11-28-2020 10:17 AM - edited 11-28-2020 10:17 AM
Hi,
I'm new to ISE distributed deployment and I would like to confirm my understanding of the statements below from the Cisco document:
"Administration (PAN) – Administration Node is a single point of ISE deployment configuration. This persona provides full access to administration GUI."
"Policy Service (PSN) – Policy Service Node is a node that handles traffic between network devices and ISE (its IP is used as Radius for devices)."
Does it mean that, in a distributed deployment, the configuration for all nodes (PAN, PSN, MnT) is pushed from the PAN node, like centralized management for all node types?
So, in a distributed deployment, the PSN is only for handling client traffic and we don't need to manage the PSN separately. Is that correct?
Thank you so much all for always helping me.
Accepted Solutions
11-28-2020 10:52 AM - edited 11-28-2020 10:54 AM
ISE has 3 major components:
- Administration (PAN) – Administration Node is a single point of ISE deployment configuration. This persona provides full access to the administration GUI.
- Policy Service (PSN) – Policy Service Node is a node that handles traffic between network devices and ISE (its IP is used as RADIUS for devices). To achieve RADIUS traffic sharing you can scale the PSNs up.
- Monitoring (MnT) – Monitoring Node is responsible for log aggregation across the deployment.
Depending on the requirement, you mix the nodes (standalone: all on one).
Distributed: you can have PAN and MnT in one, PSN separated.
Some big deployments: PAN, MnT and PSN nodes, a 3-tier kind of deployment.
PAN is the central point for admin.
11-28-2020 11:25 AM
Any configuration you apply on an ISE deployment is always done through the primary PAN. The primary PAN is your management console for everything, and it is responsible for pushing the configuration to the other nodes in the deployment. For example, when you create the access policies on the primary PAN, the PAN will synchronize those changes with the secondary PAN, if available, and with all the PSNs.
Having a secondary PAN is not mandatory; however, it is highly recommended for PAN redundancy, and in an ISE deployment you can have up to two PAN nodes. Similarly for MnT nodes, which are responsible for collecting logs from all ISE nodes, reporting, pxGrid data parsing and more: you can have up to two MnT nodes in an ISE deployment.
One thing to keep in mind when it comes to PAN failover is that with a two-node ISE deployment, there is no way to perform auto-failover, which means that if the primary PAN goes down, you need to connect to the secondary PAN and promote it to be the new primary PAN manually. Similarly with preemption: there is no preemption with ISE, so when the old primary PAN comes back online and you want it to be the new primary, you have to connect to it and promote it to be the new primary. When the PAN goes down, the clients' authentication and authorization traffic will not be affected, as the NADs will be pointing to the PSNs' IP addresses as their RADIUS or TACACS servers. The PSNs do more than this: they provide BYOD flows, guest services, device profiling, posturing and more.