
06-29-2017 03:45 AM
Hi Team,
We are working on an ISE design for a wireless environment. The customer has two locations, namely Location 1 and Location 2. The client requires the points below to be considered in the design. Can we comply with these points in the design as well as the implementation?
- VPN connectivity between Location 1 and Location 2 with redundant ISPs.
- One Wireless Controller will be placed at Location 1. It will be the primary controller for the Location 1 Access Points. A second Wireless Controller will be placed at Location 2. It will be the primary controller for the Location 2 Access Points.
- The Location 1 Wireless Controller will act as a secondary controller for the Location 2 access points. If the Location 2 controller fails, the APs/clients will get hooked to the Location 1 controller. The Location 2 Wireless Controller will act as a secondary controller for the Location 1 access points. If the Location 1 controller fails, the APs/clients should get hooked to the Location 2 controller.
- One DHCP server will be placed at Location 1 and a second at Location 2. The Location 1 DHCP server will serve Location 1 clients and the Location 2 DHCP server will serve Location 2 clients. The MAC binding for the clients will be done on the DHCP server and will be managed by the clients.
- One AAA server will be placed at Location 1. It will act as the primary AAA server for Location 1 users and as the secondary for Location 2 users in case the Location 2 AAA server fails. A second AAA server will be placed at Location 2. It will act as the primary AAA server for Location 2 users and as the secondary for Location 1 users in case the Location 1 AAA server fails.
Attached is the network diagram for the same.
Kindly advise on how the ISE can work in Active-Active mode while each node acts as a secondary for the other location.
Labels: Identity Services Engine (ISE)
Accepted Solutions

06-29-2017 05:21 AM
You have to keep in mind that the only personas that have active and standby are the Admin and Monitoring. Therefore there can be only one active PAN and MnT.
The PSN functionality is always active.
With this in mind, this is a common deployment model.
Keep in mind the nodes can't have more than 300ms between them.

06-29-2017 04:58 AM
Not sure of the concern here? PSNs are always active, and that's what terminates RADIUS for the wireless NADs.
A poor man's load balancing is to point some sites or NADs at PSN1 with PSN2 as backup, and others at PSN2 with PSN1 as backup.
This is a common setup.
Can't see PowerPoint easily; best to save it as an image that opens in the page.
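The per-site primary/backup PSN ordering described in the reply above, written out as an added Cisco WLC (AireOS) configuration example. This is not from the thread or from Cisco's design guides; the IP addresses (PSN1 10.1.0.10 at Location 1, PSN2 10.2.0.10 at Location 2), server indexes, WLAN ID 1, the probe username and the shared secret are constructed placeholders.

```cisco
! Added example (not from the thread): "poor man's load balancing" across two ISE PSNs.
! Constructed values: PSN1 = 10.1.0.10 (Location 1), PSN2 = 10.2.0.10 (Location 2),
! WLAN ID 1, shared-secret and probe-user placeholders. Replace before use.

! ---- Location 1 WLC: PSN1 primary, PSN2 backup ----
config radius auth add 1 10.1.0.10 1812 ascii <SHARED-SECRET-PLACEHOLDER>
config radius auth add 2 10.2.0.10 1812 ascii <SHARED-SECRET-PLACEHOLDER>
config radius auth enable 1
config radius auth enable 2
! The WLAN must be disabled before its RADIUS server list is edited;
! the first server added to the WLAN's list is the primary.
config wlan disable 1
config wlan radius_server auth add 1 1
config wlan radius_server auth add 1 2
config wlan enable 1
! Actively probe a server marked dead so the WLC returns to its local PSN
! once it recovers instead of staying on the remote backup.
config radius fallback-test mode active
config radius fallback-test username <PROBE-USER-PLACEHOLDER>
config radius fallback-test interval 300

! ---- Location 2 WLC: PSN2 primary, PSN1 backup ----
config radius auth add 1 10.2.0.10 1812 ascii <SHARED-SECRET-PLACEHOLDER>
config radius auth add 2 10.1.0.10 1812 ascii <SHARED-SECRET-PLACEHOLDER>
config radius auth enable 1
config radius auth enable 2
config wlan disable 1
config wlan radius_server auth add 1 1
config wlan radius_server auth add 1 2
config wlan enable 1
config radius fallback-test mode active
config radius fallback-test username <PROBE-USER-PLACEHOLDER>
config radius fallback-test interval 300
```

Both controllers must also be defined as network devices in ISE with the matching shared secret, or the backup PSN will silently drop their requests. The fallback-test account only needs to elicit a RADIUS response (an Access-Reject is enough to mark the server alive), so use an account that is granted no network access. The 300ms limit mentioned in the accepted answer applies to latency between ISE nodes, not between a WLC and its backup PSN; the WLC simply moves to the next server after its retransmit timeout.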

06-29-2017 05:06 AM
Thanks for the response. Here is the diagram.
The number of endpoints here is not more than 500, hence we have a single primary server with all personas in one location and a secondary one at the other location. The requirement is to have the ISE server as primary for location 1 and the same to be secondary for location 2 only in case the ISE server at location 2 fails. As per the deployment guide, the primary remains active and only in case it goes down does the secondary come up for the functions; here they want both to be active and act as failover for the other location.


06-29-2017 05:28 AM
Thanks for the quick response.
So we would be having the primary PAN/MnT with a PSN at one location and the secondary PAN/MnT at the other location, with the PSNs configured in the controller for providing the AAA functionality for these locations.
Hope my understanding is correct.

06-29-2017 06:06 AM
You would have a standalone node at each site configured for high availability.
All boxes would run all personas.
This is explained in our design guides and is also part of the high-level design.
