ISE PSN Positioning

fatalXerror (Level 5)

Hi Guys,

My AD, DNS, CA, and PAN/SAN are in my DC. Should I position my PSNs locally at my offices or should I deploy it in the DC also closer to the PAN, AD, DNS, etc.? Which is best?

Thank you


8 Replies

M02@rt37 (VIP)

Hello @fatalXerror,

If network latency is a concern, deploying the PSNs closer to these components can reduce the latency and improve performance.

Also, evaluate your security requirements and the sensitivity of the traffic between the PSNs and other components. If the communication between PSNs and the PAN, AD, DNS, etc., involves sensitive data, it might be preferable to keep the PSNs within the controlled environment of the data center.

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

Hi M02@rt37, thank you for your reply, but what if I also associate my guest access with it? Will it be okay if my PSN is in the DC rather than deployed locally at the office site? Thank you

That is absolutely fine. Usually we don't deploy ISE nodes in the offices; usually we deploy them in the cloud or in the DCs. Depending on the deployment, you might want to distribute them across multiple regions, and the latency between ISE nodes shouldn't be higher than 300 ms.

Hello @fatalXerror,

By deploying ISE nodes in data centers, you can leverage the scalability and flexibility offered by these environments. Additionally, centralized management simplifies administration tasks and allows for consistent policies and configurations across the network.

Overall, deploying ISE nodes in data centers aligns with industry best practices and can provide a robust and efficient identity and access management solution for your organization.

 

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

Hi M02@rt37 / @Aref Alsouqi, from a security standpoint, is it advisable to deploy a PSN with guest services in the offices in a DMZ zone so that guest auth will not go all the way through to the DC?

It doesn't really matter much if you deploy the PSN in the office or in the DC from that perspective. However, what does matter would be the guest traffic flow design. Personally I always try to dedicate an interface on the PSN to serve the guest traffic, and obviously that traffic would need to be segregated at L2 as well as denying any traffic from the guest network to your RFC1918 with the exception for ISE guest portal, and maybe the DHCP traffic.

In that case when a guest tries to connect to the guest network they will be redirected to the PSN portal which is pointing to the PSN dedicated interface, and ISE will reply back to the guests out of that interface. This way the guests won't be able to see ISE management private IP at all and they won't be able to hit the management console all the way.
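The guest-segment filter described in the reply above, as an added example that is not part of this thread and not Cisco's own configuration: guests get DHCP and the portal on the PSN's dedicated guest interface, everything else toward RFC 1918 space (including the PSN management IP) is denied, and Internet-bound traffic is permitted. All addresses, the ACL name GUEST-IN and the `Flow` helper are constructed for the example; the portal port 8443 is assumed. `guest_policy` evaluates a flow against that ordered rule set so the ordering can be checked, and `render_acl` emits the same rules as an IOS-style extended ACL. The L2 separation the reply also calls for (a dedicated guest VLAN/SSID) is configured separately and is not expressed here.

```python
import ipaddress
from dataclasses import dataclass
from typing import List

# All addresses below are constructed for this example; they are not from the thread.
PSN_GUEST_IF = ipaddress.ip_address("172.16.50.10")  # PSN interface dedicated to guest traffic (guest DMZ)
PSN_MGMT_IF = ipaddress.ip_address("10.10.10.10")    # PSN management interface: must stay unreachable from guests
GUEST_PORTAL_PORT = 8443                              # assumed TCP port the guest portal listens on

# RFC 1918 private ranges the guest segment must not reach
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Flow:
    src: str    # guest client address
    dst: str    # destination address
    proto: str  # "tcp" or "udp"
    dport: int  # destination port


def is_rfc1918(addr: ipaddress.IPv4Address) -> bool:
    return any(addr in net for net in RFC1918)


def guest_policy(flow: Flow) -> str:
    """Evaluate one guest flow against the ordered rule set; returns 'permit' or 'deny'."""
    dst = ipaddress.ip_address(flow.dst)
    # 1. DHCP so guests can obtain an address (the "maybe DHCP" exception)
    if flow.proto == "udp" and flow.dport == 67:
        return "permit"
    # 2. The guest portal, but only on the PSN's dedicated guest interface
    if flow.proto == "tcp" and flow.dport == GUEST_PORTAL_PORT and dst == PSN_GUEST_IF:
        return "permit"
    # 3. Anything else toward private address space is blocked, which covers
    #    the PSN management IP and every other internal host
    if is_rfc1918(dst):
        return "deny"
    # 4. Internet-bound traffic is what the guest network is for
    return "permit"


def render_acl(name: str = "GUEST-IN") -> List[str]:
    """Emit the same rules as an IOS-style extended ACL, applied inbound on the guest SVI."""
    lines = [f"ip access-list extended {name}",
             " permit udp any eq bootpc any eq bootps",
             f" permit tcp any host {PSN_GUEST_IF} eq {GUEST_PORTAL_PORT}"]
    for net in RFC1918:
        # IOS ACLs use wildcard (inverse) masks, which ipaddress exposes as hostmask
        lines.append(f" deny ip any {net.network_address} {net.hostmask}")
    lines.append(" permit ip any any")
    return lines


if __name__ == "__main__":
    guest = "172.16.60.25"  # constructed guest client address
    for f in (Flow(guest, str(PSN_GUEST_IF), "tcp", GUEST_PORTAL_PORT),
              Flow(guest, str(PSN_MGMT_IF), "tcp", 443),
              Flow(guest, "8.8.8.8", "udp", 53)):
        print(f"{f.proto}/{f.dport} -> {f.dst}: {guest_policy(f)}")
    print("\n".join(render_acl()))
```

Rule order matters: the portal permit must sit above the RFC 1918 denies, and it is tied to the guest interface address, so the same port on the management IP is still denied. The portal FQDN guests are redirected to must resolve to that guest-interface address, or the redirect lands on a denied destination.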

Yes, Cisco recommends putting the PSN in the DMZ, but be sure that there is connectivity between the PSN and the PPAN/SPAN.
[Attachment: Screenshot (54).png]