topic Re: Small/Basic distributed deployment with 3 datacenters in Network Access Control

Small/Basic distributed deployment with 3 datacenters

jpujol — Mon, 19 Mar 2018 17:38:38 GMT

Hi,

"ISE Performance & Scale" and the new "ISE-best practices" documents both require when using a 2 PAN/ MnT nodes setup a maximum of 5 PSNs and 20K active sessions (on 3595 as PAN+MnT).

For a world-wide support design with 3 zones (each 2 PSNs, so total = 6), that requires to use a fully distribution model with separate PAN / MnT nodes, even if the number of maximum sessions remains quite low (around 5K).

Can we reasonably deploy a cluster with 6 PSNs if the number of active sessions is far below what a 3595 can handle as a PAN+MnT server ?

The customer is asking why we need so many management appliances to handle a mere 5k sessions.

Thanks in advance,

jean-francois

Re: Small/Basic distributed deployment with 3 datacenters

Jason Kunst — Mon, 19 Mar 2018 17:44:54 GMT

This has been answered several times before on the reasons why

Please see

https://www.google.com/search?q=ise5psn&oq=ise5psn&aqs=chrome..69i57j69i64.3094j0j7&sourceid=chrome&ie=UTF-8

Re: Small/Basic distributed deployment with 3 datacenters

vrostowsky — Mon, 19 Mar 2018 20:31:33 GMT

jean-francois

I too had to justify the need. Your 3 locations need 2 PAN's / MnT just to have basic redundancy, and dual MnT will allow you to load balance the AAA functions across the 2 nodes. As for your other sites, if they are across weaker WAN circuits, then you would need / want to have nodes to perform the same functions at that location and so on. Best practice is to separate the functions of ISE, but of course you CAN have a deployment where you have all the roles enabled on each server, but the performance will definitely take a hit. Just don't call TAC to complain about latency and resource usage if you dont follow the recommended deployment model,

Realistically, I have 2 VM's one is the primary PAN and secondary Monitoring and secondary PxGrid, the other is secondary PAN and primary Monitoring and primary PxGrid. What i can't do is have true PAN failover, which takes 2 primary nodes and 1 secondary. Would I like to have done it differently? Yes, but sometimes budgeted projects get trimmed down.

HTH-

Vince