08-22-2018 06:00 AM - edited 03-11-2019 01:48 AM
Hello,
Got a request from a customer.
They have a data center in Europe and one in Australia. The link between them is an MPLS. They would like to have one ISE in Europe (primary) and one in Australia (secondary).
They have about 300 routers and switches and they would like to have the setup below:
The requirement here is that the ISE should be in some kind of cluster, meaning every change performed on the primary ISE should be replicated to the secondary ISE, be it a password update, a new device, etc.
Is this feasible?
Thanks
08-28-2018 01:36 AM
@marine253 You can use partner helpdesk for official vetting of presales configurations. Opinions I offer here are my own and not official from either Cisco or my employers.
The two scenarios you mentioned are correct as stated.
Re your other questions,
1. Yes.
2. Yes.
3. Yes. Each network device should have the TACACS server (PSN) closest to it first in its aaa server-group, something like this:
aaa group server tacacs+ ise-tacacs
 server name <name of local tacacs server>
 server name <name of remote tacacs server>
4. A PSN can operate and enforce configured policies whether or not the PAN (or MnT) node is accessible.
5. I believe some very limited messages may be queued on the PSN if there is a momentary loss of connectivity to the MnT nodes but, in general, you will lose accounting logs if the MnT is not reachable for any extended period of time.
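As an added example (not part of the original posts), here is a complete IOS AAA stanza for a device in the Europe DC that follows the "closest PSN first" advice from the answer above, with local fallback so the device stays manageable if both PSNs are unreachable. The server names, IP addresses and the shared secret are placeholders assumed for illustration; an Australian device would use the same stanza with the two "server name" lines swapped so that the Australian PSN is tried first.

```cisco
! Added example: per-site TACACS+ ordering for an ISE 4-node deployment.
! Hostnames, addresses and the key are assumed placeholders, not values from the thread.
aaa new-model
!
! Define both PSNs once; the key must match the network device entry in ISE.
tacacs server ISE-EU-PSN
 address ipv4 10.1.1.10
 key <shared-secret>
 timeout 5
!
tacacs server ISE-AU-PSN
 address ipv4 10.2.2.10
 key <shared-secret>
 timeout 5
!
! Europe device: local PSN first, remote PSN second.
! On an Australian device list ISE-AU-PSN first and ISE-EU-PSN second.
aaa group server tacacs+ ise-tacacs
 server name ISE-EU-PSN
 server name ISE-AU-PSN
!
! Local account used only when no PSN in the group answers.
username admin privilege 15 secret <local-fallback-secret>
!
aaa authentication login default group ise-tacacs local
aaa authorization exec default group ise-tacacs local if-authenticated
aaa authorization commands 15 default group ise-tacacs local if-authenticated
aaa accounting exec default start-stop group ise-tacacs
aaa accounting commands 15 default start-stop group ise-tacacs
```

Note that "local" at the end of each method list is only consulted when every server in the group fails to respond, not when a PSN rejects the login, so a compromised or locked-out account cannot bypass ISE simply by waiting for a timeout. Because accounting goes to the PSN, not to the MnT directly, this ordering does not change the point made in answer 5: accounting records still depend on the PSN being able to reach an MnT node.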
08-22-2018 08:14 AM
08-22-2018 08:36 AM
It would have to be a single deployment.
Ideally it would be 4 nodes so that the PAN/MnT Primary and Secondary personae are on two hosts in Europe. Then put one each PSN in Europe and Australia.
If you made it only two nodes you would be pushing the limits for replication over that much latency (probably around 300+ ms).
See also this tool for ISE bandwidth considerations:
https://community.cisco.com/t5/security-documents/ise-latency-and-bandwidth-calculators/ta-p/3641112
08-22-2018 09:08 AM
08-22-2018 09:20 AM
Latency between Europe and Australia is typically a bit over 300 ms. Design guidance is that we shouldn't exceed that so you'd be pushing the limit.
Take a look at BRKSEC-3699 on ciscolive.com for ideas/constraints on ISE deployments.
As was noted earlier two separate deployments have no knowledge of each other.
A 4 node deployment has:
a. Node 1 = Primary PAN / Secondary MnT
b. Node 2 = Secondary PAN / Primary MnT
c. Nodes 3 and 4 = PSNs.
08-22-2018 12:19 PM
08-22-2018 09:30 PM
Hello Marvin,
Thank you for the detailed explanation.
I've only deployed ISE for very small deployments. Please bear with me. :)
So to sum up, I am going to propose the options below to the customer:
Scenario 1:
We do two independent ISE deployments, that is one ISE in each country. Each ISE will have one IP and all routers/switches should be configured with dual TACACS servers. Each ISE will be managed separately and no sync of policies will happen.
Scenario 2:
A 4 node deployment (as proposed above):
a. Node 1 = Primary PAN / Secondary MnT
b. Node 2 = Secondary PAN / Primary MnT
c. Nodes 3 and 4 = PSNs.
QU1) That is 3 nodes in Europe and 1 node in Australia. Correct?
QU2) They will all sync together and policies/configuration will be performed on Node 1 only (Primary PAN). Correct?
QU3) All routers/switches should be configured with dual TACACS servers (as we have two PSNs). Correct?
QU4) What will happen if the Europe DC is unreachable? Will manual intervention be required on the PSN in Australia to make it functional?
QU5) All the MnT personas will be in Europe. If Europe is unreachable, does this mean that no logging will happen while the Australian PSN is servicing requests?
Thanks a lot in advance :)
08-27-2018 11:17 PM
Hi Marvin,
sorry to pester you. Could you please vet the above setup? :). I really need to know if the above is correct.
Thanks