
CISCO ISE Software


Multiple Catalyst Center Overview

When you integrate more than one Catalyst Center cluster with a single Cisco ISE system, each Catalyst Center cluster is independent. No information is shared from any one cluster to any other. In this scenario, when Cisco Software-Defined Access (SD-Access) is deployed on Catalyst Center, the set of virtual networks (VNs) and all other SD-Access data is local to each cluster.
Catalyst Center provides a mechanism to coordinate SD-Access and Group-Based Policy (GBP) elements across multiple Catalyst Center clusters integrated with a single Cisco ISE system. In order to allow global administration of SD-Access across multiple Catalyst Center clusters with a consistent set of VNs, the Multiple Catalyst Center feature leverages the existing secure connection with Cisco ISE to propagate VNs, security group tags (SGTs), Access Contracts, and Group-Based Access Control (GBAC) Policy from one cluster to another cluster. Cisco ISE takes the information learned from one cluster (known as the Author Node) and propagates it to the other clusters (known as the Reader Nodes).
The Multiple Catalyst Center feature is available when integrated with Cisco ISE Release 3.2 or later.


Note

  • The Multiple Catalyst Center operation is disabled by default. To use this feature, select the Enable Multiple Catalyst Center operation (under Advanced Settings) when integrating Catalyst Center with Cisco ISE. You can enable this feature at the initial configuration or at a later time (after Cisco ISE is already integrated). After this functionality is enabled, only deleting the Cisco ISE integration can disable the functionality.
  • If you are using earlier releases of Cisco ISE, you must contact your account team to submit a request to the Cisco SDA Design Council for inclusion in the Limited Availability program. A Multiple Catalyst Center Limited Availability package will be provided to allow access to the limited availability (LA) version of this functionality. See the Multiple Cisco DNA Center to Single Cisco ISE Prescriptive Deployment Guide for more information.

The Multiple Catalyst Center feature has specific role designations for the clusters:

  • Author Node cluster
  • Reader Node cluster

Author Node cluster

  • The Author Node role is assigned to the first cluster (with the Multiple Catalyst Center option selected) that integrates with Cisco ISE, or to the first cluster that enables the Multiple Catalyst Center option. The Author Node cluster is the administration point for Group-Based Policy (GBP) and for Cisco SD-Access global data. The Author Node cluster manages VNs, SGTs, Access Contracts, and GBAC Policy. Creation, modification, or deletion of VNs and GBP elements can only be performed on the Author Node cluster.
  • The Author Node cluster pushes VN and GBP data to Cisco ISE through the ERS (REST) APIs. Cisco ISE consumes this information and publishes it to all other Catalyst Center clusters in the Reader Node role through Cisco ISE pxGrid.
  • Only one cluster can be designated as the Author Node. It is the only node where user-defined GBP and global SDA data (such as VNs or extranet policies) can be managed.
  • If SGTs or VNs are in use on the Author Node, those SGTs or VNs cannot be deleted.

Reader Node cluster

  • All other Catalyst Center clusters that have the Multiple Catalyst Center feature enabled are assigned the Reader Node cluster role. Reader Node clusters have a read-only view of VNs and SGTs.
  • Although Reader Node clusters consume and persist the VNs, SGTs, Access Contracts, and GBAC Policies defined on the Author Node cluster, the Reader Node cluster does not display Contracts or policies.
  • VNs can only be created on the Author Node cluster. After they are created, they are propagated to the Reader Node clusters, where they may be used in fabric provisioning operations. The Reader Node clusters configure the associated network attributes, such as Virtual Network Identifiers (VNID), Route Targets (RT), and Route Distinguishers (RD), which are local to that cluster.
  • Apart from the VN and GBP features, each Reader Node cluster is an independent cluster that manages its own network infrastructure.
  • The Multiple Catalyst Center feature enables global policy administration across multiple Cisco Catalyst Center clusters integrated with a single Cisco ISE. This capability does not change the boundaries of day-to-day network and fabric management on the individual Cisco Catalyst Center clusters. A VN can have the same name across Cisco Catalyst Center clusters, which allows it to support consistent VN-aligned security groups across multiple clusters. But at the individual cluster level, the actual network attributes used to implement the VN (VRF, route target, route distinguisher, and so on) are not the same across clusters. This is the same as when managing an independent Catalyst Center cluster.
  • Up to four Catalyst Center clusters can be added as Reader Node clusters. Before adding a Catalyst Center node as a Reader, you must remove all admin-created Cisco SD-Access global data on the Reader Node cluster for Catalyst Center to integrate with Cisco ISE. This includes nondefault VNs (any VNs other than “DEFAULT_VN” and “INFRA_VN”), Extranet Policy, and so on. In the event there’s any nondefault GBP data (SGTs, Access Contracts, GBP), the user has the option to automatically clean up (delete) all nondefault GBP data, or to merge any GBP data not already present in Cisco ISE.

Note

  • Only five Catalyst Center clusters can be integrated with a single Cisco ISE deployment. This means one Author Node cluster and up to four Reader Node clusters.
  • It’s possible to delete SGTs or VNs on the Author Node even when they are in use on Reader Nodes. In that event, the stale SGTs or VNs must be deleted manually on the Reader Nodes (after removing any references).

Multiple Catalyst Center Policy Management

After integrating Catalyst Center with Cisco ISE and synchronizing GBP, policy data is synchronized between Catalyst Center and Cisco ISE. The authoring capabilities are in Catalyst Center. The Cisco ISE windows for managing SGTs, Security Group ACLs (SGACLs), and Egress Policy become read-only.
You can instead manage group-based policy (Security Groups, Access Contracts, and GBAC Policy) in Cisco ISE rather than in Catalyst Center.
In the Catalyst Center GUI, click the menu icon and choose Policy > Group-Based Access Control > Policies > GBAC Configuration > Manage Group-Based Access Control in Cisco ISE.

Upgrade Recommendations for Multiple Catalyst Center

In a Multiple Catalyst Center environment, it is recommended to run the same Catalyst Center software version across all Author and Reader Node clusters, except while a cluster upgrade is in progress. Upgrade all Reader Node clusters first, then upgrade the Author Node cluster, to avoid fragmentation and feature incompatibilities across software versions. Avoid promoting a Reader Node cluster to the Author Node role in the middle of an upgrade cycle. All Catalyst Center clusters should be upgraded and running the same software version before promoting a Reader Node cluster.
Figure 1: Upgrade Recommendations for Multiple Catalyst Center

The basic functionality of the Multiple Catalyst Center feature doesn’t require the same software version in all the participating Author and Reader Node clusters. However, using mismatched code versions may result in a difference in fixes, capabilities, and features between the clusters. The same Catalyst Center software version is recommended across all Author and Reader Node clusters.

Multiple Catalyst Center Deployment Options

There are two Multiple Catalyst Center deployment options:

  • A new deployment of multiple Catalyst Center clusters that aren’t currently integrated with Cisco ISE.
  • An existing Catalyst Center cluster that is integrated with Cisco ISE, plus new additional Catalyst Center clusters without Cisco ISE integration.

Enable Multiple Catalyst Center

The Multiple Catalyst Center operation is disabled by default. It can be enabled during or after integration with Cisco ISE. After the Multiple Catalyst Center operation is enabled, you can disable it only by removing the Cisco ISE integration entirely.
The Multiple Catalyst Center operation requires pxGrid functionality. You can’t disable pxGrid after enabling Multiple Catalyst Center.

Procedure

  1. In the Catalyst Center GUI, click the menu icon and choose System > Settings > Authentication and Policy Servers.
  2. Add Cisco ISE.
  3. Enter the required Cisco ISE information. For information, see Catalyst Center and Cisco ISE integration.
  4. Choose System > Settings > Authentication and Policy Servers > Add > ISE > Advanced Settings.
     The Advanced Settings button exposes a variety of advanced options, including the toggle that enables the Multiple Catalyst Center operation.
  5. Enable the Multiple Catalyst Center Operation option.
  6. (Optional) If you are editing an existing Cisco ISE integration, re-enter the Cisco ISE admin password.
  7. Click Add.

Integrate Multiple Catalyst Center with a Single Cisco ISE
There are prerequisites for integrating Catalyst Center and Cisco ISE for the first time. For information, see Catalyst Center and Cisco ISE integration.

Before you begin
When Catalyst Center is already integrated with Cisco ISE, complete the following steps to reintegrate Catalyst Center and Cisco ISE after enabling the Multiple Catalyst Center operation. This allows Catalyst Center to negotiate the Author or Reader Node cluster role based on whether it’s the first node or a subsequent node joining Cisco ISE with the Multiple Catalyst Center feature enabled.

Procedure

  1. In the Catalyst Center GUI, click the menu icon and choose System > Settings > Authentication and Policy Servers.
  2. In the Actions column, hover your cursor over the ellipsis icon and choose Edit.
  3. Choose System > Settings > Authentication and Policy Servers > Add > ISE > Advanced Settings.
  4. Enable the Multiple Catalyst Center Operation option.
  5. Enter the Cisco ISE Admin password again.
  6. Click Add. Catalyst Center negotiates the Author Node role with Cisco ISE.
     • If the status of the configured Cisco ISE server displays “FAILED” because of a password change, click Retry, and update the password to resynchronize the Cisco ISE connectivity.
     • The status of the integration can be seen in the slide-in pane. Ensure that the integration Status displays as Active in the Authentication and Policy Server window.
  7. To verify the negotiated role of the cluster as the Author Node, choose System > Settings > System Configuration > Multiple Catalyst Center Settings.

Integrate Other Catalyst Center Clusters with Cisco ISE as Reader Nodes

To integrate subsequent Catalyst Center clusters with the same Cisco ISE that has the Multiple Catalyst Center feature enabled, the Catalyst Center cluster must not contain any nondefault VNs (any VN other than “DEFAULT_VN” and “INFRA_VN”).

Before you begin
Verify that the cluster that you want to integrate includes only the default VNs under Policy > Virtual Network.

Procedure

  1. In the Catalyst Center GUI, click the menu icon and choose System > Settings > Authentication and Policy Servers.
  2. Click Add and choose ISE.
  3. Enter the required Cisco ISE information. See Catalyst Center and Cisco ISE integration.
  4. Choose System > Settings > Authentication and Policy Servers > Add > ISE > Advanced Settings.
  5. Enable the Multiple Catalyst Center Operation option.
  6. Click Add.
  7. (Optional) When integrating the cluster with Cisco ISE for the first time, click Accept in the slide-in pane for Catalyst Center to accept the certificate pushed by Cisco ISE. Close the slide-in pane.
  8. In the Authentication and Policy Server window, verify that the status of the integration displays as Active.

Delete a Virtual Network

The Author Node cluster is not aware of how a virtual network (VN) is used on the Reader Node clusters. You must remove all references to the VN on all Reader Node clusters before attempting to delete that VN on the Author Node cluster. If you delete a VN on the Author Node cluster, the VN is deleted on the Author Node and on the Reader Node clusters that have no references to it. But if one of the Reader Nodes is using that VN, the status of that VN is shown as Not in Sync with Author. You must remove all references to the VN on the Reader Node cluster (for example, the VN assignment in the Host Onboarding section or in a static port assignment) and then proceed to delete that VN on the Reader Node cluster.

Delete a Security Group

The Author Node cluster is not aware of how a security group is used on the Reader Node clusters. You must remove all references to the security group on all Reader Node clusters before attempting to delete that security group on the Author Node cluster. If you delete a security group on the Author Node cluster, that security group is deleted on the Author Node cluster, in Cisco ISE, and on the Reader Node clusters if there are no references to it. If one of the Reader Node clusters is using that security group, the status of that security group is shown as Not in Sync with Author. You must remove all references to the security group on the Reader Node cluster and then proceed to delete that security group on the Reader Node.
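The two deletion sections above describe the same propagation rule for VNs and for security groups. The following is an added example, not Cisco code, that models that rule as a small simulation: the Author Node deletes a global object, every Reader Node receives the change, and a Reader that still references the object keeps a stale copy marked Not in Sync with Author until an administrator removes the references and deletes it locally. The class names, the reference labels and the sample clusters are constructed for the example; Cisco ISE and pxGrid are only represented by the direct method call between the Author and the Readers.

```python
"""Toy model of global-object deletion in a Multiple Catalyst Center deployment
(added example, not Cisco code). Applies to VNs and security groups alike."""
from dataclasses import dataclass, field

IN_SYNC = "In Sync with Author"
NOT_IN_SYNC = "Not in Sync with Author"


@dataclass
class ReaderNode:
    name: str
    objects: dict = field(default_factory=dict)     # object name -> sync status
    references: dict = field(default_factory=dict)  # object name -> set of local usages

    def add_reference(self, obj, ref):
        # e.g. a VN assigned in Host Onboarding, or an SGT used in a static port assignment
        self.references.setdefault(obj, set()).add(ref)

    def remove_reference(self, obj, ref):
        self.references.get(obj, set()).discard(ref)

    def on_author_delete(self, obj):
        """Delete notification relayed by Cisco ISE (pxGrid in the real deployment)."""
        if obj not in self.objects:
            return None
        if self.references.get(obj):
            self.objects[obj] = NOT_IN_SYNC       # stale copy kept; admin must clean up
        else:
            del self.objects[obj]
        return self.objects.get(obj)

    def local_delete(self, obj):
        """Admin removes a stale object on the Reader; refused while references remain."""
        if self.references.get(obj):
            raise ValueError(f"{self.name}: {obj} still referenced by "
                             f"{sorted(self.references[obj])}")
        self.objects.pop(obj, None)


class AuthorNode:
    def __init__(self, readers):
        self.readers = readers
        self.objects = set()
        self.references = {}                       # the Author's own usages of each object

    def create(self, obj):
        self.objects.add(obj)
        for r in self.readers:                     # ISE propagates the new object to every Reader
            r.objects[obj] = IN_SYNC

    def delete(self, obj):
        """Refused while the Author itself uses the object; otherwise published to Readers."""
        if self.references.get(obj):
            raise ValueError(f"{obj} is in use on the Author Node and cannot be deleted")
        self.objects.discard(obj)
        return {r.name: r.on_author_delete(obj) for r in self.readers}


def demo():
    """Constructed scenario: one Reader still references CAMPUS_VN, the other does not."""
    east, west = ReaderNode("reader-east"), ReaderNode("reader-west")
    author = AuthorNode([east, west])
    author.create("CAMPUS_VN")
    east.add_reference("CAMPUS_VN", "host-onboarding:building-1")
    after_delete = author.delete("CAMPUS_VN")      # west drops it, east keeps a stale copy
    try:
        east.local_delete("CAMPUS_VN")             # refused: reference still present
    except ValueError:
        pass
    east.remove_reference("CAMPUS_VN", "host-onboarding:building-1")
    east.local_delete("CAMPUS_VN")                 # now succeeds
    return after_delete, "CAMPUS_VN" in east.objects, "CAMPUS_VN" in west.objects


if __name__ == "__main__":
    print(demo())
```

The `demo()` return value shows the asymmetry the text describes: the Reader without references silently loses the object, while the Reader with a reference reports Not in Sync with Author and needs the manual clean-up before its local delete goes through.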

Promote Reader Nodes to the Author Role
A Multiple Catalyst Center deployment has multiple clusters, and only one cluster can be the policy Author. There may be situations where an administrator needs to promote a Reader Node cluster to take over the role of the Author Node cluster. This promotion should only be done when:

  • You are taking the Author Node cluster out of service or making it unavailable for an extended period of time.
  • The Author Node cluster is permanently unavailable or unresponsive for an extended period of time and policy changes are required during that time.

This promotion of a Reader Node to an Author Node can be done in two ways:

  1. Graceful Promotion of a Reader Node to the Author role.
  2. Force Promotion of a Reader Node to the Author role.

Graceful Promotion of a Reader Node to the Author Role
You can manually promote a Reader Catalyst Center cluster to the Author role when needed in a Multiple Catalyst Center deployment. All Reader Node clusters have a Promote to Author button. You can promote a Reader Node cluster to the Author Node while your current Author Node cluster is in service. However, do not start the promotion process while the Author Node cluster is in the middle of group-based policy authoring operations (for example, during policy synchronization with Cisco ISE). If the Author Node cluster is in service, the promotion operation is staggered until the Author Node completes its current processing.

Note

  • Upon graceful promotion of a Reader Node cluster to the Author Role, the Reader Node cluster initiates a request to Cisco ISE for a role change (Reader to Author).
  • When Cisco ISE receives the role change request, it requests the current Author Node to release the role of policy Author. The current Author node then releases the role of policy Author (if no sync in progress) and takes over the role of the Reader Node cluster.
  • The Reader Node that was selected for promotion assumes the role of the Author Node. Upon the Author and Reader role change, Cisco ISE updates the other Reader Node clusters about the new Author Node through a configuration update.

Procedure

  1. On the Reader Node cluster, choose System > Settings > System Configuration > Multiple Cisco Catalyst Center Settings and verify the Author and Reader Nodes.
  2. Click the Promote to Author button.
  3. Click Continue to promote the node to the Author Role.

The transition process may take a few minutes.

Force Promotion of a Reader Node to the Author Role
Force promotion is a form of manual promotion, intended strictly for promoting a Reader Node cluster to the Author Node in the following situations:

  • The current Author Node cluster is out of service.
  • The current Author Node cluster is nonresponsive.
  • The graceful promotion of a Reader Node to the Author Role is taking more than 5 minutes.

Figure 3: Force Promotion of a Reader Node to the Author Role


Do not use the force promotion option while the existing Author Node cluster is in service with a GBP authoring activity, as this may result in data loss and the Author Node cluster going out of sync with Cisco ISE. Therefore, force promotion is only recommended if you must restore service immediately and you are willing to risk losing data. After the forced promotion, the promoted Reader Node cluster will become the new Author Node cluster for the deployment. When the former Author Node cluster becomes available, it will transition to a reader role and download the latest configuration data from Cisco ISE.
Upon initiating the promotion of a Reader Node cluster, the Reader Node cluster initiates a request to Cisco ISE for a Role change (in other words, Reader to Author). When Cisco ISE receives the role change request, it requests the current Author Node to release the role of policy Author.

If the current Author Node is unresponsive and if the administrator selects Force Promotion, the Reader Node cluster ACA initiates a request to force the change of the Reader Node cluster to the Author Role and vice versa immediately in Cisco ISE. This configuration update message is sent to all the nodes.
The steps to force promote a Reader Node cluster to an Author Node cluster are exactly the same as explained in the graceful promotion of a Reader Node to the Author Role section. There is an additional step at the end to initiate the Force Promotion function.
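The role negotiation at integration time, the graceful promotion that waits for the Author to release its role, and the force promotion that takes the role immediately are described in prose across the sections above. The following added example, not Cisco code, puts those rules into one small state machine so the ordering can be checked: the first cluster to integrate becomes Author and later ones become Readers (with the nondefault-VN precondition and the five-cluster limit from this page), a graceful request is deferred while the Author is mid-sync or unanswered while the Author is unresponsive, and a force request swaps roles at once, after which the returning former Author rejoins as a Reader and picks up the latest configuration. Cluster names, method names and the `config_version` counter are constructed for the example; the real exchange runs over the ERS API and pxGrid, which are represented here by direct method calls.

```python
"""Toy state machine of Author/Reader role negotiation and promotion in a Multiple
Catalyst Center deployment (added example, not Cisco code)."""
from dataclasses import dataclass, field
from typing import Optional

MAX_CLUSTERS = 5                                   # one Author plus up to four Readers
DEFAULT_VNS = frozenset({"DEFAULT_VN", "INFRA_VN"})


@dataclass
class Cluster:
    name: str
    vns: set = field(default_factory=lambda: set(DEFAULT_VNS))
    role: Optional[str] = None                     # "Author", "Reader", or None before integration
    responsive: bool = True                        # False models an out-of-service Author
    sync_in_progress: bool = False                 # GBP authoring / sync with ISE under way
    config_version: int = 0                        # last configuration update received from ISE


class IseDeployment:
    """Stand-in for the single Cisco ISE that all clusters integrate with."""

    def __init__(self):
        self.clusters = []
        self.author: Optional[Cluster] = None
        self.config_version = 0
        self.pending: Optional[Cluster] = None     # graceful promotion waiting on the Author

    def integrate(self, cluster):
        """First cluster to join with the feature enabled becomes Author; later ones Readers."""
        if len(self.clusters) >= MAX_CLUSTERS:
            raise ValueError("at most one Author and four Reader clusters per Cisco ISE")
        if self.author is not None and cluster.vns - DEFAULT_VNS:
            raise ValueError(f"{cluster.name}: remove nondefault VNs before joining as a Reader")
        cluster.role = "Author" if self.author is None else "Reader"
        if cluster.role == "Author":
            self.author = cluster
        self.clusters.append(cluster)
        self._publish()
        return cluster.role

    def _publish(self):
        """Configuration update to every reachable cluster (pxGrid in the real system)."""
        self.config_version += 1
        for c in self.clusters:
            if c.responsive:
                c.config_version = self.config_version

    def _swap(self, reader):
        old_author = self.author
        old_author.role, reader.role = "Reader", "Author"
        self.author = reader
        self._publish()

    def promote(self, reader, force=False):
        """Graceful promotion waits for the Author to release the role; force does not."""
        if reader.role != "Reader":
            raise ValueError(f"{reader.name} is not a Reader Node")
        if force:
            self.pending = None
            self._swap(reader)                     # immediate; risks data loss if Author was mid-sync
            return "promoted (forced)"
        self.pending = reader                      # request sent to ISE, relayed to the Author
        if not self.author.responsive:
            return "waiting: Author has not released the role"
        if self.author.sync_in_progress:
            return "deferred until the Author finishes its current sync"
        self.pending = None
        self._swap(reader)
        return "promoted"

    def author_sync_finished(self):
        """The Author completes its sync and releases the role if a graceful request is pending."""
        self.author.sync_in_progress = False
        if self.pending is None:
            return False
        reader, self.pending = self.pending, None
        self._swap(reader)
        return True

    def cluster_returns(self, cluster):
        """A former Author coming back after a force promotion rejoins as a Reader."""
        cluster.responsive = True
        if cluster is not self.author:
            cluster.role = "Reader"
            cluster.config_version = self.config_version   # downloads the latest configuration
```

Running through the constructed scenario in the test (two clusters integrate, a graceful promotion is deferred and then completes once the sync ends, the new Author goes unresponsive, a force promotion takes over, and the old Author returns as a Reader) shows why the page warns against force promotion during authoring: `_swap` never asks the old Author whether a sync is in progress, so any changes it had not yet pushed to ISE are simply not part of the configuration the new Author publishes.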
