Sunday, February 7, 2021

PxGrid Part # 1 - Introduction to PxGrid in ISE

  • Prior to ISE 2.4, only pxGrid v1 was available
  • ISE 2.4+ supports both pxGrid v2 and v1


Summary

  • From a pxGrid v1 perspective, operation is 100% active/standby: the pxGrid services are down on the secondary node and are activated only in the case of a pxGrid controller failover.
  • pxGrid v2 runs on port 8910, which is used by web clients. Port 8910 with WebSockets is the way pxGrid v2 operates, while port 5222 was the XMPP port pxGrid v1 used. The guide indicates that 5222 will only be open on the active node while 8910 will be open on all nodes.
    • "For XMPP (Extensible Messaging and Presence Protocol) clients, pxGrid nodes work in Active/Standby high availability mode, which means that the pxGrid Service is in "running" state on the active node and in "disabled" state on the standby node."
  • In a high-availability configuration, Cisco pxGrid servers replicate information between the pxGrid nodes through the PAN.
  • When the PAN goes down, the pxGrid server stops handling client registration and subscription. You need to manually promote the PAN for the pxGrid server to become active.
    • Only nodes that are already registered and subscribed can request information; a new node cannot register while the PAN is down.
  • You can check the pxGrid Services page (Administration > pxGrid Services) to verify whether a pxGrid node is currently in active or standby state.
  • After the automatic failover to the secondary pxGrid node is initiated, if the original primary pxGrid node is brought back into the network, it will continue to have the secondary role and will not be promoted back to the primary role unless the current primary node goes down.
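The port behaviour described above (5222 open only on the active v1 controller, 8910 open on every node) can be turned into a quick health check. This is an added example, not code from the original post or from Cisco; the hostnames and the probe results in SAMPLE_RESULTS are constructed.

```python
"""Classify ISE pxGrid nodes as active/standby from TCP port probes.
Added example, not from the original post; hostnames and SAMPLE_RESULTS are
constructed. Per the post: 5222 (XMPP, v1) is open only on the active
controller, 8910 (WebSocket, v2) should be open on every pxGrid node."""
import socket

XMPP_PORT = 5222       # pxGrid v1: open on the active controller only
WEBSOCKET_PORT = 8910  # pxGrid v2: expected open on every pxGrid node

def port_open(host, port, timeout=2.0):
    """Return True if a TCP connect to host:port succeeds within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def probe_ports(hosts):
    """Probe both pxGrid ports on each host; returns {host: {port: bool}}."""
    return {h: {p: port_open(h, p) for p in (WEBSOCKET_PORT, XMPP_PORT)}
            for h in hosts}

def classify(results):
    """Return ({host: role}, [findings]); roles are active, standby or down."""
    roles, findings = {}, []
    for host, ports in results.items():
        ws, xmpp = ports[WEBSOCKET_PORT], ports[XMPP_PORT]
        if xmpp:
            roles[host] = "active"
            if not ws:  # v1 answers but v2 (WebSocket) clients could not connect
                findings.append(f"{host}: 5222 open but 8910 closed")
        elif ws:
            roles[host] = "standby"
        else:
            roles[host] = "down"
            findings.append(f"{host}: no pxGrid ports open; node or service down")
    active = sorted(h for h, r in roles.items() if r == "active")
    if not active:  # per the post: with the PAN down, no controller is active
        findings.append("no active controller; check the PAN and promote manually")
    elif len(active) > 1:
        findings.append(f"more than one node answers on 5222: {', '.join(active)}")
    return roles, findings

# Constructed sample: a healthy v1 active/standby pair.
SAMPLE_RESULTS = {
    "ise-pxgrid-1.example.com": {WEBSOCKET_PORT: True, XMPP_PORT: True},
    "ise-pxgrid-2.example.com": {WEBSOCKET_PORT: True, XMPP_PORT: False},
}
```

Against live nodes, run `classify(probe_ports(["<pxgrid-node-1>", "<pxgrid-node-2>"]))` and compare the result with the Administration > pxGrid Services page.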

 

PxGrid Certs

 

Beginning in ISE version 2.2, all pxGrid communications between all nodes occur within the secure pxGrid channel using the pxGrid certificate of the ISE node. 

 

Beginning in ISE 2.2, each node’s pxGrid certificate will be signed automatically by the internal CA.

Recommended practice is to use the CA built into ISE for all pxGrid communications, which keeps things simple and working well. Also use it to sign the certificates of pxGrid clients.

 

The steps are as follows:

  • Navigate to Administration > System > Certificates
  • Select the pxGrid certificate of one of the nodes by ticking the checkbox at the left end of the row, then click View
  • Check that the root signer of the certificate is the primary PAN of the ISE cube (the root CA)


 

Tip # 1

If you lose locally generated certificates such as the pxGrid certificate, regenerate them as follows:

Administration > Certificates > Certificates Signing Requests > Generate CSR > ISE Root CA 

 

PxGrid Architecture

 

Components of PxGrid System


  • PxGrid Controller (PxGrid Persona)
  • PxGrid Publisher (MnT and PAN)
  • PxGrid Subscriber (FMC, WSA, etc)

 

PAN Publisher Topics:


  • Controller Admin
  • TrustSec/SGT
  • Endpoint Profile

 

MnT Publisher Topics:


  • Session Directory
  • Identity Group
  • ANC (EPS)

PxGrid HA

 

PxGrid v1 Scenario

 


  • Clients connect to single active controller for given domain
  • If active pxGrid Controller fails, clients automatically attempt connection to standby controller.

 

PxGrid v2 Scenario

 


  • pxGrid clients can be configured with multiple servers for redundancy.
  • Clients connect to single active controller for given domain

 

Max nodes