Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
355
Views
0
Helpful
1
Replies

ISE 1.d Distributed Deployment - PSN IP Addressing

andrewswanson
Level 7
Level 7

‎07-02-2015 03:24 AM - edited ‎03-10-2019 10:52 PM

Hello

I'm looking at setting up ISE 1.4 in a distributed deployment. There are 5 appliances in the deployment:

  • 3x SNS-3415-K9 (psn persona)
  • 2x SNS-3495-K9 (pan and mnt personas)

In line with the ISE 1.4 Administrator's Guide, the 3 psn's will be in a node group and be layer 2 adjacent (the default gateway for the psn vlan will be on an upstream switch). Interface Gi0 on each psn will be used for this.

The ISE 1.4 Hardware Installation guide states that psn management is restricted to Gi0. Radius Authentication/Accounting etc can be carried out on any Gi interface on the psn appliance.

The final aim of the deployment would be to have the psn's behind a loadbalancer (Citrix MPX). There is some good documentation on how to do this with F5 and also a Cisco Live session on ISE and HA (BRKSEC-3699 "Advanced Designing ISE for Scale and High Availability").

The load balanacer traffic flow for the deployment (Radius and profiling - no web services) will be Fully Inline: VLAN Separation (logical network separation using single LB interface and VLAN trunking). The psn's will be layer 2 adjacent and the default gateway for the psn vlan will be on the load balancer. In this scenario could I use:

  • Gi0: psn management, node clustering etc (vlan for this will have default gateway on an upstream switch)
  • Gi1: radius session, profiling (vlan for this will have default gateway on loadbalancer)

Is this a valid design?

As a side note, the Cisco Live ssession BRKSEC-3699 states that when configuring Node Groups for a LB cluster, the node group members can be L2 or L3 - can anyone clarify this?

Thanks
Andy

Labels:
0 Helpful
1 Reply 1

nspasov
Cisco Employee
Cisco Employee

‎07-11-2015 07:48 PM

Hi Andy-

The interface setup that you are planning looks correct to me. Of course, make sure that your NADs are pointing to the VIP assigned to front end the G1 based subnet :)

For the Node Group: The PSNs can be L2 or L3. They just need to be able to communicate with each other. Prior to version 1.3, the communication happened via multicast. This setup also supported L3 but you just had to make sure that the multicast address/traffic is properly routed. I think it is safe to assume that not many networks out there have multicast running, thus, most users/admins kept the nodes local to the same L2 domain. With v1.3, the multicast requirement is gone which made things a lot easier. 

I hope this helps!

 

Thank you for rating helpful posts!

Thank you for rating helpful posts!
0 Helpful
Customers Also Viewed These Support Documents