ISE node group behind load balancer

huangedmc
Level 3

I'm trying to gather info on distributed deployment w/ multiple PSN nodes.

Having read through some documents, it looks like you can put multiple PSNs in a node group, and then place the node group behind a load balancer.

Q1:

Node group config requires multicast.

Cisco ACE LB doesn't support multicast, except in bridge mode.

How do people support distributed deployment in node group behind Cisco ACE?

Q2:

User guide says: "We recommend that you have two, three, or a maximum of four nodes in a node group."

http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_dis_deploy.html#wp1134272

What if we need more than 4 PSN nodes to support our network & user base?

Q3:

Has anyone been able to implement distributed deployment between two datacenters behind GSS?

If GSS isn't possible, we'll be happy to just have it in working state behind ACE LB.

thx!

3 Replies

nspasov
Cisco Employee

I have had close to zero experience with LBs so my answers will be limited:

Q1: I don't think the multicast plays any role with the LB. The multicast address is needed for the ISE nodes for replication

Q2: You will have to create a new node group with a new multicast address

Q3: No help here

Couple of other things to remember:

1. The nodes must be layer 2 adjacent

2. You must use routed mode...no NAT/SNAT. Each node must be reachable directly from the end clients

3. You must perform sticky

4. The Load balancers must be listed as NADs in ISE

Hope this provides some help to you.

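The constraints listed in this reply (2 to 4 PSNs per node group, a distinct multicast address per node group, layer-2 adjacent members, load balancers defined as NADs) can be checked against a deployment plan before anything is built. The script below is an added example, not from the thread or from Cisco; the plan dictionary layout and the sample addresses are constructed, and "same IP subnet" is used as a stand-in for layer-2 adjacency.

```python
"""Plan checker for ISE PSN node groups placed behind a load balancer.

Added example with constructed data. Encodes the constraints stated in the
thread: 2-4 PSNs per node group, a distinct multicast address per group,
group members layer-2 adjacent (approximated here as one shared IP subnet),
and every load balancer address listed as a NAD in ISE.
"""
import ipaddress
from typing import Dict, List


def check_plan(node_groups: Dict[str, dict], nads: List[str]) -> List[str]:
    """Return human-readable findings; an empty list means the plan passes."""
    findings: List[str] = []
    seen_mcast: Dict[ipaddress.IPv4Address, str] = {}
    for name, grp in node_groups.items():
        psns = grp["psns"]
        if not 2 <= len(psns) <= 4:
            findings.append(f"{name}: {len(psns)} PSNs; the user guide recommends 2-4 per node group")
        mcast = ipaddress.ip_address(grp["multicast"])
        if not mcast.is_multicast:
            findings.append(f"{name}: {mcast} is not a multicast address")
        if mcast in seen_mcast:
            findings.append(f"{name}: multicast {mcast} already used by {seen_mcast[mcast]}")
        seen_mcast[mcast] = name
        # Layer-2 adjacency approximated as all members sharing one subnet.
        subnets = {ipaddress.ip_interface(p).network for p in psns}
        if len(subnets) > 1:
            findings.append(f"{name}: PSNs span {len(subnets)} subnets; members must be layer-2 adjacent")
        for lb in grp["load_balancers"]:
            if lb not in nads:
                findings.append(f"{name}: load balancer {lb} is not defined as a NAD")
    return findings


# Constructed sample plan: dc1-group is clean, dc2-group violates every rule.
SAMPLE_PLAN = {
    "dc1-group": {"psns": ["10.1.1.11/24", "10.1.1.12/24", "10.1.1.13/24"],
                  "multicast": "239.0.0.10", "load_balancers": ["10.1.1.5"]},
    "dc2-group": {"psns": ["10.2.1.11/24", "10.2.1.12/24", "10.2.1.13/24",
                           "10.2.1.14/24", "10.2.2.15/24"],
                  "multicast": "239.0.0.10", "load_balancers": ["10.2.1.5"]},
}
SAMPLE_NADS = ["10.1.1.5"]

if __name__ == "__main__":
    for finding in check_plan(SAMPLE_PLAN, SAMPLE_NADS):
        print(finding)
```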

Thanks Neno.

Follow-up question:

Where do people usually place their ISE nodes? Internal or DMZ?

I heard they're typically put in the internal networks...

Why is it a good idea to keep ISE in the internal networks, instead of the DMZ?

If guests can interface directly w/ the ISE, wouldn't it be safer to place it in the DMZ?

You can place them in either. The trouble becomes with having to deal with all of the ACL rules that you have to manage. There are a lot of ports and protocols used by ISE. Also, it is not uncommon for some of those ports to change with new releases.
