08-31-2023 01:55 AM
I'm new to the distributed deployment of ISE, and I'd like to verify my understanding.
Our plan for ISE deployment is outlined below:
At the Main Site:
2 Primary Administration Nodes (PAN)
2 Monitoring Nodes (MNT)
2 Policy Services Nodes (PSN)
At Remote Geographical Locations:
2 Policy Services Nodes (PSN)
I have a couple of questions regarding this setup:
How can I ensure that when I push a configuration from the PAN to Site 1, it doesn't propagate or share any information with the PSNs at other sites?
In the event that the PSN1 node at Site 1 goes down, how can I prevent it from sending Change of Authorization (COA) requests to the PSNs at the other sites?
I'm also curious about the bandwidth requirements for sending logs from the PSNs to the Monitoring Nodes. We have 20,000 users at the Main Site and 10,000 users at each of the remote sites.
Lastly, in case of a WAN failure, does the PSN store any logs locally?
08-31-2023 04:05 AM
08-31-2023 04:48 AM - edited 08-31-2023 04:53 AM
@ahollifield wrote:
- It does. The config database is the same across all PSNs in the deployment.
Can't we put the PSNs at each site in their own node group based on their respective locations? We want the database on each PSN to be available only for its corresponding site. Additionally, each site has its own AD server functioning as a child domain. PSN nodes in site 1 will never serve other remote sites and vice versa.
Is there a need for PSNs in site 1 to synchronize with PSNs in remote sites or establish any form of connectivity?
08-31-2023 04:58 AM
08-31-2023 06:39 AM
1- Only the PAN syncs and pushes the configuration database to all PSNs. How frequently is it done? What is the approximate size of the database?
2- That means the policies which exist on PSN1 in Site 1 would also appear on the PSN in Site 2.
3- Is there a need for PSNs in site 1 to synchronize with PSNs in remote sites or establish any form of connectivity?
08-31-2023 06:49 AM
08-31-2023 07:12 AM
@ahollifield wrote:
- Yes, but all policies are managed by the PAN. Why are there individual policies per site? Why wouldn't you use the same policy for all sites?
Because each site has its own AD server for authenticating users.
08-31-2023 07:27 AM