Buy or Renew
Buy or Renew
Register Here! - Join us 11/13 for the "Navigating DHCP Processes in SD-Access Network" Community Live event
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1446
Views
5
Helpful
2
Replies

Multiple DNA Centers with a distributed ISE or not

Go to solution
rusbaker
Level 1
Level 1

‎01-28-2020 02:06 AM

All,

 

I'm looking at a deployment of SD-Access in three countries so will need 2 to 3 DNA Centres due to the distances involved, is it possible to have them all talking to a distributed ISE solution for consistency on polices etc.. or will I have to look at regional ISE deployments instead? 

 

 

Thanks Russ 

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Dan Rowe
Cisco Employee
Cisco Employee

‎01-29-2020 12:49 PM

We aim to have multi-DNAC to single ISE capability in release codenamed Wolverine which will be DNAC version 1.5. Once available, we expect to be able to support up to 4 separate DNA clusters by 1 ISE server. Please reach out to your account team if you would like to get involved in the canary / EFT program for DNAC version 1.5.

View solution in original post

0 Helpful
2 Replies 2

Go to solution
Mike.Cifelli
VIP Alumni
VIP Alumni

‎01-28-2020 06:40 AM

You should definitely get with your reps so that they can assist you with the design. A few things you will want to consider/know based on my experiences:
-For a DNAC cluster you must run 3 nodes
-The latency RTT (round-trip-time) between Cisco DNA Center and the network devices it manages must be taken into consideration. The optimal RTT should be less than 100 milliseconds to achieve optimal performance. Latency RTT of up to 200ms is support.
-As far as an ISE solution, this will definitely depend on what you plan to accomplish from a feature perspective & how many NADs/endpoints you will manage across your locations. For ISE info, this link is usually updated and should answer many concerns: https://community.cisco.com/t5/security-documents/ise-performance-amp-scale/ta-p/3642148#toc-hId-1185499862
-You will probably want to have your ISE PANs near the DNAC cluster, with however many PSNs you require to support your numbers at the remote locations.
-Since it sounds like you will span across WANs you are going to need to determine how you intend on extending your SDA. Options include: IP transit (heavy on manual bgp peering config etc); VXLAN extension (based on what I know not recommended unless you own the dedicated links); SD-WAN (which has several components itself; benefit is you can use a variety of transport means)
-If needing to split management, you would consider multiple fabrics, instead of one fabric with multiple sites.

Go to solution
Dan Rowe
Cisco Employee
Cisco Employee

‎01-29-2020 12:49 PM

We aim to have multi-DNAC to single ISE capability in release codenamed Wolverine which will be DNAC version 1.5. Once available, we expect to be able to support up to 4 separate DNA clusters by 1 ISE server. Please reach out to your account team if you would like to get involved in the canary / EFT program for DNAC version 1.5.
0 Helpful
Customers Also Viewed These Support Documents