ISE - Configuring Node Groups

JC779
Level 1

We have a dozen-node 3.2 deployment and we're looking to configure Node Groups based on location/LAN.

Based on the admin guide, I understand how to configure the groups and the benefit but I haven't been able to get any information about the possible impact of doing so in a production environment.

Is there any impact to creating node groups and assigning nodes such as ISE applications restarting or them being unavailable to process authentication requests, etc.?

Also, should we create node groups for our dedicated Admin nodes and Monitoring nodes or does it only make sense to create node groups for the Policy nodes?

 

Thank you,

2 Replies

Arne Bier
VIP

It's quite an old ISE feature now, and not much discussion around it. If I recall from the stuff I have read, the feature is optional and it won't hurt NOT implementing it. However, if you operate a guest portal on two PSNs, then it makes sense to implement Node Groups, because the session persistence will be across both PSNs - if an endpoint is redirected to PSN1 but for some reason the redirection doesn't work, then there is some kind of failover (CoA I think ... I can't remember the details) to cause the endpoint to get re-directed to PSN2, which has the same state information for that guest redirection. To the end user it should look seamless. 

Cisco goes into technical details about JGroups etc. - in my opinion, these are developer optimisations that I don't understand, and I always hope that I am doing the right thing and that putting PSNs (which are in the same data center ... not necessarily the same VLAN) in a Node Group will have some benefit. How will we know for sure? No idea. I have not bothered to look into the details again of why I should use Node Groups. I just do it. It doesn't seem to make anything worse. Don't implement Node Groups on PSNs that are connected over a WAN.

If anyone has any pragmatic advice around Node Groups, I'd love to hear it.

Agree with @Arne here.  Node groups used to be more important before the ISE Messaging service came along for things like optimized replication, etc.