cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

669
Views
15
Helpful
8
Replies

ISE deployment with 9 PSNs

hi All,

 

I need someone to confirm one thing about deployment for 9 PSNs. 

I remember from most of the presentations that whenever you have more than 5 PSN you need to split PAN from MnT 

so how to interpret the following pictures? 

 

different presentations

 

does the first one say that if I have 2x PAN/MNT (no pxGrid) + i.e. 9x PSN + 0xPxGrid subscribers - is that supported or not?

the 2nd one is old  guide which means max of 5 PSN for 2x PAN/MNT

psn1.pngpsn2.png

1 ACCEPTED SOLUTION

Accepted Solutions
Damien Miller
VIP Advisor

If you have the PAN and MNT roles hosted on the same appliance/VM, then you can only have five additional nodes, 7 total including the PAN/MNTs. Any more than that and you need to put the PAN/MNT role on their own appliances or VM's.  

In your case if you want 9 PSN's, then you need the PAN and MNT roles on their own dedicated nodes. 

2x pan
2x mnt
9x psn

View solution in original post

8 REPLIES 8
Damien Miller
VIP Advisor

If you have the PAN and MNT roles hosted on the same appliance/VM, then you can only have five additional nodes, 7 total including the PAN/MNTs. Any more than that and you need to put the PAN/MNT role on their own appliances or VM's.  

In your case if you want 9 PSN's, then you need the PAN and MNT roles on their own dedicated nodes. 

2x pan
2x mnt
9x psn

View solution in original post

I have to admit I had not seen the slide from that BRKSEC-2430 session - I can see the confusion here. It does say "15 Max Subscriber nodes in a combined PAN/MnT scenario".

 

When did that come about? I have seen customers do this in the wild, but I thought it was a non-compliant deployment model

Those aren't PSN counts, those are pxgrid v1 connection limits per deployment model/size.

@Damien Miller - thanks for clarifying that ;-)

Thx Damien for reply,

 

a question though. 

I though that in terms of pxgrid subscribes there was a limit of 4 of them

 

so how does that count?

 

psn3.png

 

ok I misunderstood what you wrote - pxGrid external connections / systems not the nodes itself. Right?

Pxgrid nodes count as nodes as you can see from his image

In a deployment of 5 psn nodes in a hybrid 2 could be designated out of the 5

In a large deployment you can use up to 4 out of the 50

^this.

I can see how the confusion could start, in pxgrid we call connections subscribers. Overlapping terminology to psn nodes subscribing to the PAN.

Pxgrid subscriber = pxg connection
Psn subscriber = psn node

Pxgrid v1 had very poor scale, so it lists between 2 and 25 external "subscribers" (Max pxg connections). Unrelated to pxgrid/psn node count.
Content for Community-Ad