This chapter covers the following topics:
Configuring ISE nodes in a distributed environment
Understanding the HA options available
Using load balancers
IOS load balancing
Maintaining ISE deployments
Chapter 5, “Making Sense of the ISE Deployment Design Options,” discussed the many options within ISE design. At this point, you should have an idea of which type of deployment will be the best fit for your environment, based on the number of concurrent endpoints and the number of Policy Service Nodes (PSN) that will be used in the deployment. This chapter focuses on the configuration steps required to deploy ISE in a distributed design. It also covers the basics of using a load balancer and includes a special bonus section on a very cool high-availability (HA) configuration that uses Anycast routing, and covers patching distributed ISE deployments.
Configuring ISE Nodes in a Distributed Environment
All ISE nodes are installed in a standalone mode by default. When in a standalone mode, the ISE node is configured to run all personas by default. That means that the standalone node runs Administration, Monitoring, and Policy Service personas. Also, all ISE standalone nodes are configured as their own root certificate authority (CA).
It is up to you, the ISE administrator, to promote the first node to be a primary administration node and then join the additional nodes to this new deployment. At the time of joining, you also determine which services will run on which nodes; in other words, you determine which persona the node will have.
You can join more than one ISE node together to create a multinode deployment, known commonly in the field as an ISE cube. It is important to understand that before any ISE nodes can be joined together, they must trust each other’s administrative certificate. Without that trust, you will receive a communication error stating that the “node was unreachable,” but the root cause is the lack of trust.
This is similar to connecting to a secure website whose certificate is not trusted: you would see an SSL error in your web browser. The node-to-node case is the same, only the trust check happens in the Transport Layer Security (TLS) session between the ISE nodes.
If you are still using the default self-signed certificates in ISE, you must import the public certificate of each ISE node into every other ISE node’s Administration > System > Certificates > Trusted Certificates screen. Because the certificates are all self-signed (and therefore untrusted), each ISE node needs to trust the primary node, and the primary node needs to trust each of the other nodes.
Instead of dealing with all this public key import for these self-signed certificates, the best practice is to always use certificates issued from the same trusted source. In that case, only the root certificates need to be added to the Trusted Certificates list.
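The trust requirement just described, as an added illustration that is not part of the chapter or of ISE itself: the openssl command line stands in for the TLS check one node performs on another node’s administrative certificate, first with the default self-signed certificates and then with certificates issued from one root CA. The node names are the chapter’s lab hosts; the example.com domain, the “Lab Root CA” name and the file layout are constructed for this example.

```shell
#!/bin/sh
# Added example (not ISE tooling): models node-to-node certificate trust with openssl.
# Node names are the chapter's lab hosts; the example.com domain and CA name are constructed.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# A standalone ISE node ships with a self-signed admin certificate; model one per node.
self_signed() {   # $1 = node hostname
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=$1.example.com" \
    -keyout "$1.key" -out "$1.pem" >/dev/null 2>&1
}

# Best practice: issue every node's admin certificate from one trusted root CA.
ca_issued() {     # $1 = node hostname; expects root.pem / root.key to exist
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1.example.com" \
    -keyout "$1-ca.key" -out "$1.csr" >/dev/null 2>&1
  openssl x509 -req -in "$1.csr" -CA root.pem -CAkey root.key -CAcreateserial \
    -days 365 -out "$1-ca.pem" >/dev/null 2>&1
}

# Stand-in for the TLS trust decision: does certificate $2 chain to an anchor in store $1?
check() {         # prints "trusted" or "untrusted"
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then echo trusted; else echo untrusted; fi
}

self_signed atw-ise244
self_signed atw-ise245
openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=Lab Root CA" \
  -keyout root.key -out root.pem >/dev/null 2>&1
ca_issued atw-ise244
ca_issued atw-ise245

# Case 1: self-signed. atw-ise244's Trusted Certificates store holds only its own cert,
# so atw-ise245's admin cert is rejected ("node was unreachable") until it is imported.
echo "self-signed, before import: $(check atw-ise244.pem atw-ise245.pem)"
cat atw-ise244.pem atw-ise245.pem > store-after-import.pem
echo "self-signed, after import:  $(check store-after-import.pem atw-ise245.pem)"

# Case 2: CA-issued. With only the root in the store, every node's cert is trusted,
# so nothing has to be imported per node.
echo "CA-issued, root only (244): $(check root.pem atw-ise244-ca.pem)"
echo "CA-issued, root only (245): $(check root.pem atw-ise245-ca.pem)"
```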
Make the Policy Administration Node a Primary Device
Because all ISE nodes are standalone by default, you must first promote the ISE node that will become the Primary Policy Administration Node (PAN) to be a primary device instead of a standalone.
From the ISE GUI, perform the following steps:
Step 1. Choose Administration > System > Deployment. Figure 18-1 shows an example of the Deployment screen.
Figure 18-1 Deployment Screen
Step 2. Select the ISE node (there should only be one at this point).
Step 3. Click the Make Primary button, as shown in Figure 18-2.
Figure 18-2 Make Primary Button
Step 4. At this point, the Monitoring and Policy Service check boxes on the left have become selectable. If the primary node will not also be providing any of these services, uncheck them now. (You can always return later and make changes.)
Step 5. Click Save.
After saving the changes, the ISE application restarts itself. This is a necessary process, as the sync services are started and the node prepares itself to handle all the responsibilities of the primary PAN persona. Once the application server has restarted, reconnect to the GUI, log in again, and proceed to the next section.
Example 18-1 show application status ise Command Output
atw-ise245/admin# show application status ise

ISE PROCESS NAME                       STATE            PROCESS ID
--------------------------------------------------------------------
Database Listener                      running          5851
Database Server                        running          75 PROCESSES
Application Server                     initializing
Profiler Database                      running          6975
ISE Indexing Engine                    running          1821
AD Connector                           running          10338
M&T Session Database                   running          1373
M&T Log Collector                      running          2313
M&T Log Processor                      running          2219
Certificate Authority Service          disabled
EST Service                            disabled
SXP Engine Service                     disabled
TC-NAC Docker Service                  disabled
TC-NAC MongoDB Container               disabled
TC-NAC RabbitMQ Container              disabled
TC-NAC Core Engine Container           disabled
VA Database                            disabled
VA Service                             disabled
pxGrid Infrastructure Service          disabled
pxGrid Publisher Subscriber Service    disabled
pxGrid Connection Manager              disabled
pxGrid Controller                      disabled
PassiveID Service                      disabled
DHCP Server (dhcpd)                    disabled
DNS Server (named)                     disabled

atw-ise245/admin#
Register an ISE Node to the Deployment
Now that there is a primary PAN, you can implement a multinode deployment. From the GUI on the primary PAN, you will register and assign personas to all ISE nodes.
From the ISE GUI on the primary PAN, perform the following steps:
Step 1. Choose Administration > System > Deployment.
Step 2. Choose Register > Register an ISE Node, as shown in Figure 18-3.
Figure 18-3 Choosing to Register an ISE Node
Step 3. In the Host FQDN field, enter the IP address or DNS name of the first ISE node you will be joining to the deployment, as shown in Figure 18-4.
Figure 18-4 Specifying Hostname and Credentials
Step 4. In the User Name and Password fields, enter the administrator name (admin by default) and password.
Step 5. Click Next.
Step 6. On the Configure Node screen, shown in Figure 18-5, you can pick the main persona of the ISE node and choose whether to enable profiling services. You cannot, however, choose which probes to enable yet. Choose the persona for this node. Figure 18-5 shows adding a secondary Administration and Monitoring node, while Figure 18-6 shows adding a Policy Service Node.
Figure 18-5 Configure Node Screen Secondary Admin and MnT Addition
Figure 18-6 Configure Node Screen Policy Service Node Addition
Step 7. Click Submit. At this point, the Policy Administration Node syncs the entire database to the newly joined ISE node, as you can see in Figure 18-7.
Figure 18-7 Sync Initiated
Step 8. Repeat these steps for all the ISE nodes that should be joined to the same deployment.
Ensure the Persona of All Nodes Is Accurate
Now that all of your ISE nodes are joined to the deployment, you can ensure that the correct personas are assigned to the appropriate ISE nodes. Table 18-1 shows the ISE nodes in the sample deployment and the associated persona(s) that will be assigned. Figure 18-8 shows the final Deployment screen, after the synchronization has completed for all nodes (a check mark in the Node Status column indicates a node that is healthy and in sync).
Figure 18-8 Final Personas and Roles
Table 18-1 ISE Nodes and Personas
ISE Node   | Persona
atw-ise244 | Administration, Monitoring
atw-ise245 | Administration, Monitoring
atw-ise246 | Policy Service
atw-ise247 | Policy Service