ISE PSN Placement

GRANT3779 (Spotlight)

Hi All,

I am reading up on ISE and all the different deployment options. I am interested to know where people have placed their PSNs in a Network with many remote locations and is there any rule of thumb you follow?

Do you try to keep them in a centralised location as it does not seem feasible or cost effective to have a PSN at every site. From a remote location, at what latency to the centralised PSN would you start thinking about having a local Node?

If having a local node at a site, would you then configure a different RADIUS server group on these NADs?

Interested to hear how others have placed PSNs when having multiple remote locations (some over very high latency links, e.g. satellite).

Thanks

5 Replies

Francesco Molino (VIP Alumni), accepted solution

Hi

You have to respect some latency and bandwidth. Take a look here: https://communities.cisco.com/docs/DOC-64317

There is an excel sheet provided for your design.

From my personal experience, I've deployed some ISE across Europe and Africa and I never installed any ISE locally (except one time where the line wasn't so reliable). All the time, based on customer design, they were in central points (datacenters).

I'm talking about Africa because a lot of sites were on satellite connectivity and it is working well. However, we were below or equal to the limitations.

As soon as you respect the limitations, you can deploy them as you want.

Anyway, as I guess you'll have a POC phase (test phase), you can start with a central point (to validate that everything is working as expected) and deploy new PSN locally for very high latency sites.

Thanks so much

Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
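The POC measurement described in the reply above (start from a central PSN and see whether the remote sites stay inside the latency and bandwidth limits) can be done from the remote site with a plain RADIUS probe. The script below is an added example, not code from the thread or from Cisco: it sends Access-Requests (RFC 2865, PAP) to a PSN and records round-trip time, timeouts, and replies whose Response Authenticator does not verify. The PSN host, shared secret, test account and NAS IP are placeholders. One caveat that is easy to miss: ISE by default does not answer RADIUS from an IP that is not defined as a network device, so an all-timeout result can mean "unknown NAD" or "wrong shared secret" rather than a dead link; an Access-Reject for the test account is fine, since only the round trip is being measured.

```python
"""RADIUS Access-Request latency probe (RFC 2865, PAP).
Added example for this thread, not code from the post or from Cisco.
Placeholders: the PSN host, shared secret, test account and NAS IP."""
import hashlib
import os
import socket
import struct
import time

ACCESS_REQUEST = 1
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP, ATTR_NAS_ID = 1, 2, 4, 32


def _attr(atype, value):
    # RADIUS attribute: Type (1 byte), Length (1 byte, includes header), Value
    return struct.pack("BB", atype, len(value) + 2) + value


def pap_encrypt(secret, password, authenticator):
    """RFC 2865 5.2: XOR each 16-byte chunk with MD5(secret + previous block)."""
    padded_len = max(16, -(-len(password) // 16) * 16)
    password = password.ljust(padded_len, b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(password), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(password[i:i + 16], key))
        out += block
        prev = block
    return out


def pap_decrypt(secret, ciphertext, authenticator):
    """Inverse of pap_encrypt, for checking a capture against a known secret."""
    out, prev = b"", authenticator
    for i in range(0, len(ciphertext), 16):
        key = hashlib.md5(secret + prev).digest()
        block = ciphertext[i:i + 16]
        out += bytes(a ^ b for a, b in zip(block, key))
        prev = block
    return out.rstrip(b"\x00")


def build_access_request(secret, username, password, identifier, authenticator,
                         nas_ip="192.0.2.10"):
    """Code(1) Identifier(1) Length(2) Authenticator(16) Attributes; nas_ip is a placeholder."""
    attrs = (_attr(ATTR_USER_NAME, username)
             + _attr(ATTR_USER_PASSWORD, pap_encrypt(secret, password, authenticator))
             + _attr(ATTR_NAS_IP, socket.inet_aton(nas_ip))
             + _attr(ATTR_NAS_ID, b"psn-latency-probe"))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs


def sign_response(secret, code, identifier, attrs, request_authenticator):
    """Server side: ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attrs + Secret)."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + auth + attrs


def verify_response(secret, response, request_authenticator, identifier):
    """True only if the reply carries our identifier and its authenticator checks out."""
    if len(response) < 20 or response[1] != identifier:
        return False
    if struct.unpack("!H", response[2:4])[0] != len(response):
        return False
    expected = hashlib.md5(response[:4] + request_authenticator + response[20:] + secret).digest()
    return expected == response[4:20]


def probe(host, secret, username, password, port=1812, timeout=5.0, count=5):
    """Send `count` Access-Requests; return (rtts_ms, timeouts, unverified_replies).
    ISE drops requests from IPs not defined as network devices, so all-timeouts
    may mean an unknown NAD or a wrong shared secret, not only a slow link."""
    rtts, timeouts, bad = [], 0, 0
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        for ident in range(count):
            request_auth = os.urandom(16)
            pkt = build_access_request(secret, username, password, ident, request_auth)
            started = time.monotonic()
            sock.sendto(pkt, (host, port))
            try:
                reply, _ = sock.recvfrom(4096)
            except socket.timeout:
                timeouts += 1
                continue
            if verify_response(secret, reply, request_auth, ident):
                rtts.append((time.monotonic() - started) * 1000.0)
            else:
                bad += 1
    return rtts, timeouts, bad


if __name__ == "__main__":
    import sys
    # usage: python probe.py <psn-host> <shared-secret>   (both placeholders)
    rtts, timeouts, bad = probe(sys.argv[1], sys.argv[2].encode(), b"latency-probe", b"replace-me")
    if rtts:
        print("rtt ms: min %.1f max %.1f avg %.1f" % (min(rtts), max(rtts), sum(rtts) / len(rtts)))
    print("timeouts: %d  unverified replies: %d" % (timeouts, bad))
```

Run it from the remote site against the central PSN (and against a trial local node, if you stand one up) and compare the numbers with the latency and bandwidth figures in the design document linked above rather than with any fixed value; the script deliberately carries no threshold of its own. Note that this measures NAD-to-PSN round trip, which is a different limit from the node-to-node replication latency that governs whether a PSN can be part of the deployment at all.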

Morning Francesco (Or Afternoon / Evening wherever you are)

Thanks for that very useful reply, appreciated.

In addition to my initial query -

At the moment I have a "small deployment" with two Nodes, Primary / Secondary. Each running all the Personas. I have some WiFi related Radius config already live on these.

I will be looking to deploy x2 more Nodes and move the PSN Personas from my current Nodes to these new ones. Ideally I would like to readdress my new PSNs with the current addresses used by Admin Nodes. Reason being my WLCs are already pointing to these addresses for Radius.

Is there any serious deployment issues readdressing PANs in a deployment?

Am I safer just keeping things as they are, giving my new PSNs different IPs, and then changing the WLC RADIUS server addresses? Seems an easier way.

Thanks

Hi

With ISE running the ADM/MNT personas on the same machine, you can have at least 5 PSNs.

I would recommend deploying your new PSN; it will then be synced with your current ISE infrastructure.

After that, you can change/add your PSN IP in your WLC as a tertiary RADIUS server. It won't impact anything on the wireless side.

If the PSNs are in different locations and you don't have any load balancer, I would recommend using anycast to provide high availability. That allows you to have one IP to configure and then play with the routing table/IP SLA.

This is something I'm using quite often, and there is actually a good explanation of how it works in this blog post by Aaron Woland (Cisco master ISE guy!): http://www.networkworld.com/article/3074954/security/how-to-use-anycast-to-provide-high-availability-to-a-radius-server.html

Thanks so much

Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

GRANT3779 (Spotlight)

Hi Francesco,

Just coming back to this - high latency sites.

You quoted below -

Anyway, as I guess you'll have a POC phase (test phase), you can start with a central point (to validate that everything is working as expected) and deploy new PSN locally for very high latency sites.

Now if I have a high latency site and decide to put a local PSN there, could this PSN still be part of my overall single deployment. Reason I am asking is that I have read any Node in a deployment needs to be max of 300ms apart.

If my remote site was, say, 700ms from my PANs and current PSNs, what effect would this have on any locally installed PSN at that site?

Thanks

The bandwidth and latency between PSN and PAN are important because a lot of things go through them (DB replication, audit logging, profiling, ...).

Take a look on Cisco Live slides: http://d2zmdbbm9feqrf.cloudfront.net/2016/usa/pdf/BRKSEC-3699.pdf

You can test it to see if everything works as expected even with 700ms latency.

If not working, you'll need to deploy a PAN/MnT locally

Thanks so much

Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question