Thanks Jason is a three or a four node deployment doable at all I know it’s not in the deployment guide but will Cisco still support this model? and How would you configure the personas? the customer keeps asking for a three or four node deployment. 

 

Also of we go with 3 or 4 would be the same process to add psns down the road?

The guide shows what’s supported

If you want standalone PSNs you have to move to medium deployment that doesn’t allow that persona to run on same box as PAN/MNT

I would recommend starting in small deployment and then later migrate PSNs to medium or even large down the road. You could start with a large appliance so that could always be ready for any deployment size . You can always disable the small deployment psn easily in the UI

So pretty much start with a small deployment with al all personas then down the road disable the PSNs in the UI, and add standalone PSNs.

Yes

Sounds good. Is it possible to just add one standalone psn to the existing 2?

No as stated before its not supported unless you separate into medium deployment

Thanks. We will be going with a 4 node deployment.
HQ:
Node #1: Primary Admin, Secondary MnT
Node #2: PSN#1
DC
Node #3: Secondary Admin, Primary MnT
Node #4: PSN#2

Hi Jason, the customer is insisting on 3 standalone ISE nodes and mirroring the config on all nodes. His excuse is that ISE isn't doing what ISE is supposed to be doing. What would be the implications of a such design.

Now you’re talking about two different things.

As stated before the supported options are in the guys that I shared with you. Other combinations are not tested and therefore not supported.

I see no issue going with a standalone deployment using two separate boxes for high-availability . Each box has a policy service now and running on it and your network access devices would point to each for failover. As we discussed before this can be easily scaled up by removing those personas and then turning them up on separate boxes. This is the recommended approach.If he you are utilizing virtual machines then it makes it even easier to size and split them out. If you’re going with appliances You can start small and when customer decides to split then they could repurpose them as PSNs and then buy larger appliance as admin/monitor

Otherwise It seems like you’re now talking about three separate ise deployments. This is wrong on many levels.
#1 information and configuration will not be synchronized between the deployments . There is no manager of managers
#2 since your network access devices will point to a PSN in one deployment and then fail over to another deployment The endpoint information will be mismatch and start fresh
#3 I believe you have to pay for services support for each?
#4 for standard licensing you would have to purchase separate licenses
#5 There are more but I’m pretty much tapped out. This is not a good approach

Thank you Jason. I'm proposing all the supported designs from the Cisco design guide but the customer keeps coming back and insisting on the wrong design and he doesn't care much about re-desigining down the road or being unsupported. I liked all the reasons you provided for a 3 standalone deployment and I agree it's wrong.

I suggested a small deployment with 2 nodes running all personas or a 4 node deployment like I mentioned before but he came back asking for 3!!

When you say "I see no issue going with a standalone deployment using two separate boxes for high-availability" are you referring to the small deployment with 2 admin (1primary one secondary) 2 MnTs (1 primary, one secondary) and 2 PSNs (both active) and of course building that trust relationship between the 2.

Thanks for your help and prompt responses to me.

Hoping he will today :) Thanks for your help.