
CISCO ISE Software

Overview of Multiple Catalyst Center deployment
When you integrate more than one Catalyst Center cluster with a single Cisco ISE system, each Catalyst Center cluster is independent. No information is shared from any one cluster to any other. In this scenario, when Cisco Software-Defined Access (SD-Access) is deployed on Catalyst Center, the set of virtual networks (VNs) and all other SD-Access is local to each cluster.
Catalyst Center provides a mechanism to coordinate SD-Access and Group-Based Policy (GBP) elements across multiple Catalyst Center clusters integrated with a single Cisco ISE system. In order to allow global administration of SD-Access across multiple Catalyst Center clusters with a consistent set of VNs, the Multiple Catalyst Center feature leverages the existing secure connection with Cisco ISE to propagate VNs, security group tags (SGTs), Access Contracts, and Group-Based Access Control (GBAC) Policy from one cluster to another cluster. Cisco ISE takes the information learned from one cluster (known as the Author Node) and propagates it to the other clusters (known as the Reader Nodes).
The Multiple Catalyst Center feature is available when integrated with Cisco ISE Release 3.2 or later.

Note
- The Multiple Catalyst Center operation is disabled by default. To use this feature, select the Enable Multiple Catalyst Center operation (under Advanced Settings) when integrating Catalyst Center with Cisco ISE. You can enable this feature at the initial configuration or at a later time (after Cisco ISE is already integrated). After this functionality is enabled, only deleting the Cisco ISE integration can disable the functionality.
- If you are using earlier releases of Cisco ISE, you must contact your account team to submit a request to the Cisco SDA Design Council for inclusion in the Limited Availability program. A Multiple Catalyst Center Limited Availability package will be provided to allow access to the limited availability (LA) version of this functionality. See the Multiple Cisco DNA Center to Single Cisco ISE Prescriptive Deployment Guide for more information.
The Multiple Catalyst Center feature has specific role designations for the clusters:
- Author Node cluster
- Reader Node cluster
- The Author Node role is assigned to the first cluster (with the Multiple Catalyst Center option enabled) that integrates with a Cisco ISE deployment, or to the first cluster that enables the Multiple Catalyst Center option. The Author Node cluster is the administration point for Group-Based Policy (GBP) and for Cisco SD-Access global data. The Author Node cluster manages VNs, SGTs, Access Contracts, and GBAC Policy. VNs and GBP components can be created, modified, or deleted only on the Author Node cluster.
- The Author Node cluster pushes VN and GBP information to Cisco ISE through ERS (REST) APIs so that Cisco ISE can consume this information and publish it, through Cisco ISE pxGrid, to all the other Cisco Catalyst Center clusters in the Reader Node role.
- Only one cluster can be designated as the Author Node. This is the only node where GBP data and user-defined global SDA data (such as VNs or extranet policy) can be managed.
- If SGTs or VNs are not working on the Author Node, the SGTs or VNs cannot be deleted.
Reader Node cluster
- The Reader Node cluster role is assigned to every other Catalyst Center cluster that has the Multiple Catalyst Center feature enabled. Reader Node clusters have a read-only view of VNs and SGTs.
- Although Reader Node clusters consume and maintain the same VNs, SGTs, Access Contracts, and GBAC Policies that are defined on the Author Node cluster, a Reader Node cluster does not display Access Contracts or policies.
VNs can only be created on the Author Node cluster. After they are created, they are propagated to the Reader Node clusters, where they may be used in fabric provisioning operations. The Reader Node clusters configure the associated network attributes such as Virtual Network Identifiers (VNID), Route Targets (RT), and Route Distinguishers (RD), which are local to that cluster.
Apart from the VN and GBP attributes, each Reader Node cluster is an independent cluster that manages its own network infrastructure.
- The Multiple Catalyst Center feature allows global policy administration across multiple Cisco Catalyst Center clusters that are integrated with a single Cisco ISE. This capability does not change the basic limitations involved in managing networks and virtual fabrics on multiple Cisco Catalyst Center clusters. A VN may have the same name across multiple Cisco Catalyst Center clusters, which allows it to support consistent security group-to-VN associations across multiple clusters. At the level of the individual cluster, however, the network attributes associated with a VN (VRF, route target, route distinguisher, and so on) are not the same across clusters. This is the same as when independent Catalyst Center clusters are operating.
- Up to four Catalyst Center clusters can be added as Reader Node clusters. Before adding a Catalyst Center node as a Reader, you must remove all admin-created Cisco SD-Access global data on the Reader Node cluster for Catalyst Center to integrate with Cisco ISE. This includes nondefault VNs (any VNs other than “DEFAULT_VN” and “INFRA_VN”), Extranet Policy, and so on. In the event there’s any nondefault GBP data (SGTs, Access Contracts, GBP), the user has the option to automatically clean up (delete) all nondefault GBP data, or to merge any GBP data not already present in Cisco ISE.
Note
- Only five Catalyst Center clusters can be integrated with a single Cisco ISE deployment. This means one Author Node cluster and up to four Reader Node clusters.
- It’s possible to delete SGTs or VNs on the Author Node even when they are in use on Reader Nodes. In that event, the stale SGTs or VNs must be deleted manually on the Reader Nodes (after removing any references).
Multiple Catalyst Center policy management
After you integrate Catalyst Center with Cisco ISE and perform GBP synchronization, policy information is synchronized between Catalyst Center and Cisco ISE. The policy authoring rights are within Catalyst Center. The Cisco ISE windows for managing SGTs, Security Group ACLs (SGACLs), and Egress Policy become read-only.
You can manage group-based policy (Security Groups, Access Contracts, and GBAC Policy) in Cisco ISE instead of in Catalyst Center.
In the Catalyst Center GUI, click the menu icon and choose Policy > Group-Based Access Control > Policies > GBAC Configuration > Manage Group-Based Access Control in Cisco ISE.
Upgrade recommendations for Multiple Catalyst Center
In a Multiple Catalyst Center environment, it is recommended to run the same Catalyst Center software version across all Author and Reader Node clusters, except during the cluster upgrade process. You can upgrade every Reader Node cluster first, and then upgrade the Author Node cluster, to avoid feature differences and feature incompatibility across software versions. Avoid promoting a Reader Node cluster to the Author Node role in the middle of an upgrade cycle. All Catalyst Center clusters should be upgraded and running the same software version before a Reader Node cluster is promoted.
Figure 1: Upgrade recommendations for Multiple Catalyst Center
The basic functionality of the Multiple Catalyst Center feature doesn’t require the same software version in all the participating Author and Reader Node clusters. However, using mismatched code versions may result in a difference in fixes, capabilities, and features between the clusters. The same Catalyst Center software version is recommended across all Author and Reader Node clusters.
Multiple Catalyst Center deployment
There are two deployment options for Multiple Catalyst Center.
- A new deployment of multiple Catalyst Center clusters that aren’t currently integrated with Cisco ISE.
- An existing Catalyst Center cluster that is integrated with Cisco ISE and new additional Catalyst Center clusters without Cisco ISE integration.
Enabling Multiple Catalyst Center
The Multiple Catalyst Center cluster functionality is disabled by default. It can be enabled during or after integration with Cisco ISE. After you enable the Multiple Catalyst Center functionality, you can disable it only by removing the Cisco ISE integration completely.
The Multiple Catalyst Center operation requires pxGrid functionality. You can’t disable pxGrid after enabling Multiple Catalyst Center.
Procedure
- Step 1 In the Catalyst Center GUI, click the menu icon and choose System > Settings > Authentication and Policy Servers.
- Step 2 Add Cisco ISE.
- Step 3 Enter the required Cisco ISE information. For information, see Catalyst Center and Cisco ISE integration.
- Step 4 Choose System > Settings > Authentication and Policy Servers > Add > ISE > Advanced Settings.
The Advanced Settings toggle reveals several advanced options, including the toggle to enable the Multiple Catalyst Center operation.
- Step 5 Enable the Multiple Catalyst Center Operation option.
- Step 6 (Optional) If you are editing an existing Cisco ISE integration, re-enter the Cisco ISE admin password.
- Step 7 Click Add.
Integrating multiple Catalyst Centers with a single Cisco ISE
There are prerequisites for integrating Catalyst Center and Cisco ISE for the first time. For information, see Catalyst Center and Cisco ISE integration.
Before you begin
When Catalyst Center is already integrated with Cisco ISE, complete the following steps to reintegrate Catalyst Center and Cisco ISE after enabling the Multiple Catalyst Center operation. This allows Catalyst Center to negotiate the Author or Reader Node cluster role based on whether it’s a first node or subsequent node joining Cisco ISE with the Multiple Catalyst Center feature enabled.
Procedure
- Step 1 In the Catalyst Center GUI, click the menu icon and choose System > Settings > Authentication and Policy Servers.
- Step 2 In the Actions column, hover your cursor over the ellipsis icon and choose Edit.
- Step 3 Choose System > Settings > Authentication and Policy Servers > Add > ISE > Advanced Settings.
- Step 4 Enable the Multiple Catalyst Center Operation option.
- Step 5 Enter the Cisco ISE Admin password again.
- Step 6 Click Add. Catalyst Center negotiates the Author Node role with Cisco ISE.
- If the status of the configured Cisco ISE server displays “FAILED” because of a password change, click Retry, and update the password to resynchronize the Cisco ISE connectivity.
- The status of the integration can be seen in the slide-in pane. Ensure that the integration Status displays as Active in the Authentication and Policy Server window.
- Step 7 To verify the negotiated role of the cluster as the Author Node, choose System > Settings > System Configuration > Multiple Catalyst Center Settings.
Integrating additional Catalyst Center clusters with Cisco ISE as Reader Nodes
To integrate subsequent Catalyst Center clusters with the same Cisco ISE that has Multiple Catalyst Center enabled, the Catalyst Center cluster must not contain any nondefault VNs (any VNs other than “DEFAULT_VN” and “INFRA_VN”).
Before you begin
Verify that the cluster that you want to integrate includes only the default VNs under Policy > Virtual Network.
Procedure
- Step 1 In the Catalyst Center GUI, click the menu icon and choose System > Settings > Authentication and Policy Servers.
- Step 2 Click Add and choose ISE.
- Step 3 Enter the required Cisco ISE information. See Catalyst Center and Cisco ISE integration.
- Step 4 Choose System > Settings > Authentication and Policy Servers > Add > ISE > Advanced Settings.
- Step 5 Enable the Multiple Catalyst Center Operation option.
- Step 6 Click Add.
- Step 7 (Optional) When integrating the cluster with Cisco ISE for the first time, click Accept in the slide-in pane for Catalyst Center to accept the certificate pushed by Cisco ISE. Close the slide-in pane.
- Step 8 In the Authentication and Policy Server window, verify that the status of the integration displays as Active.
Deleting a virtual network
The Author Node cluster is not aware of Virtual Network (VN) usage on the Reader Node clusters. You must remove all references to a VN on all Reader Node clusters before you attempt to delete that VN on the Author Node cluster. If you delete a VN on the Author Node cluster, the VN is deleted on the Author Node and on the Reader Node clusters that have no references to it. However, if any of the Reader Nodes is using that VN, the status of that VN displays as Out of sync with Author. You must remove all references to the VN (for example, a VN addition in the Host Onboarding section or a static port assignment) on the Reader Node cluster and then proceed to delete that VN on the Reader Node cluster.
Deleting a security group
The Author Node cluster is not aware of security group usage on the Reader Node clusters. You must remove all references to the security group on all Reader Node clusters before you attempt to delete that security group on the Author Node cluster. If you delete a security group on the Author Node cluster, that security group is deleted on the Author Node cluster, on Cisco ISE, and on the Reader Node cluster if there are no references to it. If any of the Reader Node clusters is using that security group, the status of that security group displays as Out of sync with Author. You must remove all references to the security group on the Reader Node cluster and then proceed to delete that security group on the Reader Node cluster.
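The deletion behaviour described in the two sections above (virtual networks and security groups), modelled as a pre-change check: which Reader Node clusters would be left holding a stale, out-of-sync object, and in what order to clean up. This is an added example, not Cisco code; it calls no Catalyst Center or Cisco ISE API, and the `Reader` inventory, cluster names, object names and reference strings are constructed assumptions.

```python
from dataclasses import dataclass, field

MAX_READERS = 4  # page: one Author Node cluster and up to four Reader Node clusters


@dataclass
class Reader:
    """One Reader Node cluster plus a constructed export of where it uses each object."""
    name: str
    refs: dict = field(default_factory=dict)  # object name -> list of referencing items


def delete_impact(obj, readers):
    """Predict what deleting `obj` (a VN or security group) on the Author Node leaves behind."""
    if len(readers) > MAX_READERS:
        raise ValueError(f"{len(readers)} readers given; at most {MAX_READERS} are supported")
    removed, stale = [], {}
    for r in readers:
        used_by = r.refs.get(obj, [])
        if used_by:
            stale[r.name] = list(used_by)  # reader keeps the object, shown as out of sync
        else:
            removed.append(r.name)         # deletion propagates to this reader
    return {"object": obj, "clean": not stale, "removed_on": removed, "out_of_sync_on": stale}


def work_plan(objs, readers):
    """Ordered steps so that no reader is left holding a stale VN or security group."""
    steps = []
    for obj in objs:
        impact = delete_impact(obj, readers)
        for reader, used_by in sorted(impact["out_of_sync_on"].items()):
            for ref in used_by:
                steps.append(f"{reader}: remove reference '{ref}' to {obj}")
        steps.append(f"author: delete {obj}")
    return steps


# Constructed sample data: cluster names, object names and references are made up.
READERS = [
    Reader("reader-east", {"CAMPUS_VN": ["host onboarding: Fabric-East"],
                           "Contractors": ["constructed reference A"]}),
    Reader("reader-west", {"CAMPUS_VN": []}),
    Reader("reader-lab"),
]

if __name__ == "__main__":
    for name in ("CAMPUS_VN", "Contractors", "Guests"):
        print(delete_impact(name, READERS))
    print("\n".join(work_plan(["CAMPUS_VN", "Guests"], READERS)))
```

An object that no reader references comes back with `clean` set to true; anything else lists the references to remove on each reader before the delete is made on the Author Node.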
Promoting Reader Nodes to the Author Role
The Multiple Catalyst Center solution architecture has multiple Catalyst Center clusters, and only one cluster can be the policy Author. There may be situations where the Administrator needs to promote a Reader Node cluster to take over the Author Node cluster role. This promotion should be done only when:
- You are taking the Author Node cluster out of service or making it unavailable for an extended period of time.
- The Author Node cluster is permanently unavailable or unresponsive for an extended period of time and policy changes are required during that time.
This promotion of a Reader Node to an Author Node can be done in two ways:
- Graceful Promotion of a Reader Node to the Author role.
- Force Promotion of a Reader Node to the Author role.
Graceful promotion of a Reader Node to the Author Role
You can manually promote a Reader Catalyst Center cluster to the Author Role if that is required in a Multiple Catalyst Center deployment. Every Reader Node cluster has a Promote to Author Role button. You can promote a Reader Node cluster to an Author Node while your Author Node cluster is still operational. However, do not start the promotion operation while the existing Author Node cluster is in the middle of a group-based policy authoring operation (for example, while policies are being synchronized with Cisco ISE). If the Author Node cluster is busy, processing of the promotion operation is deferred until the Author Node completes its current processing.
Note
- Upon graceful promotion of a Reader Node cluster to the Author Role, the Reader Node cluster initiates a request to Cisco ISE for a role change (Reader to Author).
- When Cisco ISE receives the role change request, it requests the current Author Node to release the role of policy Author. The current Author node then releases the role of policy Author (if no sync in progress) and takes over the role of the Reader Node cluster.
- The current Reader Node that is selected for promotion assumes the role of the Author Node. Upon the Author and Reader Role change, Cisco ISE updates the other Reader Node clusters about the new Author Node through a configuration update.
Procedure
- Step 1 On the Reader Node cluster, choose System > Settings > System Configuration > Multiple Cisco Catalyst Center Settings and verify the Author and Reader Nodes.
- Step 2 Click the Promote to Author button.
- Step 3 Click Continue to promote the node to the Author Role.
The transition process may take a few minutes.
Force promotion of a Reader Node to the Author Role
Force promotion is a type of manual promotion, intended specifically to promote the current Reader Node cluster to the Author Node role in these situations:
- The current Author Node cluster is out of service.
- The current Author Node cluster is nonresponsive.
- The graceful promotion of a Reader Node to the Author Role is taking more than 5 minutes.
Figure 3: Force promotion of a Reader Node to the Author Role

Do not use the force promotion option while the existing Author Node cluster is in service with a GBP authoring activity, as this may result in data loss and the Author Node cluster going out of sync with Cisco ISE. Therefore, force promotion is only recommended if you must restore service immediately and you are willing to risk losing data. After the forced promotion, the promoted Reader Node cluster will become the new Author Node cluster for the deployment. When the former Author Node cluster becomes available, it will transition to a reader role and download the latest configuration data from Cisco ISE.
Upon initiating the promotion of a Reader Node cluster, the Reader Node cluster initiates a request to Cisco ISE for a Role change (in other words, Reader to Author). When Cisco ISE receives the role change request, it requests the current Author Node to release the role of policy Author.
If the current Author Node is unresponsive and if the administrator selects Force Promotion, the Reader Node cluster ACA initiates a request to force the change of the Reader Node cluster to the Author Role and vice versa immediately in Cisco ISE. This configuration update message is sent to all the nodes.
The steps to force promote a Reader Node cluster to Author Node cluster are exactly the same as explained in the graceful promotion of a Reader Node to the Author Role section. There is an additional step at the end to initiate the Force Promotion function.

