Re: ISE deployment

engahmedsaied · ‎01-31-2021

In ISE deployment I know that we can have two nodes acting as Admin P + Monitor S + PSN and Admin S + Monitor P + PSN

We can separate roles by having two nodes run as admin + monitor then we can add up to 5 PSNs

In case we have 3 nodes can run as the following ?

Admin P + Monitor S + PSN

Admin S + Monitor P + PSN

PSN

balaji.bandi · ‎01-31-2021

You can mix nodes, but what kind of deployment is this and also need to consider the size of deployment.

some notes for reference :

https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/install_guide/b_ise_InstallationGuide24/b_ise_InstallationGuide24_chapter_00.html

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Damien Miller · ‎01-31-2021

The usual reason someone want's to run a three node deployment like this is so they can enable the automatic admin node failover. You have to be very careful when doing this, ensuring that every network device has the three nodes configured. When the PAN failover activates, the remaining admin node will also reload leaving just the third PSN online.

While there is no official support for a three node deployment, it sits between a standalone (1-2 node) and Hybrid (4+ node), it does in fact work. Nothing will prevent you from doing this, but you do so knowing that "officially" it's not tested or supported. TAC will still provide support, but if you get in to troubleshooting performance or other odd issues, they might ask you to disable the third node as a troubleshooting step.

engahmedsaied · ‎02-01-2021

Yeah for automatic admin node failover instead of manual method but this a different scenario here

What is the required, 3 nodes run as

Admin P + Monitor S + PSN

Admin S + Monitor P + PSN

PSN

I did not see this in Cisco documentation all about two nodes deployment or two nodes run as admin + monitor without PSN then you can add up to 5 PSNs

but in this way

Admin P + Monitor S + PSN

Admin S + Monitor P + PSN

PSN

Will there any issues ? performance, support tickets, ...

Marcelo Morais · ‎02-01-2021

Hi @engahmedsaied

take a look at the following post: ISE Performance & Scale. Check the ISE Architecture and Terminology (Hybrid Deployment).

Note: every ISE deployment must have one Primary PAN, one Primary MnT and at least one PSN.

Hope this helps !!!

engahmedsaied · ‎02-01-2021

yes this is a nice document but what I am asking about is not listed there

can this be done and supported ? or there issue will be related to this

In case we have 3 nodes can run as the following ?

Admin P + Monitor S + PSN

Admin S + Monitor P + PSN

PSN

as I always use Standalone / Dedicated Deployment , Hybrid / Medium Deployment or Fully distributed / Dedicated deployment

Marcelo Morais · ‎02-01-2021

Hi @engahmedsaied

although it's possible to have 3x Nodes just like this:

Admin P + Monitor S + PSN 
Admin S + Monitor P + PSN 
PSN

the problem is ... how you will calculate the PSN - Maximum Concurrent Sessions?

If you take a look at: ISE Performance & Scale - ISE PSN Performance topic, there is a difference between a Standalone vs Hybrid deployment (in terms of Maximum Concurrent Sessions) ... on the 3x Nodes case, you have a PSN with a different load than the others that have Admin & Monitor service enabled.

Hope this helps !!!