Using Multiple DNACs with a Single ISE Deployment - Limited Availability
For customers who need to scale SDA deployments beyond a single DNAC cluster, with DNAC 126.96.36.199 onwards we have a Limited Availability capability to enable up to 4 DNAC clusters (or 4 single DNAC appliances) to work with a single ISE deployment, which must be using ISE 2.4 patch 11, 2.6 patch 3 or 2.7 patch 1 onwards.
The approach uses ISE to share SGTs, VNs and SGT-based policies across DNAC appliances/clusters so they are considered global and are managed from one designated DNAC cluster, known as the policy author.
Static SGT & VN mappings and IP pools are managed locally, meaning on each DNAC cluster. Caveats apply to modifying or deleting SGTs and VNs, as they may be used in static assignments not known to ISE or the policy author.
Caveats also apply to certain objects which are not stored in ISE and therefore cannot be shared across DNAC clusters:
- Contract definitions using application definitions (as opposed to the usual Advanced format)
- Marking a VN as a Guest VN
Slides are attached that I normally use to explain the capabilities and the limitations to customers.
This is Limited Availability for a variety of reasons, such as failover of the policy author being manual, specific scale limitations and the caveats mentioned. These will be addressed in the general availability version.