Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1617
Views
15
Helpful
8
Replies

ISE deployment with 9 PSNs

Go to solution
Przemyslaw Konitz
Level 1
Level 1

‎11-21-2019 01:15 PM

hi All,

 

I need someone to confirm one thing about deployment for 9 PSNs. 

I remember from most of the presentations that whenever you have more than 5 PSN you need to split PAN from MnT 

so how to interpret the following pictures? 

 

different presentations

 

does the first one say that if I have 2x PAN/MNT (no pxGrid) + i.e. 9x PSN + 0xPxGrid subscribers - is that supported or not?

the 2nd one is old  guide which means max of 5 PSN for 2x PAN/MNT

psn1.pngpsn2.png

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Damien Miller
VIP Alumni
VIP Alumni

‎11-21-2019 02:23 PM

If you have the PAN and MNT roles hosted on the same appliance/VM, then you can only have five additional nodes, 7 total including the PAN/MNTs. Any more than that and you need to put the PAN/MNT role on their own appliances or VM's.  

In your case if you want 9 PSN's, then you need the PAN and MNT roles on their own dedicated nodes. 

2x pan
2x mnt
9x psn

View solution in original post

0 Helpful
8 Replies 8

Go to solution
Damien Miller
VIP Alumni
VIP Alumni

‎11-21-2019 02:23 PM

If you have the PAN and MNT roles hosted on the same appliance/VM, then you can only have five additional nodes, 7 total including the PAN/MNTs. Any more than that and you need to put the PAN/MNT role on their own appliances or VM's.  

In your case if you want 9 PSN's, then you need the PAN and MNT roles on their own dedicated nodes. 

2x pan
2x mnt
9x psn

0 Helpful

Go to solution
Arne Bier
VIP
VIP
In response to Damien Miller

‎11-21-2019 02:27 PM

I have to admit I had not seen the slide from that BRKSEC-2430 session - I can see the confusion here. It does say "15 Max Subscriber nodes in a combined PAN/MnT scenario".

 

When did that come about? I have seen customers do this in the wild, but I thought it was a non-compliant deployment model

0 Helpful

Go to solution
Damien Miller
VIP Alumni
VIP Alumni
In response to Arne Bier

‎11-21-2019 02:34 PM

Those aren't PSN counts, those are pxgrid v1 connection limits per deployment model/size.

Go to solution
Arne Bier
VIP
VIP
In response to Damien Miller

‎11-21-2019 02:42 PM

@Damien Miller - thanks for clarifying that ;-)

0 Helpful

Go to solution
Przemyslaw Konitz
Level 1
Level 1
In response to Damien Miller

‎11-22-2019 01:09 AM

Thx Damien for reply,

 

a question though. 

I though that in terms of pxgrid subscribes there was a limit of 4 of them

 

so how does that count?

 

psn3.png

 

0 Helpful

Go to solution
Przemyslaw Konitz
Level 1
Level 1
In response to Przemyslaw Konitz

‎11-22-2019 01:12 AM

ok I misunderstood what you wrote - pxGrid external connections / systems not the nodes itself. Right?
0 Helpful

Go to solution
Jason Kunst
Cisco Employee
Cisco Employee
In response to Przemyslaw Konitz

‎11-22-2019 03:00 AM

Pxgrid nodes count as nodes as you can see from his image

In a deployment of 5 psn nodes in a hybrid 2 could be designated out of the 5

In a large deployment you can use up to 4 out of the 50
0 Helpful

Go to solution
Damien Miller
VIP Alumni
VIP Alumni
In response to Jason Kunst

‎11-22-2019 04:50 AM

^this.

I can see how the confusion could start, in pxgrid we call connections subscribers. Overlapping terminology to psn nodes subscribing to the PAN.

Pxgrid subscriber = pxg connection
Psn subscriber = psn node

Pxgrid v1 had very poor scale, so it lists between 2 and 25 external "subscribers" (Max pxg connections). Unrelated to pxgrid/psn node count.
Customers Also Viewed These Support Documents