Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
736
Views
3
Helpful
5
Replies

Regarding ISE HA deployment design

Go to solution
vnfmaqpfl1103
Level 1
Level 1

‎12-07-2023 09:02 PM

JinHyeokPark_3-1702011664458.png

We plan to operate two nodes.
I have one concern regarding design. If ISE HA is not implemented and two NODEs with PAN/MNT/PSN persona roles are operated as ACTIVE/ACTIVE as shown in the configuration diagram, will there be any problems?

From a service perspective, when HQ collapses, we plan to implement DR so that the service can be restored to normal.

 

0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
Arne Bier
VIP
VIP

‎12-07-2023 09:56 PM

The two node design in your diagram is a classic 2 node design and it's perfectly acceptable. You can suffer an outage of one of the ISE nodes, and the RADIUS/TACACS+ services will still run on the other node. If you get unlucky and the Primary Admin Node fails, then you won't see any Live Logs. You can promote the Standby PAN to be Primary, and then you will have Live Logs again.

RADIUS and TACACS+ HA is implemented in the Network Devices and not in ISE. The "Services" are enabled on both nodes and each node has the same programming. 

View solution in original post

Go to solution
Arne Bier
VIP
VIP
In response to vnfmaqpfl1103

‎12-08-2023 03:49 AM

That type of setup would mean that the ISE nodes are not related to each other. Each one is a PAN and therefore is the authority on the database. You have to configure each ISE node separately. Not much fun.

Being PAN is not the most important achievement in the life of an ISE node. You benefit more by joining the nodes and having them sync the config from Primary to Secondary. if the PAN fails then you promote the standby. It’s a very rare event.

View solution in original post

5 Replies 5

Go to solution
Arne Bier
VIP
VIP

‎12-07-2023 09:56 PM

The two node design in your diagram is a classic 2 node design and it's perfectly acceptable. You can suffer an outage of one of the ISE nodes, and the RADIUS/TACACS+ services will still run on the other node. If you get unlucky and the Primary Admin Node fails, then you won't see any Live Logs. You can promote the Standby PAN to be Primary, and then you will have Live Logs again.

RADIUS and TACACS+ HA is implemented in the Network Devices and not in ISE. The "Services" are enabled on both nodes and each node has the same programming. 

Go to solution
vnfmaqpfl1103
Level 1
Level 1
In response to Arne Bier

‎12-08-2023 12:19 AM

Thanks for your response.

One additional question: Would it be okay if two nodes operate as primary for the Admin node?

In other words, it is assumed that when the HQ Primary PAN fails, the DR PAN status is also operating as Primary, not Standby. (In the case of DR PAN, it is not Standby, so there is no need to promote it)

0 Helpful

Go to solution
Arne Bier
VIP
VIP
In response to vnfmaqpfl1103

‎12-08-2023 03:49 AM

That type of setup would mean that the ISE nodes are not related to each other. Each one is a PAN and therefore is the authority on the database. You have to configure each ISE node separately. Not much fun.

Being PAN is not the most important achievement in the life of an ISE node. You benefit more by joining the nodes and having them sync the config from Primary to Secondary. if the PAN fails then you promote the standby. It’s a very rare event.

Go to solution
vnfmaqpfl1103
Level 1
Level 1
In response to Arne Bier

‎12-10-2023 05:43 PM

Thanks to you, my curiosity has been somewhat resolved.

I agree with you saying it's not fun. I think we need to re-establish our goal in the direction of forming HA.

0 Helpful

Go to solution
Scott Fella
Hall of Fame
Hall of Fame
In response to vnfmaqpfl1103

‎12-10-2023 07:58 PM

I agree with @Arne Bier, even though it's possible to run two seperate instances, I don't see the benefit since you would have to manually keep everything in sync between the two.  With the normal deployment of a two node cube, you can promote the secondary which is easy.  You also have an option with configuring PAN failover which will do that automatically , but not really recommended. Keep in mind that the PSN is active on both and your network devices would have entries for both.

-Scott
*** Please rate helpful posts ***
Customers Also Viewed These Support Documents