would prefer a primary and backup scenario. They do not want to maintain two different ISE deployments even if technically they are the same.

Assuming I am reading the Cisco Documentation correctly, this = a distributed deployment.

I was asked if ACI was used; does this make it a single deployment over a distributed deployment? I assume the same is true for VXLAN as well. My apologies for not stating that previously.


In short, Primary and Secondary ISE functionality is required across two DCs. That, according to Cisco documentation, appears to equal a distributed deployment. Also, the documentation reads as if there is a requirement for a health check node in a distributed deployment. Since it is labeled in the persona section in the documentation, I must have missed where an active node role can also be the Health Check Node. I do realize a node can have more than one persona. But this appeared to me that a health check node is required if you have a single ISE deployment span more than one location. https://www.cisco.com/c/en/us/td/docs/security/ise/2-0/admin_guide/b_ise_admin_guide_20/b_ise_admin_guide_20_chapter_010.html#typesofpersonas


Does distributed deployment mean single ISE infrastructure/ deployment across multiple locations - DC or otherwise?

I am trying to solve for having ISE replicate across two DCs without additional nodes being added, based on the interpretation of the documentation.


Does that make sense, or is more information needed?

Please let me know.  My apologies if my explanation isn't what's needed here.
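The thread contrasts two separate ISE "cubes" selected by switch configuration with one distributed deployment whose PSNs sit in both DCs. The following Cisco IOS-XE switch configuration is an added illustration (not from any post in this thread or from Cisco's documentation) of how a NAD points at two PSNs that belong to a single deployment, with dead-server detection so that an unreachable PSN in one DC is skipped. The server names, the 192.0.2.x / 198.51.100.x addresses, the probe username and the shared secret are constructed placeholders.

```cisco
! Added example: NAD config for one distributed ISE deployment, one PSN per DC.
! Names, addresses, probe user and key are constructed placeholders.
!
! Each PSN is defined as a RADIUS server object.
radius server ISE-PSN-DC1
 address ipv4 192.0.2.11 auth-port 1812 acct-port 1813
 key PLACEHOLDER-SHARED-SECRET
 ! Periodically probe with a test user so a dead PSN is noticed before
 ! a real endpoint authentication has to time out against it.
 automate-tester username radius-probe probe-on
!
radius server ISE-PSN-DC2
 address ipv4 198.51.100.11 auth-port 1812 acct-port 1813
 key PLACEHOLDER-SHARED-SECRET
 automate-tester username radius-probe probe-on
!
! A PSN is marked dead after 3 unanswered requests within 10 seconds
! and is skipped for 10 minutes before being retried.
radius-server dead-criteria time 10 tries 3
radius-server deadtime 10
!
! One server group containing both PSNs. Servers are tried in listed order,
! so this switch prefers DC1; a switch in DC2 would list ISE-PSN-DC2 first.
aaa group server radius ISE-GROUP
 server name ISE-PSN-DC1
 server name ISE-PSN-DC2
!
aaa new-model
aaa authentication dot1x default group ISE-GROUP
aaa authorization network default group ISE-GROUP
aaa accounting dot1x default start-stop group ISE-GROUP
```

Because both PSNs are registered to the same PAN, the policy they enforce is replicated to them by ISE itself, so the only per-site difference in the NAD config is the preferred server order; with two independent cubes, by contrast, every policy change would have to be applied twice. `show aaa servers` on the switch reports each PSN's UP/DEAD state and the outcome of the probes, which is the quick check for whether failover between the DCs is actually working.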