Cisco ISE Software

Multiple Catalyst Center deployment overview

When you integrate more than one Catalyst Center cluster with a single Cisco ISE system, each Catalyst Center cluster is independent. No information is shared from any one cluster to any other. In this scenario, when Cisco Software-Defined Access (SD-Access) is deployed on Catalyst Center, the set of virtual networks (VNs) and all other SD-Access is local to each cluster.
Catalyst Center provides a mechanism to coordinate SD-Access and Group-Based Policy (GBP) elements across multiple Catalyst Center clusters integrated with a single Cisco ISE system. In order to allow global administration of SD-Access across multiple Catalyst Center clusters with a consistent set of VNs, the Multiple Catalyst Center feature leverages the existing secure connection with Cisco ISE to propagate VNs, security group tags (SGTs), Access Contracts, and Group-Based Access Control (GBAC) Policy from one cluster to another cluster. Cisco ISE takes the information learned from one cluster (known as the Author Node) and propagates it to the other clusters (known as the Reader Nodes).
The Multiple Catalyst Center feature is available when integrated with Cisco ISE Release 3.2 or later.

Note

  • The Multiple Catalyst Center operation is disabled by default. To use this feature, select the Enable Multiple Catalyst Center operation option (under Advanced Settings) when integrating Catalyst Center with Cisco ISE. You can enable this feature at the initial configuration or at a later time (after Cisco ISE is already integrated). After this functionality is enabled, only deleting the Cisco ISE integration can disable it.
  • If you are using earlier releases of Cisco ISE, you must contact your account team to submit a request to the Cisco SDA Design Council for inclusion in the Limited Availability program. A Multiple Catalyst Center Limited Availability package will be made available to allow access to the limited availability (LA) version of this functionality. See the Multiple Cisco DNA Center to Single Cisco ISE Prescriptive Deployment Guide for more information.

The Multiple Catalyst Center feature has specific role designations for the clusters:

  • Author Node cluster
  • Reader Node cluster

Author Node cluster

  • The Author Node role is assigned to the first cluster (with the Multiple Catalyst Center option enabled) that integrates with the Cisco ISE deployment, or to the first cluster that enables the Multiple Catalyst Center option. The Author Node cluster is the administration point for Group-Based Policy (GBP) and for global Cisco SD-Access data. The Author Node cluster manages VNs, SGTs, Access Contracts and GBAC Policy. Creation, modification or deletion of VNs and GBP elements can be done only on the Author Node cluster.
  • The Author Node cluster pushes VN and GBP information to Cisco ISE through the Cisco ISE ERS (REST) APIs. Cisco ISE consumes this information and publishes it to all other Catalyst Center clusters in the Reader Node role through Cisco ISE pxGrid.
  • Only one cluster can be designated as the Author Node. It is the only place where GBP and user-defined global SD-Access data (such as VNs or Extranet Policy) can be managed.
  • If an SGT or VN is in use on the Author Node, that SGT or VN cannot be deleted.

Reader Node cluster

  • All other Catalyst Center clusters that have the Multiple Catalyst Center feature enabled are assigned the Reader Node cluster role. Reader Node clusters have a read-only view of VNs and SGTs.
  • Although Reader Node clusters consume and persist the same VNs, SGTs, Access Contracts and GBAC Policies that are defined on the Author Node cluster, a Reader Node cluster does not display Access Contracts or policies.
  • VNs can only be created on the Author Node cluster. After they are created, they are propagated to the Reader Node clusters, where they may be used in fabric provisioning operations. The Reader Node clusters configure the associated network attributes, such as Virtual Network Identifiers (VNIDs), Route Targets (RTs) and Route Distinguishers (RDs), which are local to that cluster.
  • Except for the VN and GBP elements, each Reader Node cluster is an independent cluster that manages its own network infrastructure.
  • The Multiple Catalyst Center feature enables global policy management across multiple Catalyst Center clusters that are integrated with a single Cisco ISE. This capability does not change the basic constraints of managing virtual networks and fabrics across multiple Catalyst Center clusters. A VN can have the same name across multiple Catalyst Center clusters, which allows it to support security group-to-VN associations across multiple clusters. But at the individual cluster level, the actual network attributes associated with a VN (VRF, route target, route distinguisher, and so on) are not the same across all clusters. This is the same as when working with independent Catalyst Center clusters.
  • Up to four Catalyst Center clusters can be added as Reader Node clusters. Before adding a Catalyst Center cluster as a Reader, you must remove all admin-created Cisco SD-Access global data on that cluster for Catalyst Center to integrate with Cisco ISE. This includes nondefault VNs (any VNs other than "DEFAULT_VN" and "INFRA_VN"), Extranet Policy, and so on. If there is any nondefault GBP data (SGTs, Access Contracts, GBP), you have the option to automatically clean up (delete) all nondefault GBP data, or to merge any GBP data not already present in Cisco ISE.

Note

  • Only five Catalyst Center clusters can be integrated with a single Cisco ISE deployment: one Author Node cluster and up to four Reader Node clusters.
  • It is possible to delete SGTs or VNs on the Author Node even when they are in use on Reader Nodes. In that event, the stale SGTs or VNs must be deleted manually on the Reader Nodes (after removing any references to them).

Multiple Catalyst Center policy management

After integrating Catalyst Center with Cisco ISE and performing GBP synchronization, policy information is synchronized between Catalyst Center and Cisco ISE. Policy authoring rights reside in Catalyst Center. The Cisco ISE windows for managing SGTs, Security Group ACLs (SGACLs) and Egress Policy are read-only.
You can choose to manage group-based policy (Security Groups, Access Contracts and GBAC Policy) in Cisco ISE instead of in Catalyst Center.
In the Catalyst Center GUI, click the menu icon and choose Policy > Group-Based Access Control > Policies > GBAC Configuration > Manage Group-Based Access Control in Cisco ISE.

Upgrade recommendations for Multiple Catalyst Center

In a Multiple Catalyst Center environment, it is recommended to run the same Catalyst Center software version on all Author and Reader clusters, except while a cluster is being upgraded. You can upgrade all Reader Node clusters first, and then upgrade the Author Node cluster, to avoid feature mismatches and incompatibilities between software versions. Avoid promoting a Reader Node cluster to the Author Node role in the middle of an upgrade cycle. All Catalyst Center clusters should be upgraded and running the same software version before a Reader Node cluster is promoted.
Figure 1: Upgrade recommendations for Multiple Catalyst Center

The basic functionality of the Multiple Catalyst Center feature does not require the same software version in all the participating Author and Reader Node clusters. However, using mismatched code versions may result in a difference in fixes, capabilities, and features between the clusters. The same Catalyst Center software version is recommended across all Author and Reader Node clusters.

Multiple Catalyst Center deployment

There are two deployment options for Multiple Catalyst Center:

  • A new deployment of multiple Catalyst Center clusters that are not currently integrated with Cisco ISE.
  • An existing Catalyst Center cluster that is integrated with Cisco ISE, plus new additional Catalyst Center clusters without Cisco ISE integration.

Enabling Multiple Catalyst Center

Multiple Catalyst Center cluster operation is disabled by default. It can be enabled during or after integration with Cisco ISE. After Multiple Catalyst Center operation is enabled, you can disable it only by removing the Cisco ISE integration entirely.
The Multiple Catalyst Center operation requires pxGrid functionality. You cannot disable pxGrid after enabling Multiple Catalyst Center.

Procedure

  Step 1 In the Catalyst Center GUI, click the menu icon and choose System > Settings > Authentication and Policy Servers.
  Step 2 Add Cisco ISE.
  Step 3 Enter the required Cisco ISE information. For information, see Catalyst Center and Cisco ISE integration.
  Step 4 Choose System > Settings > Authentication and Policy Servers > Add > ISE > Advanced Settings.
    The Advanced Settings toggle reveals various advanced options, including the toggle to enable Multiple Catalyst Center operation.
  Step 5 Enable the Multiple Catalyst Center Operation option.
  Step 6 (Optional) If you are editing an existing Cisco ISE integration, re-enter the Cisco ISE admin password.
  Step 7 Click Add.

Integrating Multiple Catalyst Center with a single Cisco ISE
There are prerequisites for integrating Catalyst Center with Cisco ISE for the first time. For information, see Catalyst Center and Cisco ISE integration.

Before you begin
When Catalyst Center is already integrated with Cisco ISE, complete the following steps to reintegrate Catalyst Center and Cisco ISE after enabling the Multiple Catalyst Center operation. This allows Catalyst Center to negotiate the Author or Reader Node cluster role based on whether it is the first node or a subsequent node joining Cisco ISE with the Multiple Catalyst Center feature enabled.

Procedure

  Step 1 In the Catalyst Center GUI, click the menu icon and choose System > Settings > Authentication and Policy Servers.
  Step 2 In the Actions column, hover your cursor over the ellipsis icon and choose Edit.
  Step 3 Choose System > Settings > Authentication and Policy Servers > Add > ISE > Advanced Settings.
  Step 4 Enable the Multiple Catalyst Center Operation option.
  Step 5 Enter the Cisco ISE admin password again.
  Step 6 Click Add. Catalyst Center negotiates the Author Node role with Cisco ISE.
    • If the status of the configured Cisco ISE server displays "FAILED" because of a password change, click Retry, and update the password to resynchronize the Cisco ISE connectivity.
    • The status of the integration can be seen in the slide-in pane. Ensure that the integration status displays as Active in the Authentication and Policy Server window.
  Step 7 To verify that the negotiated role of the cluster is Author Node, choose System > Settings > System Configuration > Multiple Catalyst Center Settings.

Integrating other Catalyst Center clusters with Cisco ISE as Reader Nodes

To integrate subsequent Catalyst Center clusters with the same Cisco ISE that has Multiple Catalyst Center enabled, the Catalyst Center cluster must not have any nondefault VNs (any VNs other than "DEFAULT_VN" and "INFRA_VN").

Before you begin
Verify that the cluster that you want to integrate includes only the default VNs under Policy > Virtual Network.

Procedure

  Step 1 In the Catalyst Center GUI, click the menu icon and choose System > Settings > Authentication and Policy Servers.
  Step 2 Click Add and choose ISE.
  Step 3 Enter the required Cisco ISE information. See Catalyst Center and Cisco ISE integration.
  Step 4 Choose System > Settings > Authentication and Policy Servers > Add > ISE > Advanced Settings.
  Step 5 Enable the Multiple Catalyst Center Operation option.
  Step 6 Click Add.
  Step 7 (Optional) When integrating the cluster with Cisco ISE for the first time, click Accept in the slide-in pane for Catalyst Center to accept the certificate pushed by Cisco ISE. Close the slide-in pane.
  Step 8 In the Authentication and Policy Server window, verify that the status of the integration displays as Active.

Deleting a virtual network

The Author Node cluster is not aware of virtual network (VN) usage on a Reader Node cluster. You must remove all references to the VN on all Reader Node clusters before attempting to delete that VN on the Author Node cluster. If you delete a VN on the Author Node cluster, the VN is deleted on the Author Node and on the Reader Node clusters that have no references to it. But if one of the Reader Nodes is using that VN, the status of that VN is displayed as Not Synchronized with Author. You must remove all references to the VN on the Reader Node cluster (for example, the VN addition in the Host Onboarding section, or static port assignments) and then proceed to delete that VN on the Reader Node cluster.

Deleting a security group

The Author Node cluster is not aware of security group usage on a Reader Node cluster. You must remove all references to the security group on all Reader Node clusters before attempting to delete that security group on the Author Node cluster. If you delete a security group on the Author Node cluster, that security group is deleted on the Author Node cluster, in Cisco ISE, and on any Reader Node cluster that has no references to it. If one of the Reader Node clusters is using that security group, the status of that security group is displayed as Not Synchronized with Author. You must remove all references to the security group on the Reader Node cluster and then proceed to delete that security group on the Reader Node cluster.
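Both deletion procedures above leave the Reader-side cleanup to the operator: the Author does not know what a Reader still references, so after a deletion on the Author you have to find out, per Reader, which SGTs or VNs are now stale and which of those are still bound to ports or host onboarding. The script below is an added example written for this page; it is not code from Cisco or from this guide. It pulls the authoritative security group list from the Cisco ISE ERS API (the real endpoint GET /ers/config/sgt on port 9060 with basic authentication, which requires ERS to be enabled and an account with the ERS Admin or Operator role) and compares it with a Reader's inventory, which you supply yourself because the page names no Catalyst Center API for that view. The function names `names_from_page`, `ers_list_names`, `drift_report` and `nondefault_vns`, and all SGT and VN names in the sample data, are constructed for the example. The same `nondefault_vns` check also serves the Reader onboarding precondition stated earlier (only DEFAULT_VN and INFRA_VN may exist before a cluster is added as a Reader).

```python
"""Drift check for SGTs/VNs between Cisco ISE and a Reader Node cluster.

Added example for this page, not Cisco code. Assumptions:
  * ISE ERS is enabled and reachable at https://<ise>:9060. The endpoint
    GET /ers/config/sgt (basic auth, JSON) is real and paginates through
    SearchResult.nextPage.href.
  * The Reader's inventory (names it still holds, and names it still
    references via host onboarding or static port assignments) is supplied
    by the caller; the page names no Catalyst Center API for it.
"""
import base64
import json
import ssl
import urllib.request

DEFAULT_VNS = {"DEFAULT_VN", "INFRA_VN"}


def names_from_page(page):
    """Extract (names, next_url) from one ERS SearchResult page."""
    result = page["SearchResult"]
    names = {item["name"] for item in result.get("resources", [])}
    next_url = result.get("nextPage", {}).get("href")
    return names, next_url


def ers_list_names(base_url, user, password, resource="sgt", cafile=None):
    """Collect every resource name from an ERS collection (for example "sgt"
    or "sgacl"), following nextPage links so large deployments are not
    truncated at one page. TLS verification stays on; pass cafile for a
    private CA. Needs network access, so the offline demo below skips it."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    headers = {"Accept": "application/json", "Authorization": f"Basic {token}"}
    ctx = ssl.create_default_context(cafile=cafile)
    url = f"{base_url.rstrip('/')}/ers/config/{resource}?size=100"
    names = set()
    while url:
        req = urllib.request.Request(url, headers=headers)
        with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
            page_names, url = names_from_page(json.load(resp))
        names |= page_names
    return names


def drift_report(ise_names, reader_names, referenced_on_reader=()):
    """Compare a Reader's view with ISE (authoritative, fed by the Author).

    stale:             held by the Reader but gone from ISE, i.e. deleted on
                       the Author; shows as "Not Synchronized with Author".
    blocked:           stale entries the Reader still references; remove the
                       references first, then delete locally.
    deletable_now:     stale entries with no references; delete locally.
    missing_on_reader: in ISE but not on the Reader (propagation pending).
    """
    ise, reader = set(ise_names), set(reader_names)
    stale = reader - ise
    blocked = stale & set(referenced_on_reader)
    return {
        "stale": sorted(stale),
        "blocked": sorted(blocked),
        "deletable_now": sorted(stale - blocked),
        "missing_on_reader": sorted(ise - reader),
    }


def nondefault_vns(vn_names):
    """Pre-flight for onboarding a Reader: every VN other than DEFAULT_VN and
    INFRA_VN must be removed before the cluster is integrated with ISE."""
    return sorted(set(vn_names) - DEFAULT_VNS)


if __name__ == "__main__":
    # Constructed sample data standing in for a live ERS page and a Reader's
    # inventory; replace with ers_list_names(...) and your own export.
    ise_page = {"SearchResult": {"total": 3, "resources": [
        {"id": "1", "name": "Employees"},
        {"id": "2", "name": "Guests"},
        {"id": "3", "name": "IoT"}]}}
    ise_sgts, _ = names_from_page(ise_page)
    reader_sgts = {"Employees", "Guests", "Contractors", "Printers"}
    referenced = {"Contractors"}  # still bound to a static port on this Reader
    print(json.dumps(drift_report(ise_sgts, reader_sgts, referenced), indent=2))
    print("VNs to remove before onboarding:",
          nondefault_vns(["DEFAULT_VN", "INFRA_VN", "CAMPUS_VN"]))
```

Run it once per Reader cluster after a deletion on the Author: anything in `blocked` is exactly the "Not Synchronized with Author" case the text describes and needs its references removed on that Reader before the local delete; `missing_on_reader` is worth checking too, since an entry that never arrived on a Reader points at a pxGrid or ERS problem rather than at a stale reference.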

Promoting Reader Nodes to the Author role
The Multiple Catalyst Center solution architecture has multiple Catalyst Center clusters and only one cluster that can be the policy Author. There may be situations in which the administrator needs to promote a Reader Node cluster to take over the Author Node cluster role. This promotion should be done only when:

  • You are taking the Author Node cluster out of service or making it unavailable for an extended period of time.
  • The Author Node cluster is permanently unavailable or unresponsive for an extended period of time and policy changes are required during that time.

This promotion of a Reader Node to an Author Node can be done in two ways:

  1. Graceful Promotion of a Reader Node to the Author role.
  2. Force Promotion of a Reader Node to the Author role.

Graceful promotion of a Reader Node to the Author role
You can manually promote a Reader Catalyst Center cluster to the Author role if needed in a Multiple Catalyst Center deployment. All Reader Node clusters have a Promote to Author button. You can promote a Reader Node cluster to the Author role while your current Author Node cluster is still operational. However, do not start the promotion while the existing Author Node cluster is in the middle of a group policy authoring activity (for example, while synchronizing policy with Cisco ISE). If the Author Node cluster is busy, the promotion is deferred until the Author Node completes its current processing.

Note

  • Upon graceful promotion of a Reader Node cluster to the Author Role, the Reader Node cluster initiates a request to Cisco ISE for a role change (Reader to Author).
  • When Cisco ISE receives the role change request, it asks the current Author Node to release the policy Author role. The current Author Node then releases the policy Author role (if no sync is in progress) and takes over the Reader Node cluster role.
  • The Reader Node that was selected for promotion assumes the Author Node role. After the Author and Reader role change, Cisco ISE informs the other Reader Node clusters about the new Author Node through a configuration update.

Procedure

  Step 1 On the Reader Node cluster, choose System > Settings > System Configuration > Multiple Cisco Catalyst Center Settings and verify the Author and Reader Nodes.
  Step 2 Click the Promote to Author button.
  Step 3 Click Continue to promote the node to the Author role.

The transition process can take a few minutes.

Force promotion of a Reader Node to the Author role
Force promotion is a type of manual promotion that is intended strictly for promoting the current Reader Node cluster to the Author Node role in these situations:

  • The current Author Node cluster is out of service.
  • The current Author Node cluster is nonresponsive.
  • The graceful promotion of a Reader Node to the Author Role is taking more than 5 minutes.

Figure 3: Force promotion of a Reader Node to the Author role

Do not use the force promotion option while the existing Author Node cluster is in service with a GBP authoring activity, as this may result in data loss and the Author Node cluster going out of sync with Cisco ISE. Therefore, force promotion is recommended only if you must restore service immediately and you are willing to risk losing data. After the forced promotion, the promoted Reader Node cluster becomes the new Author Node cluster for the deployment. When the former Author Node cluster becomes available again, it transitions to the Reader role and downloads the latest configuration data from Cisco ISE.
Upon initiating the promotion of a Reader Node cluster, the Reader Node cluster sends a request to Cisco ISE for a role change (in other words, Reader to Author). When Cisco ISE receives the role change request, it asks the current Author Node to release the policy Author role.

If the current Author Node is unresponsive and the administrator selects Force Promotion, the Reader Node cluster ACA initiates a request in Cisco ISE to force the change of the Reader Node cluster to the Author role, and vice versa, immediately. This configuration update message is sent to all the nodes.
The steps to force-promote a Reader Node cluster to an Author Node cluster are exactly the same as those explained in the graceful promotion of a Reader Node to the Author role section, with one additional step at the end to initiate the Force Promotion function.

Documents / Resources

Cisco ISE Software [pdf] User Guide
ISE Software, Software
