topic Distributed environment question and UCS sizing in Network Access Control

Distributed environment question and UCS sizing

minhngu2 — Fri, 11 Mar 2016 03:07:11 GMT

Hi ISE team,

Need some assistance on a few questions for a distributed design I have with a customer.

Situation is that they want to run a distributed ISE deployment – having the Policy Service node at the branch location. They will be purchasing roughly 70 routers + UCS-E 140 module - deployed in a HA setup so 30-40 routers will be the active router. Each location will have 100-200 devices.

Hardware config:

ISR4K with UCS-E 140 blade (4 core, 1.8Ghz, 16GB ram, 1TB drive)

Questions:

Would the “small” image of the ISE ova function correctly on the UCS-E 140 blade? – can you confirm it would be okay since we’re only monitoring 100-200 devices max per location. The small ova goes up to 5K devices.
- I would assume if there is any performance issue and TAC is contacted – TAC will say it’s not sized right?
- I understand upgrading to a E160/180 would solve this but cost is a big factor.
How do we go about passing the 40 policy node limit? Is there a way around this or do we have to spin up another ISE instance?
- http://www.cisco.com/c/en/us/td/docs/security/ise/2-0/release_notes/ise20_rn.html

Thanks in advance!

Regards,

Minh Nguyen

Re: Distributed environment question and UCS sizing

Timothy Abbott — Fri, 11 Mar 2016 13:55:29 GMT

Hi Minh,

The 3415 OVA would not meet our performance specifications on the UCS-E 140. Even in a virtual environment, we require the 3415/3495 equivalents to have resource reservations. This will ensure that if the customer needed to max out scale (44 3495 appliances supporting 250K endpoints) the system will perform as expected. This is the current scale limit today, but we are going to surpass that with future versions. If the customer needs to go beyond that limit today, an additional deployment would need to be installed.

Regards,

-Tim

Re: Distributed environment question and UCS sizing

Jason Kunst — Fri, 11 Mar 2016 14:04:32 GMT

Is it also good design to put a PSN at every small sites.

Might be best looking into geographical deployed clusters of PSNs behind load balancers instead. This will reduce the amount of PSNs and also improve redundancy (from an ISE standpoint). If you have a robust WAN and backup links this would work out better.

If you have PSNs at these remotes sites are they within the limits of latency when synchronization with the PAN/MNT?

Re: Distributed environment question and UCS sizing

minhngu2 — Fri, 11 Mar 2016 17:15:47 GMT

Thanks Tim for confirming - UCS E160 will be the blade of choice then.

160D: Intel Xeon processor E5-2418Lv2 (10-MB cache, 2.0 GHz, and 6 cores)

Re: Distributed environment question and UCS sizing

minhngu2 — Fri, 11 Mar 2016 17:18:17 GMT

Jason,

We plan on putting a PSN (policy node) at every site using the UCS-E 160 blade. When you mentioned clusters of PSN, do you mean to deploy a few appliances for a specific region then have the small sites make calls to that cluster?

How would you load balance across the PSN (is that a feature of ISE)?

Re: Distributed environment question and UCS sizing

Jason Kunst — Fri, 11 Mar 2016 17:41:20 GMT

Yes you're correct you would point several small sites at a regional site, we have load balancing guide here

Cisco Identity Services Engine - Design Guides - Cisco

HowTo: Cisco and F5 Deployment Guide-ISE Load Balancing Using BIG-IP