Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1654
Views
70
Helpful
5
Replies

Why split Pri MnT and Pri PAN in design

Go to solution
bobcat
Level 1
Level 1

‎03-08-2022 07:22 AM

Hi Everyone,

 

I often find the following node design in documents or some discussion threads:

 

Node A: Pri MnT and Sec PAN

Node B: Sec MnT and Pri PAN

 

This appears in the Cisco Document but without explanation:
(https://www.cisco.com/c/en/us/td/docs/security/ise/3-1/install_guide/b_ise_InstallationGuide31/b_ise_InstallationGuide31_chapter_1.html)

 

Screenshot_1.png

 

Please help explain why this is used? I can't come up with any benefits in terms of workload distribution or replication or HA.

 

Thank you in advance.

 

 

1 Accepted Solution

Accepted Solutions

Go to solution
Damien Miller
VIP Alumni
VIP Alumni

‎03-08-2022 07:59 AM - edited ‎03-08-2022 08:03 AM

I actually don't agree with the diagram. I think having the primary share the same node or same DC in larger deployments is optimal. I've been using primary PAN/MnT on the same node/DC for a few years now. Craig explained why this would be optimal. 

 

https://community.cisco.com/t5/network-access-control/ise-2-node-deployment-monitoring-role-question/m-p/3547947/highlight/true#M509137

 

"Technically, there is no mandate set as to which nodes are primary in a standalone or hybrid deployment model. The reason why I recommend the consolidation of Primary PAN, MNT and optionally pxGrid on same node is the fact that the MnT node is always processing the same logs whether primary or secondary.  Furthermore, the operational data and reports displayed by PAN are fetched from Active MnT, which when collocated, are local to PAN.  And finally, the Active PAN and MNT publish to the active pxGrid controller, which again would also be local. 

 

In many cases, the redundant PAN+MNT nodes may be in different locations.  Especially for these cases, you would want to avoid the delay between nodes.  It also makes the HA design a bit more intuitive to have all services active on same node.

 

So although at a high level it may seem like a good idea to split active role for PAN, MNT and PXG across personas, I have yet to come across sufficient justification to do so, and actually came across an escalation where customer had issues until they consolidated active PAN and MNT on same node in a dual datacenter setup."

View solution in original post

5 Replies 5

Go to solution
balaji.bandi
Hall of Fame
Hall of Fame

‎03-08-2022 07:45 AM - edited ‎03-08-2022 07:47 AM

Same Document explain little bit of split deployment.

 

If you Make Primary MNT and Pan both same appliance, there is no work load balance here, so for better utilisation of compute syustem above design give you flexliblity to split the load different nodes, and failover for high availability.

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Go to solution
bobcat
Level 1
Level 1
In response to balaji.bandi

‎03-08-2022 08:03 AM

Thanks for the explanation. I see, if for splitting the computing workload between primary MnT and PAN, that's one reason. But I think there should not be any differences in terms of HA, right?

 

The PSN will send operational data to both primary and secondary MnT, the Primary Mnt will replicate data to Secondary MnT, and the Primary PAN can retrieve data from the secondary MnT immediately.

 

So, there should not be any data loss even you put Pri PAN and Pri MnT in one node.

Go to solution
balaji.bandi
Hall of Fame
Hall of Fame
In response to bobcat

‎03-08-2022 08:31 AM

Sure agreed with @Damien Miller  post.ahead of my reply much appriciated input.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Go to solution
Damien Miller
VIP Alumni
VIP Alumni

‎03-08-2022 07:59 AM - edited ‎03-08-2022 08:03 AM

I actually don't agree with the diagram. I think having the primary share the same node or same DC in larger deployments is optimal. I've been using primary PAN/MnT on the same node/DC for a few years now. Craig explained why this would be optimal. 

 

https://community.cisco.com/t5/network-access-control/ise-2-node-deployment-monitoring-role-question/m-p/3547947/highlight/true#M509137

 

"Technically, there is no mandate set as to which nodes are primary in a standalone or hybrid deployment model. The reason why I recommend the consolidation of Primary PAN, MNT and optionally pxGrid on same node is the fact that the MnT node is always processing the same logs whether primary or secondary.  Furthermore, the operational data and reports displayed by PAN are fetched from Active MnT, which when collocated, are local to PAN.  And finally, the Active PAN and MNT publish to the active pxGrid controller, which again would also be local. 

 

In many cases, the redundant PAN+MNT nodes may be in different locations.  Especially for these cases, you would want to avoid the delay between nodes.  It also makes the HA design a bit more intuitive to have all services active on same node.

 

So although at a high level it may seem like a good idea to split active role for PAN, MNT and PXG across personas, I have yet to come across sufficient justification to do so, and actually came across an escalation where customer had issues until they consolidated active PAN and MNT on same node in a dual datacenter setup."

Go to solution
bobcat
Level 1
Level 1
In response to Damien Miller

‎03-08-2022 08:10 AM

Thanks Damien. Yes, Craig's explanation makes sense esp. the secondary nodes often put on a DR site.

 

Thanks for the quote and the reply!

 

Customers Also Viewed These Support Documents