Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
963
Views
0
Helpful
5
Replies

How to design 3 Nodes ISE?

ccie14007
Level 1
Level 1

‎03-18-2018 05:17 AM - edited ‎02-21-2020 10:49 AM

We have 3 ISE nodes license, Want to use 2 in Primary DC, with HA. and then use the 3rd one in the DR.

 

IN Primary DC,  1 is Primary for Admin, Policy and Monitor.

                         2 is Secondary for Admin, Policy and Monitor

 

Then how to do with the 3rd one in DR?

 

thanks

Labels:
0 Helpful
5 Replies 5

Rob Ingram
VIP
VIP

‎03-18-2018 09:53 AM

Hi,
How many users/devices will it be supporting? What services - wired, wireless 802.1x? Guest portals? BYOD?.

3 is an awkward number. How about this:

1 - Primary PAN and MNT
2 - Secondary PAN and MNT + PSN
3 - PSN

this leaves the first ISE node dedicated mgmt and provides redundancy for all personas.

HTH
0 Helpful

marce1000
VIP
VIP

‎03-18-2018 10:19 AM

 

 -  By not using such a model , use standard deploymens; 2 admin + monitor , +2 PSN = 4!

M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '
0 Helpful

ajc
Level 7
Level 7
In response to marce1000

‎03-19-2018 01:32 PM

My 2 cents.

 

-The ISE radius or tacacs servers for authentication are the ones running PSN persona not PAN/MNT (admin nodes).

-You should NOT combine multiple personas into the same appliance or VM. But if you have resources constrains then, you should ONLY have 1 primary PAN/MNT, 1 Secondary PAN/MNT and 1 PSN. But still, 1 PSN is not enough because you need redundancy for authentication.

-Running 3495 servers + 2 personas is NOT a good combination, I have seen performance issues so it is much better to run at least 3595.

-At the end, you need minimum 4 appliances or VM's.

0 Helpful

Michael Bartholomæussen
Level 1
Level 1
In response to ajc

‎03-22-2018 12:14 AM

I've made this topology of our new ISE deployment. I'll be happy to receive any comments or suggestions for better planning, since I've properly missed something. The PSN in the top is deployed, IF the redundant links towards the DC's i disconnected.

Preview file
115 KB
0 Helpful

paul46
Level 1
Level 1
In response to Michael Bartholomæussen

‎03-25-2018 05:18 PM

Primary PAN+MnT and Secondary PAN+MnT with 3 x PSNs looks good

 

I would put all three PSNs in a nodegroup to provide redudancy

 

happy to receive feedback on my thoughts

0 Helpful
Customers Also Viewed These Support Documents