
pxGrid Implementation

andrew333
Level 4

When enabling pxGrid in a new ISE 2.0 deployment, should the distributed deployment be built out before enabling pxGrid on the desired nodes, or is it ok to enable it on the first node before joining the other nodes to the deployment and assigning roles?

Many thanks,

Andrew

1 Accepted Solution


Aaron Woland
Cisco Employee

You can really do it in any order.

Basically, keep in mind, for pxGrid there are three roles:

  1. Controller
  2. Publisher
  3. Subscriber

So what makes the most sense from an order-of-operations perspective would be to build out your entire ISE cube (deployment). Once all the nodes are joined & assigned their normal persona (aka role), then you can do the pxGrid certificates for each of the nodes that will participate. Once they're ready, enable the services on the respective nodes.

From a certificate perspective, it is usually best to use all pxGrid certificates from the same CA Root. It could be a company-specific CA (like the one from MS) or even public roots. That way all pxGrid components (publishers, subscribers & controller) are using certs that are signed & trusted as part of the same PKI hierarchy.

This will also be part of my Cisco Live - Berlin session next week.

Aaron
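
The same-root advice in the answer above can be checked before the pxGrid services are enabled. The script below is an added example, not part of the original thread or of any Cisco tooling; it assumes each participant's pxGrid certificate and the root are available as PEM files, and every name and certificate in it is constructed for the demo.

```shell
#!/usr/bin/env bash
# Added example. All names and certificates below are constructed for the demo.

# verify_same_root ROOT_PEM CERT_PEM...
# Returns 0 only if every certificate verifies against the single root given.
verify_same_root() {
    local root="$1" rc=0 cert
    shift
    for cert in "$@"; do
        if openssl verify -CAfile "$root" "$cert" >/dev/null 2>&1; then
            echo "OK    $cert"
        else
            echo "FAIL  $cert does not chain to $root"
            rc=1
        fi
    done
    return "$rc"
}

# make_root DIR NAME: constructed self-signed root CA (DIR/NAME.pem, DIR/NAME.key)
make_root() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

# make_leaf DIR ROOT LEAF: constructed participant certificate signed by ROOT
make_leaf() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$1/$3.key" -out "$1/$3.csr" 2>/dev/null
    openssl x509 -req -in "$1/$3.csr" -CA "$1/$2.pem" -CAkey "$1/$2.key" \
        -CAcreateserial -days 1 -out "$1/$3.pem" 2>/dev/null
}

demo() {
    local d
    d="$(mktemp -d)"
    make_root "$d" corp-root
    make_root "$d" other-root
    make_leaf "$d" corp-root controller
    make_leaf "$d" corp-root publisher
    make_leaf "$d" other-root subscriber   # deliberately signed by a different root
    verify_same_root "$d/corp-root.pem" \
        "$d/controller.pem" "$d/publisher.pem" "$d/subscriber.pem"
}

demo || echo "At least one participant is outside the shared PKI hierarchy."
```

With real exports, only `verify_same_root` is needed; if an intermediate CA issued the certificates, the file passed as the root must contain the full chain.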

Aaron,

Thanks for the quick response. My deployment will be three nodes for a geographically dispersed cube:

Node 1: PAN/Primary MnT/PSN/Primary pxGrid

Node 2: Secondary Admin & MnT/PSN/Secondary pxGrid

Node 3: PSN.

Nodes 2 & 3 are still in their boxes so I was wondering if it would be best to bring them up before enabling pxGrid. There is a strong desire for immediate StealthWatch integration. Thanks for your guidance.

I look forward to your Live Session (presuming it's available on ciscolive.com).

Regards,

Andrew

Please be advised that pxGrid requires its own PSN to run by itself on

Make sure you use a deployment size of medium to support up to 5 standalone PSNs.

A small deployment doesn't support splitting out the PSN.

http://www.cisco.com/c/en/us/td/docs/security/ise/2-0/installation_guide/b_ise_InstallationGuide20/Network_Deployments_in_Cisco_ISE.html

There are docs here about pxGrid:

http://www.cisco.com/c/en/us/support/security/identity-services-engine/products-implementation-design-guides-list.html