ISE Cluster

bella964hadid · ‎12-25-2024

Can four ISE nodes be deployed across two clusters to ensure high availability between two data-centers with the following criteria :

- An active cluster of 2 nodes in Datacenter 01. Click Here

- A standby cluster of 2 nodes in Datacenter 02

- Configuration synchronization between the two platforms.

- Automatic failover in case of an issue with one of the datacenters.

As far as I know, the four nodes will be deployed within a single ISE distributed deployment, all configured with the active PSN role, and we will select two nodes to handle the PAN and MNT roles

JPavonM · ‎12-25-2024

As far as I know you cannot sync two differnt ISE deployments.

Is this setup the result of a M&A? If so you should be looking into adapting the 2nd deployment policies in your primary one and merge all the PSN's at the end. If this is something you want to have on a fresh deployment, the best way to go is to have a distributes ISE deployment with PPAN and PMNT at DC#1, and SPAN and SMNT at DC#2 and then enable Automatic Failover on the deployment (If you also have a DNS' load balance technology enble it for the ISE admin portal resolution to point to the good one under the failover scenario)

Karsten Iwen · ‎12-26-2024

I would assume that this requirement came from a misunderstanding of the way an ISE deployment works. I you want the redunduncy that this requirement implies, you can build one deployment with two servers each in DC1 and DC2. The servers in DC1 would run primary PAN and MNT, the two servers in DC2 would run secondary PAN and MNT. Depending on the load all four could run PSN or the PSNs are separated to other nodes.

For the automatic failover, I just assume that you are mainly interested in RADIUS/TACACS failover. But that is a NAD functionality firsthand.