Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
860
Views
0
Helpful
3
Replies

Cisco ISE PSN multicast

ranjithkumarp
Level 1
Level 1

‎05-27-2014 11:11 AM - edited ‎03-10-2019 09:45 PM

Hi

Need to get information regarding Cisco ISE PSN deployment,

  • How PSN will be synchronizing using a multicast IP address? lets take an scenario, where i have 4 PSN and connected to Cisco switch 3560. what configuration changes are required in Cisco switch?
  • Lets take another scenario that we have 2 nexus switches in 2 separate DC like SW-1 in DC-1 and SW-2 in DC-2. SW-1 and SW-2 are in VSS mode. 2 PSN connecting in SW-1 and 2 PSN connecting in SW-2. can we maintain a single node group?

 

with regards,

RK

 

Labels:
0 Helpful
3 Replies 3

nspasov
Cisco Employee
Cisco Employee

‎05-27-2014 11:27 AM

The node group is used by PSNs to synchronize the sessions' states only. This becomes useful when a PSN fails and an endpoint and/or user was in the middle of an authentication session. The other node(s) in the group would detect the PSN failure and reset any pending sessions.

Configuration/database synchronization is completely different and is done between the Admin node to the PSNs and it has nothing to do with the PSN node groups. 

For your last question: The PSNs must be layer 2 adjacent before they can be placed in a node group. On the other hand, the NADs (Switches, routers, ASAs) can be in different l2/l3 domains. 

I hope this answers your questions. 

 

Thank you for rating helpful posts!

0 Helpful

ranjithkumarp
Level 1
Level 1
In response to nspasov

‎05-27-2014 01:40 PM

Hi There,

 

I think the word replication has triggered a different angle to the question. i understand the theory of node group but in the requirement of multicast, they have just mentioned that it should be L2 adjacent (i.e) in same vlan and same switch.

if multicast traffic should pass through the switch then we need to perform some configuration in switch. By default multicast is enabled in Cisco switches, but no multicast router will be configured. if the application doesn't depend on external multicast router to pass this multicast traffic then default setting is enough. if the application is depends on external multicast router then this should be configured.

if you are seeing the first question, it queries about the configuration requirement in switches to enable multicast between the PSN's in single node group which are connected to same switch and same vlan.

second question queries, in case of Nexus switch in VSS mode, switch behaves as same switch and same vlan will be available. whether single node group in same vlan can be spread across two different nexes switch in VSS mode?

 

hope the queries are crystal clear. please let me know the answers.

 

thanks for the time and effort.

 

with regards,

RK

0 Helpful

nspasov
Cisco Employee
Cisco Employee
In response to ranjithkumarp

‎05-27-2014 02:14 PM

No special multicast configurations are needed on the switch/switches where the PSNs connect. The key here is the layer 2 adjacency. If the devices are in the same l2 domain then all broadcast and multicast traffic would flow/flood the domain. So no special multicast configurations needed.

For question number 2: Nexus switches do not support VSS but that is a different topic :) Nonetheless, if you are using vPC (Nexus) or VSS (Catalyst) then the same rules would apply. As long as the PSN nodes are l2 adjacent the multicast traffic would flow/flood without a problem within the L2 domain. 

Hope this clarifies things a bit

 

Thank you for rating helpful posts!

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents