topic Re: Scaling ISE - adding pxGrid / TACACS+ in Network Access Control

Scaling ISE - adding pxGrid / TACACS+

MS-JK — Wed, 12 Sep 2018 20:39:38 GMT

Hey team, I'm searching for a good reference document that shows scalability within distributed environment 2.4 (separate PAN/MnT/PSN) now adding TACACS+ and pxGrid functions. What I'm searching for - pro/cons/#s IF I add TACACS+ to existing PSNs that are used for wired/wireless and the same for pxGrid. VS. Building brand new pair of PSNs for pxGrid ONLY and brand new pair of PSNs for TACACS+ ONLY. I understand the security good/bad - BUT I'm looking for actual #s and any limitations. Thanks for feedback!

Re: Scaling ISE - adding pxGrid / TACACS+

kthiruve — Wed, 12 Sep 2018 21:08:07 GMT

Please check out the ISE performance and scale community page that will give you idea about shared PSNs using PxGrid. This is under PxGrid scaling. The TACACS+ performance is based on dedicated appliance.

Apart of security, also think about service failure. Do you want device administration service impacted if there is a problem in PxGrid and node goes down?. Viceversa holds good as well.

My opinion is leave the TACACS+ seperate so that your device administration is smooth and network admins dont have a problem. However if your network is small and you have only a few administrators checking sporadically the status you can consider sharing. However remember that the purpose of using PxGrid is to share the context so that this is consumed by a Cisco or third party device for a specific reason. Think about the importance of that service and make the decision.

-Krishnan

Re: Scaling ISE - adding pxGrid / TACACS+

MS-JK — Thu, 13 Sep 2018 04:02:31 GMT

Thanks Krishnan for feedback.

Do you know IF adding pxGrid function on existing standalone PSN nodes(that are handling wire/wireless) could have effect on performance for existing radius/802.1x servers that they are already providing? Same with TACACS+.

The debate is:

NOW: (scaled down - there are actually more PSNs)

DC1: pan(a) mnt(a) (psn1)

DC2: pan(s) mnt(s) (psn2)

vs: (keeping it distributed all nodes separated)

DC1: pan(a) mnt(a) (psn1) (pxgrid) (tacacs+)

DC2: pan(s) mnt(s) (psn2) (pxgrid) (tacacs+)

vs:

DC1: pan(a) mnt(a) (psn1+pxgrid) (tacacs+)

DC2: pan(s) mnt(s) (psn2+pxgrid) (tacacs+)

vs:

DC1: pan(a) mnt(a) (psn1+pxgrid+tacacs+)

DC2: pan(s) mnt(s) (psn2+pxgrid+tacacs+)

vs:

DC1: pan(a) mnt(a) (psn1+tacacs+) (pxgrid)

DC2: pan(s) mnt(s) (psn2+tacacs+) (pxgrid)

Re: Scaling ISE - adding pxGrid / TACACS+

paul — Thu, 13 Sep 2018 04:23:41 GMT

I have colocated those services with PSNs in large deployment models in the past without issue, but every customer flows/patterns are different. My general recommendation (and those of our solution architects) are if you are large enough to build a large deployment model (separate PAN/M&T/PSNs) then build separate TACACS and pxGrid nodes.

Not sure if you will find specific data as in many (probably most) cases colocating will work just fine, but the best practice is to split them off.