Redash6174183
Beginner

ISE cluster implementation with different hardware model

Dears,

We have an existing ISE cluster running on SNS-3415-K9 and have purchased a new model and need to add it to the cluster.

Is it possible for ISE personas to be clustered with a different hardware model?

Is any document available for step-by-step implementation?

9 REPLIES 9
balaji.bandi
VIP Master

Is it possible for ISE personas to be clustered with a different hardware model?

- Yes, it is possible, and you need to understand the side effect of that. Take an example: the primary hardware supports more capacity and the secondary node has less capacity. If failover takes place, do you get the same results? No, you have degraded service. The cluster should always be the same capacity for the best results, as per my understanding, in most deployment cases.

Is any document available for step-by-step implementation?

- There is a good presentation from Cisco Live; this will give you more information on how you can deploy:

https://www.ciscolive.com/c/dam/r/ciscolive/us/docs/2020/pdf/DGTL-BRKSEC-3432-reference.pdf

Some references:

 

https://www.cisco.com/c/en/us/td/docs/security/ise/2-7/InstallGuide27/b_ise_InstallationGuide27/b_ise_InstallationGuide27_chapter_00.html

 

BB


Thanks a lot for your response.

So if I have two servers in each data center, then I will divide the personas among them like below:

site1- server1 (Admin pri, mon sec)

site1- server2 (psn)

site2- server1 (Admin sec, mon pri)

site2- server2 (psn)

Is that the recommended setup?

Yes, that is possible. Look at the presentation shared, page 29 onwards.

 

BB


Rob Ingram
VIP Mentor

@Redash6174183

The 3415 hardware only supports up to ISE version 2.3, whereas if you purchase the latest 3600 series hardware, the oldest version supported is ISE 2.4. You need to be running the same version in order to build a cluster, so you cannot add the newer hardware to the existing cluster.

The 3600 hardware is of higher spec than the 3415 and can support more concurrent sessions. Do you need to build a cluster of 4?

 

 

 

Thanks for the good note.

Actually, we agreed to decommission the old appliances and use only the new 4 servers (SNS-3615-K9), two servers in each data center.

So is the best practice to have it like below?

site1- server1 (Admin pri, mon sec)

site1- server2 (psn)

site2- server1 (Admin sec, mon pri)

site2- server2 (psn)

What about having all personas on each server? As I know, we can have only two PAM, one primary and the other secondary; however, the PSNs will all be active.

The old admin installed all personas on one server (attached SS) and did nothing else.

So what is the best order to correct that and achieve the standard implementation?

 

@Redash6174183 Well, Cisco documents recommend using Primary PAN/MnT on 1 node and Secondary PAN/MnT on another, with dedicated PSNs.

 

Capture.PNG

Thanks.

I have two questions regarding the provided setup recommendation:

- Accordingly, one node (sec admin, sec mon) will sit without doing anything.

What is the point behind making one node primary for both admin and monitor?

- Why does the setup show both admin nodes installed in site A? Instead, isn't it better to distribute them across site A and site B?

 

I have addressed your question in the previous post. Have you had a chance to look at the PDF, page 29?

ISE has different deployments. One needs to choose what is best for their environment. The picture shown by @Rob Ingram was one of the use cases where people look for redundancy locally and also a DR kind of setup for very high availability. That is still a valid use case for some organisations, based on the requirement.

 

 

BB
