Solved: Re: Modifying ISE deployment

virtualpedia · ‎09-11-2020

Hi All,

If you have a 2 node virtual ise deployment where ISE1 is Primary PAN, Primary PSN, Primary MnT and ISE2 is Secondary PAN, Primary PSN, Secondary MnT, but then for whatever reason decide you want dedicated PSN's, is that possible?

Could you simply deploy a new VM, register it on your primary PAN and only add the PSN role?

Colby LeMaire · ‎09-11-2020

Absolutely! Just add your additional nodes as PSN's. The Cisco recommendation would be to remove the PSN role from the PAN/MnT nodes once you start adding additional PSNs. It will work with the following but Cisco TAC may tell you it isn't a supported deployment type:

Node 1: PAN, MnT, PSN

Node 2: PAN, MnT, PSN

Node 3: PSN

Recommendation would be to do the following if you can:

Node 1: PAN, MnT

Node 2: PAN, MnT

Node 3: PSN

Node 4: PSN

View solution in original post

Colby LeMaire · ‎09-11-2020

Absolutely! Just add your additional nodes as PSN's. The Cisco recommendation would be to remove the PSN role from the PAN/MnT nodes once you start adding additional PSNs. It will work with the following but Cisco TAC may tell you it isn't a supported deployment type:

Node 1: PAN, MnT, PSN

Node 2: PAN, MnT, PSN

Node 3: PSN

Recommendation would be to do the following if you can:

Node 1: PAN, MnT

Node 2: PAN, MnT

Node 3: PSN

Node 4: PSN

virtualpedia · ‎09-11-2020

thanks @Colby LeMaire !

I also had a scenario I was thinking which is below, but as you said, it will probably work, but TAC may say not supported. I thought of this as it may be able to save on some costs but I'd want a 100% supported tac solution

Site A: (Primary)

Node 1: PAN, MnT, PSN

Site B: (Standby)

Node 2: PAN, MnT, PSN

Site C:

Node 3: PSN