Beginner

ISE Policy Node deployment

We are building a new site in a test lab in one of our current buildings.
The test lab is able to access most of the rest of the network (some remote sites are not accessible).

I want to configure an ISE policy node in this site. I don't think this will cause an issue, but I wanted to check first, so...

1st question:
If I join this unit to the ISE deployment, it will be able to see the admin and monitoring nodes but not some of the remote policy nodes. Would this cause a problem for it?

2nd question:
The bigger problem might be with the AD integration. Does the policy node talk to the DCs, or is that all handled via the Admin nodes?

Thanks

Giles Cooper

4 Replies
VIP Advocate

1) PSNs talk to each other when they are part of a node group. If they are not, they do not need to communicate with each other, as far as I can remember.

2) PSNs do talk to the AD, so this communication needs to be there.

The entire port and communication reference for all nodes is available here:

http://www.cisco.com/c/en/us/td/docs/security/ise/2-0/installation_guide/b_ise_InstallationGuide20/Cisco_SNS_3400_Series_Appliance_Ports_Reference.html

Beginner

Thanks for that.

So if a PSN can see all of the DCs apart from two, and it doesn't get a response, will it try another one?

If it is a bit slower then I don't really mind as it will be a temporary fix.

VIP Advocate (accepted solution)
Yes, it will fail over to another DC if it is not able to talk to its assigned one. I believe when you set up AD integration, it automatically assigns a DC from the domain based on the initial response, so the new PSN should talk to the DC it can reach (and closest to) only.

More info on that here:

http://www.cisco.com/c/en/us/td/docs/security/ise/2-0/ise_active_directory_integration/b_ISE_AD_integration_20.pdf
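The replies above make two points a practitioner would want to verify before joining the new node: the PSN needs direct connectivity to the domain controllers, and it will fall back to another DC it can reach. The following Python script is an added example, not code from the thread or from Cisco; it probes each DC on a set of TCP ports that AD integration commonly needs (that port set is an assumption here and should be confirmed against the port reference linked in the first reply), reports which DCs the lab site can reach in full, flags DCs that are only partly reachable (the case where a PSN can pick a DC and then time out on a blocked service), and models the failover choice. The DC hostnames are constructed, and the `connect` argument can be replaced with a stub to run the logic offline.

```python
import socket
from typing import Callable, Dict, List, Optional

# TCP ports an ISE PSN commonly needs on a domain controller.
# Assumption: illustrative set only; verify against Cisco's port reference.
AD_PORTS: Dict[str, int] = {
    "dns": 53,
    "kerberos": 88,
    "ldap": 389,
    "smb": 445,
    "global-catalog": 3268,
}

# Constructed sample inventory: lab DC hostnames, not real hosts.
SAMPLE_DCS: List[str] = [
    "dc1.lab.example",
    "dc2.lab.example",
    "dc3.remote.example",
]

Connector = Callable[[str, int], bool]


def tcp_connect(host: str, port: int, timeout: float = 2.0) -> bool:
    """Return True if a TCP handshake to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def probe_dcs(dcs: List[str], ports: Dict[str, int] = AD_PORTS,
              connect: Connector = tcp_connect) -> Dict[str, Dict[str, bool]]:
    """Probe every DC on every required port; returns {dc: {service: reachable}}."""
    return {dc: {name: connect(dc, port) for name, port in ports.items()} for dc in dcs}


def fully_reachable(results: Dict[str, Dict[str, bool]]) -> List[str]:
    """DCs that answered on all required ports, in inventory order."""
    return [dc for dc, svc in results.items() if all(svc.values())]


def partially_reachable(results: Dict[str, Dict[str, bool]]) -> Dict[str, List[str]]:
    """DCs reachable on some ports but not others, with the blocked services.
    This is the risky case: a PSN may select such a DC and then stall on the
    blocked service rather than moving on cleanly to another DC."""
    return {
        dc: [name for name, ok in svc.items() if not ok]
        for dc, svc in results.items()
        if any(svc.values()) and not all(svc.values())
    }


def pick_dc(results: Dict[str, Dict[str, bool]],
            preferred: Optional[str] = None) -> Optional[str]:
    """Model the failover described in the thread: keep the preferred DC if it
    is fully reachable, otherwise fall back to the first DC that is."""
    good = fully_reachable(results)
    if preferred in good:
        return preferred
    return good[0] if good else None


def report(results: Dict[str, Dict[str, bool]]) -> str:
    """One line per DC: OK, or the list of blocked services."""
    lines = []
    for dc, svc in results.items():
        blocked = [name for name, ok in svc.items() if not ok]
        status = "OK" if not blocked else "BLOCKED: " + ", ".join(blocked)
        lines.append(f"{dc:24} {status}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Run from a host in the new site to see what the PSN there would see.
    res = probe_dcs(SAMPLE_DCS)
    print(report(res))
    print("Partially reachable:", partially_reachable(res))
    print("PSN would use:", pick_dc(res))
```

Run it from a host on the same subnet as the planned PSN; a DC listed under "BLOCKED" on any port is the one to either open the path to or keep out of the PSN's reach entirely, so that DC selection falls through to a DC that is reachable on every service.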

Beginner

Thanks very much for your help.

Giles