The following terms are commonly used when discussing Cisco ISE deployment scenarios:

• Service—A service is a specific feature that a persona provides such as network access, profiler, posture, security group access, monitoring and troubleshooting, and so on.

• Node—A node is an individual instance that runs the Cisco ISE software. Cisco ISE is available as an appliance and also as a software that can be run on VMware. Each instance, appliance or VMware that runs the Cisco ISE software is called a node.

• Persona—The persona or personas of a node determine the services provided by a node. A Cisco ISE node can assume any of the following personas: Administration, Policy Service, Monitoring, and pxGrid. The menu options that are available through the Admin portal are dependent on the role and personas that an Cisco ISE node assumes.

• Deployment Model—Determines if your deployment is distributed, standalone, or high availability in standalone, which is a basic two-node deployment.

A Cisco ISE node can assume the Administration, Policy Service, or Monitoring personas.

A Cisco ISE node can provide various services based on the persona that it assumes. Each node in a deployment can assume the Administration, Policy Service, and Monitoring personas. In a distributed deployment, you can have the following combination of nodes on your network:

• Primary and secondary Administration nodes for high availability

• Primary and secondary MnT nodes for high-availability.

• A pair of health check nodes or a single health check node for Primary Administration Node (PAN) automatic failover

• One or more Policy Service Nodes (PSN) for session failover

A deployment that has more than one Cisco ISE node is called a distributed deployment. To support failover and to improve performance, you can set up your deployment with multiple Cisco ISE nodes in a distributed fashion. In Cisco ISE distributed deployment, administration and monitoring activities are centralized, and processing is distributed across the Policy Service nodes. Depending on your performance needs, you can scale your deployment. Each Cisco ISE node in a deployment can assume any of the following personas: Administration, Policy Service, and Monitoring.

A Cisco ISE node with the Administration persona allows you to perform all administrative operations on Cisco ISE. It handles all system-related configurations that are related to functionality such as authentication, authorization, auditing, and so on. In a distributed environment, you can have a maximum of two nodes running the administration persona. The administration persona can take on any one of the following roles: Standalone, Primary, or Secondary.

A Cisco ISE node with the Monitoring persona functions as the log collector and stores log messages from all the administration and Policy Service nodes in your network. This persona provides advanced monitoring and troubleshooting tools that you can use to effectively manage your network and resources. A node with this persona aggregates and correlates the data that it collects to provide you with meaningful information in the form of reports.

Cisco ISE allows you to have a maximum of two nodes with this persona that can take on primary or secondary roles for high availability. Both the primary and secondary Monitoring nodes collect log messages. If the primary monitoring node goes down, Primary PAN points to secondary node to gather monitoring data. But secondary node will not be promoted to primary automatically. This should be done by manually modifying the Monitoring and Troubleshooting (MnT) role.

At least one node in your distributed setup should assume the Monitoring persona. We recommend that you not have the Monitoring and Policy Service personas enabled on the same Cisco ISE node. We recommend that the node be dedicated solely to monitoring for optimum performance.

You can access the Monitoring menu from the PAN and the Primary Monitoring Node in your deployment.

You can use Cisco pxGrid to share the context-sensitive information from Cisco ISE session directory with other network systems such as ISE Eco system partner systems and other Cisco platforms. The pxGrid framework can also be used to exchange policy and configuration data between nodes like sharing tags and policy objects between Cisco ISE and third party vendors, and for other information exchanges. pxGrid also allows 3rd party systems to invoke adaptive network control actions (EPS) to quarantine users/devices in response to a network or security event. The TrustSec information like tag definition, value, and description can be passed from Cisco ISE via TrustSec topic to other networks. The endpoint profiles with Fully Qualified Names (FQNs) can be passed from Cisco ISE to other networks through a endpoint profile meta topic. Cisco pxGrid also supports bulk download of tags and endpoint profiles.

You can publish and subscribe to SXP bindings (IP-SGT mappings) through pxGrid. For more information about SXP bindings, see Security Group Tag Exchange Protocol.

In a high-availability configuration, Cisco pxGrid servers replicate information between the nodes through the PAN. When the PAN goes down, pxGrid server stops handling the client registration and subscription. You need to manually promote the PAN for the pxGrid server to become active.

On the Active pxGrid 1.0 node, these processes show as 'Running'. On the Standby pxGrid 1.0 node, they show as Disabled. If the Active pxGrid 1.0 node goes down, the standby pxGrid node detects this, and starts the four pxGrid processes. Within a few minutes, these processes show as 'Running', and the Standby node becomes the Active node. You can verify that pxGrid is in standby on that node by running the CLI command show logging application pxgrid or show logging application pxgrid.state.

For XMPP (Extensible Messaging and Presence Protocol) clients, pxGrid nodes work in Active or Standby high availability mode which means that the pxGrid Service is in "running" state on the active node and in "disabled" state on the standby node.

After the automatic failover to the secondary pxGrid node is initiated, if the original primary pxGrid node is brought back into the network, the original primary pxGrid node will continue to have the secondary role and will not be promoted back to the primary role unless the current primary node goes down.

Note	At times, the original primary pxGrid node might be automatically promoted back to the primary role.

In a high availability deployment, when the primary pxGrid node goes down, it might take around 3 to 5 minutes to switchover to the secondary pxGrid node. It is recommended that the client waits for the switchover to complete, before clearing the cache data in case of primary pxGrid node failure.

The following logs are available for pxGrid node:

• pxgrid.log—State change notifications.

• pxgrid-cm.log—Updates on publisher/subscriber and data exchange activity between client and server.

• pxgrid-controller.log—Displays the details of client capabilities, groups, and client authorization.

• pxgrid-jabberd.log—All logs related to system state and authentication.

• pxgrid-pubsub.log—Information related to publisher and subscriber events.

When you make any of the following changes to a node in a Cisco ISE ISE, that node restarts, which causes a delay:

• Register a node (Standalone to Secondary)

• Deregister a node (Secondary to Standalone)

• Change a primary node to Standalone (if no other nodes are registered with it; Primary to Standalone)

• Promote an Administration node (Secondary to Primary)

• Change the personas (when you assign or remove the Policy Service or Monitoring persona from a node)

• Modify the services in the Policy Service node (enable or disable the session and profiler services)

• Restore a backup on the primary and a sync up operation is triggered to replicate data from primary to secondary nodes