Cisco Community
English
Register
Would you like to learn more about how to determine if you need an RMA? - REGISTER TODAY!
Register
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

943
Views
0
Helpful
5
Replies
h.dam
Beginner
Beginner
‎02-22-2017 02:00 PM
‎02-22-2017 02:00 PM

ISE HA mode prerequisites

Hi,

I'm a newbee on ISE. I'd like to know what are the prerequisites if I install two ISE vm in HA mode.

Is DNS server one of the prerequisites? If yes, can I use the ISE vm to be a DNS server?

Thanks in advance.

Labels:
0 Helpful
1 ACCEPTED SOLUTION

Accepted Solutions
Rahul Govindan
Advocate
Advocate
‎02-22-2017 05:02 PM
‎02-22-2017 05:02 PM

These are the guidelines to set up 2 ISE nodes in distributed deployment:

http://www.cisco.com/c/en/us/td/docs/security/ise/2-1/admin_guide/b_ise_admin_guide_21/b_ise_admin_guide_20_chapter_010.html#ID209

DNS is a requirement and the Nodes should be able to resolve the DNS name of the peer. ISE cannot act as a DNS server.

View solution in original post

0 Helpful
5 REPLIES 5
Rahul Govindan
Advocate
Advocate
‎02-22-2017 05:02 PM
‎02-22-2017 05:02 PM

These are the guidelines to set up 2 ISE nodes in distributed deployment:

http://www.cisco.com/c/en/us/td/docs/security/ise/2-1/admin_guide/b_ise_admin_guide_21/b_ise_admin_guide_20_chapter_010.html#ID209

DNS is a requirement and the Nodes should be able to resolve the DNS name of the peer. ISE cannot act as a DNS server.

View solution in original post

0 Helpful
Marvin Rhoads
VIP Community Legend VIP Community Legend
VIP Community Legend
‎02-22-2017 11:37 PM
‎02-22-2017 11:37 PM

In addition to what Rahul correctly stated, you also need a working external ntp server and your default gateway need to be reachable.

ISE checks all of these during the initial cli setup and, if any are not working, setup will not allow you to proceed with product initialization.

0 Helpful
h.dam
Beginner
Beginner
‎02-23-2017 02:02 PM
‎02-23-2017 02:02 PM

Hi,

In fact, we use cisco UCS. The ISE is installed as a VM.

As you said, ISE cannot be a DNS server, I'll try to create another VM with  DNS service activated. The reason I don't make use of the corporate DNS server because this ISE network is an separated one.

If the above methode won't work, then I'll try to use corporate DNS crossing the wan links.

0 Helpful
Rahul Govindan
Advocate
Advocate
In response to h.dam
‎02-23-2017 02:19 PM
‎02-23-2017 02:19 PM

Sure, you can have a Windows Server on the UCS acting as DNS and NTP server if you want to keep it separate from the Corp network.

0 Helpful
Venkatesh Attuluri
Cisco Employee
Cisco Employee
‎03-13-2017 08:10 AM
‎03-13-2017 08:10 AM

just to add to this conversation here If you have two Administration nodes deployed in a high-availability pair, you must ensurethat each of them have the same license capabilities. Generate licenses with both UDIs and then add the licenses while each node is in a standalone or primary state.

0 Helpful
Latest Contents
Azure AD SSO with multiple ISE Portals
Created by Greg Gibbs on 05-11-2021 04:11 PM
0
5
0
5
Introduction With the enhancements in ISE 3.0 for integrating with Azure AD via SAML IdP, it is now possible to leverage Microsoft Single Sign-On for multiple ISE Portals (for example Sponsor and Guest/BYOD Portals). At the time of this writing, ISE cann... view more
ISE BYOD Flow Using Azure AD
Created by Greg Gibbs on 05-10-2021 10:02 PM
0
10
0
10
IntroductionPrerequisitesConfiguration Introduction With the enhancements in ISE 3.0 for integrating with Azure AD via SAML IdP, it is now possible to create a BYOD Flow to provide Wireless network access using an employee’s Azure AD credentials. The use... view more
Cisco + Splunk Integrations Add-on List
Created by Sar on 05-07-2021 12:27 AM
0
5
0
5
The table below shows the whole Cisco Security solutions + Splunk integrations add-ons. Kindly let me know if I have missed some add-ons or if there are any new updates. Thank you!   Hope this will be helpful for everyone who is looking for Splunk in... view more
FMC API | ACP - Delete disabled rules and generate report.
Created by Anupam Pavithran on 05-06-2021 06:48 AM
0
5
0
5
A python based script to generate report if there are disabled rules under an Access Control Policy and an option to delete those rules in bulk.   Preparation Step 1 Download the script on PCStep 2 Make sure python3 is installed on PC and have reach... view more
FMC API | ACP Double logging detection and mitigation script
Created by Anupam Pavithran on 05-06-2021 06:09 AM
0
5
0
5
A python based script to generate report if there are double logging on FMC ACP (logging at beginning and end), having rule action "Allow" or "Trust". (Option1 ) Also, the logging at the begging will be disabled if logging is detected for both beginning ... view more
Content for Community-Ad