ISE 2 node deployment - Monitoring Role question

Arne Bier
VIP

Hello

quick question

The BRKSEC-3699 document recommends that in a two-node deployment the Primary ISE node should have Admin and Monitoring as Primary, and the Secondary ISE node should have Admin and Monitoring as Secondary. I wonder whether it makes any sense to change that slightly in the case of ISE hardware appliances. What if we make the Secondary node work a bit harder by making the Secondary node perform the Primary Monitoring role? At least in the hardware appliance world you could spread the CPU and disk load a bit by splitting up the work. In the VMware world this is perhaps less relevant if the VMs are all hosted on the same hypervisor.

If the appliances are in separate locations (e.g. in two data centres 50 km apart), would my suggestion make things worse because now the MnT traffic is always going between the two locations and incurring latency?

cheers

1 Accepted Solution

Accepted Solutions

I was actually sitting in the ISE Techtorial at Cisco Live yesterday morning where a similar comment was made by one of the presenters, i.e. to split active roles. I took a note to discuss with the speaker after Live to ensure a common message is being delivered to customers.

Technically, there is no mandate set as to which nodes are primary in a standalone or hybrid deployment model. The reason why I recommend the consolidation of Primary PAN, MnT and optionally pxGrid on the same node is the fact that the MnT node is always processing the same logs whether primary or secondary. Furthermore, the operational data and reports displayed by the PAN are fetched from the Active MnT, which when co-located, are local to the PAN. And finally, the Active PAN and MnT publish to the active pxGrid controller, which again would also be local.

In many cases, the redundant PAN+MnT nodes may be in different locations. Especially for these cases, you would want to avoid the delay between nodes. It also makes the HA design a bit more intuitive to have all services active on the same node.

So although at a high level it may seem like a good idea to split the active role for PAN, MnT and PXG across personas, I have yet to come across sufficient justification to do so, and actually came across an escalation where a customer had issues until they consolidated the active PAN and MnT on the same node in a dual-datacenter setup.

Craig

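A small design check that encodes the advice in the accepted answer (keep the Primary PAN, the Primary MnT and, where used, the active pxGrid controller on the same node, and treat a split that also crosses sites as the worst case). This is an added example written for this thread, not Cisco code and not an ISE API: the `Node` model, the persona names and the two sample layouts are constructed here to show how a deployment plan could be validated before it is built.

```python
"""Persona-placement check for a small ISE deployment.

Constructed example, not Cisco's code and not an ISE API. It models the
recommendation from the accepted answer: the active PAN, the active MnT
and (if enabled) the active pxGrid controller should be co-located, and a
split that crosses datacenters adds latency to every report fetch.
"""
from dataclasses import dataclass, field


@dataclass
class Node:
    name: str
    site: str
    # persona name -> "primary" or "secondary"; an absent persona is not enabled
    personas: dict = field(default_factory=dict)


def active_node(nodes, persona):
    """Return the node holding the primary role for `persona`, or None.

    Raises ValueError if more than one node claims the primary role, which
    is never a valid ISE layout.
    """
    holders = [n for n in nodes if n.personas.get(persona) == "primary"]
    if len(holders) > 1:
        raise ValueError(f"more than one primary {persona} node: "
                         + ", ".join(n.name for n in holders))
    return holders[0] if holders else None


def check_persona_placement(nodes):
    """Return a list of findings; an empty list means the layout keeps the
    active PAN, MnT and pxGrid roles together as the thread recommends."""
    findings = []
    pan = active_node(nodes, "PAN")
    mnt = active_node(nodes, "MnT")
    pxg = active_node(nodes, "pxGrid")

    if pan is None or mnt is None:
        findings.append("layout has no primary PAN or no primary MnT")
        return findings

    if pan is not mnt:
        msg = (f"primary PAN on {pan.name} but primary MnT on {mnt.name}: "
               "the PAN fetches operational data and reports from the active "
               "MnT over the network instead of locally")
        if pan.site != mnt.site:
            # The case Arne asked about: split roles across two datacenters.
            msg += (f" (cross-site {pan.site} <-> {mnt.site}: WAN latency on "
                    "every dashboard and report fetch)")
        findings.append(msg)

    if pxg is not None and pxg is not pan:
        findings.append(f"active pxGrid on {pxg.name} but primary PAN on "
                        f"{pan.name}: PAN and MnT publish to pxGrid remotely")
    return findings


def recommended_layout():
    """Constructed two-node layout following BRKSEC-3699 / the accepted answer."""
    return [
        Node("ise-1", "DC1", {"PAN": "primary", "MnT": "primary", "pxGrid": "primary"}),
        Node("ise-2", "DC2", {"PAN": "secondary", "MnT": "secondary", "pxGrid": "secondary"}),
    ]


def split_layout():
    """Constructed layout with the Secondary node carrying the Primary MnT role."""
    return [
        Node("ise-1", "DC1", {"PAN": "primary", "MnT": "secondary"}),
        Node("ise-2", "DC2", {"PAN": "secondary", "MnT": "primary"}),
    ]


if __name__ == "__main__":
    for label, layout in (("recommended", recommended_layout()),
                          ("split", split_layout())):
        print(label, check_persona_placement(layout) or ["ok"])
```

Run it as-is to compare the two constructed layouts; to check a real plan, build the `Node` list from your own node names, sites and persona assignments.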

5 Replies

Nidhi
Cisco Employee

Hi Arne,

This is not a recommended design.

Thanks,

Nidhi

Jason Kunst
Cisco Employee

Kind of a wash, I would think, and not worth the effort of validation.

The idea came from a book I read, https://www.elsevier.com/books/practical-deployment-of-cisco-identity-services-engine-ise/richter/978-0-12-804457-5 (chapter 2). The author didn't specifically call out why he recommended it, but he referenced the design a few times. If Cisco doesn't sanction this design then maybe someone ought to tell Mr Richter et al. in case there is a second edition on its way. The book is a bit dated by now. Still a good read by any standards. Not too many books on ISE available.


I know Andy and he's great. Either way it's fine, and I don't think there is any recommendation against it. Makes sense, but I just don't see the issue because load issues at that size are minimal regardless.