07-07-2023 05:11 AM
Hi Guys,
My AD, DNS, CA, and PAN/SAN are in my DC. Should I position my PSNs locally at my offices, or should I deploy them in the DC as well, closer to the PAN, AD, DNS, etc.? Which is best?
Thank you
07-07-2023 05:19 AM
Hello @fatalXerror,
If network latency is a concern, deploying the PSNs closer to these components can reduce the latency and improve performance.
Also, evaluate your security requirements and the sensitivity of the traffic between the PSNs and other components. If the communication between PSNs and the PAN, AD, DNS, etc., involves sensitive data, it might be preferable to keep the PSNs within the controlled environment of the data center.
07-07-2023 05:56 AM
Hi M02@rt37, thank you for your reply, but what if I also associate my guest access with it? Will it be okay if my PSN is in the DC rather than deployed locally at the office site? Thank you
07-07-2023 07:11 AM
That is absolutely fine. Usually we don't deploy ISE nodes in the offices; usually we deploy them in the cloud or in the DCs. Depending on the deployment, you might want to distribute them across multiple regions, and the latency between ISE nodes shouldn't be higher than 300 ms.
07-08-2023 01:14 AM - edited 07-08-2023 01:15 AM
Hello @fatalXerror,
By deploying ISE nodes in data centers, you can leverage the scalability and flexibility offered by these environments. Additionally, centralized management simplifies administration tasks and allows for consistent policies and configurations across the network.
Overall, deploying ISE nodes in data centers aligns with industry best practices and can provide a robust and efficient identity and access management solution for your organization.
07-09-2023 08:27 PM
Hi M02@rt37 / @Aref Alsouqi, from a security standpoint, is it advisable to deploy a PSN with guest services in the offices in a DMZ zone, so that guest auth will not go all the way to the DC?
07-10-2023 01:12 AM
It doesn't really matter much whether you deploy the PSN in the office or in the DC from that perspective. However, what does matter is the guest traffic flow design. Personally, I always try to dedicate an interface on the PSN to serve the guest traffic, and obviously that traffic would need to be segregated at L2 as well, denying any traffic from the guest network to your RFC1918 space with the exception of the ISE guest portal, and maybe the DHCP traffic.
In that case, when a guest tries to connect to the guest network, they will be redirected to the PSN portal, which points to the PSN's dedicated interface, and ISE will reply back to the guests out of that interface. This way the guests won't be able to see the ISE management private IP at all, and they won't be able to reach the management console.
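The guest-VLAN filtering described in the reply above, written out as an added example (not code from the original thread or from Cisco): a first-match ACL model that permits DHCP and the guest portal on the PSN's dedicated interface, denies everything else into RFC1918, and lets the remainder out to the Internet. All addresses, the portal port 8443, and the ACL name are assumptions for illustration; `render_ios` produces the equivalent IOS-style extended ACL so the policy can be compared against what is actually configured. It goes one step beyond the reply by also denying all other ports on the dedicated guest interface, so that a non-RFC1918 portal address does not fall through to the catch-all permit.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed addresses for the example; none of these come from the thread.
PSN_GUEST_PORTAL = "198.51.100.10"   # PSN dedicated guest interface (hypothetical, in the DMZ)
PSN_MGMT = "10.10.20.5"              # PSN management interface (hypothetical, RFC1918)
GUEST_PORTAL_PORT = 8443             # ISE guest portal default port (assumed)

RFC1918 = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]


@dataclass(frozen=True)
class Rule:
    action: str                      # "permit" or "deny"
    proto: str                       # "ip" (any), "tcp" or "udp"
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None      # None means any destination port


def rule(action: str, proto: str, dst: str, dport: Optional[int] = None) -> Rule:
    return Rule(action, proto, ipaddress.ip_network(dst), dport)


# First-match ACL applied inbound on the guest VLAN interface, in this order:
#  1. DHCP to the relay/server (must precede the RFC1918 deny or the relay breaks)
#  2. the guest portal on the PSN's dedicated interface only
#  3. nothing else to that interface (SSH, GUI, RADIUS ports stay closed to guests)
#  4. nothing else to RFC1918 (this is what hides the PSN management IP)
#  5. everything else out to the Internet
# Internal DNS (udp/53) would need its own permit if guests resolve through it;
# it is left out here to mirror the reply.
GUEST_IN_ACL = [
    rule("permit", "udp", "0.0.0.0/0", 67),
    rule("permit", "tcp", f"{PSN_GUEST_PORTAL}/32", GUEST_PORTAL_PORT),
    rule("deny", "ip", f"{PSN_GUEST_PORTAL}/32"),
    *[rule("deny", "ip", net) for net in RFC1918],
    rule("permit", "ip", "0.0.0.0/0"),
]


def evaluate(acl, proto: str, dst: str, dport: Optional[int] = None) -> str:
    """Return 'permit' or 'deny' for a flow from the guest VLAN, first match wins."""
    dst_ip = ipaddress.ip_address(dst)
    for r in acl:
        if r.proto != "ip" and r.proto != proto:
            continue
        if dst_ip not in r.dst:
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return r.action
    return "deny"  # implicit deny at the end, as on IOS


def render_ios(acl, name: str = "GUEST-IN") -> str:
    """Render the rule list as an IOS-style extended ACL (source is always 'any')."""
    lines = [f"ip access-list extended {name}"]
    for r in acl:
        if r.dst.prefixlen == 0:
            dst = "any"
        elif r.dst.prefixlen == 32:
            dst = f"host {r.dst.network_address}"
        else:
            dst = f"{r.dst.network_address} {r.dst.hostmask}"
        port = f" eq {r.dport}" if r.dport is not None else ""
        lines.append(f" {r.action} {r.proto} any {dst}{port}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_ios(GUEST_IN_ACL))
    for proto, dst, port, what in [
        ("tcp", PSN_GUEST_PORTAL, GUEST_PORTAL_PORT, "guest portal"),
        ("tcp", PSN_GUEST_PORTAL, 22, "SSH to guest interface"),
        ("tcp", PSN_MGMT, 443, "PSN management GUI"),
        ("udp", "10.10.20.53", 67, "DHCP to relay/server"),
        ("tcp", "93.184.216.34", 443, "Internet HTTPS"),
    ]:
        print(f"{what:26} -> {evaluate(GUEST_IN_ACL, proto, dst, port)}")
```

The check that matters most is the third flow: even though the management IP hosts the same portal port, the RFC1918 deny stops the guest from ever reaching it, which is the whole point of the dedicated interface.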
07-10-2023 01:18 AM
Yes, Cisco recommends putting the PSN in the DMZ.
But be sure that there is connectivity between the PSN and the PPAN/SPAN.
07-08-2023 12:49 AM
Check this link, which confirms you add the PSN locally and add the PPAN/SPAN in the DC.