https://community.cisco.com/t5/network-access-control/thresholds-for-using-a-load-balancer-in-front-of-a-psn/m-p/3569362#M509223 <HTML><HEAD></HEAD><BODY><P>You would need to reach out to wireless team to get the max sessions per WLC platform.</P><P></P><P>Max RADIUS sessions per ISE PSN is documented here: <A href="https://community.cisco.com/docs/DOC-68347">ISE Performance &amp;amp; Scale</A></P><P>Of course, max is not what you design against and should take into consideration bursts, HA/redundancy requirements, and unexpected activity from "misbehaving" clients or NADs.&nbsp; Auth method is another consideration since web auth scale is lower than MAB only, or 802.1X.</P><P></P><P>I mention a number of items to consider to scale wireless and guest in Cisco Live session BRKSEC-3699 (reference version) available on ciscolive.com. </P><P></P><P>My general recommendation on use of load balancer to distribute load starts after 2 or 3 PSNs.&nbsp; If a single WLC can fully accommodate the load including bursts and unexpected noise, then a basic A/S or mutual A/A redundancy scheme may suffice, but if require more PSNs to support load, then manual distribution efforts become challenging and more prone to error.&nbsp; Plus there is the opex cost of having to reconfigure NADs when add/remove PSNs or change their addressing.</P><P></P><P>Craig</P></BODY></HTML> Fri, 08 Jun 2018 09:32:31 GMT Craig Hyps 2018-06-08T09:32:31Z https://community.cisco.com/t5/network-access-control/thresholds-for-using-a-load-balancer-in-front-of-a-psn/m-p/3569361#M509222 <HTML><HEAD></HEAD><BODY><P>I have a large higher-ed customer who was burned a few years back on WiSM2s running out of RADIUS sessions IDs during class change.&nbsp; They eventually spread their wireless clients out across 22 WiSM2s before they finally felt comfortable enough with the load to move forward.&nbsp; Fast-forward a few years and they’re consolidating down to 5-7 8540 WLCs and are concerned about the same issue occurring, only worse due to number of devices growing over the years.&nbsp; Do we have any kind of guidelines on maximum number of clients / RADIUS sessions to expect on a WLC -&gt; ISE PSN before we should introduce a stateful load balancer to begin distributing?&nbsp; </P></BODY></HTML> Thu, 07 Jun 2018 19:03:13 GMT https://community.cisco.com/t5/network-access-control/thresholds-for-using-a-load-balancer-in-front-of-a-psn/m-p/3569361#M509222 blandrum 2018-06-07T19:03:13Z https://community.cisco.com/t5/network-access-control/thresholds-for-using-a-load-balancer-in-front-of-a-psn/m-p/3569362#M509223 <HTML><HEAD></HEAD><BODY><P>You would need to reach out to wireless team to get the max sessions per WLC platform.</P><P></P><P>Max RADIUS sessions per ISE PSN is documented here: <A href="https://community.cisco.com/docs/DOC-68347">ISE Performance &amp;amp; Scale</A></P><P>Of course, max is not what you design against and should take into consideration bursts, HA/redundancy requirements, and unexpected activity from "misbehaving" clients or NADs.&nbsp; Auth method is another consideration since web auth scale is lower than MAB only, or 802.1X.</P><P></P><P>I mention a number of items to consider to scale wireless and guest in Cisco Live session BRKSEC-3699 (reference version) available on ciscolive.com. </P><P></P><P>My general recommendation on use of load balancer to distribute load starts after 2 or 3 PSNs.&nbsp; If a single WLC can fully accommodate the load including bursts and unexpected noise, then a basic A/S or mutual A/A redundancy scheme may suffice, but if require more PSNs to support load, then manual distribution efforts become challenging and more prone to error.&nbsp; Plus there is the opex cost of having to reconfigure NADs when add/remove PSNs or change their addressing.</P><P></P><P>Craig</P></BODY></HTML> Fri, 08 Jun 2018 09:32:31 GMT https://community.cisco.com/t5/network-access-control/thresholds-for-using-a-load-balancer-in-front-of-a-psn/m-p/3569362#M509223 Craig Hyps 2018-06-08T09:32:31Z