
ISE Deployment Advise

NETAD
Level 4

Hello, I have a client who will be deploying ISE as a RADIUS proxy server only. He will be doing it for corp wireless to relay authentication requests to an MFA server and he doesn't want to do any further authorization on ISE.

He has about 1 to 2 thousand wireless devices and might scale to a slightly higher number of devices in the future.

60 sites with 3 data centers, and he wants to deploy the ISE nodes across those 3 DC locations for high availability.

What's the minimum number of ISE nodes we can deploy for him that puts him in a position to scale in the future if he decides to do more on ISE and add more PSNs following the Cisco recommendations?

Is a 2 node deployment an option:

Node 1: Primary Admin, Secondary MnT, PSN

Node 2: Secondary Admin, Primary MnT, PSN

Or is a 3 node deployment a supported Cisco design?

Node 1: Primary Admin, Secondary MnT, PSN

Node 2: Secondary Admin, Primary MnT, PSN

Node 3: PSN

Or 4 or 5?


Thanks 


13 Replies

Jason Kunst
Cisco Employee
I would recommend a small ISE deployment with 2 servers running all personas (PAN, MnT, PSN) for HA.

The supported configurations are here:
https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/install_guide/b_ise_InstallationGuide24/b_ise_InstallationGuide24_chapter_00.html#ID-1413-0000008e

Thanks Jason. Is a three or a four node deployment doable at all? I know it's not in the deployment guide, but will Cisco still support this model? And how would you configure the personas? The customer keeps asking for a three or four node deployment.

Also, if we go with 3 or 4, would it be the same process to add PSNs down the road?

The guide shows what’s supported

If you want standalone PSNs you have to move to medium deployment that doesn’t allow that persona to run on same box as PAN/MNT

I would recommend starting in a small deployment and then later migrating PSNs to medium or even large down the road. You could start with a large appliance so that it could always be ready for any deployment size. You can always disable the small deployment PSN easily in the UI.


So pretty much start with a small deployment with all personas, then down the road disable the PSNs in the UI and add standalone PSNs.

Yes

Sounds good. Is it possible to just add one standalone PSN to the existing 2?

No, as stated before it's not supported unless you separate into a medium deployment.

Thanks. We will be going with a 4 node deployment.
HQ:
Node #1: Primary Admin, Secondary MnT
Node #2: PSN#1
DC:
Node #3: Secondary Admin, Primary MnT
Node #4: PSN#2

Hi Jason, the customer is insisting on 3 standalone ISE nodes and mirroring the config on all nodes. His excuse is that ISE isn't doing what ISE is supposed to be doing. What would be the implications of such a design?

Now you’re talking about two different things.

As stated before, the supported options are in the guides that I shared with you. Other combinations are not tested and therefore not supported.

I see no issue going with a standalone deployment using two separate boxes for high-availability. Each box has a policy service node running on it and your network access devices would point to each for failover. As we discussed before, this can be easily scaled up by removing those personas and then turning them up on separate boxes. This is the recommended approach. If you are utilizing virtual machines then it makes it even easier to size and split them out. If you're going with appliances you can start small, and when the customer decides to split they could repurpose them as PSNs and then buy a larger appliance as admin/monitor.

Otherwise it seems like you're now talking about three separate ISE deployments. This is wrong on many levels.
#1 Information and configuration will not be synchronized between the deployments. There is no manager of managers.
#2 Since your network access devices will point to a PSN in one deployment and then fail over to another deployment, the endpoint information will be mismatched and start fresh.
#3 I believe you have to pay for services support for each?
#4 For standard licensing you would have to purchase separate licenses.
#5 There are more but I'm pretty much tapped out. This is not a good approach.

Thank you Jason. I'm proposing all the supported designs from the Cisco design guide but the customer keeps coming back and insisting on the wrong design, and he doesn't care much about re-designing down the road or being unsupported. I liked all the reasons you provided against a 3 standalone deployment and I agree it's wrong.

I suggested a small deployment with 2 nodes running all personas or a 4 node deployment like I mentioned before, but he came back asking for 3!!

When you say "I see no issue going with a standalone deployment using two separate boxes for high-availability", are you referring to the small deployment with 2 admin (1 primary, one secondary), 2 MnTs (1 primary, one secondary) and 2 PSNs (both active), and of course building that trust relationship between the 2?

Thanks for your help and prompt responses to me.

Sorry unfortunately customer is wrong and this has to stop :)

Quote:
When you say "I see no issue going with a standalone deployment using two separate boxes for high-availability" are you referring to the small deployment with 2 admin (1primary one secondary) 2 MnTs (1 primary, one secondary) and 2 PSNs (both active) and of course building that trust relationship between the 2.

Recommendation is
Small deployment standalone
2 boxes running PAN/MnT/PSN on each box.
Box1 runs primary pan/mnt
Box2 runs secondaries
Each box has active psn
This is all in the deployment guide

Hoping he will today :) Thanks for your help.
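As an added example (not code from the thread, from Cisco, or from ISE itself): a small Python checker that encodes the persona rules Jason states above (small = 2 boxes each running PAN/MnT/PSN with one primary and one secondary; standalone PSNs are only supported once the PAN/MnT boxes no longer run PSN, i.e. a medium deployment; separate deployments share no config or endpoint data) and applies them to the 2-, 3- and 4-node layouts proposed in the thread. The tier labels, the single-node standalone allowance and the `node()`/`classify()`/`check_plan()` helpers are assumptions; node-count limits per tier and large deployments are not modelled.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Node:
    name: str
    personas: frozenset  # subset of {"PAN", "MNT", "PSN"}
    pan_role: str = ""   # "primary" / "secondary" when PAN is present
    mnt_role: str = ""   # same for MnT

def node(name, *personas, pan_role="", mnt_role=""):
    return Node(name, frozenset(p.upper() for p in personas), pan_role, mnt_role)

def classify(nodes):
    """Return (tier, reasons); tier is 'small', 'medium' or 'unsupported' (assumed labels)."""
    reasons = []
    admin = [n for n in nodes if n.personas & {"PAN", "MNT"}]
    psn_only = [n for n in nodes if n.personas == {"PSN"}]
    mixed = [n for n in admin if "PSN" in n.personas]
    # PAN and MnT each need one primary, plus a secondary for HA.
    for persona, attr in (("PAN", "pan_role"), ("MNT", "mnt_role")):
        roles = sorted(getattr(n, attr) for n in nodes if persona in n.personas)
        if roles not in (["primary"], ["primary", "secondary"]):
            reasons.append(f"{persona}: need one primary (and one secondary), got {roles}")
    # Thread rule: a standalone PSN is only supported in a medium deployment,
    # where the PAN/MnT boxes must no longer run the PSN persona themselves.
    if psn_only and mixed:
        reasons.append("standalone PSN while PAN/MnT boxes still run PSN: disable those first (medium)")
    if not psn_only and len(mixed) != len(admin):
        reasons.append("small deployment: every PAN/MnT box should run an active PSN for HA")
    if reasons:
        return "unsupported", reasons
    if psn_only:
        return "medium", ["PAN/MnT pair plus dedicated PSNs"]
    return "small", ["each box runs PAN/MnT/PSN; NADs point at both PSNs for failover"]

def check_plan(deployments):
    """Independent deployments never share config or endpoint data (Jason's #1/#2)."""
    results = [classify(d) for d in deployments]
    if len(deployments) > 1:
        results.append(("unsupported", ["separate deployments: no config sync, no manager of managers"]))
    return results

# Constructed from the layouts proposed in the thread.
TWO_NODE = [node("Node 1", "PAN", "MNT", "PSN", pan_role="primary", mnt_role="secondary"),
            node("Node 2", "PAN", "MNT", "PSN", pan_role="secondary", mnt_role="primary")]
THREE_NODE = TWO_NODE + [node("Node 3", "PSN")]
FOUR_NODE = [node("HQ Node 1", "PAN", "MNT", pan_role="primary", mnt_role="secondary"), node("HQ Node 2", "PSN"),
             node("DC Node 3", "PAN", "MNT", pan_role="secondary", mnt_role="primary"), node("DC Node 4", "PSN")]
```

Running `classify(THREE_NODE)` reproduces Jason's objection to the 3-node layout, while three mirrored single-node deployments passed to `check_plan` each look fine in isolation but are flagged as a whole.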