topic Re: ISE SDA Deployment Sizing in Network Access Control

ISE SDA Deployment Sizing

Krzysztof Grabowski — Fri, 31 May 2019 09:48:29 GMT

Hi Guys,

I have a question regarding ISE sizing in context of maximum supported authentications per second. ISE Performance and Scale provides unidirectional numbers for different authentication types (PAP/EAP-TLS etc... ) but does not provide a recommendation on number of PSN's.

One of my customers challenged my why not to use a single pair of SNS-3695's running PAN+MnT+PSN for an SDA deployment which according to papers should support up to 50K sessions in 2.6. I think that it is a risky approach due to PAN and MnT load and potential RADIUS congestion (in case of spike like WLC reload or major outage-recovery situation) but with data on ISE Performance and Scale I don't have solid arguments to defend my position to recommend hybrid/distributed deployment with more than 2 PSNs.

Could you please let me know what are the recommendations for number of PSNs with regards to auth/second rate? This dimension of ISE scaling seem to be a grey zone with no clear recommendations...

Cheers,
Chris

Re: ISE SDA Deployment Sizing

Jason Kunst — Fri, 31 May 2019 14:32:20 GMT

The information for everything running on one box as standalone with HA is the best scenario. If customer is starting with less than 50k then this is a good starting design depending on how network is design and tuned following Cisco live guidelines . Once approaching limit would evaluate system performance and anticipate a need to split out the PSNs where needed into a medium distributed model.

The limits are tested and recommended per that testing to include all persona models accordingly

I would also recommend looking at the information from BRKSEC-2059 and the BRKSEC-3432 from Cisco live training site

https://community.cisco.com/t5/security-documents/ise-performance-amp-scale/ta-p/3642148

Re: ISE SDA Deployment Sizing

Krzysztof Grabowski — Tue, 04 Jun 2019 15:02:32 GMT

Thanks Jason!