Solved: Re: PAN/Mnt/PXGrid and PSN virtual deployment

ibrahimbadr4669 · ‎08-30-2023

Dears,

I have two nodes (PAN/Mnt/PXGrid and PSN ), I have to choose which one will be on appliance 3615 and which one will be on virtual deployment?

1- PSN virtual and PAN/Mnt/PXGrid on the appliance

2- PSN on appliance and PAN/Mnt/PXGrid virtual

Thanks and BR;

hslai · ‎09-01-2023

@ibrahimbadr4669 If your access to both virtual and hardware appliances are the same and the both types have the same performance characteristics, then it does not matter how you assign the personas. You may always swap the personas around later.

View solution in original post

balaji.bandi · ‎08-30-2023

i go with the below :

2- PSN on appliance and PAN/Mnt/PXGrid virtual

also make sure you choose right VM compute resources.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

ibrahimbadr4669 · ‎08-30-2023

Thanks alot Balaji for your kind support, is there cisco document discuss this subject

balaji.bandi · ‎09-01-2023

some of the things not documented always it was experience we suggest.

to be honest if you do not do compute properly on Virtual environment ISE struggle lot - compare to appliance which was tuned for ISE to run as expected.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Greg Gibbs · ‎08-30-2023

Duplicate post. See https://community.cisco.com/t5/network-access-control/pan-mnt-pxgrid-and-psn-virtual-deployment/td-p/4914630

ibrahimbadr4669 · ‎08-30-2023

ibrahimbadr4669 · ‎08-31-2023

if we use virtual for PSN, if the it's fail. I Think it's easier to recover it . Is the virtual has performance issue so HW is preferred as PSN do the main function of ISE. Is that Right ?

hslai · ‎09-02-2023

Virtual should be more flexible and, with properly reservation, have similar performance characteristics to that of HW. You might want to opt for HW due to coordination complexity with virtual infrastructure teams, and due to security.

hslai · ‎08-31-2023

@ibrahimbadr4669 If you have two ISE nodes, it's better to have both to run everything for redundancy. Virtual appliances could perform better or poorer than hardware appliances depending on the underlying hardware and resource allocations.

ibrahimbadr4669 · ‎09-01-2023

@hslai thanks for your reply, we will do the medium deployment and the redundancy is considered, however due to the appliance numbers limitation we have , we will mix virtual and appliance. So my question if I have to choose between PSN and PAN/Mnt/PXGrid which one should be virtual ? And if there is any document that discuss the pros and cons , it will be wonderful

hslai · ‎09-01-2023

@ibrahimbadr4669 If your access to both virtual and hardware appliances are the same and the both types have the same performance characteristics, then it does not matter how you assign the personas. You may always swap the personas around later.

ibrahimbadr4669 · ‎09-03-2023

thanks you all a lot for your kind information and support