SXP on ISE distributed deployment

Antonio Macia
Participant

Hi,

 

I'm looking for advice on a distributed PSN deployment with SXP services enabled.

 

When enabling the SXP service on two PSNs, I understand that I have to duplicate the SXP connections on each network device pointing to each PSN IP address, correct? Both SXP connections will be in ON state and exchanging the same IP-SGT mappings, right?

In case of failure of any of the PSN nodes, the IP-SGT mapping should remain intact, and once the PSN node is recovered it will not affect the mapping either.

 

Is there anything I should take care of?

 

Regards.

Accepted Solution

Rob Ingram
VIP Expert

@Antonio Macia you're correct, each NAD (switch) would peer with both PSN SXP nodes. The switch would have 2 IP-SGT bindings, one for each ISE SXP peer.

 

Check the TrustSec matrix to determine the number of SXP bindings your model access layer switch can support.

https://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise-networks/trustsec/software-platform-capability-matrix.pdf
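For reference, an IOS-XE configuration fragment for an access switch peering with both PSN SXP nodes as described above. This is an added example and not part of the original post; the switch source address, the two PSN addresses and the pre-shared password are constructed placeholders, and the switch is assumed to act only as an SXP listener (the PSNs are the speakers).

```text
! Constructed example: access switch as SXP listener to two ISE PSNs
cts sxp enable
! Source address the switch uses for its SXP sessions (assumed placeholder)
cts sxp default source-ip 10.10.10.5
! Pre-shared password, must match the SXP password configured on both PSNs
cts sxp default password 0 SXP-PSK-PLACEHOLDER
! One connection per PSN; both sessions stay "On" and carry the same IP-SGT bindings,
! so losing one PSN leaves the bindings learned from the other in place
cts sxp connection peer 10.1.1.10 password default mode local listener
cts sxp connection peer 10.1.1.11 password default mode local listener
!
! Verification, to run after deployment and again after taking one PSN offline
show cts sxp connections brief
show cts role-based sgt-map all
```

Each PSN also needs the switch added as an SXP device on the ISE side; the `show cts sxp connections brief` output should list both peers in the On state, and the bindings in `show cts role-based sgt-map all` remain while at least one peer is up.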

 


Hi Rob,

 

Thanks in advance for your assistance.

Since this thread is somehow related to the situation I'm facing, kindly clarify if the following is correct.

 

In a distributed deployment, in case of hardware refresh:

Replacing the nodes from 34xx (old) to 36xx (new) with the same IP addresses and hostnames (FQDNs):

1. Configure first the 36xx in an offline environment with the same IP addresses as the nodes to be replaced.

2. Generate the CSRs of the 36xx and have them sign those certificates.

3. Bind the signed certificate to the CSRs of the 36xx.

4. De-register 34xx secondary node, then take it out of the network.

5. Register the configured 36xx as the secondary node (PAN, MNT, PSN).

6. Have your AD admin join the node to the Active Directory domain.

7. Promote the 36xx secondary node as the new Primary Node.

8. De-register the 34xx primary node, then take it out of the network.

9. Register the other prepared 36xx as the secondary node (PSN).

10. Have your AD admin join the node to the Active Directory domain.

 

Regarding TACACS+ network device administration:

a. There are 2 TACACS+ servers configured on IOS devices (router, switch, etc.).

b. Each TACACS+ server has different key hash on running-config on IOS.

 

Is all information propagated from the PRI -> SEC ISE node, including both TACACS+ keys for network device administration?
