
CISCO ISE Software


Overview of Multiple Catalyst Center Integration

When you integrate more than one Catalyst Center cluster with a single Cisco ISE system, each Catalyst Center cluster is independent. No information is shared from any one cluster to any other. In this scenario, when Cisco Software-Defined Access (SD-Access) is deployed on Catalyst Center, the set of virtual networks (VNs) and all other SD-Access data is local to each cluster.
Catalyst Center provides a mechanism to coordinate SD-Access and Group-Based Policy (GBP) elements across multiple Catalyst Center clusters integrated with a single Cisco ISE system. In order to allow global administration of SD-Access across multiple Catalyst Center clusters with a consistent set of VNs, the Multiple Catalyst Center feature leverages the existing secure connection with Cisco ISE to propagate VNs, security group tags (SGTs), Access Contracts, and Group-Based Access Control (GBAC) Policy from one cluster to another cluster. Cisco ISE takes the information learned from one cluster (known as the Author Node) and propagates it to the other clusters (known as the Reader Nodes).
The Multiple Catalyst Center feature is available when integrated with Cisco ISE Release 3.2 or later.


Note

  • The Multiple Catalyst Center operation is disabled by default. To use this feature, select the Enable Multiple Catalyst Center operation (under Advanced Settings) when integrating Catalyst Center with Cisco ISE. You can enable this feature at the initial configuration or at a later time (after Cisco ISE is already integrated). After this functionality is enabled, only deleting the Cisco ISE integration can disable the functionality.
  • If you are using earlier releases of Cisco ISE, you must contact your account team to submit a request to the Cisco SDA Design Council for inclusion in the Limited Availability program. A Multiple Catalyst Center Limited Availability package will be provided to allow access to the limited availability (LA) version of this functionality. See the Multiple Cisco DNA Center to Single Cisco ISE Prescriptive Deployment Guide for more information.

The Multiple Catalyst Center feature has specific role designations for the clusters:

  • Author Node cluster
  • Reader Node cluster

Author Node cluster

  • The Author Node role is assigned to the first cluster (with the Multiple Catalyst Center option enabled) that integrates with the Cisco ISE deployment, or to the first cluster on which the Multiple Catalyst Center option is enabled. The Author Node cluster is the administration point for Group-Based Policy (GBP) and Cisco SD-Access global data. The Author Node cluster manages VNs, SGTs, Access Contracts, and GBAC Policy. Creating, modifying, or deleting VN and GBP elements can only be done on the Author Node cluster.
  • The Author Node cluster pushes VN and GBP information to Cisco ISE through the ERS (REST) API. Cisco ISE uses this information and publishes it to the other Cisco Catalyst Center clusters in the Reader Node role through Cisco ISE pxGrid.
  • Only one cluster can be designated as the Author Node. It is the only node that can manage GBP and user-defined global SDA data (such as VNs or extranet policies).
  • SGTs and VNs that are in use on the Author Node cannot be deleted.

Reader Node cluster

  • All other Catalyst Center clusters that enable the Multiple Catalyst Center feature are assigned the Reader Node cluster role. Reader Node clusters have a read-only view of the VNs and SGTs.
  • Although Reader Node clusters consume and retain the VNs, SGTs, Access Contracts, and GBAC Policies defined on the Author Node cluster, Reader Node clusters do not display the Access Contracts and policies.
  • VNs can only be created on the Author Node cluster. After they are created, they are propagated to the Reader Node clusters, where they may be used in fabric provisioning operations. The Reader Node clusters configure the associated network attributes such as Virtual Network Identifiers (VNID), Route Targets (RT), and Route Distinguishers (RD), which are local to that cluster.
  • Apart from the VN and GBP elements, each Reader Node cluster is an independent cluster that manages its own network configuration.
  • The Multiple Catalyst Center feature enables global policy management across multiple Cisco Catalyst Center clusters integrated with a single Cisco ISE. This capability does not change the constraints of managing virtual networks and fabrics across multiple Cisco Catalyst Center clusters. A VN has the same name across the multiple Cisco Catalyst Center clusters, which allows it to support the same VN-to-security-group associations across the clusters. However, at the individual cluster level, the physical network attributes associated with the VN (VRF, route target, route distinguisher, and so on) are not consistent across clusters. This is the same as when managing independent Catalyst Center clusters.
  • Up to four Catalyst Center clusters can be added as Reader Node clusters. Before adding a Catalyst Center node as a Reader, you must remove all admin-created Cisco SD-Access global data on the Reader Node cluster for Catalyst Center to integrate with Cisco ISE. This includes nondefault VNs (any VNs other than “DEFAULT_VN” and “INFRA_VN”), Extranet Policy, and so on. In the event there is any nondefault GBP data (SGTs, Access Contracts, GBP), the user has the option to automatically clean up (delete) all nondefault GBP data, or to merge any GBP data not already present in Cisco ISE.

Note

  • Only five Catalyst Center clusters can be integrated with a single Cisco ISE deployment. This means one Author Node cluster and up to four Reader Node clusters.
  • It’s possible to delete SGTs or VNs on the Author Node even when they are in use on Reader Nodes. In that event, the stale SGTs or VNs must be deleted manually on the Reader Nodes (after removing any references).

Multiple Catalyst Center policy management

After Catalyst Center is integrated with Cisco ISE and GBP synchronization has been performed, policy information is exchanged between Catalyst Center and Cisco ISE. Policy authoring rights are held in Catalyst Center. The Cisco ISE windows for managing SGTs, Security Group ACLs (SGACLs), and Egress Policy become read-only.
You can choose to manage group-based policy (Security Groups, Access Contracts, and GBAC Policy) in Cisco ISE instead of in Catalyst Center.
In the Catalyst Center GUI, click the menu icon and choose Policy > Group-Based Access Control > Policies > GBAC Configuration > Manage Group-Based Access Control in Cisco ISE.

Upgrade recommendations for Multiple Catalyst Center

In a Multiple Catalyst Center environment, it is recommended to run the same Catalyst Center software version across the Author and Reader Node clusters, except during a cluster upgrade operation. You can upgrade the Reader Node clusters first and then upgrade the Author Node cluster, so that features and feature compatibility do not differ across software versions. Avoid promoting a Reader Node cluster to the Author Node role in the middle of an upgrade cycle. All Catalyst Center clusters must be upgraded and running the same software version before a Reader Node cluster is promoted.
Figure 1: Upgrade recommendations for Multiple Catalyst Center

The basic functionality of the Multiple Catalyst Center feature does not require the same software version in all the participating Author and Reader Node clusters. However, using mismatched code versions may result in a difference in fixes, capabilities, and features between the clusters. The same Catalyst Center software version is recommended across all Author and Reader Node clusters.

Multiple Catalyst Center deployments

There are two Multiple Catalyst Center deployment options:

  • A new deployment of multiple Catalyst Center clusters that are not currently integrated with Cisco ISE.
  • An existing Catalyst Center cluster that is integrated with Cisco ISE, plus new additional Catalyst Center clusters without Cisco ISE integration.

Enable Multiple Catalyst Center

The Multiple Catalyst Center cluster operation is disabled by default. It can be enabled during, or after, the integration with Cisco ISE. After Multiple Catalyst Center is enabled, the only way to disable it is to remove the Cisco ISE integration entirely.
The Multiple Catalyst Center operation requires pxGrid functionality. You can’t disable pxGrid after enabling Multiple Catalyst Center.

Procedure

  1. Step 1 In the Catalyst Center GUI, click the menu icon and choose System > Settings > Authentication and Policy Servers.
  2. Step 2 Add Cisco ISE.
  3. Step 3 Enter the required Cisco ISE information. For information, see Catalyst Center and Cisco ISE integration.
  4. Step 4 Choose System > Settings > Authentication and Policy Servers > Add > ISE > Advanced Settings.
    Enabling Advanced Settings displays several advanced options, including the option that enables Multiple Catalyst Center operation.
  5. Step 5 Enable the Multiple Catalyst Center Operation option.
  6. Step 6 (Optional) If you are editing an existing Cisco ISE integration, re-enter the Cisco ISE admin password.
  7. Step 7 Click Add.

Integrating Multiple Catalyst Center with a single Cisco ISE
This is a requirement when integrating Catalyst Center with Cisco ISE for the first time. For information, see Catalyst Center and Cisco ISE integration.

Before you begin
When Catalyst Center is already integrated with Cisco ISE, complete the following steps to reintegrate Catalyst
Center and Cisco ISE after enabling the Multiple Catalyst Center operation. This allows Catalyst Center to negotiate the Author or Reader Node cluster role based on whether it’s a first node or subsequent node joining Cisco ISE with the Multiple Catalyst Center feature enabled.

Procedure

  1. Step 1 In the Catalyst Center GUI, click the menu icon and choose System > Settings > Authentication and Policy Servers.
  2. Step 2 In the Actions column, hover your cursor over the ellipsis icon and choose Edit.
  3. Step 3 Choose System > Settings > Authentication and Policy Servers > Add > ISE > Advanced Settings.
  4. Step 4 Enable the Multiple Catalyst Center Operation option.
  5. Step 5 Enter the Cisco ISE Admin password again.
  6. Step 6 Click Add. Catalyst Center negotiates the Author Node role with Cisco ISE.
    • If the status of the configured Cisco ISE server displays “FAILED” because of a password change, click Retry, and update the password to resynchronize the Cisco ISE connectivity.
    • The status of the integration can be seen in the slide-in pane. Ensure that the integration Status displays as Active in the Authentication and Policy Server window.
  7. Step 7 To verify the negotiated role of the cluster as the Author Node, choose System > Settings > System Configuration > Multiple Catalyst Center Settings.

Integrating additional Catalyst Center clusters with Cisco ISE as Reader Nodes

To integrate subsequent Catalyst Center clusters with the same Cisco ISE that already has Multiple Catalyst Center enabled, the Catalyst Center cluster must not contain any nondefault VNs (any VN other than "DEFAULT_VN" and "INFRA_VN").

Before you begin
Verify that the cluster that you want to integrate includes only the default VNs under Policy > Virtual Network.

Procedure

  1. Step 1 In the Catalyst Center GUI, click the menu icon and choose System > Settings > Authentication and Policy Servers.
  2. Step 2 Click Add and choose ISE.
  3. Step 3 Enter the required Cisco ISE information. See Catalyst Center and Cisco ISE integration.
  4. Step 4 Choose System > Settings > Authentication and Policy Servers > Add > ISE > Advanced Settings.
  5. Step 5 Enable the Multiple Catalyst Center Operation option.
  6. Step 6 Click Add.
  7. Step 7 (Optional) When integrating the cluster with Cisco ISE for the first time, click Accept in the slide-in pane for Catalyst Center to accept the certificate pushed by Cisco ISE. Close the slide-in pane.
  8. Step 8 In the Authentication and Policy Server window, verify that the status of the integration displays as Active.

Deleting a virtual network

The Author Node cluster is not aware of Virtual Network (VN) usage on the Reader Node clusters. You must remove all references to a VN on all Reader Node clusters before attempting to delete that VN on the Author Node cluster. If you delete a VN on the Author Node cluster, the VN is deleted on the Author Node and on the Reader Node clusters that have no references to it. However, if any of the Reader Nodes is using that VN, the status of that VN displays as Out of Sync with Author. You must remove all references to the VN on the Reader Node cluster (for example, the VN added to a fabric site, or a port assignment) and then proceed to delete that VN on the Reader Node cluster.

Deleting a security group

The Author Node cluster is not aware of security group usage on the Reader Node clusters. You must remove all references to the security group on all Reader Node clusters before attempting to delete that security group on the Author Node cluster. If you delete a security group on the Author Node cluster, the security group is deleted on the Author Node cluster, in Cisco ISE, and on the Reader Node clusters that have no references to it. If any of the Reader Node clusters is using that security group, the status of that security group displays as Out of Sync with Author. You must remove all references to the security group on the Reader Node cluster and then proceed to delete that security group on the Reader Node cluster.
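The deletion behaviour described in the two sections above (for VNs and for security groups) is easy to get wrong operationally, because the Author succeeds silently while the Reader is left holding a stale element. The following Python model is an added example, not Cisco code and not an API client; it treats Cisco ISE fan-out as a direct call and uses constructed cluster names, element names and reference labels. It also includes the Reader pre-check from the integration section (no VN other than DEFAULT_VN and INFRA_VN).

```python
from dataclasses import dataclass, field

# Constructed model of Author/Reader propagation. Status strings follow the guide's wording.
IN_SYNC = "In Sync"
OUT_OF_SYNC = "Out of Sync with Author"
DEFAULT_VNS = frozenset({"DEFAULT_VN", "INFRA_VN"})


@dataclass
class ReaderNode:
    """A Reader Node cluster: read-only copy of VNs and SGTs plus its own local references."""
    name: str
    elements: dict = field(default_factory=dict)    # (kind, name) -> sync status
    references: dict = field(default_factory=dict)  # (kind, name) -> set of local usages

    def add_reference(self, kind, name, usage):
        """Record a local usage, e.g. a VN added to a fabric site or a port assignment."""
        if (kind, name) not in self.elements:
            raise KeyError(f"{kind} {name} is not known on {self.name}")
        self.references.setdefault((kind, name), set()).add(usage)

    def remove_reference(self, kind, name, usage):
        refs = self.references.get((kind, name), set())
        refs.discard(usage)
        if not refs:
            self.references.pop((kind, name), None)

    def in_use(self, kind, name):
        return bool(self.references.get((kind, name)))

    def delete_locally(self, kind, name):
        """Reader-side cleanup of a stale element; allowed only once nothing references it."""
        if self.in_use(kind, name):
            refs = sorted(self.references[(kind, name)])
            raise RuntimeError(f"{kind} {name} is still referenced on {self.name}: {refs}")
        self.elements.pop((kind, name), None)

    def nondefault_vns(self):
        """Pre-check before joining as a Reader: any VN other than the defaults blocks integration."""
        return sorted(n for (k, n) in self.elements if k == "VN" and n not in DEFAULT_VNS)


@dataclass
class AuthorNode:
    """The single Author Node cluster. ISE/pxGrid propagation is modelled as a direct call."""
    elements: set = field(default_factory=set)
    readers: list = field(default_factory=list)

    def create(self, kind, name):
        self.elements.add((kind, name))
        for reader in self.readers:
            reader.elements[(kind, name)] = IN_SYNC

    def delete(self, kind, name):
        """The Author does not know about Reader usage, so the delete always succeeds here.
        Readers without references drop the element; Readers still using it keep a stale
        copy flagged Out of Sync with Author. Returns what happened on each Reader."""
        self.elements.discard((kind, name))
        outcome = {}
        for reader in self.readers:
            if (kind, name) not in reader.elements:
                continue
            if reader.in_use(kind, name):
                reader.elements[(kind, name)] = OUT_OF_SYNC
                outcome[reader.name] = OUT_OF_SYNC
            else:
                del reader.elements[(kind, name)]
                outcome[reader.name] = "deleted"
        return outcome


def demo():
    """Walk through the VN deletion scenario from the guide with constructed names."""
    reader_a, reader_b = ReaderNode("reader-a"), ReaderNode("reader-b")
    author = AuthorNode(readers=[reader_a, reader_b])
    author.create("VN", "CAMPUS_VN")
    reader_a.add_reference("VN", "CAMPUS_VN", "fabric-site:building-1")
    first_attempt = author.delete("VN", "CAMPUS_VN")   # reader-a keeps a stale copy
    reader_a.remove_reference("VN", "CAMPUS_VN", "fabric-site:building-1")
    reader_a.delete_locally("VN", "CAMPUS_VN")         # now allowed
    return first_attempt, ("VN", "CAMPUS_VN") in reader_a.elements


if __name__ == "__main__":
    print(demo())
```

The useful property to notice is that `AuthorNode.delete` never raises: the only signal that something is wrong is the Out of Sync status on the Reader, which is why the guide tells you to clear Reader references before deleting on the Author.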

Promoting Reader Nodes to the Author role
A Multiple Catalyst Center architecture of the Catalyst Center solution has multiple clusters, and only one cluster is the policy Author. At times the administrator may need to promote a Reader Node cluster to take over the role of the Author Node cluster. This promotion must be done when:

  • You are taking the Author Node cluster out of service or making it unavailable for an extended period of time.
  • The Author Node cluster is permanently unavailable or unresponsive for an extended period of time and policy changes are required during that time.

This promotion of a Reader Node to an Author Node can be done in two ways:

  1. Graceful Promotion of a Reader Node to the Author role.
  2. Force Promotion of a Reader Node to the Author role.

Graceful promotion of a Reader Node to the Author role
You can manually promote a Reader Node Catalyst Center cluster to the Author role when required in a Multiple Catalyst Center deployment. All Reader Node clusters have a Promote to Author button. You can promote a Reader Node cluster to Author Node while your Author Node cluster is still operational. However, do not start the promotion while the current Author Node cluster is in the middle of a group-based policy authoring operation (for example, while synchronizing policies with Cisco ISE). If the Author Node cluster is busy, the promotion operation is staged until the Author Node has completed its current processing.

Note

  • Upon graceful promotion of a Reader Node cluster to the Author Role, the Reader Node cluster initiates a request to Cisco ISE for a role change (Reader to Author).
  • When Cisco ISE receives the role change request, it requests the current Author Node to release the role of policy Author. The current Author node then releases the role of policy Author (if no sync in progress) and takes over the role of the Reader Node cluster.
  • The Reader Node that was selected for promotion assumes the role of the Author Node. Upon the Author and Reader role change, Cisco ISE updates the other Reader Node clusters about the new Author Node through a configuration update.

Procedure

  1. Step 1 On the Reader Node cluster, choose System > Settings > System Configuration > Multiple Cisco Catalyst Center Settings and verify the Author and Reader Nodes.
  2. Step 2 Click the Promote to Author button.
  3. Step 3 Click Continue to promote the node to the Author Role.

The transition process may take a few minutes.

Force promotion of a Reader Node to the Author role
Force promotion is a form of manual promotion that is required to promote the current Reader Node cluster to the Author Node role under these conditions:

  • The current Author Node cluster is out of service.
  • The current Author Node cluster is nonresponsive.
  • The graceful promotion of a Reader Node to the Author Role is taking more than 5 minutes.

Figure 3: Force promotion of a Reader Node to the Author role


Do not use the force promotion option while the existing Author Node cluster is in service with a GBP authoring activity, as this may result in data loss and the Author Node cluster going out of sync with Cisco ISE. Therefore, force promotion is only recommended if you must restore service immediately and you are willing to risk losing data. After the forced promotion, the promoted Reader Node cluster will become the new Author Node cluster for the deployment. When the former Author Node cluster becomes available, it will transition to a reader role and download the latest configuration data from Cisco ISE.
Upon initiating the promotion of a Reader Node cluster, the Reader Node cluster initiates a request to Cisco ISE for a Role change (in other words, Reader to Author). When Cisco ISE receives the role change request, it requests the current Author Node to release the role of policy Author.

If the current Author Node is unresponsive and if the administrator selects Force Promotion, the Reader Node cluster ACA initiates a request to force the change of the Reader Node cluster to the Author Role and vice versa immediately in Cisco ISE. This configuration update message is sent to all the nodes.
The steps to force promote a Reader Node cluster to Author Node cluster are exactly the same as explained in the graceful promotion of a Reader Node to the Author role section. There is an additional step at the end to initiate the Force Promotion function.
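The graceful and forced promotion flows described above differ in one decision: whether ISE waits for the current Author to release the role. The following Python state machine is an added example of that exchange (Reader request, ISE asking the Author to release, staging while a sync is in progress, forced swap, and the former Author returning as a Reader). It is a constructed model, not Cisco ISE or Catalyst Center code; cluster names and the `config_version` counter standing in for ISE's configuration update are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

AUTHOR, READER = "Author", "Reader"


@dataclass
class Cluster:
    """ISE's view of one Catalyst Center cluster (constructed model)."""
    name: str
    role: str = READER
    responsive: bool = True          # can the cluster be reached right now?
    sync_in_progress: bool = False   # is it mid GBP authoring / sync with ISE?
    config_version: int = 0          # last configuration update it received


class IseCoordinator:
    """Models Cisco ISE's part of the Author/Reader role change."""

    def __init__(self, clusters):
        self.clusters = {c.name: c for c in clusters}
        self.config_version = 0
        self.pending: Optional[str] = None   # reader whose graceful request is staged
        self.log = []

    def author(self) -> Optional[Cluster]:
        return next((c for c in self.clusters.values() if c.role == AUTHOR), None)

    def roles(self):
        return {name: c.role for name, c in self.clusters.items()}

    def _swap(self, new_author, old_author):
        """Apply the role change and push a configuration update to every reachable node."""
        if old_author is not None:
            old_author.role = READER
        new_author.role = AUTHOR
        self.config_version += 1
        for c in self.clusters.values():
            if c.responsive:
                c.config_version = self.config_version
        self.log.append(f"ISE -> all: config update v{self.config_version}, author={new_author.name}")

    def request_graceful_promotion(self, reader_name):
        """Reader asks for Reader->Author; ISE asks the current Author to release the role."""
        reader = self.clusters[reader_name]
        if reader.role == AUTHOR:
            return "already-author"
        current = self.author()
        self.log.append(f"{reader_name} -> ISE: role change Reader->Author")
        if current is None:
            self._swap(reader, None)
            return "promoted"
        self.log.append(f"ISE -> {current.name}: release Author role")
        if not current.responsive:
            self.pending = reader_name       # operator may fall back to force promotion
            return "waiting-for-author"
        if current.sync_in_progress:
            self.pending = reader_name       # staged until the Author finishes its work
            return "staged"
        self._swap(reader, current)
        return "promoted"

    def author_finished_sync(self):
        """Author signals it is idle; a staged graceful promotion then proceeds."""
        current = self.author()
        if current is not None:
            current.sync_in_progress = False
        if self.pending is None:
            return None
        name, self.pending = self.pending, None
        return self.request_graceful_promotion(name)

    def force_promotion(self, reader_name):
        """Immediate swap without waiting for the Author. If the Author is actually alive and
        mid-authoring, its unsynchronized work is at risk (the guide's data-loss warning)."""
        reader = self.clusters[reader_name]
        current = self.author()
        at_risk = current is not None and current.responsive and current.sync_in_progress
        self._swap(reader, current)
        self.pending = None
        return {"author": reader_name, "possible_data_loss": at_risk}

    def node_returns(self, name):
        """A former Author that comes back sees a newer config: it is a Reader and downloads it."""
        c = self.clusters[name]
        c.responsive = True
        c.sync_in_progress = False
        c.config_version = self.config_version
        return c.role
```

Reading the model against the text: a graceful request while the Author is synchronizing returns "staged" and is completed by `author_finished_sync`; a request against an unreachable Author returns "waiting-for-author", which is the situation in which the guide allows force promotion, and `node_returns` is the former Author transitioning to the Reader role and pulling the latest configuration from ISE.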

Documents / Resources

CISCO ISE Software [pdf] User Guide
ISE Software, Software
