02-09-2016 10:33 AM
When enabling pxGrid in a new ISE 2.0 deployment, should the distributed deployment be built out before enabling pxGrid on the desired nodes, or is it OK to enable it on the first node before joining the other nodes to the deployment and assigning roles?
Many thanks,
Andrew
02-09-2016 11:20 AM
You can really do it in any order.
Basically, keep in mind, for pxGrid there are three roles:
So what makes the most sense from an order of operations perspective would be to build out your entire ISE cube (deployment). Once all the nodes are joined & assigned their normal persona (aka: role), then you can do the pxGrid certificates for each of the nodes that will participate. Once they're ready, enable the services on the respective nodes.
From a certificate perspective, it is usually best to use all pxGrid certificates from the same CA Root. It could be a company-specific CA (like the one from MS) or even public roots. That way all pxGrid components (publishers, subscribers & controller) are using certs that are signed & trusted as part of the same PKI hierarchy.
This will also be part of my Cisco Live - Berlin session next week.
Aaron
02-09-2016 11:40 AM
Aaron,
Thanks for the quick response. My deployment will be three nodes for a geographically dispersed cube:
Node 1: PAN/Primary MnT/PSN/Primary pxGrid
Node 2: Secondary Admin & MnT/PSN/Secondary pxGrid
Node 3: PSN.
Nodes 2 & 3 are still in their boxes so I was wondering if it would be best to bring them up before enabling pxGrid. There is a strong desire for immediate StealthWatch integration. Thanks for your guidance.
I look forward to your Live Session (presuming it's available on ciscolive.com).
Regards,
Andrew
02-09-2016 12:41 PM
Please be advised that pxGrid requires its own PSN to run by itself on.
Make sure you use a deployment size of medium to support up to 5 standalone PSNs.
Small deployment doesn't support splitting out the PSN.
http://www.cisco.com/c/en/us/td/docs/security/ise/2-0/installation_guide/b_ise_InstallationGuide20/Network_Deployments_in_Cisco_ISE.html
There are docs here about pxGrid:
http://www.cisco.com/c/en/us/support/security/identity-services-engine/products-implementation-design-guides-list.html