Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1436
Views
5
Helpful
1
Replies

ISE 3.0 redundancy remote location

Go to solution
mallyg2734
Level 1
Level 1

‎12-29-2021 07:44 AM

I have two ISE servers at my primary location but I also have two new ISE servers that will be deployed at another remote location as disaster recovery. I would like information to be shared across all four ISE servers in case of a failure at the primary location. Currently the ISE servers at the primary location both are admin, monitoring and policy service. I would like to know what’s the best practice in this situation. Should the nodes at my disaster recover be admin as well? How many admin nodes can you have?

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Arne Bier
VIP
VIP

‎12-29-2021 01:30 PM

Hi @mallyg2734 

 

The general ISE deployment is discussed at great length in the ISE Installation Guide.

You can only have maximum of two admin nodes. It makes no sense to have more than that, because Admin database is synchronised at all times. If one Admin fails, you can promote the Standby Admin to be the new Active Admin.

You can decide where to place the Admin nodes - it doesn't matter to the system. But the consideration for me would be disk sizing. Dedicated Admin node does not need more than 300GB disk. But if Monitoring is combined into the Admin persona, then 300GB is too small. Use at least 600GB in that case. There are calculators to help you make those decisions.

Therefore, if you have two new ISE nodes that are to be deployed as "Disaster Recovery" nodes, then you won't be able to designate them as Admin or Admin/Monitoring nodes. You cannot replicate the master database beyond two Admin nodes.

Expanding an ISE deployment allows you to do things like

- place PSN processing closer to the location where it's needed (for HA or low latency reasons)

- horizontally scale the PSN processing ( up to 50 PSN's for a fully distributed deployment)

- split out the role of Admin and Monitoring for better performance 

 

Just do you daily ISE config backups and perhaps have a VM ready in your disaster recovery site to take on that config backup.

You have to also remember that the IP address of the DR nodes should be the same as that used in your NAS - without that in place, failing over to the DR site would not help you at all - you'd need to change all you NAS devices to point to the new ISE IP addresses. 

One approach (for VMs) might be to take a clone of the active admin node (while it's powered down of course and then load that image into the DR site VM hypervisor. If the day comes where the proverbial hits the fan, then you can spin up that VM - of course, all the same theory about IP addressing still holds true. Does the DR site have the same VLAN(s) that ISE uses?

 

I am sure this is documented somewhere in the Cisco docs too.

View solution in original post

1 Reply 1

Go to solution
Arne Bier
VIP
VIP

‎12-29-2021 01:30 PM

Hi @mallyg2734 

 

The general ISE deployment is discussed at great length in the ISE Installation Guide.

You can only have maximum of two admin nodes. It makes no sense to have more than that, because Admin database is synchronised at all times. If one Admin fails, you can promote the Standby Admin to be the new Active Admin.

You can decide where to place the Admin nodes - it doesn't matter to the system. But the consideration for me would be disk sizing. Dedicated Admin node does not need more than 300GB disk. But if Monitoring is combined into the Admin persona, then 300GB is too small. Use at least 600GB in that case. There are calculators to help you make those decisions.

Therefore, if you have two new ISE nodes that are to be deployed as "Disaster Recovery" nodes, then you won't be able to designate them as Admin or Admin/Monitoring nodes. You cannot replicate the master database beyond two Admin nodes.

Expanding an ISE deployment allows you to do things like

- place PSN processing closer to the location where it's needed (for HA or low latency reasons)

- horizontally scale the PSN processing ( up to 50 PSN's for a fully distributed deployment)

- split out the role of Admin and Monitoring for better performance 

 

Just do you daily ISE config backups and perhaps have a VM ready in your disaster recovery site to take on that config backup.

You have to also remember that the IP address of the DR nodes should be the same as that used in your NAS - without that in place, failing over to the DR site would not help you at all - you'd need to change all you NAS devices to point to the new ISE IP addresses. 

One approach (for VMs) might be to take a clone of the active admin node (while it's powered down of course and then load that image into the DR site VM hypervisor. If the day comes where the proverbial hits the fan, then you can spin up that VM - of course, all the same theory about IP addressing still holds true. Does the DR site have the same VLAN(s) that ISE uses?

 

I am sure this is documented somewhere in the Cisco docs too.

Customers Also Viewed These Support Documents