PX-GRID Deployment

raymondmf
Level 1

Looking at deploying PX-GRID. Would like to know if anyone has deployed PX-GRID combined with other personas in 2.4.

2 Accepted Solutions

Damien Miller
VIP Alumni
It is highly dependent on the scale and load of the deployment and if you want to run a tested solution. Jason provided some very good information where tested deployment model scale and best practices are covered in the ISE performance and scale guide and the Cisco Live presentations.

I have some smaller two node standalone deployments running all services including pxgrid on those nodes. The scale for pxgrid connections in this deployment model is very limited, 20 connections with pxgrid v2, 2 connections with pxgrid v1. In some environments this works fine.

There is no deployment model where you should have just three nodes, in my opinion. A standalone deployment can be one node, but should be two for HA. A hybrid deployment (PAN/MNT on two nodes) should really be a minimum of four nodes for HA, 2x PAN/MNT and 2x PSN. The problem with this is pxgrid scaling hasn't been tested with shared hybrid nodes hosting pxgrid. It would be best to add dedicated pxgrid nodes so that you now have 2x PAN/MNT, 2x PSN, and 2x pxgrid. Chances are it will work fine, but hosting pxgrid in a PAN/MNT/PXG or PSN/PXG doesn't have published numbers.

So the answer depends on if you have a standalone 1 or 2 node deployment. If yes, then you are travelling in safe waters with testing done by the BU and scale numbers published. I wouldn't recommend sharing other nodes with pxgrid even though it technically works.


If you have a TAC case, please provide it. The information we're giving you here is coming directly from the engineers that designed the system. Also, Damien has great experience as well.

What you're running there is a distributed deployment and in no such circumstance should anything but administration team run on the PAN (unless small distributed with MNT).


7 Replies

Mike.Cifelli
VIP Alumni
You can deploy up to two nodes with PxGrid enabled. In my experience I typically enable PxGrid on my PAN and secondary PAN, and have dedicated PSN nodes that strictly service/handle requests etc. If running a cluster you can enable PAN failover with unique timers that would trigger a failover. For the two PxGrid nodes there is a heartbeat between the two that will allow support of failover as well. Your post is rather vague so I hope my comments help. Good luck!

I don't recommend running PXGRID on the PAN/MNT boxes. Per design, it's best to run on your PSN or a dedicated node depending on scale. Please do look at your Cisco Live at http://cs.co/ise-training BRKSEC-3432 and BRKSEC-3699.

Also look at our community page - https://community.cisco.com/t5/security-documents/ise-performance-amp-scale/ta-p/3642148

Thank you for the feedback. Currently have 6 nodes where PAN, MNT, and PSN are all separate. Looking at adding PX-GRID to PAN. Cost of adding another node is a factor.

As I stated before, PXGrid doesn't run on the PAN. Not supported. We provided the documentation and recommendations. Please understand if you have issues TAC won't support. It sounds like you made your choice. Moving on, right?

I have not made a choice as I try to do more due diligence on this. I am getting different opinions from TAC and from other Cisco folks about the deployment and what node I can add it to. Interestingly enough, PAN is something that they see as a node I can run this on.
