08-30-2023 02:59 PM
We are implementing a multi-site ISE deployment across four locations, and our objective is to deploy two ISE PSNs at each site. It's important to note that these PSNs are site-specific, ensuring that users and devices authenticate with their respective local PSNs. Due to the critical nature of our operations and stringent design requirements, it is imperative for us to have a dedicated PSN at each site to eliminate any potential downtime and outages.
We plan to deploy 2x PAN and 2x MNT at our main site to centralize administration and monitoring functions.
We also plan for 2x WLC at each site.
At each site, our Active Directory is configured as a child domain, with replication occurring with the parent domain located at our main site.
We have established VPN connections to interconnect all our sites with the main site.
My questions are:
1- Is this an ideal design for ISE deployment, and what are other potential options?
2- Can PSNs work as active/standby, and how do they work without a load balancer if redundancy and failover are required?
3- Is it possible for a combination of physical and virtual appliances to function together, such as having PSN node 1 as a physical appliance and PSN node 2 as a virtual appliance?
08-31-2023 04:34 AM
Hi @techno.it ,
1 - Sounds fine and it covers your system requirements and restrictions. You do, however, need to make sure to open all relevant firewall policies and ensure sufficient bandwidth for node intercommunication.
2 - PAN nodes support Primary/Secondary roles that can also be made redundant using PAN failover. PSNs, however, don't have roles and they all serve as "Secondary" from the management perspective. You can use the Node Group function - "...in order to detect node failure and to reset sessions in pending state on the failed node, two or more Policy Service ISE nodes can be placed in the same node group. When a node that belongs to a node group goes down, another node in the same node group issues a CoA for pending sessions on the failed node". In addition, you can configure multiple PSN servers on the user switch and it will also be able to detect failures and communicate with the rest of the PSNs.
3 - I am not aware of a physical/virtual mixing limitation, but you do need to make sure that they all run the same version and patch level in order to properly operate and sync.
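The switch-side part of point 2 (multiple PSNs configured on the access switch, failover without a load balancer), shown as an added example that is not part of either post: both local PSNs sit in one RADIUS server group with dead-server detection, and both are accepted as CoA sources so a node-group peer can clear sessions of a failed PSN. The node names, the 10.10.1.11/12 addresses, the probe username, the shared secret and VLAN 999 are assumed placeholders, not values from the thread.

```cisco
! Added example (not from the thread): access-switch RADIUS config for one site with two local PSNs.
! 10.10.1.11/12, ise-probe, VLAN 999 and <SHARED-SECRET> are placeholders to replace.
aaa new-model
!
radius server ISE-SITE1-PSN1
 address ipv4 10.10.1.11 auth-port 1812 acct-port 1813
 key <SHARED-SECRET>
 timeout 5
 retransmit 3
 ! periodic test authentication so a dead PSN is noticed even with no user traffic
 automate-tester username ise-probe probe-on
!
radius server ISE-SITE1-PSN2
 address ipv4 10.10.1.12 auth-port 1812 acct-port 1813
 key <SHARED-SECRET>
 timeout 5
 retransmit 3
 automate-tester username ise-probe probe-on
!
! declare a PSN dead after 3 unanswered tries within 5 seconds; skip it for 10 minutes
radius-server dead-criteria time 5 tries 3
radius-server deadtime 10
!
! both local PSNs in one group: PSN1 is tried first, PSN2 takes over when PSN1 is dead
aaa group server radius ISE-SITE1
 server name ISE-SITE1-PSN1
 server name ISE-SITE1-PSN2
!
aaa authentication dot1x default group ISE-SITE1
aaa authorization network default group ISE-SITE1
aaa accounting dot1x default start-stop group ISE-SITE1
!
! accept CoA from either PSN (a node-group peer issues CoA for sessions of the failed node)
aaa server radius dynamic-author
 client 10.10.1.11 server-key <SHARED-SECRET>
 client 10.10.1.12 server-key <SHARED-SECRET>
!
! optional critical-auth fallback if both local PSNs are unreachable (e.g. site VPN down)
interface GigabitEthernet1/0/1
 authentication event server dead action authorize vlan 999
 authentication event server alive action reinitialize
```

Use `show aaa servers` on the switch to confirm each PSN's state (UP/DEAD) after a failover test.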