Cisco Community
English
Register
Register
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

235
Views
0
Helpful
2
Replies
blandrum
Cisco Employee
Cisco Employee
‎09-16-2019 06:24 AM
‎09-16-2019 06:24 AM

Recommendation on PSN node groups

I have a customer who's wanting to build out a highly scalable, fully distributed ISE deployment and they've asked me if we have any recommendations on when to split out the PSNs into different node groups.  All ISE personas are connected across the same high-speed MAN, so latency isn't a concern.  The campus is spread into quadrants, so they were wondering if there were scaling / performance benefits to break the PSNs out into multiple node groups based on the user's location and likelihood of hitting certain PSNs.  For example, if the user is in the NE quadrant of the campus they could only possibly hit a single HA pair of PSNs (based on the RADIUS definitions in the NADs), so should they create a PSN group for just that pair of PSNs?

0 Helpful
2 REPLIES 2
Colby LeMaire
VIP Collaborator VIP Collaborator
VIP Collaborator
‎09-16-2019 07:21 AM
‎09-16-2019 07:21 AM

Node groups are ideal for PSNs that are in the same load balancing pool or same Radius server group in IOS.  Usually those PSNs would also be in the same physical location too.  So yes, if you typically will group PSNs together logically in your NAD Radius configurations based on location, then put those PSNs together in a node group.

0 Helpful
Damien Miller
VIP Advisor VIP Advisor
VIP Advisor
‎09-16-2019 11:58 AM
‎09-16-2019 11:58 AM

Just keep in mind that nodes in a node group should be in the same L2 domain. Most MAN connections I have seen are pseudo L2, and not true L2 service. Even if the nodes are not behind a LB, but endpoints/NAD have the chance of using any of the PSNs within the group of PSNs, then a node group would be beneficial.
0 Helpful
Latest Contents
Cisco and Radware - Securing your digital future
Created by Kelli Glass on 04-21-2021 05:16 PM
0
0
0
0
  Application Protection, Availability & Security Join our webinar May 6th to gain valuable industry insights into the most recent application cyber attacks and to understand the potential impact bot traffic is having on your business. Lear... view more
Cisco Wants your Feedback on the Secure Firewall Management ...
Created by caiharve on 04-21-2021 04:36 PM
0
0
0
0
Review the Cisco Secure Firewall Management Center (formally named "Firepower Management Center") on TrustRadius and receive a $25 gift card!     
ISE as RADIUS server for Password + Smart Card Authenticatio...
Created by deepuvarghese1 on 04-17-2021 06:22 AM
1
10
1
10
The purpose of this document is to demonstrate how ISE authenticate / authorize a user that uses a smart card (PIN + Certificate) and password mechanism to login their system. This document describes the components used for this setup, configuration of IS... view more
Email Security - QuoVadis Root Certificate Decommission Migh...
Created by dmccabej on 03-30-2021 09:32 AM
0
0
0
0
Problem Description For all versions of the Email Security Appliance (ESA) and Security Management Appliance (SMA), some Secure Sockets Link (SSL) certificates issued from the QuoVadis root certificate authority (CA) trust chain before 2021-03-31 cannot b... view more
ISE REST APIs Webinar: April 6/7, 2021
Created by thomas on 03-25-2021 07:57 PM
2
5
2
5
  Register Now Automation and programmability for networking and security are increasingly important topics. Every release since ISE 1.2 has included new REST API capabilities to better automate and integrate ISE with the rest of your network, appli... view more
Content for Community-Ad