PAN and MNT Placement

disoares
Cisco Employee

Hi Team,

I have a Customer that is going to a Hybrid deployment with 2x 3695 (PAN and MNT) + 4x 3655 (PSN).

What is the recommendation in terms of A/S placement for PAN and MNT?

Is it recommended to do Primary PAN + Secondary MNT in one server and Secondary PAN + Primary MNT on the second server

or

Primary PAN + Primary MNT in one server and Secondary PAN + Secondary MNT on the second server?

Best,

Diego

1 Accepted Solution

Damien Miller
VIP Alumni
As long as the nodes in the deployment are within 300 ms of the primary admin node, you are typically OK. I have seen some issues in deployments coming close to this number, but it's hard to pinpoint it as the only cause. It's still being looked at. I like to split the primary PAN and primary MNT, but if your deployment is sized right, and healthy, it shouldn't matter much.

Putting the primary MNT role with the Secondary PAN can potentially balance the load a bit better since the secondary PAN does very little. The primary MNT and the secondary MNT do very similar roles in that they process all the same logs from the PSNs, but are not identical.

The primary MNT will be the provider of live logs, dashboards, and any reports that are exported.
The secondary MNT provides the pxGrid nodes their session data, but not much else.

It could be worthwhile testing performance from a latency/dashboard perspective hosting the primary PAN and primary MNT on the same server. I've never noticed a difference.

3 Replies

Thanks for the reply.

I understand your points and also understand that it will work both ways. I am still struggling to find an official guidance from Cisco.

The only thing I was able to find was Craig's response - https://community.cisco.com/t5/identity-services-engine-ise/design-clarification-for-ise-pan-mnt-personas/m-p/3574288

His Cisco Live presentation is clear that both PAN and MNT should go on the same server. https://www.ciscolive.com/c/dam/r/ciscolive/us/docs/2018/pdf/BRKSEC-3699-reference.pdf (page 35)

But I would not consider a Cisco Live presentation an official guidance. Would like to hear from someone within the BU an official answer.


@disoares wrote:

Thanks for the reply.

I understand your points and also understand that it will work both ways. I am still struggling to find an official guidance from Cisco.

The only thing I was able to find was Craig's response - https://community.cisco.com/t5/identity-services-engine-ise/design-clarification-for-ise-pan-mnt-personas/m-p/3574288

His Cisco Live presentation is clear that both PAN and MNT should go on the same server. https://www.ciscolive.com/c/dam/r/ciscolive/us/docs/2018/pdf/BRKSEC-3699-reference.pdf (page 35)

But I would not consider a Cisco Live presentation an official guidance. Would like to hear from someone within the BU an official answer.


Craig's answer is from the BU. Also what Damien says is correct. 

https://community.cisco.com/t5/security-documents/ise-performance-amp-scale/ta-p/3642148