Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
829
Views
0
Helpful
2
Replies

Utilizing PSN node groups in multiple datacenters

Go to solution
amohammed01
Level 1
Level 1

‎09-17-2015 10:23 AM - edited ‎03-10-2019 11:04 PM

Hi

I was looking for some information, I am setting up a Distributed Deployment of ISE.   We have two data center each will have its own PSN Node group (load balanced), I need a strategy where we can make sure that all NADs are not pointing to one PSN node group.  In the switch config I only see the option of listing the radius server where the first one listed is referenced and secondary IP is only used if the primary Radius server is not available.  We have many branch sites that we would like deploy ISE, we would like to distribute the Radius AuthC/AuthZ evenly between the two DC.

 

Thanks

-Amin 

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
jan.nielsen
Level 7
Level 7

‎09-18-2015 09:46 AM

Just so we are clear, ISE node groups does not do load-balancing, you need an external load-balancer for this. If you are in fact using a load-balancer for each DC, then you could just manually have half of your switches use one vip for primary and one for secondary, and the other half reversed. Also, if you use aaa server groups in your switch, you can also do local switch "load-balancing", based on how many active session are on each radius server in the group.

 

http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_rad/configuration/15-sy/sec-usr-rad-15-sy-book/sec-rad-load-bal.html#GUID-EAADC56D-9634-49B9-A3DF-06932A3DCA1E

View solution in original post

0 Helpful
2 Replies 2

Go to solution
jan.nielsen
Level 7
Level 7

‎09-18-2015 09:46 AM

Just so we are clear, ISE node groups does not do load-balancing, you need an external load-balancer for this. If you are in fact using a load-balancer for each DC, then you could just manually have half of your switches use one vip for primary and one for secondary, and the other half reversed. Also, if you use aaa server groups in your switch, you can also do local switch "load-balancing", based on how many active session are on each radius server in the group.

 

http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_rad/configuration/15-sy/sec-usr-rad-15-sy-book/sec-rad-load-bal.html#GUID-EAADC56D-9634-49B9-A3DF-06932A3DCA1E

0 Helpful

Go to solution
aasaadsavola
Level 1
Level 1
In response to jan.nielsen

‎01-27-2020 02:25 AM

For Correction the statment :

if you use aaa server groups in your switch, you can also do local switch "load-balancing", based on how many active session are on each radius server in the group.

 

 

 aaa server groups in your switch,  it does  not do a function of Load balancer- the function is that all the session will hit first PSN   and Second PSN will work as Backup for  radius Requests

 

 

0 Helpful
Customers Also Viewed These Support Documents