Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
342
Views
0
Helpful
3
Replies

installing 2 x Virtual ISE in redundancy

Go to solution
hashimwajid1
Level 3
Level 3

‎04-09-2019 05:09 AM

Hi 

 

can we achieve ISE redundancy with 2 Virtual ISE installing on VMware. even if one goes down then other should become active ?

 

Thanks

 

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Damien Miller
VIP Alumni
VIP Alumni

‎04-09-2019 06:22 AM

Yes, you can certainly do this and it's probably the most common way to deploy ISE.  The same HA is done if you are using SNS hardware appliances or virtual machines.  If you deploy two nodes, those two nodes will both host the admin, monitoring, and policy service personas.  Both VM's will service radius requests in an active/active fashion where if the NADs are configured for both IP's as radius servers then even if one is down they will process requests.

 

I recommend reading these two sections of the ISE admin guide.

Introduction:
https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/admin_guide/b_ise_admin_guide_24.html

Set up ISE in a Distributed Environment:
https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/admin_guide/b_ise_admin_guide_24/b_ise_admin_guide_24_new_chapter_011.html

View solution in original post

0 Helpful
3 Replies 3

Go to solution
Damien Miller
VIP Alumni
VIP Alumni

‎04-09-2019 06:22 AM

Yes, you can certainly do this and it's probably the most common way to deploy ISE.  The same HA is done if you are using SNS hardware appliances or virtual machines.  If you deploy two nodes, those two nodes will both host the admin, monitoring, and policy service personas.  Both VM's will service radius requests in an active/active fashion where if the NADs are configured for both IP's as radius servers then even if one is down they will process requests.

 

I recommend reading these two sections of the ISE admin guide.

Introduction:
https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/admin_guide/b_ise_admin_guide_24.html

Set up ISE in a Distributed Environment:
https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/admin_guide/b_ise_admin_guide_24/b_ise_admin_guide_24_new_chapter_011.html

0 Helpful

Go to solution
Nadav
Level 7
Level 7

‎04-09-2019 08:58 AM

Just to be clear, redundancy can exist:

 

1) Between two admin personas (either cold standy, or hot standby via automatic PAN failover)

2) Two MNT personas (hot standby, if the primary one fails after a few minutes the PAN works directly with the secondary MNT)

3) Multiple PSNs are always active-active

 

 

 

 

0 Helpful

Go to solution
Jason Kunst
Cisco Employee
Cisco Employee
In response to Nadav

‎04-09-2019 10:11 AM

Would recommend looking at the cisco lives for ISE performance scale https://community.cisco.com/t5/security-documents/ise-performance-amp-scale/ta-p/3642148#toc-hId-1049457416

0 Helpful
Customers Also Viewed These Support Documents