Hello
quick question
The BRKSEC-3699 document recommends that in a two node deployment the Primary ISE node should have Admin and Monitoring as Primary, and the Secondary ISE node should have Admin and Monitoring as Secondary. I wonder whether it makes any sense to change that slightly in the case of ISE hardware appliances. What if we make the Secondary node work a bit harder by making the Secondary node perform the Primary Monitoring role? At least in the hardware appliance world you could spread the CPU and disk load a bit by splitting up the work. In the VMware world this is perhaps less relevant if the VMs are all hosted on the same hypervisor.
If the appliances are in separate locations (e.g. in two data centres 50 km apart), would my suggestion make things worse because now the MnT traffic is always going between the two locations and incurring latency?
cheers