CISCO ISE Software User Guide

ISE Software

Product Information

Specifications:

  • Product Name: Catalyst Center Clusters
  • Compatibility: Single Cisco ISE System
  • Cluster Configuration: One Author Node cluster and up to four
    Reader Node clusters

Product Usage Instructions

Author Node Cluster:

The Author Node cluster is responsible for pushing VN and GBP
information to Cisco ISE via ERS (REST) APIs. It is the node where
GBP and user-defined global SDA data can be managed and propagated
to Reader Node clusters.

Reader Node Cluster:

The Reader Node cluster has a read-only view of VNs and SGTs. It
consumes and persists VNs, SGTs, Access Contracts, and GBAC
Policies defined on the Author Node cluster. However, it does not
display Access Contracts or policies. VNs can only be created on
the Author Node cluster and are then propagated to Reader Node
clusters for fabric provisioning operations.

Each Reader Node cluster is an independent cluster managing its
own network infrastructure, configuring associated network
attributes locally.

Multiple Catalyst Center Policy Management:

After integrating Catalyst Center with Cisco ISE, policy
information synchronization occurs between the two systems. Policy
authoring privileges are within Catalyst Center.

Upgrade Recommendations for Multiple Catalyst Center:

When upgrading, management of SGTs, SGACLs, and Egress Policy in
Cisco ISE becomes read-only. Group-based policy management can be
done in Cisco ISE instead of Catalyst Center by navigating to
Policy > Group-Based Access Control > Policies > GBAC
Configuration > Manage Group-Based Access Control in Cisco
ISE.

FAQ

Q: How many Reader Node clusters can be designated in the
Catalyst Center deployment?

A: Up to four Reader Node clusters can be designated in a
deployment with one Author Node cluster.


Integrate Multiple Catalyst Center Clusters with a Single Cisco ISE System
· Overview of a Multiple Catalyst Center deployment, on page 1
· Author Node cluster, on page 2
· Reader Node cluster, on page 3
· Multiple Catalyst Center policy management, on page 3
· Upgrade recommendations for Multiple Catalyst Center, on page 4
· Multiple Catalyst Center deployments, on page 4
· Enabling Multiple Catalyst Center, on page 5
· Integrating Multiple Catalyst Center with a single Cisco ISE, on page 5
· Integrating other Catalyst Center clusters with Cisco ISE as Reader Nodes, on page 6
· Deleting a virtual network, on page 7
· Deleting a security group, on page 7
· Promotion of Reader Nodes to the Author Role, on page 7
· Graceful promotion of a Reader Node to the Author Role, on page 7
· Force promotion of a Reader Node to the Author Role, on page 9
Overview of a Multiple Catalyst Center deployment
When you integrate more than one Catalyst Center cluster with a single Cisco ISE system, each Catalyst Center cluster is independent. No information is shared from any one cluster to any other. In this scenario, when Cisco Software-Defined Access (SD-Access) is deployed on Catalyst Center, the set of virtual networks (VNs) and all other SD-Access data is local to each cluster. Catalyst Center provides a mechanism to coordinate SD-Access and Group-Based Policy (GBP) elements across multiple Catalyst Center clusters integrated with a single Cisco ISE system. In order to allow global administration of SD-Access across multiple Catalyst Center clusters with a consistent set of VNs, the Multiple Catalyst Center feature leverages the existing secure connection with Cisco ISE to propagate VNs, security group tags (SGTs), Access Contracts, and Group-Based Access Control (GBAC) Policy from one cluster to another cluster. Cisco ISE takes the information learned from one cluster (known as the Author Node) and propagates it to the other clusters (known as the Reader Nodes). The Multiple Catalyst Center feature is available when integrated with Cisco ISE Release 3.2 or later.
Integrate Multiple Catalyst Center Clusters with a Single Cisco ISE System 1

Note

· The Multiple Catalyst Center operation is disabled by default. To use this feature, select the Enable Multiple Catalyst Center operation option (under Advanced Settings) when integrating Catalyst Center with Cisco ISE. You can enable this feature at the initial configuration or at a later time (after Cisco ISE is already integrated). After this functionality is enabled, only deleting the Cisco ISE integration can disable the functionality.

· If you are using earlier releases of Cisco ISE, you must contact your account team to submit a request to the Cisco SDA Design Council for inclusion in the Limited Availability program. A Multiple Catalyst Center Limited Availability package will be provided to allow access to the limited availability (LA) version of this functionality. See the Multiple Cisco DNA Center to Single Cisco ISE Prescriptive Deployment Guide for more information.

The Multiple Catalyst Center feature has specific role designations for the clusters:

· Author Node cluster
· Reader Node cluster

Author Node cluster
The Author Node role is assigned to the first cluster (with the Multiple Catalyst Center option enabled) that integrates with the Cisco ISE deployment, or the first cluster which enables the Multiple Catalyst Center option. The Author Node cluster is the administration point for Group-Based Policy (GBP) and for Cisco SD-Access global data. The Author Node cluster manages VNs, SGTs, Access Contracts, and GBAC Policy. Creation, modification, or deletion of VNs and GBP components can only be done on the Author Node cluster.
The Author Node cluster pushes VN and GBP information to Cisco ISE via ERS (REST) APIs. Cisco ISE uses this information and publishes it to all other Cisco Catalyst Center clusters in the Reader Node role through Cisco ISE pxGrid.

Only one cluster can be designated as the Author Node. It’s the only node where GBP and user-defined global SDA data (such as VNs or extranet policy) can be managed.
If SGTs or VNs are operational on the Author Node, the SGTs or VNs can’t be deleted.
Reader Node cluster
All other Catalyst Center clusters which have the Multiple Catalyst Center feature enabled are assigned the role of Reader Node cluster. Reader Node clusters have a read-only view of VNs and SGTs.
Even though Reader Node clusters consume and persist the same VNs, SGTs, Access Contracts, and GBAC Policies that are defined on the Author Node cluster, a Reader Node cluster doesn’t display Access Contracts or policies.
VNs can only be created on the Author Node cluster. After they are created, they are propagated to the Reader Node clusters, where they may be used in fabric provisioning operations. The Reader Node clusters configure the associated network attributes such as Virtual Network Identifiers (VNID), Route Targets (RT), and Route Distinguishers (RD), which are local to that cluster.
Except for the VN and GBP features, each Reader Node cluster is an independent cluster that manages its own network infrastructure.
The Multiple Catalyst Center feature enables global policy administration across multiple Cisco Catalyst Center clusters integrated to a single Cisco ISE. This capability doesn’t change the underlying limitations of managing virtual networks and fabrics on multiple Cisco Catalyst Center clusters. A VN may have the same name across multiple Cisco Catalyst Center clusters, which allows it to support consistent security group-VN associations across multiple clusters. But at the individual cluster level, the actual network attributes to associate with a VN (VRF, route target, route distinguisher, and so on) aren’t identical across clusters. This is the same as when operating independent Catalyst Center clusters.
Up to four Catalyst Center clusters can be added as Reader Node clusters. Before adding a Catalyst Center node as a Reader, you must remove all admin-created Cisco SD-Access global data on the Reader Node cluster for Catalyst Center to integrate with Cisco ISE. This includes nondefault VNs (any VNs other than “DEFAULT_VN” and “INFRA_VN”), Extranet Policy, and so on. In the event there’s any nondefault GBP data (SGTs, Access Contracts, GBP), the user has the option to automatically clean up (delete) all nondefault GBP data, or to merge any GBP data not already present in Cisco ISE.

Note

· Only five Catalyst Center clusters can be integrated with a single Cisco ISE deployment. This means one Author Node cluster and up to four Reader Node clusters.

· It’s possible to delete SGTs or VNs on the Author Node even when they are in use on Reader Nodes. In that event, the stale SGTs or VNs must be deleted manually on the Reader Nodes (after removing any references).

Multiple Catalyst Center policy management
After integrating Catalyst Center with Cisco ISE and doing GBP synchronization, policy information is synchronized between Catalyst Center and Cisco ISE. The policy authoring privileges are within Catalyst Center. The Cisco ISE windows for management of SGTs, Security Group ACLs (SGACLs), and Egress Policy become read only.
You can manage group-based policy (Security Groups, Access Contracts, and GBAC Policy) in Cisco ISE instead of in Catalyst Center.
In the Catalyst Center GUI, click the menu icon and choose Policy > Group-Based Access Control > Policies > GBAC Configuration > Manage Group-Based Access Control in Cisco ISE.
Upgrade recommendations for Multiple Catalyst Center
In a Multiple Catalyst Center environment, it’s recommended to run the same Catalyst Center software version across all Author and Reader Node clusters, except during the process of cluster upgrades. You can upgrade all Reader Node clusters first, and then upgrade the Author Node cluster to avoid feature disparity and feature incompatibility across software versions. Avoid the promotion of a Reader Node cluster to the Author Node role in the middle of an upgrade cycle. All Catalyst Center clusters should be upgraded and running the same software version before promoting a Reader Node cluster.
Figure 1: Upgrade recommendations for Multiple Catalyst Center

Note The basic functionality of the Multiple Catalyst Center feature doesn’t require the same software version in all the participating Author and Reader Node clusters. However, using mismatched code versions may result in a difference in fixes, capabilities, and features between the clusters. The same Catalyst Center software version is recommended across all Author and Reader Node clusters.
Multiple Catalyst Center deployments
There are two Multiple Catalyst Center deployment options.
· A new deployment of multiple Catalyst Center clusters that aren’t currently integrated with Cisco ISE.
· An existing Catalyst Center cluster that is integrated with Cisco ISE and new additional Catalyst Center clusters without Cisco ISE integration.

Enabling Multiple Catalyst Center
The Multiple Catalyst Center cluster functionality is disabled by default. It can be enabled during or after integration with Cisco ISE. After the Multiple Catalyst Center functionality is enabled, you can disable it only by removing the Cisco ISE integration completely.

Note The Multiple Catalyst Center operation requires pxGrid functionality. You can’t disable pxGrid after enabling Multiple Catalyst Center.

Procedure

Step 1 In the Catalyst Center GUI, click the menu icon and choose System > Settings > Authentication and Policy Servers.
Step 2 Add Cisco ISE.
Step 3 Enter the required Cisco ISE information. For information, see Catalyst Center and Cisco ISE integration.
Step 4 Choose System > Settings > Authentication and Policy Servers > Add > ISE > Advanced Settings.
The Advanced Settings switch exposes various advanced options, including the switch to enable the Multiple Catalyst Center operation.
Step 5 Enable the Multiple Catalyst Center Operation option.
Step 6 (Optional) If you are editing an existing Cisco ISE integration, re-enter the Cisco ISE admin password.
Step 7 Click Add.

Integrating Multiple Catalyst Center with a single Cisco ISE
There are prerequisites for integrating Catalyst Center and Cisco ISE for the first time. For information, see Catalyst Center and Cisco ISE integration.
Before you begin
When Catalyst Center is already integrated with Cisco ISE, complete the following steps to reintegrate Catalyst Center and Cisco ISE after enabling the Multiple Catalyst Center operation. This allows Catalyst Center to negotiate the Author or Reader Node cluster role based on whether it’s a first node or subsequent node joining Cisco ISE with the Multiple Catalyst Center feature enabled.


Procedure

Step 1 In the Catalyst Center GUI, click the menu icon and choose System > Settings > Authentication and Policy Servers.
Step 2 In the Actions column, hover your cursor over the ellipsis icon and choose Edit.
Step 3 Choose System > Settings > Authentication and Policy Servers > Add > ISE > Advanced Settings.
Step 4 Enable the Multiple Catalyst Center Operation option.
Step 5 Enter the Cisco ISE Admin password again.
Step 6 Click Add. Catalyst Center negotiates the Author Node role with Cisco ISE.
· If the status of the configured Cisco ISE server displays “FAILED” because of a password change, click Retry, and update the password to resynchronize the Cisco ISE connectivity.
· The status of the integration can be seen in the slide-in pane. Ensure that the integration Status displays as Active in the Authentication and Policy Server window.
Step 7 To verify the negotiated role of the cluster as the Author Node, choose System > Settings > System Configuration > Multiple Catalyst Center Settings.

Integrating other Catalyst Center clusters with Cisco ISE as Reader Nodes
To integrate the subsequent Catalyst Center clusters with the same Cisco ISE that has Multiple Catalyst Center enabled, the Catalyst Center cluster must not contain any nondefault VNs (any VNs other than “DEFAULT_VN” and “INFRA_VN”).
Before you begin

Verify that the cluster that you want to integrate includes only the default VNs under Policy > Virtual Network.

Procedure

Step 1 In the Catalyst Center GUI, click the menu icon and choose System > Settings > Authentication and Policy Servers.
Step 2 Click Add and choose ISE.
Step 3 Enter the required Cisco ISE information. See Catalyst Center and Cisco ISE integration.
Step 4 Choose System > Settings > Authentication and Policy Servers > Add > ISE > Advanced Settings.
Step 5 Enable the Multiple Catalyst Center Operation option.
Step 6 Click Add.
Step 7 (Optional) When integrating the cluster with Cisco ISE for the first time, click Accept in the slide-in pane for Catalyst Center to accept the certificate pushed by Cisco ISE.
Step 8 Close the slide-in pane. In the Authentication and Policy Server window, verify that the status of the integration displays as Active.
Step 9 To verify the Author and Reader Nodes, choose System > Settings > System Configuration > Multiple Cisco Catalyst Center Settings.

Deleting a virtual network
The Author Node cluster does not know of Virtual Network (VN) usage on the Reader Node cluster. You must remove all references to a VN on all the Reader Node clusters before attempting to delete that VN on the Author Node cluster. If you delete a VN on the Author Node cluster, the VN is deleted on the Author node and on the Reader Node clusters which do not have references to it. But if one of the Reader Nodes is using that VN, the status of such a VN then displays as Out of sync with Author. You must remove all the references (for example, VN Addition in Host Onboarding Section or static port assignment) of the VN on the Reader Node cluster and then proceed to delete that VN on the Reader Node cluster.
Deleting a security group
The Author Node cluster is not aware of security group usage on a Reader Node cluster. You must remove all references to the security group on all the Reader Node clusters before attempting to delete that security group on the Author Node cluster. If you delete a security group on the Author Node cluster, that security group is deleted on the Author Node cluster, Cisco ISE, and on the Reader Node cluster if there are no references to it. If one of the Reader Node clusters is using that security group, the status of such a security group then displays as Out of sync with Author. You must remove all the references of the security group on the Reader Node cluster and then proceed to delete that security group on the Reader Node cluster.
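The deletion rules for VNs and security groups described in the two sections above, as an added example that models them in Python (this is not Cisco code, and the cluster, VN and reference names are constructed for illustration):

```python
"""Model of the VN / security-group deletion semantics in a Multiple Catalyst
Center deployment. Added example, not Cisco code; names are constructed."""
from dataclasses import dataclass, field

IN_SYNC = "In sync"
OUT_OF_SYNC = "Out of sync with Author"


@dataclass
class Cluster:
    name: str
    objects: dict = field(default_factory=dict)     # object name -> sync status
    references: dict = field(default_factory=dict)  # object name -> set of local uses


@dataclass
class Deployment:
    author: Cluster
    readers: list

    def create(self, name):
        """Objects are created only on the Author and propagated to every Reader."""
        for cluster in [self.author, *self.readers]:
            cluster.objects[name] = IN_SYNC

    def delete_on_author(self, name):
        """Returns {cluster name: outcome}. The Author refuses while the object is
        operational locally; it cannot see Reader references, so Readers that
        still use the object keep it and flag it Out of sync with Author."""
        if self.author.references.get(name):
            return {self.author.name: "refused: operational on Author"}
        del self.author.objects[name]
        outcome = {self.author.name: "deleted"}
        for reader in self.readers:
            if reader.references.get(name):
                reader.objects[name] = OUT_OF_SYNC
                outcome[reader.name] = OUT_OF_SYNC
            else:
                reader.objects.pop(name, None)
                outcome[reader.name] = "deleted"
        return outcome

    def delete_on_reader(self, reader, name):
        """Clean-up of a stale object on a Reader: allowed only after every local
        reference (host onboarding, static port assignment, ...) is removed."""
        refs = reader.references.get(name, set())
        if refs:
            return f"refused: still referenced by {sorted(refs)}"
        reader.objects.pop(name, None)
        return "deleted"


def walkthrough():
    """Constructed scenario: the Author deletes a VN still used on one Reader."""
    author = Cluster("dnac-author")
    site_a, site_b = Cluster("dnac-site-a"), Cluster("dnac-site-b")
    dep = Deployment(author, [site_a, site_b])
    dep.create("CAMPUS_VN")
    site_a.references.setdefault("CAMPUS_VN", set()).add("static port Gi1/0/1")
    first = dep.delete_on_author("CAMPUS_VN")      # site-a is flagged, others drop it
    blocked = dep.delete_on_reader(site_a, "CAMPUS_VN")
    site_a.references["CAMPUS_VN"].clear()         # operator removes the reference
    cleaned = dep.delete_on_reader(site_a, "CAMPUS_VN")
    return first, blocked, cleaned, "CAMPUS_VN" in site_a.objects
```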
Promotion of Reader Nodes to the Author Role
The Multiple Catalyst Center solution architecture has multiple Catalyst Center clusters and only one cluster can be the policy Author. There may be instances where the Administrator needs to promote a Reader Node cluster to take over the role of the Author Node cluster. This promotion should only be done when:
· You are taking the Author Node cluster out of service or making it unavailable for an extended period of time.
· The Author Node cluster is permanently unavailable or unresponsive for an extended period of time and policy changes are required during that time.
This promotion of a Reader Node to an Author Node can be done in two ways:
1. Graceful Promotion of a Reader Node to the Author role.
2. Force Promotion of a Reader Node to the Author role.
Graceful promotion of a Reader Node to the Author Role
You can manually promote a Reader Catalyst Center cluster to the Author Role if necessary in the Multiple Catalyst Center deployment. All the Reader Node clusters have a Promote to Author button. You can promote a Reader Node cluster to an Author Node while your current Author Node cluster is still in operation. However, do not start the promotion operation while the existing Author Node cluster is in the middle of a group-based policy authoring activity (for example, while synchronizing policies with Cisco ISE). If the Author Node cluster is busy, the promotion operation is staggered until the Author Node completes its current processing.

Note

· Upon graceful promotion of a Reader Node cluster to the Author Role, the Reader Node cluster initiates a request to Cisco ISE for a role change (Reader to Author).

· When Cisco ISE receives the role change request, it requests the current Author Node to release the role of policy Author. The current Author Node then releases the role of policy Author (if no sync is in progress) and takes over the role of the Reader Node cluster.

· The current Reader Node that is selected for promotion assumes the role of the Author Node. Upon the Author and Reader Role change, Cisco ISE updates the other Reader Node clusters about the new Author Node through a configuration update.

Figure 2: Graceful promotion of a Reader Node to the Author Role

Procedure

Step 1 On the Reader Node cluster, choose System > Settings > System Configuration > Multiple Cisco Catalyst Center Settings and verify the Author and Reader Nodes.
Step 2 Click the Promote to Author button.
Step 3 Click Continue to promote the node to the Author Role.
The transition process may take a few minutes.

Force promotion of a Reader Node to the Author Role
Force promotion is a form of manual promotion that is intended strictly to promote the current Reader Node cluster to the Author Node role in these situations:
· The current Author Node cluster is out of service.
· The current Author Node cluster is nonresponsive.
· The graceful promotion of a Reader Node to the Author Role is taking more than 5 minutes.
Figure 3: Force promotion of a Reader Node to the Author Role

Do not use the force promotion option while the existing Author Node cluster is in service with a GBP authoring activity, as this may result in data loss and the Author Node cluster going out of sync with Cisco ISE. Therefore, force promotion is only recommended if you must restore service immediately and you are willing to risk losing data. After the forced promotion, the promoted Reader Node cluster will become the new Author Node cluster for the deployment. When the former Author Node cluster becomes available, it will transition to a reader role and download the latest configuration data from Cisco ISE.

Upon initiating the promotion of a Reader Node cluster, the Reader Node cluster initiates a request to Cisco ISE for a role change (in other words, Reader to Author). When Cisco ISE receives the role change request, it requests the current Author Node to release the role of policy Author. If the current Author Node is unresponsive and the administrator selects Force Promotion, the Reader Node cluster ACA initiates a request to force the change of the Reader Node cluster to the Author Role and vice versa immediately in Cisco ISE. This configuration update message is sent to all the nodes.

The steps to force promote a Reader Node cluster to an Author Node cluster are exactly the same as explained in the graceful promotion of a Reader Node to the Author Role section. There is an additional step at the end to initiate the Force Promotion function.
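The graceful and force promotion flows described above (and in the graceful promotion section), as an added example that models the role negotiation brokered by Cisco ISE; this is not Cisco code, and the node names, the "staggered" handling and the configuration-version counter are constructed to illustrate the behaviour the text describes:

```python
"""Model of Reader-to-Author promotion in a Multiple Catalyst Center deployment:
graceful (Author consents, deferred while it syncs) versus force (immediate,
with data-loss risk). Added example, not Cisco code; names are constructed."""
from dataclasses import dataclass, field


@dataclass
class Node:
    name: str
    role: str                 # "author" or "reader"
    syncing: bool = False     # GBP sync with Cisco ISE in progress
    responsive: bool = True
    config_version: int = 0   # last configuration update received from ISE


@dataclass
class IseBroker:
    """The single Cisco ISE that mediates role changes and fans out updates."""
    nodes: dict
    latest_version: int = 0
    log: list = field(default_factory=list)

    def author(self):
        return next(n for n in self.nodes.values() if n.role == "author")

    def notify_all(self, new_author):
        """Configuration update to every reachable node; a down node misses it."""
        self.latest_version += 1
        for n in self.nodes.values():
            if n.responsive:
                n.config_version = self.latest_version
        self.log.append(f"config update: author is now {new_author}")

    def graceful_promote(self, reader_name):
        """Reader asks ISE; ISE asks the Author to release the role. A busy Author
        defers (staggers) the change; an unresponsive Author makes it fail."""
        reader, author = self.nodes[reader_name], self.author()
        if not author.responsive:
            return "failed: author unresponsive (consider force promotion)"
        if author.syncing:
            return "staggered: author busy, retry after current processing"
        author.role, reader.role = "reader", "author"
        self.notify_all(reader.name)
        return "promoted"

    def force_promote(self, reader_name):
        """Swaps the roles immediately without the old Author's consent. If that
        Author was mid-sync, its in-flight change is lost and it goes out of sync."""
        reader, author = self.nodes[reader_name], self.author()
        data_loss_risk = author.responsive and author.syncing
        author.role, reader.role = "reader", "author"
        self.notify_all(reader.name)
        return "promoted (data loss risk)" if data_loss_risk else "promoted"

    def author_returns(self, name):
        """Former Author comes back: it is already a Reader and pulls the latest
        configuration from ISE."""
        n = self.nodes[name]
        n.responsive = True
        n.config_version = self.latest_version
        return n.role, n.config_version


def build_deployment():
    """Constructed scenario: one Author ("hq") and two Readers."""
    nodes = {name: Node(name, "reader") for name in ("site-b", "site-c")}
    nodes["hq"] = Node("hq", "author")
    return IseBroker(nodes)
```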
