topic Re: PAN/MNT hybrid question. in Network Access Control

PAN/MNT hybrid question.

JasonMahan — Mon, 16 Sep 2019 16:37:17 GMT

Have some ISE 3595's on the shelf. (understand these are EOS as of March).

Need to get them off the shelf and deployed. Believe there's a total of 40K possible endpoints at this time.

Question regarding Hybrid deployment with the PAN+MNT in the same 3595.

6 X 3595 appliances.

The thought is to put 3 in each DC (2 Datacenters).

PAN +MNT running on one appliance with two PSNs in each data centers.

Split the load by configuring NADs in an odd / even fashion so that only in a DC failure situation does one deployment have all end points.

Is this possible with the PAN+MnT in same appliance?

Obviously there's no HA, it would be failover from one DC to the other based on field configs on switches using primary and secondary radius configurations.

If this is possible, what are the drawbacks. I am concerned about the PAN + MnT in one appliance during any situation where the MnT is handling massive amounts of traffic.

If you need more information, please me know.

All thoughts welcome.

Thanks,

-Jason

Re: PAN/MNT hybrid question.

Colby LeMaire — Mon, 16 Sep 2019 17:03:57 GMT

Your scenario would be fine except that when the Admin/MnT are combined in one appliance, the maximum concurrent sessions supported for the overall deployment is 20K. In order to scale above 20K, you would need to have dedicated appliances for Admin and MnT. Scalability numbers are in the link below:

https://www.cisco.com/c/en/us/td/docs/security/ise/2-6/install_guide/b_ise_InstallationGuide_26/b_ise_InstallationGuide_26_chapter_00.html#id_101614

Re: PAN/MNT hybrid question.

JasonMahan — Mon, 16 Sep 2019 17:09:45 GMT

Thank you Colby!

When reading the documentation, I misread it as 20K per PSN not the entire deployment. Based on the limitation that makes sense.

Re: PAN/MNT hybrid question.

Colby LeMaire — Mon, 16 Sep 2019 17:11:20 GMT

Yeah, there are maximums for a particular appliance and then separate maximums for the deployment as a whole. It can be confusing at times.

Re: PAN/MNT hybrid question.

JasonMahan — Mon, 16 Sep 2019 17:25:08 GMT

So if I read this right, does that mean a single 3595 PSN can support 40K endpoints if I have a separate 3595 as Admin and another 3595 as MnT? If that works we could grow PSNs as budget and time permits. Moving to 3600s over time.
Does that make sense?

Re: PAN/MNT hybrid question.

Colby LeMaire — Mon, 16 Sep 2019 17:43:02 GMT

That is correct. The 3595 as a PSN can handle 40K sessions itself assuming the Admin and MnT nodes are on their own separate/dedicated appliances. So with 6 appliances, you would have 2 for Admin (Pri/Sec), 2 for MnT (Pri/Sec), and 2 for PSN functionality. In that scenario, the deployment as a whole could handle over 20K sessions but then you run into limitations on each PSN individually and have to add PSNs to scale higher.