topic Re: PSN Limits in Network Access Control

PSN Limits

Cory Peterson — Wed, 18 Jan 2017 18:19:32 GMT

Hello,

I am looking at some of the ISE designs and had a question around the following design.

If I run two PAN/MnT nodes but run primary PAN/secondary MnT on Node 1 and Primary MnT/secondary PAN on Node 2 is there still a limit of 5 PSNs in this deployment type?

Also, is the 5 PSNs a hard limit or just a recommendation?

Thank You

-Cory

Re: PSN Limits

joeshoj — Wed, 18 Jan 2017 23:06:33 GMT

Yes...still a limit...if you want to scale higher, they have to be dedicated.

I believe it is a hard limit, but I haven't tested.

Re: PSN Limits

hslai — Thu, 19 Jan 2017 04:54:49 GMT

It's a recommendation based on our testings.

Re: PSN Limits

Craig Hyps — Thu, 19 Jan 2017 23:43:27 GMT

So if not crystal clear already...

The 5 PSN limit (when PAN and MNT personas collocated on same ISE node) is not a hard limit in the sense that UI prevents admin from registering additional PSNs, but it is a hard limit in terms of official Cisco support. All testing is conducting based on supported deployment models. Mileage may vary, but as Hsing rightly stated, it is our recommendation to stay within supported limits, even though UI may allow unsupported configurations to be deployed.

/Craig

Re: PSN Limits

troy.moyers — Thu, 25 Jul 2019 18:33:24 GMT

For a small, but distributed deployment (30 sites with less than 500 total "client" nodes), where you want to add PSNs at the remote sites in order to mitigate latency, is it practical to have more than the recommended 5 limit? BTW, the need is to do only TACACS+ AAA.

Re: PSN Limits

Damien Miller — Thu, 25 Jul 2019 20:05:47 GMT

I would keep the ISE PSN's to a minimum for a few reasons.

1. The latency of authentication is not typically the issue, the issue is the latency between the ISE admin nodes and the PSN's. We can account for authentication latency, but an ISE PSN should only be 300 ms RTT from the Admin.
2. When you go to upgrade, every node adds significant time to the work effort.
3. Cost, PSN's are not cheap to buy/deploy/maintain.
4. To have more than 5 PSN's, you have to leverage a distributed deployment where the Admin and Monitoring personas are on they own dedicated nodes. This typically means 4 nodes just for PAN/MNT.

There are some fringe use cases where PSN's in sites can be useful, but I would try to avoid it here.