How to design 3 Nodes ISE?
03-18-2018 05:17 AM - edited 02-21-2020 10:49 AM
We have a 3-node ISE license and want to use 2 nodes in the primary DC, with HA, and then use the 3rd one in the DR.
In the primary DC, 1 is Primary for Admin, Policy and Monitor.
2 is Secondary for Admin, Policy and Monitor.
Then what should we do with the 3rd one in the DR?
Thanks
03-18-2018 09:53 AM
How many users/devices will it be supporting? What services - wired, wireless 802.1X? Guest portals? BYOD?
3 is an awkward number. How about this:
1 - Primary PAN and MNT
2 - Secondary PAN and MNT + PSN
3 - PSN
This leaves the first ISE node dedicated to mgmt and provides redundancy for all personas.
HTH
03-18-2018 10:19 AM
- By not using such a model; use standard deployments: 2 admin + monitor, + 2 PSN = 4!
M.
-- Each morning when I wake up and look into the mirror I always say 'Why am I so brilliant?'
When the mirror will then always respond to me with 'The only thing that exceeds your brilliance is your beauty!'

03-19-2018 01:32 PM
My 2 cents.
- The ISE RADIUS or TACACS servers for authentication are the ones running the PSN persona, not PAN/MNT (admin nodes).
- You should NOT combine multiple personas into the same appliance or VM. But if you have resource constraints, then you should ONLY have 1 primary PAN/MNT, 1 secondary PAN/MNT and 1 PSN. But still, 1 PSN is not enough because you need redundancy for authentication.
- Running 3495 servers + 2 personas is NOT a good combination. I have seen performance issues, so it is much better to run at least 3595.
- In the end, you need a minimum of 4 appliances or VMs.
03-22-2018 12:14 AM
I've made this topology of our new ISE deployment. I'll be happy to receive any comments or suggestions for better planning, since I've probably missed something. The PSN at the top is deployed if the redundant links towards the DCs are disconnected.
03-25-2018 05:18 PM
Primary PAN+MnT and Secondary PAN+MnT with 3 x PSNs looks good.
I would put all three PSNs in a node group to provide redundancy.
Happy to receive feedback on my thoughts.
