06-10-2018 09:44 PM
Hello
quick question
The BRKSEC-3699 document recommends that in a two-node deployment the Primary ISE node should have Admin and Monitoring as Primary, and the Secondary ISE node should have Admin and Monitoring as Secondary. I wonder whether it makes any sense to change that slightly in the case of ISE hardware appliances. What if we make the Secondary node work a bit harder by making the Secondary node perform the Primary Monitoring role? At least in the hardware appliance world you could spread the CPU and disk load a bit by splitting up the work. In the VMware world this is perhaps less relevant if the VMs are all hosted on the same hypervisor.
If the appliances are in separate locations (e.g. in two data centres 50 km apart), would my suggestion make things worse because now the MnT traffic is always going between the two locations and incurring latency?
cheers
06-11-2018 05:13 AM
I was actually sitting in the ISE Techtorial at Cisco Live yesterday morning where a similar comment was made by one of the presenters, i.e. to split active roles. I took a note to discuss with the speaker after Live to ensure a common message is being delivered to customers.
Technically, there is no mandate set as to which nodes are primary in a standalone or hybrid deployment model. The reason why I recommend the consolidation of Primary PAN, MnT and optionally pxGrid on the same node is the fact that the MnT node is always processing the same logs whether primary or secondary. Furthermore, the operational data and reports displayed by the PAN are fetched from the Active MnT, which, when co-located, is local to the PAN. And finally, the Active PAN and MnT publish to the active pxGrid controller, which again would also be local.
In many cases, the redundant PAN+MnT nodes may be in different locations. Especially for these cases, you would want to avoid the delay between nodes. It also makes the HA design a bit more intuitive to have all services active on the same node.
So although at a high level it may seem like a good idea to split active roles for PAN, MnT and pxGrid across personas, I have yet to come across sufficient justification to do so, and I actually came across an escalation where a customer had issues until they consolidated the active PAN and MnT on the same node in a dual data centre setup.
Craig
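The answer above describes three dependencies between active roles (PAN reads from the Active MnT; PAN and MnT both publish to the active pxGrid controller). The following script is an added example, not code from this thread or from Cisco: it is a small design lint that takes an administrator-maintained node inventory (node names, a site label per node, and PRIMARY/SECONDARY per persona) and reports which of those dependencies would cross sites, and whether all active roles sit on one node. The node names, site labels and inventories below are constructed for illustration; ISE itself has no site concept, so the site tag is an assumption the administrator supplies.

```python
"""Lint ISE persona placement for cross-site dependencies between active roles.

Added example for this thread, not Cisco code; it does not query ISE.
Site labels are assigned by the administrator (assumption), and the two
inventories at the bottom are constructed to show the designs discussed:
all active roles on one node, versus Primary MnT moved to the second node.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Dependencies between active roles as described in the accepted answer:
# the Primary PAN fetches operational data from the Active MnT, and the
# Active PAN and Active MnT publish to the active pxGrid controller.
ACTIVE_DEPENDENCIES: List[Tuple[str, str]] = [
    ("PAN", "MnT"),
    ("PAN", "pxGrid"),
    ("MnT", "pxGrid"),
]


@dataclass(frozen=True)
class Node:
    name: str
    site: str                 # administrator-assigned label (assumption)
    roles: Dict[str, str]     # persona -> "PRIMARY" or "SECONDARY"


def active_node(nodes: List[Node], persona: str) -> Optional[Node]:
    """Return the node holding the PRIMARY role for a persona, or None if the
    persona is not deployed at all (pxGrid is optional). More than one PRIMARY
    for the same persona is an inventory error."""
    hits = [n for n in nodes if n.roles.get(persona) == "PRIMARY"]
    if len(hits) > 1:
        raise ValueError(f"more than one PRIMARY {persona}: {[n.name for n in hits]}")
    return hits[0] if hits else None


def cross_site_hops(nodes: List[Node]) -> List[Tuple[str, str, str, str]]:
    """Return (source persona, target persona, source site, target site) for every
    active-role dependency whose two ends are in different sites."""
    hops = []
    for src, dst in ACTIVE_DEPENDENCIES:
        a, b = active_node(nodes, src), active_node(nodes, dst)
        if a is None or b is None:
            continue  # persona not deployed, nothing to traverse
        if a.site != b.site:
            hops.append((src, dst, a.site, b.site))
    return hops


def active_role_nodes(nodes: List[Node]) -> Set[str]:
    """Names of nodes that hold at least one PRIMARY role. A consolidated design
    (all active roles on one node) yields a single name."""
    return {n.name for n in nodes if "PRIMARY" in n.roles.values()}


# Constructed inventories (hypothetical names and sites).
CONSOLIDATED = [
    Node("ise-pan1", "DC-A", {"PAN": "PRIMARY", "MnT": "PRIMARY", "pxGrid": "PRIMARY"}),
    Node("ise-pan2", "DC-B", {"PAN": "SECONDARY", "MnT": "SECONDARY", "pxGrid": "SECONDARY"}),
]
SPLIT_MNT = [
    Node("ise-pan1", "DC-A", {"PAN": "PRIMARY", "MnT": "SECONDARY", "pxGrid": "PRIMARY"}),
    Node("ise-pan2", "DC-B", {"PAN": "SECONDARY", "MnT": "PRIMARY", "pxGrid": "SECONDARY"}),
]


if __name__ == "__main__":
    for label, inventory in (("consolidated", CONSOLIDATED), ("split MnT", SPLIT_MNT)):
        print(f"{label}: active roles on {sorted(active_role_nodes(inventory))}")
        for src, dst, s1, s2 in cross_site_hops(inventory):
            print(f"  {src} -> {dst} crosses sites {s1} -> {s2}")
```

Running it shows the consolidated layout has no cross-site hops, while moving Primary MnT to the DC-B node makes both the PAN-to-MnT and MnT-to-pxGrid dependencies traverse the inter-site link, which is the latency the original question was worried about.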
06-11-2018 04:00 AM
Hi Arne,
This is not a recommended design.
Thanks,
Nidhi
06-11-2018 04:12 AM
Kind of a wash, I would think, and not worth the effort of validation.
06-11-2018 04:56 AM
The idea came from a book I read, https://www.elsevier.com/books/practical-deployment-of-cisco-identity-services-engine-ise/richter/978-0-12-804457-5 (chapter 2). The author didn't specifically call out why he recommended it, but he referenced the design a few times. If Cisco doesn't sanction this design then maybe someone ought to tell Mr Richter et al. in case there is a second edition on its way. The book is a bit dated by now. Still a good read by any standards. Not too many books on ISE available.
06-11-2018 05:43 AM
I know Andy and he's great. Either way it's fine, and I don't think there is any recommendation against it. Makes sense, but I just don't see the issue because load issues at that size are minimal regardless.