ISE add PSN node

TM13
Level 1

Hi,

 

  We have 3695 ISE HA configured as Admin-PSN-MNT, and we are planning to add 2x3965 PSNs in cluster mode. Is it possible to mix Large and Medium deployments?

2 Accepted Solutions


Damien Miller
VIP Alumni
Yes, you can mix different size ISE appliances and VMs within the same deployment. You just have to be mindful of the scaling limitations of each platform and plan accordingly.

I'm just assuming you might have meant to say you have two 3595s running PAN/MNT/PSN in what we refer to as a 2 node standalone deployment? If so, then you will be going to a four node hybrid deployment when you add two more nodes. In a four node deployment, the guidance is to only run the PAN/MNT function on two nodes, then the PSN roles on the two you are adding.

Ideally you would swap the new nodes in and finish up with a deployment that looks like this.
2x 3695 = PAN/MNT roles enabled
2x 3595 = PSN role enabled


Hi Tulga,

To add to what @Damien Miller stated, there are strict support guidelines for ISE deployment models. See the following document for those guidelines - ISE Performance & Scale

If you have a Standalone deployment (PSN, MnT, and PSN on the same node) and want to add PSNs, you need to move to a Hybrid model at a minimum (2x PAN/MnT + 2x PSN).

Unless I'm mistaken, I believe you are working in an environment with a Converged Plantwide Ethernet (CPwE) architecture. In that case, you should design for a minimum of six nodes to support the IT/OT separation defined in the Purdue model for Industrial Control Systems:

  • 2x PAN/MnT
  • 2x PSNs for the Enterprise (IT) environment (in the Enterprise Security zone)
  • 2x PSNs for the Process Control (OT) environment (in the Industrial DMZ zone)

You could further improve scalability and performance by separating the PAN & MnT personas onto Dedicated nodes.


3 Replies

marce1000
VIP

 

 - Moved to Network Access Control

 M.



-- ' 'Good body every evening' ' this sentence was once spotted on a logo at the entrance of a Weight Watchers Club !
