ISE3.2 | primary PAN and secondary PAN on different sites

Alex Wu
Level 1

Hi Team,

I am new to ISE. I have some thoughts, and I don't know if the deployment below works:

1) ISE1 on SiteA, managing devices on SiteA 

2) ISE2 on SiteB, managing devices on SiteB

3) VPN tunnel between SiteA and SiteB; ISE1 and ISE2 can communicate with each other.

Questions:

Can I enable ISE1 as the primary PAN (ISE1 still manages devices on SiteA) and ISE2 as the secondary PAN (ISE2 still manages devices on SiteB)?

Thanks.

Accepted Solution

balaji.bandi
Hall of Fame

I take "managing devices" to mean end devices, right?

If you have a 2-node deployment, you have the PSN on the same appliance, which manages the devices.

Yes, you can configure the devices to connect to the local PSN, the respective PSN of each site.

But for the PAN, you can only have one to manage both PSNs for policies.

You need to check the latency requirement between the PANs for this to work as expected.

300 ms of RTT is the maximum acceptable latency between the PSN and the PAN/MnT nodes for a distributed environment.

Check the guide below:

https://www.ciscolive.com/c/dam/r/ciscolive/us/docs/2020/pdf/DGTL-BRKSEC-3432-reference.pdf


BB

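To make the "connect the devices to the local PSN" advice above concrete, here is an added example (not from the original post or from Cisco) of the RADIUS configuration on a Cisco IOS-XE access switch at SiteB: the switch tries its local PSN (ISE2) first and only falls back to the SiteA PSN (ISE1) across the VPN when the local node is marked dead, while the single Primary PAN still pushes the same policy set to both PSNs. The IP addresses, server and group names, VLAN interface, shared secret and probe username are assumed placeholders.

```cisco
! Added example, not from the thread: SiteB switch pointing at the local PSN first.
! 10.2.0.10 (ISE2, SiteB) and 10.1.0.10 (ISE1, SiteA) are assumed addresses;
! the shared secret and probe user are placeholders.
aaa new-model
!
! Local PSN at SiteB (ISE2)
radius server ISE2-SITEB-PSN
 address ipv4 10.2.0.10 auth-port 1812 acct-port 1813
 key Replace-With-Shared-Secret
 automate-tester username radius-probe ignore-acct-port idle-time 5
!
! Remote PSN at SiteA (ISE1), reached over the site-to-site VPN
radius server ISE1-SITEA-PSN
 address ipv4 10.1.0.10 auth-port 1812 acct-port 1813
 key Replace-With-Shared-Secret
 automate-tester username radius-probe ignore-acct-port idle-time 5
!
! Servers are used in the order listed: local PSN first, remote PSN only as fallback
aaa group server radius ISE-SITEB-LOCAL-FIRST
 server name ISE2-SITEB-PSN
 server name ISE1-SITEA-PSN
 ip radius source-interface Vlan10
!
! Mark a PSN dead after 3 unanswered requests within 5 seconds and skip it for 15 minutes,
! so a failed VPN or a rebooting node does not stall every 802.1X authentication
radius-server dead-criteria time 5 tries 3
radius-server deadtime 15
!
aaa authentication dot1x default group ISE-SITEB-LOCAL-FIRST
aaa authorization network default group ISE-SITEB-LOCAL-FIRST
aaa accounting dot1x default start-stop group ISE-SITEB-LOCAL-FIRST
!
! Accept Change of Authorization from either PSN, since the PAN may push policy through both
aaa server radius dynamic-author
 client 10.2.0.10 server-key Replace-With-Shared-Secret
 client 10.1.0.10 server-key Replace-With-Shared-Secret
```

The SiteA switches get the mirror image (ISE1 listed first, ISE2 second). Both switches must be added as network devices on the Primary PAN with the same shared secret, and the automate-tester probe only proves the PSN answers RADIUS; it does not check the PAN-to-PSN replication latency, which still needs to be measured separately against the 300 ms RTT limit.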

4 Replies


Alex Wu
Level 1

Device management is one of the goals.

I want to make full use of ISE's features.


@Alex Wu in an ISE cluster you can only use the Primary PAN for administration, the secondary PAN can be promoted if the Primary PAN fails. If both nodes run the PSN role, they can both authenticate sessions.

If you want independent administration, run two clusters or standalone ISE nodes.

thomas
Cisco Employee

As an ISE newbie, you will benefit from our ISE Webinars which are archived on the CiscoISE YouTube channel.

Your question and many other topics are covered in our ISE Webinar:

ISE Deployment Architectures: Nodes, Services and Scale 2022-01-13

01:46 ISE Provides Zero Trust for the Workplace
04:19 ISE Nodes: Appliances, VMs, Cloud
07:50 Free, 90-day ISE Evaluation Licenses with every installation
08:56 ISE Personas: PAN, MNT, PSN, PXG
14:06 ISE Personas Example Flow
16:44 ISE Deployment: Standalone ISE Node
17:59 ISE Deployment: Small
19:01 ISE Deployment: Small 3 Node
20:33 ISE Deployment: Medium and Multiple Regions
22:43 ISE Deployment: Medium to Large
23:40 ISE Deployment: Large
25:30 Centralized or Distributed Deployments
28:00 Primary PAN Operations
29:31 Personas & Services
31:00 PSN Profiling Probes
38:00 ISE Inter-Node Communications
38:36 ISE Platforms: Appliances & VMs
39:58 ISE Platforms: AWS EC2 Instance Types
41:10 Zero Touch Provisioning
42:46 Appliance vs VM vs Cloud
49:50 ISE Performance and Scale
51:28 Maximum Concurrent Active Endpoints
53:07 Steady State vs Peak Demand
55:55 Multiple ISE Deployments
59:19 Other Scaling Considerations
1:00:21 Deployment Automation
1:00:58 ISE Policy & Lifecycle APIs