Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
583
Views
0
Helpful
7
Replies

ISE 1.3 Distributed environment

Go to solution
Augustgood
Level 1
Level 1

‎07-27-2015 07:57 AM - edited ‎03-10-2019 10:56 PM

Hi all,

in a network with two main campus and ten remote office with 3000 total device, for implement Cisco Ise 1.3 distributed, we want to buy 2 appliance SNS- 3415-K9 for management/monitoring/policy sync and 10 VM  for policy sevice node, but we found that in distributed environment we need a pair of inline posture node, we must buy other two appliance or VM for inline posture  ?? 

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
jan.nielsen
Level 7
Level 7
In response to Augustgood

‎07-27-2015 12:48 PM

Well, it's not been officially said by Cisco, but it's already been removed from working on the SNS.3495, so i would say it's not something that one should design new ISE solution with.

No, the secondary PAN/MNT will manage the same PSNs as the primary, you can't divide your PSNs between PAN/MNT nodes.

 

"you are telling me that If one remote office fail, lose psn .... ?"

Not sure what you are asking,?

View solution in original post

0 Helpful
7 Replies 7

Go to solution
jan.nielsen
Level 7
Level 7

‎07-27-2015 09:25 AM

1.You should look through the ISE design guides, i believe that you should have MNT and PAN on different servers to support more than 5 dedicated PSN's. Having one 3415 as Primary PAN, Secondary MNT, and one as Primary MNT, Secondary PAN is only supported with up to 5 PSNs.

Distributed environment does not require inline nodes, and that functionality is also on the way out. What is the reason you think this would be required ?.Is it for a non-cisco network ?

Check this url for more information on scaling ise deployments :

http://www.cisco.com/c/en/us/td/docs/security/ise/1-3/installation_guide/b_ise_InstallationGuide13/b_ise_InstallationGuide12_chapter_00.html#ID-1413-000000dc

0 Helpful

Go to solution
Augustgood
Level 1
Level 1
In response to jan.nielsen

‎07-27-2015 12:27 PM

Why this feature is on the way out ? is not a required,  but can be a customer request ? 

 

http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/user_guide/ise_user_guide/ise_ipep_deploy.html#pgfId-1265599

 

But the secondary  MNT/PAN can manage 5 psn or work in standby ?

you are telling me that If one remote office fail, lose psn .... ?

0 Helpful

Go to solution
jan.nielsen
Level 7
Level 7
In response to Augustgood

‎07-27-2015 12:48 PM

Well, it's not been officially said by Cisco, but it's already been removed from working on the SNS.3495, so i would say it's not something that one should design new ISE solution with.

No, the secondary PAN/MNT will manage the same PSNs as the primary, you can't divide your PSNs between PAN/MNT nodes.

 

"you are telling me that If one remote office fail, lose psn .... ?"

Not sure what you are asking,?

0 Helpful

Go to solution
Augustgood
Level 1
Level 1
In response to jan.nielsen

‎07-27-2015 09:30 PM

ok thank you

 

i ask you, if my PAm/mnt primary fail , my secondary can manage only the same psn of primary, not other

 

0 Helpful

Go to solution
jan.nielsen
Level 7
Level 7
In response to Augustgood

‎07-28-2015 12:25 AM

Yes, your primary and secondary PAN are the same, the primary replicates it's config to the secondary, so when the primary fails, the secondary takes over (only automatically from ise 1.4), they can't manage different PSNs.

0 Helpful

Go to solution
Augustgood
Level 1
Level 1
In response to jan.nielsen

‎07-28-2015 12:36 AM

other question ..

if my wlc rel 7.6 support  CoA i can exclude inline posture ??

0 Helpful

Go to solution
jan.nielsen
Level 7
Level 7
In response to Augustgood

‎07-28-2015 12:39 AM

Yes

0 Helpful
Customers Also Viewed These Support Documents