topic Re: It would be supported. in Network Access Control

Cisco ISE Hybrid Distributed Node Deployment

edwardonelife — Mon, 11 Mar 2019 07:15:01 GMT

Is it possible or recommended to have the deployment shown below;

Node 1 - Running Admin+MnT (Primary)+PSN - SNS3595

Node 2 - Running Admin+MnT (Secondary)+PSN - SNS3595

Node 3 - PSN - SNS3515

Node 4 - PSN - SNS3515

How many endpoints would such a deployment handle?

How many PSN nodes would it support max?

Hi Edward,

Kanwaljeet Singh — Wed, 23 Nov 2016 20:10:21 GMT

Hi Edward,

You would be interested in this document below:

https://communities.cisco.com/docs/DOC-68347

Hope this helps!

Regards,

Kanwal

Note: Please mark answers if they are helpful.

20,000 concurrent endpoints

Marvin Rhoads — Thu, 24 Nov 2016 03:47:29 GMT

20,000 concurrent endpoints max - that is noted on Craig's document which Fnu shared. To get to that you would need at least three SNS-3515 level appliances with ISE 2.1 (or 4 with ISE 2.0.1).

However a single PSN on SNS-3595 could handle it.

You could put a maximum of 5 PSNs in a deployment with combined PAN + MnT nodes. However, without a load balancing scheme in place, their use will be constrained based on capabilities of your NADs to load balance RADIUS natively.

Hi Marvin,

edwardonelife — Thu, 24 Nov 2016 06:57:50 GMT

Hi Marvin,

Based on the below setup, what do you think will be the maximums?

Is it a supported deployment?

Node 1 - Running Admin + MnT (Primary) + PSN - SNS3595

Node 2 - Running Admin + MnT (Secondary) + PSN - SNS3595

Node 3 - PSN - SNS3515

Node 4 - PSN - SNS3515

It would be supported.

Marvin Rhoads — Thu, 24 Nov 2016 13:59:02 GMT

It would be supported.

The maximum concurrent sessions would be 20,000 with just the first two nodes you listed. Adding Node 3 and Node 4 in that scenario would not do a lot for you unless you have some intelligent load balancing to allocate RADIUS sessions among the PSNs.

Remember a given NAD is limited in its ability to use multiple RADIUS servers. A Cisco WLC, for example, will only ever use the first defined RADIUS server for a given SSID as long as it is reachable. A Cisco switch with a 15.x IOS will do crude round robin load balancing of RADIUS server. 12.x IOS will not.

Re: It would be supported.

Uwe Siegrist — Tue, 05 Nov 2019 17:49:13 GMT

Sorry, if I warm up this thread again.
I've come across this question so often. Recently, even from Cisco side this was shown in a upgrade demo. A Cisco employee said that this is a valid small hybrid deployment. However, the ISE Installation Guide specifically states "Hybrid-Distributed deployment (Admin and MnT on same appliance; Policy Service on dedicated appliance)" and "In a medium-sized network deployment, you can not enable the policy persona on a node that runs the Administration persona, Monitoring persona, or Both. You need dedicated policy service node (s) ". So there is probably still need for explanation here.

https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/install_guide/b_ise_InstallationGuide24/b_ise_InstallationGuide24_chapter_00.html#reference_A4A76D628B6847EDB1715F2C11C3B753

Re: Hi Marvin,

Jason Kunst — Tue, 05 Nov 2019 18:21:06 GMT

@edwardonelife wrote:

Hi Marvin,

Based on the below setup, what do you think will be the maximums?

Is it a supported deployment?

Node 1 - Running Admin + MnT (Primary) + PSN - SNS3595

Node 2 - Running Admin + MnT (Secondary) + PSN - SNS3595

Node 3 - PSN - SNS3515

Node 4 - PSN - SNS3515

This is not supported. Once you install a PSN outside of the node running admin and/or MNT then its a distributed hybrid model and policy services needs to be disabled on any node running admin and/or MNT

https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/install_guide/b_ise_InstallationGuide24/b_ise_InstallationGuide24_chapter_00.html#reference_A4A76D628B6847EDB1715F2C11C3B753

Re: Hi Marvin,

Uwe Siegrist — Tue, 05 Nov 2019 19:42:54 GMT

Hi Jason,

thank you for your clarification.