topic ISE Scalability in Network Access Control

ISE Scalability

sameesin — Wed, 11 Jul 2018 14:22:32 GMT

Hi,

As per the scalability giude, if I have a dedicated 3595 as PAN and a dedicated 3595 as MnT, then I can have a maximum concurrent session of 500,000. But for a 3595 as PSN, maximum concurrent session is 40,000. So does it mean that if I have multiple PSNs, then the maximum that I can have is 500,000.

And if so, then does this mean that my maximum concurrent session will depend upon the model that I am using for PSN.

Can I have a 3515 as PAN and a 3595 as a PSN attached to it?

Just trying to get some clarity.

Re: ISE Scalability

howon — Wed, 11 Jul 2018 20:11:03 GMT

Maximum concurrent session for the deployment is based on the PAN and MnT. You can get 500,000 concurrent endpoints in a deployment if the PAN and MnT is on 3595 or VM equivalent. Once you satisfy this number then each of the PSN (3595) you add to the deployment can support 40,000 concurrent endpoints per box.

Although you can have 3515 as PAN and 3595 as a PSN but you will lose out as 3515 used as PAN can only support 7500 concurrent endpoint for the whole deployment.

Re: ISE Scalability

kvenkata1 — Wed, 11 Jul 2018 20:25:53 GMT

ISE Performance & Scale

This is our one source of truth for ISE performance & scale.

In the first table, if you are referring to row 1 - Yes, 500,000 is the max concurrent sessions in a dedicated deployment. The 40,000 sessions number is per 3595 PSN. See ISE PSN performance table (table 3 from top)

Your max concurrent sessions will depend on your deployment type (standalone, hybrid or dedicated) and the type of hardware.

Between 3515 & 3595, I would choose 3595 as the PAN & 3515 as the PSN.

- Krish

Re: ISE Scalability

Damien Miller — Thu, 12 Jul 2018 00:10:33 GMT

For clarity sake, if you are aiming for 40k active sessions per 3595 PSN, then you would need 4 nodes dedicated for Admin and Monitoring. The roles must be split out in what the design and scaling guide refers to as dedicated nodes.

2 x 3595 Admin nodes

2 x 3595 Monitoring nodes

The next discussion that stems from this question would be if you want to design for 40,000 Active sessions per PSN. It's my opinion that scaling numbers should always be taken with a grain of salt. In a perfect world and under the ideal test conditions you might be able to attain scaling numbers. Something I have come to notice over time is that scaling numbers are often led with a marketing mentality. In the real world things don't always go to plan. I'm not beating up ISE specifically, this happens with all products, manufactures, and industries.

You always have to be conscious of what could happen. If you design for 40k per PSN and have some misbehaving endpoints and network devices that slip through the cracks, what impact will it have. If you want to do maintenance or lose a PSN, will you have the capacity to float through until it can be corrected? Always needs to be considered during the design phase.