11-25-2019 11:33 PM - edited 11-26-2019 02:23 AM
Is this a valid design for ISE 2.6? I don't see any issues as long as the latency between the PSN in country Y and the nodes in country X is less than 300 ms?
The main site is in Country X with two nodes carrying the admin/monitoring/PSN personas. Country Y has an office, connected back to the main site via MPLS. Instead of having authentications coming back to the main site, is it fine to put a PSN in country Y?
11-26-2019 05:10 AM
Having a Small ISE Deployment (Admin/MnT/PSN shared on two nodes) with an additional PSN is not an officially supported deployment scenario.
Having said that, what you are proposing works. There are customers who have a separate PSN in other countries with no issues; they use either the Medium or Large Network Deployments for this. See the link below for the supported deployment types.
There are other factors, too. Do you have an authentication server in the other country (an Active Directory Domain Controller, for example) in case the link goes down?
11-26-2019 05:27 AM - edited 11-26-2019 05:28 AM
Hi Charlie, thanks for the response. I want to stay with an officially supported deployment. If I want to keep the small deployment (Admin/MnT/PSN shared on two nodes), do you see any issues with not having a PSN in country Y and instead having all the RADIUS traffic coming back to the nodes in country X? The latency is not too bad over the MPLS, ~120-140 ms.
Or the other option would be to go for the hybrid deployment: two nodes for Admin/MnT, a dedicated PSN in country X and another dedicated PSN in country Y.
Also, I am not sure whether a local DC is present in the other country.
11-26-2019 05:30 AM
I agree with Charlie. We have a medium/large deployment and have successfully deployed to multiple international locations with latency up to 250 ms. 300 ms is the same figure we used when planning. We have run 2 upgrades and multiple patches and they have all worked, even over relatively low bandwidth (10 Mbps). You can also use Cisco Live slide decks for planning purposes.
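To compare the OP's two options against the planning rules stated in this thread (keep PSN-to-Admin/MnT round-trip latency under the 300 ms figure Charlie and Alex mention, a Small deployment plus an extra PSN is not an officially supported scenario, and a remote PSN should have a local identity source in case the WAN link fails), here is a small plan checker. This is an added example written for this page; it is not code from the thread, from Cisco, or from ISE itself. The node names, site names, user counts and RTT values are constructed, and the three rules are only those quoted in the thread; the full definitions of Cisco's supported deployment types are more detailed than what this script encodes.

```python
"""Deployment-plan sanity checks for a distributed ISE design (added example).

Encodes only the planning rules stated in the thread:
  * PSN <-> Admin/MnT round-trip latency should stay under 300 ms,
  * a Small deployment (Admin/MnT/PSN shared on two nodes) plus an extra PSN
    is not an officially supported scenario,
  * a site running a PSN should have a local identity source (e.g. an AD
    domain controller) so authentication survives a WAN outage.
All node names, sites, user counts and RTT values are constructed.
"""
from dataclasses import dataclass

LATENCY_LIMIT_MS = 300  # planning threshold quoted in the thread


@dataclass
class Node:
    name: str
    site: str
    personas: frozenset  # subset of {"admin", "mnt", "psn"}


@dataclass
class Site:
    name: str
    users: int
    local_identity_source: bool  # e.g. an AD domain controller on site


@dataclass
class Plan:
    nodes: list
    sites: dict   # site name -> Site
    rtt_ms: dict  # (site_a, site_b) -> measured round trip; treated as symmetric

    def rtt(self, a, b):
        if a == b:
            return 0
        return self.rtt_ms.get((a, b), self.rtt_ms.get((b, a)))


def check_latency(plan):
    """Flag every PSN whose RTT to an Admin or MnT node exceeds the limit."""
    findings = []
    psns = [n for n in plan.nodes if "psn" in n.personas]
    hubs = [n for n in plan.nodes if n.personas & {"admin", "mnt"}]
    for psn in psns:
        for hub in hubs:
            if psn is hub:
                continue
            rtt = plan.rtt(psn.site, hub.site)
            if rtt is None:
                findings.append(f"no RTT measurement between {psn.site} and {hub.site}")
            elif rtt > LATENCY_LIMIT_MS:
                findings.append(f"{psn.name}->{hub.name}: {rtt} ms exceeds {LATENCY_LIMIT_MS} ms")
    return findings


def check_topology(plan):
    """Flag a two-node shared-persona (Small) deployment that also has extra PSNs."""
    shared = [n for n in plan.nodes if n.personas >= {"admin", "mnt", "psn"}]
    extra = [n.name for n in plan.nodes if n.personas == {"psn"}]
    if len(shared) == 2 and extra:
        return [f"Small deployment with additional PSN(s) {extra} is not an officially supported scenario"]
    return []


def check_link_down(plan):
    """Flag sites that run a PSN but have no local identity source for a WAN outage."""
    return [f"{n.name} at {n.site}: no local identity source if the WAN link fails"
            for n in plan.nodes
            if "psn" in n.personas and not plan.sites[n.site].local_identity_source]


def radius_paths(plan):
    """Where each user site's RADIUS traffic lands: {site: (nearest PSN, rtt ms)}."""
    out = {}
    for s in plan.sites.values():
        if not s.users:
            continue
        best = None
        for n in plan.nodes:
            rtt = plan.rtt(s.name, n.site) if "psn" in n.personas else None
            if rtt is not None and (best is None or rtt < best[1]):
                best = (n.name, rtt)
        out[s.name] = best
    return out


def evaluate(plan):
    return check_latency(plan) + check_topology(plan) + check_link_down(plan)


def _sites(y_has_dc):
    return {"X": Site("X", users=500, local_identity_source=True),
            "Y": Site("Y", users=70, local_identity_source=y_has_dc)}


def option1_plan():
    """Small deployment only: all RADIUS from Y crosses the MPLS to X."""
    return Plan(nodes=[Node("ise-1", "X", frozenset({"admin", "mnt", "psn"})),
                       Node("ise-2", "X", frozenset({"admin", "mnt", "psn"}))],
                sites=_sites(False), rtt_ms={("X", "Y"): 130})


def option2_plan():
    """Hybrid: two Admin/MnT nodes in X, a dedicated PSN in each country."""
    return Plan(nodes=[Node("pan-1", "X", frozenset({"admin", "mnt"})),
                       Node("pan-2", "X", frozenset({"admin", "mnt"})),
                       Node("psn-x", "X", frozenset({"psn"})),
                       Node("psn-y", "Y", frozenset({"psn"}))],
                sites=_sites(False), rtt_ms={("X", "Y"): 130})


def small_plus_psn_plan(rtt_xy=130):
    """The OP's first idea: Small deployment plus an extra PSN in Y."""
    p = option1_plan()
    p.nodes.append(Node("psn-y", "Y", frozenset({"psn"})))
    p.rtt_ms = {("X", "Y"): rtt_xy}
    return p


if __name__ == "__main__":
    for label, plan in [("option 1", option1_plan()), ("option 2", option2_plan()),
                        ("small + PSN", small_plus_psn_plan())]:
        print(label, "findings:", evaluate(plan) or "none")
        print(label, "RADIUS paths:", radius_paths(plan))
```

Run as a script it prints, per option, the findings and where each site's RADIUS traffic goes. Option 1 passes every rule but shows Y's RADIUS crossing the 130 ms MPLS link; option 2 passes latency and topology but is flagged for Y lacking a local identity source, which is exactly the question Charlie raised; the Small-plus-PSN variant is flagged as unsupported.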
11-26-2019 08:17 AM
@Charlie Moreton wrote:
Having a Small ISE Deployment (Admin/MnT/PSN shared on two nodes) with an additional PSN is not an officially supported deployment scenario.
Having said that, what you are proposing works. There are customers who have a separate PSN in other countries with no issues, they use either the Medium or Large Network Deployments for this. See the link below for the supported deployment types. There are other factors, too. Do you have an authentication server in the other country (Active Directory Domain Controller, for example) in case the link goes down?
Agree with the guys here, @Alex Pfeil @Madura Malwatte.
Also check out BRKSEC-3432: https://cs.co/ise-training
11-26-2019 03:28 PM
Hi All, thanks for the replies.
So it comes down to two options. Do you see any issues going with option 1? Country Y only has an office with 50-80 users.
11-27-2019 04:26 PM
Hi @Jason Kunst @Charlie Moreton any comments regarding the two options?
11-27-2019 06:47 PM