topic Re: ISE 2.4: A few questions regarding deployment sizing in distributed installations in Network Access Control

ISE 2.4: A few questions regarding deployment sizing in distributed installations

Nadav — Fri, 08 Jun 2018 10:40:59 GMT

Hi everyone,

I was hoping some of you can chime in regarding some deployment questions.

I looked over the latest ISE 2.4 installation documentation:

https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/install_guide/b_ise_InstallationGuide24/b_ise_InstallationGuide24_chapter_00.html

1) Under the "PAN and MnT on same node-Dedicated PSNs" deployment model, it states that the maximum number of PSN's is 5. What would happen if you were to try to install a 6th PSN? Would the PAN not allow it?

2) Assuming that you can install more than 5, does that mean there is no hard number of PSN installs but rather it's a function of the "Max RADIUS Sessions Per Deployment", so that if you have many small dispersed sites with only a few computers then you can just as easily install 10 PSN's for a "PAN and MnT on same node-Dedicated PSNs" deployment model?

3) Under the "Dedicated (PAN, MnT, PXG, and PSN Nodes)" deployment mode, the Virtual Large SNS-3595 is provided as both PAN and MnT. This sounds counter-intuitive since the Virtual Large SNS-3595 was introduced solely as a dedicated MnT persona for extremely large deployments that required the added performance.

This is according to https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/install_guide/b_ise_InstallationGuide24/b_ise_InstallationGuide24_chapter_01.html

If that's the case, why would you need such a VM to match the scalability of the SNS-3595 hardware?

4) I read the following post:

https://communities.cisco.com/thread/78678?start=0&tstart=0

It states that the sizing is according to the PAN. I would just like to confirm this is still the case for pure virtual and hybrid deployments (physical and virtual nodes).

Thanks in advance for your time!

Re: ISE 2.4: A few questions regarding deployment sizing in distributed installations

Craig Hyps — Fri, 08 Jun 2018 16:38:54 GMT

Docs require update per most current info posted here: ISE Performance & Scale

The specification of a Large PAN is also in error and needs correction. Community post should be accurate on these points. I will notify doc team of needed updates.

ISE will not prevent addition of 6th PSN in the Medium/Hybrid deployment model, but it is not a QA tested config, so if run into issues, may be asked by TAC to change design to be compliant with officially supported configurations.

Re: ISE 2.4: A few questions regarding deployment sizing in distributed installations

Nadav — Fri, 08 Jun 2018 17:09:16 GMT

Thanks.

Any inputs regarding the second question (maximum concurrent RADIUS connections dictate number of PSNs)?

P.S.: I noticed that you're maintaining the Performance and Scale document. It doesn't mention the transactions per second when session resumption is enabled, even though a different post mentioned that it roughly doubles the performance.

Re: ISE 2.4: A few questions regarding deployment sizing in distributed installations

Craig Hyps — Fri, 08 Jun 2018 17:29:13 GMT

Short answer is 'yes'.

More detailed answer: Anything over 20k sessions requires all nodes to be dedicated personas (PAN / MNT / PSN / PXG). Total possible deployment size is determined by deployment model and platforms used for the PAN/MNT nodes.

The deployment models are typically referred to as Small / Medium / Large. I think it is more intuitive to refer to them as:

Standalone (all personas on same node, or redundant pair of nodes)
Hybrid (Mix of nodes with shared and dedicated personas)
Dedicated (All personas on dedicated nodes)

So if have a Hybrid deployment and using 3515s as PSNs, then you would need at least (4) PSNs to support 20k endpoints assuming N+1 redundancy. If had a Dedicated deployment with 3595 PSNs, you would minimally require (3) 3595s to support 80k session (again, assuming N+1 redundancy).

However, that guidance would be a product marketing response. I would never assume that I could fully push 80k sessions evenly across two 3595s with multiple services and also account for bursts and exceptionally noisy endpoints. The nodes are rated "up to X sessions", and although we do test multiple services, there is always variability in the level of noise due to misconfigured NADs and clients. If planning to offer geographic HA across data centers, then the number of PSNs can climb higher (if assume you may lose 50% capacity at a single DC).

Therefore, the technical marketing response would be more conservative, and to plan closer to 40% capacity on each node at start. If another vendor claims they support 100% capacity regardless of noise, then they are "selling" to you, not advising you. Yes, there are some very clean environments with low noise levels where amazing capacity utilization is seen, but I always like to plan for worst case.

Regards,
Craig