ISE split deployment question

Hassaan
Level 1

Hi,

I have two ISE VMs and am thinking of deploying them as a "split deployment", which, as per my understanding, places the two nodes in an Active/Active HA pair. So basically I want the PAN, PSN and MnT personas to be running on both nodes, and should one of them go down then all AAA requests will automatically fail over to the one that's still up.

I'm not entirely clear how I can achieve this?

I can see the option to configure PAN failover in the interface, but it says I would still need a third "secondary" node to be able to enable this. I guess I could do this, but I'm not sure how that would affect licensing as we only purchased for two VMs. Besides, this page suggests it's possible to do it without a 3rd node. https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/install_guide/b_ise_InstallationGuide24/b_ise_InstallationGuide24_chapter_00.html#ID-1413-000000a7

Can anyone help advise please?

Thanks

2 Accepted Solutions

UdupiKrishna
Cisco Employee

PSN is by design active/active in nature, meaning your NAD (switch, WLC) can always authenticate using either of the two PSNs deployed.

The request to a PSN does depend on the RADIUS server priority configured on the NAD.

Now, speaking about automatic PAN failover, you definitely need a 3rd health check node. If your concern is about disruption of services during a PAN outage, refer to the list of services that would and wouldn't work in such a scenario - https://www.cisco.com/c/en/us/td/docs/security/ise/2-0/admin_guide/b_ise_admin_guide_20/b_ise_admin_guide_20_chapter_010.html#ID90 (section High Availability for the Administrative Node)

If you aren't necessarily using services that are affected during such an outage, a 2 node deployment should be good.

Hi @Hassaan,

beyond what @UdupiKrishna said ... please take a look at the Performance and Scalability Guide for Cisco ISE (search for "Different Types of Cisco ISE Deployment") and the ISE Secure Wired Access Prescriptive Deployment Guide (search for "ISE Deployment Considerations").

Hope this helps!!!
