Solved: ISE add PSN node

TM13 · ‎08-18-2020

Hi,

We have 3695 ISE HA configured Admin-PSN-MNT, and planning to add 2x3965 PSNs with cluster mode and is that possible right that mixing Large and Medium deployments.

Damien Miller · ‎08-19-2020

Yes you can mix different size ISE appliances and VM's within the same deployment. You just have to be mindful of the scaling limitations of each platform and plan accordingly.

I'm just assume you might have meant to say you have two 3595's running PAN/MNT/PSN in what we refer to as a 2 node standalone deployment? If so, then you will be going to a four node hybrid deployment when you add two more nodes. In a four node deployment, the guidance is to only run the PAN/MNT function on two nodes, then the PSN roles on the two you are adding.

Ideally you would swap the new nodes in and finish up with a deployment that looks like this.
2x 3695 = PAN/MNT roles enabled
2x 3595 = PSN role enabled

View solution in original post

Greg Gibbs · ‎08-19-2020

Hi Tulga,

To add to what @Damien Miller stated, there are strict support guidelines for ISE deployment models. See the following document for those guidelines - ISE Performance & Scale

If you have a Standalone deployment (PSN, MnT, and PSN on the same node) and want to add PSNs, you need to move to a Hybrid model at a minimum (2x PAN/MnT + 2x PSN).

Unless I'm mistaken, I believe you are working in an environment with a Converged Plantwide Ethernet (CPwE) architecture. In that case, you should design for a minimum of six nodes to support the IT/OT separation defined in the Purdue model for Industrial Control Systems:

2x PAN/MnT
2x PSNs for the Enterprise (IT) environment (in the Enterprise Security zone)
2x PSNs for the Process Control (OT) environment (in the Industrial DMZ zone)

You could further improve scalability and performance by separating the PAN & MnT personas onto Dedicated nodes.

View solution in original post

marce1000 · ‎08-19-2020

- Moved to Network Access Control

M.

-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

Damien Miller · ‎08-19-2020

Yes you can mix different size ISE appliances and VM's within the same deployment. You just have to be mindful of the scaling limitations of each platform and plan accordingly.

I'm just assume you might have meant to say you have two 3595's running PAN/MNT/PSN in what we refer to as a 2 node standalone deployment? If so, then you will be going to a four node hybrid deployment when you add two more nodes. In a four node deployment, the guidance is to only run the PAN/MNT function on two nodes, then the PSN roles on the two you are adding.

Ideally you would swap the new nodes in and finish up with a deployment that looks like this.
2x 3695 = PAN/MNT roles enabled
2x 3595 = PSN role enabled

Greg Gibbs · ‎08-19-2020

Hi Tulga,

To add to what @Damien Miller stated, there are strict support guidelines for ISE deployment models. See the following document for those guidelines - ISE Performance & Scale

If you have a Standalone deployment (PSN, MnT, and PSN on the same node) and want to add PSNs, you need to move to a Hybrid model at a minimum (2x PAN/MnT + 2x PSN).

Unless I'm mistaken, I believe you are working in an environment with a Converged Plantwide Ethernet (CPwE) architecture. In that case, you should design for a minimum of six nodes to support the IT/OT separation defined in the Purdue model for Industrial Control Systems:

2x PAN/MnT
2x PSNs for the Enterprise (IT) environment (in the Enterprise Security zone)
2x PSNs for the Process Control (OT) environment (in the Industrial DMZ zone)

You could further improve scalability and performance by separating the PAN & MnT personas onto Dedicated nodes.