Key Config Questions and Considerations for Distributed ISE Deployment

techno.it
Level 1

I'm new to the distributed deployment of ISE, and I'd like to verify my understanding.

Our plan for ISE deployment is outlined below:

At the Main Site:

2 Primary Administration Nodes (PAN)
2 Monitoring Nodes (MNT)
2 Policy Services Nodes (PSN)

At Remote Geographical Locations

2 Policy Services Nodes (PSN)

I have a couple of questions regarding this setup:

How can I ensure that when I push a configuration from the PAN to Site 1, it doesn't propagate or share any information with the PSNs at other sites?

In the event that the PSN1 node at Site 1 goes down, how can I prevent it from sending Change of Authorization (COA) requests to the PSNs at the other sites?

I'm also curious about the bandwidth requirements for sending logs from the PSNs to the Monitoring Nodes. We have 20,000 users at the Main Site and 10,000 users at each of the remote sites.

Lastly, in case of a WAN failure, does the PSN store any logs locally?

7 Replies

  1. It does.  The config database is the same across all PSNs in the deployment.
  2. If the PSN is down it won't be able to send CoA
  3. What is your site bandwidth?  The ISE bandwidth is usually negligible with modern circuit sizes.  The exception here would be for things like upgrades and patches.
  4. Yes, up until its log buffer fills.  Once the connection to the MnT is restored, the logs are copied.


@ahollifield wrote:
  1. It does.  The config database is the same across all PSNs in the deployment.

Can't we put the PSNs at each site in their own node group based on their respective locations? We want the database on each PSN to be available only to its corresponding site. Additionally, each site has its own AD server functioning as a child domain. PSN nodes in site 1 will never serve other remote sites and vice versa.

Is there a need for PSNs in site 1 to synchronize with PSNs in remote sites or establish any form of connectivity?

Yes, but that node group feature isn't for the configuration database. It's only for captive portal session failover and optimizes operational data replication between nodes.

1- Only the PAN syncs and pushes the configuration database to all PSNs. How frequently is it done? What is the approximate size of the database?

2- That means the policies which exist on PSN1 in Site 1 would also appear on the PSN in Site 2.

3- Is there a need for PSNs in site 1 to synchronize with PSNs in remote sites or establish any form of connectivity?

  1. As soon as anything in the database changes.  Impossible to say, depends on the number of endpoints, configuration, etc.
  2. Yes, but all policies are managed by the PAN.  Why are there individual policies per site?  Why wouldn't you use the same policy for all sites?
  3. https://www.cisco.com/c/en/us/td/docs/security/ise/3-2/install_guide/b_ise_installationGuide32/b_ise_InstallationGuide32_chapter_7.html


@ahollifield wrote:
  1. Yes, but all policies are managed by the PAN.  Why are there individual policies per site?  Why wouldn't you use the same policy for all sites?

Because each site has its own AD server for authenticating users.

So? A properly configured AD Sites and Services should take care of this automatically.