https://community.cisco.com/t5/network-access-control/ise-servers/m-p/3206402#M551626 <P>New Identity Services Engine Deployment</P> <P>Is it possible to mix and match servers?</P> <P>Example</P> <P>3495 admin node</P> <P>3595 policy node</P> <P>&nbsp;</P> Fri, 21 Feb 2020 18:37:16 GMT Alex Pfeil 2020-02-21T18:37:16Z https://community.cisco.com/t5/network-access-control/ise-servers/m-p/3206402#M551626 <P>New Identity Services Engine Deployment</P> <P>Is it possible to mix and match servers?</P> <P>Example</P> <P>3495 admin node</P> <P>3595 policy node</P> <P>&nbsp;</P> Fri, 21 Feb 2020 18:37:16 GMT https://community.cisco.com/t5/network-access-control/ise-servers/m-p/3206402#M551626 Alex Pfeil 2020-02-21T18:37:16Z https://community.cisco.com/t5/network-access-control/ise-servers/m-p/3206422#M551627 You can have different hardware in a deployment as long as they run the same software version. The sizing depends on the Admin node hardware type. The sizing for different distributed deployments is here:<BR /><A href="https://www.cisco.com/c/en/us/td/docs/security/ise/2-2/install_guide/b_ise_InstallationGuide22/b_ise_InstallationGuide22_chapter_00.pdf" target="_blank">https://www.cisco.com/c/en/us/td/docs/security/ise/2-2/install_guide/b_ise_InstallationGuide22/b_ise_InstallationGuide22_chapter_00.pdf</A> Fri, 27 Oct 2017 13:12:21 GMT https://community.cisco.com/t5/network-access-control/ise-servers/m-p/3206422#M551627 Rahul Govindan 2017-10-27T13:12:21Z https://community.cisco.com/t5/network-access-control/ise-servers/m-p/3206436#M551628 So,<BR />I could deploy:<BR />2 admin - 3495<BR />2 monitor - 3495<BR />2 policy - 3595<BR />This meets the large deployment model and supports 40,000 clients?<BR /> Fri, 27 Oct 2017 13:29:04 GMT https://community.cisco.com/t5/network-access-control/ise-servers/m-p/3206436#M551628 Alex Pfeil 2017-10-27T13:29:04Z https://community.cisco.com/t5/network-access-control/ise-servers/m-p/3206463#M551629 Yes. A 3495 Admin node large deployment can scale at 20000 sessions per PSN. So with 2 PSN's, you can get 40000 concurrent sessions for the deployment. Fri, 27 Oct 2017 13:59:33 GMT https://community.cisco.com/t5/network-access-control/ise-servers/m-p/3206463#M551629 Rahul Govindan 2017-10-27T13:59:33Z https://community.cisco.com/t5/network-access-control/ise-servers/m-p/3206505#M551630 <P>Based on recent findings and issues in our LARGE distributed environment, you should do the following:</P> <P>&nbsp;</P> <P>1.-All the PAN and MNT Nodes MUST be the same type of device, in our case 3595's to handle the significant amount of data our Wireless network generates. We realized that 3495 as MNT's is NOT good enough for a large deployment (60k+ endusers/concurrent sessions).&nbsp;</P> <P>&nbsp;</P> <P>2.-Use 3495 preferably as PSN only.</P> <P>3.-DO NOT, combine 2 personas on the same node 3495/3595 because the performance goes significantly down. (it does not apply to your case).</P> <P>4.-USE Load balancing to efficiently distribute the load between the PSN's.</P> <P>&nbsp;</P> <P>The most important piece is the version that you would like to run. I would strongly suggest to use 2.3 version.</P> <P>&nbsp;</P> <P>BTW, from your post above if you are using 3595 as PSN's then you have 40K sessions x node so that would cover you without needing another PSN. WHY the Load Balancing mechanism is important??.</P> <P>&nbsp;</P> <P>1.-Round Robin DNS does not work properly when using CWA or WebAuth on the WLC.</P> <P>2.-Failover mechanism is straightforward when using for example F5 (our case).</P> <P>&nbsp;</P> <P>If you use 3495 as PSN's, then you would need another PSN to be covered in case of failure</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> Fri, 27 Oct 2017 15:06:39 GMT https://community.cisco.com/t5/network-access-control/ise-servers/m-p/3206505#M551630 ajc 2017-10-27T15:06:39Z https://community.cisco.com/t5/network-access-control/ise-servers/m-p/3206506#M551631 <P>Rahul is correct but also note that using both PSNs requires some sort of RADIUS load balancing.</P> <P>&nbsp;</P> <P>Cisco wireless delivered via WLC usually doesn't do this on its own and you would need some sort of Application Delivery controller / load balancer in front of your PSNs (i.e. F5 Big-IP, Citrix Netscaler or such).</P> <P>&nbsp;</P> <P>Cisco wired has some crude round robin load balancing but still a real ADC is recommended.</P> <P>&nbsp;</P> <P>You also need to consider failure scenarios. If you require 2 PSNs for your deployment day to day it's recommended to add a 3rd for availability.</P> Fri, 27 Oct 2017 14:56:49 GMT https://community.cisco.com/t5/network-access-control/ise-servers/m-p/3206506#M551631 Marvin Rhoads 2017-10-27T14:56:49Z