09-12-2018 01:39 PM
Hey team, I'm searching for a good reference document that shows scalability within a distributed environment on 2.4 (separate PAN/MnT/PSN), now adding TACACS+ and pxGrid functions. What I'm searching for: pros/cons/#s IF I add TACACS+ to existing PSNs that are used for wired/wireless, and the same for pxGrid, VS. building a brand new pair of PSNs for pxGrid ONLY and a brand new pair of PSNs for TACACS+ ONLY. I understand the security good/bad, BUT I'm looking for actual #s and any limitations. Thanks for feedback!
09-12-2018 02:08 PM
Please check out the ISE performance and scale community page, which will give you an idea about shared PSNs using pxGrid. This is under pxGrid scaling. The TACACS+ performance is based on a dedicated appliance.
Apart from security, also think about service failure. Do you want the device administration service impacted if there is a problem in pxGrid and the node goes down? Vice versa holds good as well.
My opinion is to leave the TACACS+ separate so that your device administration is smooth and network admins don't have a problem. However, if your network is small and you have only a few administrators checking the status sporadically, you can consider sharing. However, remember that the purpose of using pxGrid is to share the context so that it is consumed by a Cisco or third-party device for a specific reason. Think about the importance of that service and make the decision.
-Krishnan
09-12-2018 09:02 PM
Thanks Krishnan for feedback.
Do you know IF adding the pxGrid function on existing standalone PSN nodes (that are handling wired/wireless) could have an effect on performance for the existing RADIUS/802.1X services that they are already providing? Same with TACACS+.
The debate is:
NOW: (scaled down - there are actually more PSNs)
DC1: pan(a) mnt(a) (psn1)
DC2: pan(s) mnt(s) (psn2)
vs: (keeping it distributed all nodes separated)
DC1: pan(a) mnt(a) (psn1) (pxgrid) (tacacs+)
DC2: pan(s) mnt(s) (psn2) (pxgrid) (tacacs+)
vs:
DC1: pan(a) mnt(a) (psn1+pxgrid) (tacacs+)
DC2: pan(s) mnt(s) (psn2+pxgrid) (tacacs+)
vs:
DC1: pan(a) mnt(a) (psn1+pxgrid+tacacs+)
DC2: pan(s) mnt(s) (psn2+pxgrid+tacacs+)
vs:
DC1: pan(a) mnt(a) (psn1+tacacs+) (pxgrid)
DC2: pan(s) mnt(s) (psn2+tacacs+) (pxgrid)
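As an added example (not part of this thread), here is a small Python model of the layout options listed above that makes the failure-domain trade-off concrete: for each layout it reports which services share a node (and so share fate when that node has a problem), how many services a single node failure degrades, and which two-node failures take a service fully offline. Node names and the "radius" label for the PSN's 802.1X role are assumptions; PAN/MnT are omitted because the question is only about PSN/pxGrid/TACACS+ placement.

```python
"""Failure-domain model for the PSN / pxGrid / TACACS+ layouts in this thread."""
from itertools import combinations

# Constructed from the options in the post: node name -> services on that node.
LAYOUTS = {
    "all separate": {
        "dc1-psn": {"radius"}, "dc1-pxgrid": {"pxgrid"}, "dc1-tacacs": {"tacacs"},
        "dc2-psn": {"radius"}, "dc2-pxgrid": {"pxgrid"}, "dc2-tacacs": {"tacacs"}},
    "psn+pxgrid": {
        "dc1-psn": {"radius", "pxgrid"}, "dc1-tacacs": {"tacacs"},
        "dc2-psn": {"radius", "pxgrid"}, "dc2-tacacs": {"tacacs"}},
    "psn+pxgrid+tacacs": {
        "dc1-psn": {"radius", "pxgrid", "tacacs"},
        "dc2-psn": {"radius", "pxgrid", "tacacs"}},
    "psn+tacacs": {
        "dc1-psn": {"radius", "tacacs"}, "dc1-pxgrid": {"pxgrid"},
        "dc2-psn": {"radius", "tacacs"}, "dc2-pxgrid": {"pxgrid"}},
}

def shared_fate(layout):
    """Per service, the other services that sit on the same node (a pxGrid
    problem on a shared node also hits device administration)."""
    out = {}
    for services in layout.values():
        for s in services:
            out.setdefault(s, set()).update(services - {s})
    return out

def node_failure_impact(layout, node):
    """Services that lose a replica when `node` is down -> replicas left."""
    return {s: sum(1 for n, svc in layout.items() if n != node and s in svc)
            for s in layout[node]}

def worst_single_failure(layout):
    """Largest number of services degraded by any one node failure."""
    return max(len(node_failure_impact(layout, n)) for n in layout)

def two_node_outages(layout):
    """Node pairs whose simultaneous loss leaves a service with no replica."""
    hits = {}
    for a, b in combinations(layout, 2):
        lost = {s for s in layout[a] | layout[b]
                if not any(s in svc for n, svc in layout.items() if n not in (a, b))}
        if lost:
            hits[(a, b)] = lost
    return hits

if __name__ == "__main__":
    for name, layout in LAYOUTS.items():
        print(f"{name}: worst single-node blast radius = {worst_single_failure(layout)}")
        for svc, others in sorted(shared_fate(layout).items()):
            print(f"  {svc} shares a node with: {sorted(others) or 'nothing'}")
        print(f"  two-node outages: {two_node_outages(layout)}")
```

Every layout survives any single node loss with one replica left; what changes is how many services are degraded at once and how many services one pair of failures takes down entirely.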
09-12-2018 09:23 PM
I have colocated those services with PSNs in large deployment models in the past without issue, but every customer's flows/patterns are different. My general recommendation (and that of our solution architects) is: if you are large enough to build a large deployment model (separate PAN/M&T/PSNs), then build separate TACACS and pxGrid nodes.
Not sure if you will find specific data as in many (probably most) cases colocating will work just fine, but the best practice is to split them off.