Participant

ISE Distributed Deployment

Hi All,

We have a primary and secondary HQ in the UK and then large branch offices in the US and Europe. Total users is ~2500.

What we are looking to do is deploy a primary admin, monitoring and policy services node in HQ1, a secondary admin, monitoring and policy services node in HQ2 and then a policy services node in the US and Europe. Is this deployment supported? I have read the documentation for distributed deployments and it suggests having separate policy services nodes for all sites, however, I'm not sure if this is required in all scenarios such as ours.

Can anyone please assist?

Accepted Solutions
Cisco Employee

Hi,

Ideally the setup should work over a WAN link. Just ensure network settings and low latency in the environment.

Please rate as correct if it helps!!!

Regards

Gagan

5 REPLIES
Cisco Employee

Hi,

We recommend that you make all PSNs in the same local network part of the same node group. PSNs need not be part of a load-balanced cluster to join the same node group. However, each local PSN in a load-balanced cluster should typically be part of the same node group.

For reference:

http://www.cisco.com/c/en/us/td/docs/security/ise/1-3/admin_guide/b_ise_admin_guide_13/b_ise_admin_guide_sample_chapter_011.html#ID513

Regards

Gagan

PS: rate if it helps!!!!

Participant

Hi,

Thanks for the reply. I'm only looking to deploy a single PSN in each location so I don't think I need to create node groups, correct?

I just need to confirm for the HQ sites if we can have single VMs running the Admin/Monitoring/PSN services (HQ1 primary and HQ2 secondary) and then just PSN nodes in the US and European regions?

Many thanks

Contributor

Hi,

Officially, a distributed deployment with more than two PSNs (residing on the same servers as the primary and secondary PAN/MNT roles) is not a supported design. With only 2500 users, you likely do not need 4 PSNs anyway. I would recommend just having your two PAN/MNT servers, and deploying a VM PSN in the US and Europe as you intend today. The PSN roles on the PAN/MNTs are not necessary unless they are going to be at a location that may need a local PSN.

So, if you're only looking at needing 2 PSNs, I would have four total servers: 2xPAN/MNT, and 2xPSN (1 in US, 1 in Europe).

Take a look at BRKSEC-3699 on Cisco Live 365. It gives a great overview of the recommended designs. 

https://www.ciscolive.com/online/connect/sessionDetail.ww?SESSION_ID=90923&backBtn=true

HTH,

Ryan

Beginner

Hi Will, I would like to do the same as you described. Have you already changed to this distributed deployment? Does it work?

Are additional licenses needed?

BR Marcus