Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1676
Views
25
Helpful
9
Replies

ISE cluster implementation with different hardware model

Go to solution
Redash6174183
Level 1
Level 1

‎10-17-2021 05:12 AM

Dears ,

we have existing ISE cluster runnning on SNS-3415-K9 and have purchased new model and need to add it to the cluster

is it possible for ISE personas to be clustered with is different haredware model ?

any document is available for step by step implementation ?

Labels:
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
balaji.bandi
Hall of Fame
Hall of Fame

‎10-17-2021 05:37 AM

is it possible for ISE personas to be clustered with is different haredware model ?

 

- yes possible, and you need understand the side effect of that, take example Primary hardware support more capacity, secondary node has less capacity if failover takes place, do you get the same results? No - you have degraded of service. Cluster always to be same capacity for best optimal results as per my understanding the deployment most cases

 

any document is available for step by step implementation ?

 

- there is a good presentaion from cisco Live - this will give you more information how you can deploy :

https://www.ciscolive.com/c/dam/r/ciscolive/us/docs/2020/pdf/DGTL-BRKSEC-3432-reference.pdf

 

some reference :

 

https://www.cisco.com/c/en/us/td/docs/security/ise/2-7/InstallGuide27/b_ise_InstallationGuide27/b_ise_InstallationGuide27_chapter_00.html

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

View solution in original post

Go to solution
Rob Ingram
VIP
VIP
In response to Redash6174183

‎10-17-2021 11:50 AM

@Redash6174183 well cisco documents recommends using Primary PAN/MnT on 1 node and Secondary PAN/MnT on another. With dedicated PSNs.

 

Capture.PNG

View solution in original post

9 Replies 9

Go to solution
balaji.bandi
Hall of Fame
Hall of Fame

‎10-17-2021 05:37 AM

is it possible for ISE personas to be clustered with is different haredware model ?

 

- yes possible, and you need understand the side effect of that, take example Primary hardware support more capacity, secondary node has less capacity if failover takes place, do you get the same results? No - you have degraded of service. Cluster always to be same capacity for best optimal results as per my understanding the deployment most cases

 

any document is available for step by step implementation ?

 

- there is a good presentaion from cisco Live - this will give you more information how you can deploy :

https://www.ciscolive.com/c/dam/r/ciscolive/us/docs/2020/pdf/DGTL-BRKSEC-3432-reference.pdf

 

some reference :

 

https://www.cisco.com/c/en/us/td/docs/security/ise/2-7/InstallGuide27/b_ise_InstallationGuide27/b_ise_InstallationGuide27_chapter_00.html

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Go to solution
Redash6174183
Level 1
Level 1
In response to balaji.bandi

‎10-17-2021 06:48 AM

Thanks a lot for your response 

so if I have two servers in each data center then I will divide the personas among them like below

site1- server1 (Admin pri, mon sec)

site1- server2 (psn)

site2- server1 (Admin sec, mon pri)

site2- server2 (psn)

 

is that the recommended setup ?

0 Helpful

Go to solution
balaji.bandi
Hall of Fame
Hall of Fame
In response to Redash6174183

‎10-17-2021 06:58 AM

yes that is possible, Look at the presentation shared. page 29 onwards.

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Go to solution
Rob Ingram
VIP
VIP

‎10-17-2021 07:21 AM

@Redash6174183

The 3415 hardware only supports up to ISE version 2.3, where as if you purchase the latest 3600 series hardware the oldest version supported is ISE 2.4. You need to be running the same version in order to build a cluster, so you cannot add the newer hardware to the existing cluster.

 

The 3600 hardware is of higher spec than the 3415 and can support more concurrent sessions, do you need to build a cluster of 4?

 

 

 

Go to solution
Redash6174183
Level 1
Level 1
In response to Rob Ingram

‎10-17-2021 11:43 AM

Thanks for good note

actually we agreed to decommission the old appliances and uses only the new 4 servers SNS-3615-K9 two server in each Data Center 

so the best practice is to have like below ?

site1- server1 (Admin pri, mon sec)

site1- server2 (psn)

site2- server1 (Admin sec, mon pri)

site2- server2 (psn)

what about having all personas in each server ? as I know we can have only two PAM one primary and other is secondry however PSN will be all active.

 

 

 

0 Helpful

Go to solution
Redash6174183
Level 1
Level 1
In response to Redash6174183

‎10-17-2021 11:48 AM

The old admin installed all personas in one server (attached SS) and did nothing else

so what is the best order to correct that and achieve the standard implementation

 

Preview file
18 KB
0 Helpful

Go to solution
Rob Ingram
VIP
VIP
In response to Redash6174183

‎10-17-2021 11:50 AM

@Redash6174183 well cisco documents recommends using Primary PAN/MnT on 1 node and Secondary PAN/MnT on another. With dedicated PSNs.

 

Capture.PNG

Go to solution
Redash6174183
Level 1
Level 1
In response to Rob Ingram

‎10-17-2021 03:05 PM

Thanks 

I have two questions regards the provided setup recommendation

- accordingly one node(sec admin sec mon) will set without doing anything

what is the point behind making one node primary for both admin and monitor?

- why the setup shows both admin nodes installed in site A . instead isn’t better to distribute both of them in siteA and site B ?

 

0 Helpful

Go to solution
balaji.bandi
Hall of Fame
Hall of Fame
In response to Redash6174183

‎10-18-2021 01:18 AM

I have addressed your question in the previous post, have you got a chance to look at the PDF page 29 ?

 

ISE has different deployments,  One need to choose what is best for their environment. the picture showing in @Rob Ingram  was one of the use case where people Look redundancy Locally and also DR kind of setup for very high availability, that is still valid use case for some organisation based on the requirement.

 

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Customers Also Viewed These Support Documents