07-11-2018 06:07 AM
Hi,
I just need a confirmation regarding this very simple use case for ISE. It's an SP that only requires TACACS+ functionality for device administration for 500 nodes with HA.
I added a single Device Administration license with 500 Base license and positioning the small version of the virtual appliance or physical appliance.
Now, for HA, do I simply double the licenses and appliances? Is there a HA purchasing option for ISE? No reference to this in the ordering guide.
Thanks!
07-11-2018 06:53 AM
For HA you need a minimum of 2 admin nodes and 1 secondary node. For device administration you need the Device Admin license, which is not counted and is permanent:
Device Admin | Uncounted | Permanent |
That is what you need for TACACS+, and it is installed on the primary admin node.
07-11-2018 07:02 AM
Hi,
Thanks for the response. I'm just trying to translate this into a valid BoM that I could provide the client. From what you say, I understand it as 3 nodes for HA. Am I correct?
Historically with ACS, we needed two devices and the DB would sync between them. Can't I replicate this with ISE?
07-11-2018 09:32 AM
The configuration databases are synced on all ISE nodes in the same deployment. The sizing depends more on the rate of authentications. The minimum would be 2 all-in-one ISE nodes. Please review this Cisco Live session for details:
Designing ISE for Scale & High Availability - BRKSEC-3699
Craig Hyps, Principal Technical Marketing Engineer, Cisco Systems
05-25-2020 03:29 AM
Hi,
For ISE HA failover in a Small Deployment (only two ISE nodes, one in the DC and the other in DR):
05-25-2020 06:25 AM
@manvik wrote: Hi,
For ISE HA failover in a Small Deployment (only two ISE nodes, one in the DC and the other in DR):
- Is it true that the Secondary node needs to be promoted manually when the Primary node is down? - That's correct. You would need a third node to perform the health checks for automatic failover.
- In the case of device authentication, will the NAD automatically authenticate to the secondary when the primary goes down? - That's also correct; it will be based on RADIUS/TACACS timeouts. You can set up a test authentication at regular intervals to test for any failure on the device's AAA server.
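As an added illustration of the timeout-based failover and periodic test authentication described in this reply (this is not configuration from the thread or from Cisco's ISE documentation), here is a Cisco IOS-XE style NAD configuration that lists the DC and DR PSNs in one AAA server group, so the device moves to the second server when the first stops answering, and probes the RADIUS servers with `automate-tester`. The server names, IP addresses, shared secret, probe username and timer values are assumed placeholders.

```cisco
! Added example (not from the thread): two ISE PSNs behind one AAA group so the
! NAD fails over on timeout; names, addresses, secrets and timers are assumed.
aaa new-model
!
! --- TACACS+ for device administration ---
! Failover between TACACS+ servers is driven only by the per-server timeout
! and the order of the servers in the group.
tacacs server ISE-DC
 address ipv4 10.0.0.11
 key 0 EXAMPLE-SHARED-SECRET
 timeout 5
tacacs server ISE-DR
 address ipv4 10.1.0.11
 key 0 EXAMPLE-SHARED-SECRET
 timeout 5
!
aaa group server tacacs+ ISE-TACACS
 server name ISE-DC
 server name ISE-DR
!
! Fall back to the local user database only if both PSNs time out
aaa authentication login default group ISE-TACACS local
aaa authorization exec default group ISE-TACACS local
aaa accounting exec default start-stop group ISE-TACACS
!
! --- RADIUS for network access, with a periodic test authentication ---
! automate-tester sends a test Access-Request every idle-time minutes so a
! dead server is detected before a real user authentication has to time out.
radius server ISE-DC
 address ipv4 10.0.0.11 auth-port 1812 acct-port 1813
 key 0 EXAMPLE-SHARED-SECRET
 timeout 3
 retransmit 2
 automate-tester username ise-probe idle-time 5
radius server ISE-DR
 address ipv4 10.1.0.11 auth-port 1812 acct-port 1813
 key 0 EXAMPLE-SHARED-SECRET
 timeout 3
 retransmit 2
 automate-tester username ise-probe idle-time 5
!
aaa group server radius ISE-RADIUS
 server name ISE-DC
 server name ISE-DR
 deadtime 10
!
aaa authentication dot1x default group ISE-RADIUS
```

The probe only checks that the PSN answers, so `ise-probe` should be a dedicated account with no privileges (an Access-Reject still counts as a live server); expect the probe attempts to show up in the ISE live logs. Note that TACACS+ servers on IOS-XE have no equivalent probe command, so for device administration the failover delay is roughly the server `timeout` multiplied by the number of unresponsive servers ahead of the healthy one in the group.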
05-25-2020 11:08 PM
Thank you @Aileron88
1. If the NAD can authenticate to the secondary after a failure, what's the purpose of failover?
2. For automatic failover, is a third monitoring node with a Base license enough?
05-26-2020 03:14 AM
@manvik wrote: Thank you @Aileron88
1. If the NAD can authenticate to the secondary after a failure, what's the purpose of failover? - The failover is not for the PSN services such as RADIUS and TACACS authc/authz. The failover is for the administration services; whilst these services are down you won't be able to perform functions such as new guest authentication or posture.
2. For automatic failover, is a third monitoring node with a Base license enough? - The monitoring node can be a PSN, monitoring or pxGrid node (or a combination). Base licenses are consumed for features such as network access, guest access etc.; all you'd need to do for the automatic failover is make sure you have the appropriate VM-level licenses. One thing to note: if the administration nodes are in different DCs, the recommended design is to have a monitoring node for each admin node. Just to confirm too, when I say monitoring node I don't mean it has to be a node running the monitoring persona (you can only have two of these); it's just a node that monitors the administration node(s).
05-27-2020 02:09 AM
Thank you @Aileron88
Your answers are helping me understand a few things now. Can you help with the below too?
In DC-DR HA, when a NAD authenticates to the DR ISE IP, will it get authenticated?
05-27-2020 02:35 AM
@manvik wrote: Thank you @Aileron88
Your answers are helping me understand a few things now. Can you help with the below too?
In DC-DR HA, when a NAD authenticates to the DR ISE IP, will it get authenticated?
No problem, you're welcome. It will if it's running the PSN service.
Thanks