Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
427
Views
6
Helpful
12
Replies

ISE Cluster

haroungh
Level 1
Level 1

‎12-25-2024 11:06 AM

Can four ISE nodes be deployed across two clusters to ensure high availability between two data-centers with the following criteria :

-  An active cluster of 2 nodes in Datacenter 01.

- A standby cluster of 2 nodes in Datacenter 02

- Configuration synchronization between the two platforms.

- Automatic failover in case of an issue with one of the datacenters.

As far as I know, the four nodes will be deployed within a single ISE distributed deployment, all configured with the active PSN role, and we will select two nodes to handle the PAN and MNT roles

12 Replies 12

ammahend
VIP Alumni
VIP Alumni

‎12-25-2024 12:15 PM - edited ‎12-25-2024 12:17 PM

Yes all these 4 nodes can be deployed in a single distributed deployment, make sure roundtrip latency between sites is under 300 ms, you can have few variations of deployment depending on how you want to distribute and scale, table 4 has more details when deployed shared Vs standalone persona in the scalability guide

Here are some additional best practices to keep in mind 

-hope this helps-
0 Helpful

haroungh
Level 1
Level 1

‎01-21-2025 07:25 AM

Dear Ammahend,

I would like to confirm the following setup for distributed deployment , 2 Nodes in each DC as bellow  :

In Each DC, we will have two Nodes  as bellow:

  •       - One Node with the PAN, MNT, and PSN roles.
  •       -  A second Node dedicated to the PSN role.

is this configuration good or it is mandatory to have pan & mnt nodes in one DC ?

Additionally, could you clarify how the failover mechanism would work in case the link between two data centers goes down?

0 Helpful

Rob Ingram
VIP
VIP
In response to haroungh

‎01-21-2025 07:40 AM

@haroungh What hardware have you purhcased or VM specs? How many concurrent sessions does the cluster need to support? https://www.cisco.com/c/en/us/td/docs/security/ise/performance_and_scalability/b_ise_perf_and_scale.html#Cisco_Reference.dita_59d6eb45-48a9-422f-9369-d9e8c2dacb76

Having the PAN/MNT roles in different DCs ensures you have resilency if one DC is unavailable.

Automatic failover can be achieved using one of the PSNs as a health check node. The health check node checks the health of the primary PAN at configured intervals. If the health check response received for the primary PAN is unreachable, the health check node initiates the promotion of the secondary PAN to take over the primary role https://www.cisco.com/c/en/us/td/docs/security/ise/3-3/admin_guide/b_ise_admin_3_3/b_ISE_admin_33_deployment.html#concept_6C3FA27523BC44FC8B7C56731997B71C

You should also ensure that AD, DNS, NTP etc is also available in both DCs, as ISE relies on these for authentication.

0 Helpful

haroungh
Level 1
Level 1
In response to Rob Ingram

‎01-21-2025 07:50 AM

@Rob Ingram 

Does it work as follows  ? :

 I am planning to deploy 4 VM nodes across two data centers as follows:

  • DC01: Primary PAN (PPAN), Primary MNT (PMNT), PSN, and an additional PSN.
  • DC02: Secondary PAN (SPAN), Secondary MNT (SMNT), PSN, and an additional PSN.

If the link between the data centers goes down, each DC will operate independently with its own admin node. Once the link is restored, the system will revert to a single PAN managing both DCs.

0 Helpful

Rob Ingram
VIP
VIP
In response to haroungh

‎01-21-2025 08:01 AM

@haroungh the health check node should be in the same DC as the node it's monitoring. The WAN must be up for health check to function correctly and failover, to avoid split brain.

 

0 Helpful

Marcelo Morais
VIP
VIP

‎01-21-2025 02:13 PM

Hi @haroungh  ,

 

Deployment

Please take a look at: Performance and Scalability Guide for Cisco Identity Services Engine.

1st, you can create a Medium Deployment - ISE Cluster (search for Different Types of Cisco ISE Deployment)

Datacenter01

  • Node 1: PPAN + SMnT
  • Node 2: PSN (always active)

Datacenter02

  • Node 3: SPAN + PMnT
  • Node 4: PSN (always active)

2nd, for ISE Deployment Sizing (search for Sizing Guidelines for ISE Deployment), you MUST know the Maximum Concurrent Active Sessions of your Deployment.

This is an important number to create the correct SNS/VM (search for Cisco ISE Hardware Appliances).

 

Software

Please take a look at Cisco ISE Software Download

1st, today Cisco ISE Suggested Release is ISE 3.3 Patch 4.

 

Load Balancer / NAD

If you have a Load Balancer,

  1. then load balance your RADIUS Request between Node 2 and Node 4
  2. else manually point

half of your NADs to Node 2 as a Primary PSN & Node 4 as a Secondary PSN

the other half to Node 4 as a Primary PSN & Node 2 as a Secondary PSN

 

Hope this helps !!!

haroungh
Level 1
Level 1

‎01-22-2025 01:40 AM

@Marcelo Morais 

Thanks , 

How does failover work between Node 1 and Node 3  if the link goes down?

During the downtime, do will we have two distributed ISE nodes, and will both be manageable? Additionally, what happens when the link is restored?

Is it mandatory to have two nodes dedicated to PAN and MNT roles?,  I intend to assign the PSN role to all four VM nodes.

0 Helpful

Marcelo Morais
VIP
VIP
In response to haroungh

‎01-22-2025 05:21 AM

Hi @haroungh  

 about: " ... Is it mandatory to have two nodes dedicated to PAN and MNT roles? ... "

PAN and MnT are important Roles, that is why a PPAN/SPAN and PMnT/SMnT is a MUST on a Small, Medium or Large Deployment (please take a look at Performance and Scalability Guide for Cisco Identity Services Engine, search for Different Types of Cisco ISE Deployment).

 

about: " ... During the downtime, do will we have two distributed ISE nodes, and will both be manageable? Additionally, what happens when the link is restored? ... "

If Datacenter02 is down,

  • you can use PPAN at Node 1 for Administration
  • you can use PSN at Node 2 for RADIUS Request

If Datacenter01 is down,

  • you can manually Promote the SPAN at Node 3 for Administration

Promote to Primary.png

 

  • you can use PSN at Node 4 for RADIUS Request

 

about " ... How does failover work between Node 1 and Node 3  if the link goes down? ... "

PPAN and SPAN will automatically synchronize (you can also you the SyncUp option):

Syncup.png

 

Hope this helps !!!

haroungh
Level 1
Level 1

‎01-22-2025 05:35 AM

@Marcelo Morais 

thanks very much for awsome clarifications 

Is it possible to assign the PSN role to all four VM nodes, with two of them also serving as PAN and MNT.

My goal is to have two PSN nodes for each data center, with one node in each data center acting as PAN, MNT, and PSN, while the second node is dedicated to PSN 

 

0 Helpful

Marcelo Morais
VIP
VIP
In response to haroungh

‎01-22-2025 08:47 AM - edited ‎01-23-2025 02:55 AM

Hi @haroungh  ,

 yes, it's possible to assign a PSN Role to a PAN & MnT Node, it's considered a Shared PSN and not a Dedicated PSN.

Note: remember that, if your Hardware/VM is compatible with a SNS 3655, then each Dedicated PSN is capable of handle up to 50K Concurrent Active Sessions., in other words, double check if you really need a PSN Role into the PAN & MnT Node.

 

Hope this helps !!!

Aref Alsouqi
VIP
VIP

‎01-25-2025 04:39 AM

Nothing wroing with having the PSN services running on the same node where you also have the administration and monitoring services, actually it is quite common to have a deployment like that.

Here is my take on the auto-failover, this will only be applicable to the administration services and I think it will depend on how you configure it if it will be triggered or not. For instance, if the configured failover monitoring node is sitting in DC1 then I don't believe the failover will happen in that case, because from that failover monitoring node perspective the primary PAN will still be available. In this scenario you wouldn't be able to manage the nodes sitting in DC2.

However, if the configured failover monitoring node is sitting in DC2 and the link between DC1 and 2 goes down, then I think the failover will happen because that failover monitoring node will not be able to reach the primary PAN and it will instruct the secondary PAN to become the primary. I think in this scenario you would have a split-brain deployment because you would have the primary PAN in DC1 and the new primary PAN in DC2.

Although I think you could manage the nodes in DC1 via the PAN in DC1 and the nodes in DC2 via the PAN in DC2 there is a caveat here which is that there is no preemption with ISE auto-failover. This means that even when the link between the two DCs is restored the new PAN in DC2 will remain as is. I'm not sure if in that case the primary PAN in DC1 would be automatically demoted.

Scott Fella
Hall of Fame
Hall of Fame

‎01-25-2025 12:41 PM

@Marcelo Morais I have a new deployment I'm testing with with two 3795's in two different DC's.  I have one in each running PAN, PMNT and the other a PSN, then other DC I have one running SAN, SMNT and PSN.  I did have the one node in each running all personas for a few months.  Our production has 20 nodes and the PAN/MNT are dedicated nodes and are located in a different DC than the SAN and MNT. I didn't like the auto-failover, because I wanted to be able to control which was the PAN.  Like what the others have already mentioned, it's possible to do, but you need to also look at the various types of failures. Node failure, traffic to a specific DC, failure between the DC and maybe AD, etc.  That way you have a grasp of what can happen in various situations.

-Scott
*** Please rate helpful posts ***
Customers Also Viewed These Support Documents