02-14-2018 11:29 PM - edited 02-21-2020 10:45 AM
Hi,
I'm looking for a suggestion for an ISE deployment model for our three data centers. These three data centers each have autonomy requirements. This means that every data center must fully deliver all the services in case of the loss of the other two data centers. If I place the PAN and MnT centrally and PSNs in all three data centers, I will not be able to manage the ISE infrastructure if I lose the central data center. If I spread the PAN and MnT over two of the three data centers that need autonomy, with PSNs in all three data centers, I will not be able to manage the ISE infrastructure if I lose the two data centers where the PAN and MnT personas are.
Of course there are more data centers in our infrastructure, but with no such autonomy requirements. There I think I'm fine with just placing PSNs?
What can I do? What do I miss?
Thanks a lot!
02-15-2018 10:27 AM
Hi,
What is the estimated deployment size? More than 20K endpoints?
You could have a 1 x PAN and 1 x MnT in one of these 3 DCs and a Secondary PAN/MnT in another DC (not one of the original 3 DCs). This way if one of those 3 DCs goes down you'd still have connectivity to a PAN/MnT.
In the event of a failure of both DCs where the PAN/MnT are located, the PSN can still authenticate existing AD connections. Features such as Guest registration, Profiling, CWA, BYOD onboarding and pxGrid would NOT be available. Check the table in the High Availability for the Administrative Node section for a list.
As far as the PSNs are concerned, have 1 x PSN per DC, ensure the other PSNs are listed as backups, and you should have connectivity in the event of a failure.
02-15-2018 11:49 AM
My 2 cents,
-You cannot have more than 1 Primary PAN + MnT and 1 Secondary PAN + MnT for the whole deployment.
-Running multiple personas on the same node significantly reduces the number of sessions per node. I mean, if you have for example a 3495 PSN also running PAN and MnT, then you will not get the 25K sessions for that node. I will post later the table showing what happens with the specific appliance/VM when running different personas. So in the end, the best way to go is to separate PSNs from Admin Nodes.
-PSNs can run even if the Primary PAN and Secondary PAN are both down, but no live logs/troubleshooting options are available. The only problem is that you would have to rebuild the whole deployment if one of them is not recovered. If the Primary/Secondary MnT are down but the PANs are up, authentication would still work but with no live logs/reports.
-Do not use ISE 2.2, wait for 2.4 which is expected to be more stable. However, 2.3 does the work.
-Only option: place Primary PAN/MnT + PSNs on DC1, Secondary PAN/MnT + PSNs on DC2, and DC3 just for PSNs. If you have the resources, RUN each persona on independent appliances or VMs. DO NOT combine multiple personas on 1 appliance, as I mentioned before. I have seen that running multiple personas on a 3495 does not work properly. Poor performance and multiple issues.
-Deploy 3595 VMs or appliances. By far more powerful and not an end-of-life product.
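The two answers above turn on the same set of rules: ISE allows only one Primary and one Secondary PAN and MnT, PSNs keep authenticating when every PAN and MnT is unreachable, but administration needs a surviving PAN and live logs/reports need a surviving MnT. The following script is an added example, not code from the original thread or from Cisco; it encodes those rules and walks every single and double data-center loss for a candidate layout so you can see which function is lost in which failure. The data-center names, node names and the placement in PROPOSED (Primary PAN/MnT plus PSN in DC1, Secondary PAN/MnT plus PSN in DC2, PSN only in DC3, as suggested in the second answer) are assumptions made for illustration.

```python
"""Persona-placement check for a multi-data-center Cisco ISE design.

Added example; not code from the original thread or from Cisco. Rules encoded:
  * at most one Primary and one Secondary PAN and MnT in the whole deployment
  * PSNs keep authenticating even when both PANs and both MnTs are lost
  * administration (policy changes) needs a surviving PAN
  * live logs and reports need a surviving MnT
Data-center names and node placements are assumptions for illustration.
"""
from itertools import combinations

# Constructed layout matching the design proposed in the thread:
# Primary PAN/MnT + PSN in DC1, Secondary PAN/MnT + PSN in DC2, PSN only in DC3.
PROPOSED = [
    {"name": "ise-dc1-admin", "dc": "DC1", "personas": {"PAN", "MnT"}},
    {"name": "ise-dc1-psn",   "dc": "DC1", "personas": {"PSN"}},
    {"name": "ise-dc2-admin", "dc": "DC2", "personas": {"PAN", "MnT"}},
    {"name": "ise-dc2-psn",   "dc": "DC2", "personas": {"PSN"}},
    {"name": "ise-dc3-psn",   "dc": "DC3", "personas": {"PSN"}},
]
AUTONOMY_DCS = ["DC1", "DC2", "DC3"]  # each must survive the loss of the other two


def validate_placement(nodes):
    """Return a list of rule violations; an empty list means the layout is legal."""
    problems = []
    pans = sum("PAN" in n["personas"] for n in nodes)
    mnts = sum("MnT" in n["personas"] for n in nodes)
    if pans > 2:
        problems.append(f"{pans} PAN nodes; ISE allows one Primary and one Secondary")
    if mnts > 2:
        problems.append(f"{mnts} MnT nodes; ISE allows one Primary and one Secondary")
    if not any("PSN" in n["personas"] for n in nodes):
        problems.append("no PSN: nothing would answer RADIUS/TACACS+ requests")
    return problems


def surviving_services(nodes, lost_dcs):
    """Which functions remain once every node in lost_dcs is unreachable."""
    alive = {p for n in nodes if n["dc"] not in lost_dcs for p in n["personas"]}
    return {
        "authentication": "PSN" in alive,   # PSNs run without any PAN/MnT
        "administration": "PAN" in alive,   # policy changes, node registration
        "logging": "MnT" in alive,          # live logs, reports, troubleshooting
    }


def autonomy_report(nodes, autonomy_dcs, max_lost=2):
    """Evaluate every loss of 1..max_lost autonomy DCs.

    Returns {frozenset(lost_dcs): services_dict} so the caller can see exactly
    which failure combination loses which function.
    """
    report = {}
    for k in range(1, max_lost + 1):
        for lost in combinations(autonomy_dcs, k):
            report[frozenset(lost)] = surviving_services(nodes, set(lost))
    return report


def losses_without(report, service):
    """Sorted list of failure combinations in which `service` is gone."""
    return sorted(sorted(lost) for lost, svc in report.items() if not svc[service])


if __name__ == "__main__":
    for problem in validate_placement(PROPOSED):
        print("placement error:", problem)
    rep = autonomy_report(PROPOSED, AUTONOMY_DCS)
    for lost, svc in sorted(rep.items(), key=lambda kv: sorted(kv[0])):
        state = ", ".join(f"{k}={'ok' if v else 'DOWN'}" for k, v in svc.items())
        print(f"lose {sorted(lost)}: {state}")
    # With only two admin nodes and three autonomy DCs, some double failure
    # must take both PANs; the report names it.
    print("administration lost when losing:", losses_without(rep, "administration"))
```

Running it against PROPOSED shows what the thread concludes in prose: authentication survives every single and double loss, but losing DC1 and DC2 together removes both PANs and both MnTs, so administration and live logging are gone until one of them is recovered. Swapping in any other placement (for example the "central PAN/MnT" layout from the question) makes the trade-off visible before the nodes are built.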