
Expanding a Basic 2-Node ISE Deployment (2.6)

laboggis
Level 1

I was asked about the options to expand a Basic 2-Node Distributed ISE Deployment and if simply adding a tertiary (3rd) node to the deployment was an officially supported design. So from an "official" deployment perspective they would be moving from a "Basic 2-Node Distributed Deployment" to a "Hybrid-Distributed Deployment".

The design docs, scaling guide, presentations (BRKSEC-3432), etc. all show dedicated PSNs in a Hybrid Deployment. So the question is, are dedicated PSNs required beyond a basic 2-node solution or can the PSN persona continue to be supported on the 2 PAN/MNT nodes when adding 1 or more additional PSNs? This is strictly looking at it from a supported deployment model perspective and NOT from a max session perspective.

Existing 2-node deployment:

[Image: Screen Shot 2020-02-12 at 8.38.06 AM.png]

Is this officially supported? (adding 1 additional PSN and PSN persona continue to run on PAN/MNT nodes):

[Image: Screen Shot 2020-02-12 at 8.41.54 AM.png]

Or, does the PSN persona have to be broken out for every node once moving beyond a basic 2-node solution to be an officially supported deployment?:

[Image: Screen Shot 2020-02-12 at 8.44.04 AM.png]

Accepted Solutions

Colby LeMaire
VIP Alumni

To be officially supported, once you add the third node, the Admin/MnT nodes should be dedicated to Admin/MnT and all additional nodes would be dedicated for PSN. That is the official answer.

But it would work just fine. You just may have an issue with TAC if you ever have to open a case. They will want the deployment to match official recommendations.

That was our thought as well. Thanks for confirming.

@Colby LeMaire's comments are all true. I would add though, that I have personal experience with customers who have "violated" the sacred tenets of ISE deployment design, and they still enjoyed normal TAC support. In my 20 years of dealing with Cisco TAC I have yet to come across an instance where Cisco have refused to support me/customer, even if the customer was not conforming to the "tested approach". It's more common to receive the classic "you need to upgrade to version x" ... as a step in the right direction.
