https://community.cisco.com/t5/network-access-control/ise-sizing-recommendations-for-performance-for-distributed/m-p/4394634#M566928 <P>Thanks Marcelo,&nbsp;</P><P>&nbsp;</P><P>The document is useful, what is the performance impact if we run pxgrid service on PSN. I will end up using 2 ISE PSNs to cater majority of the traffic and rest all traffic within the same deployment will be dispersed to local ISE PSNs so will it be considered medium or large deployment.</P><P>&nbsp;</P><P>Total ISE PSNs = 20+ but main DC will have 2 ISE PSNs and rest all ISE PSNs will be kind of dedicated to small branches so as per cisco will it be counted as large or medium deployment.</P><P>&nbsp;</P><P>Regards,</P><P>Meh</P> Wed, 28 Apr 2021 09:27:33 GMT net87 2021-04-28T09:27:33Z https://community.cisco.com/t5/network-access-control/ise-sizing-recommendations-for-performance-for-distributed/m-p/4394320#M566906 <P>We are sizing a 100k+ endpoints /active sessions, I reviewed performance scale document but it seems to be confusing so can someone clarify below</P><P>Current usage for one centralized deployment</P><P>===================================</P><P>&nbsp;</P><P>1) 2x3695 ( PAN )</P><P>2) 2x3695 ( MNT)</P><P>3) 2x3655 ( PSN ) behind F5 running pxgrid service as well</P><P>4) 2x3655 ( PSN) behind F5 ( will keep it in disabled state as cold standby for disaster)</P><P>5) 18x ISE 3615 ( Local PSNs in remote sites ), which are kind of dedicated with no F5 and connected via WAN links but replicated from main admin node</P><P>&nbsp;</P><P>&nbsp;</P><P>Technically I will have 2 active PSNs in main DC behind F5 , the other 2 PSNs which I will keep in disabled state is in Cold standby but in DR and part of same deployment</P><P>&nbsp;</P><P>1) Does Pxgrid service shared on one PSN is fine or I need to run it on both PSNs ( it is only for DNAC purpose)</P><P>&nbsp;</P><P>2)We plan to use TACACS+ so if I will share TACACS+ with Radius + pxgrid will there be any concern wth ISE 3655 or there is a separate 3615 node is enough.</P><P>&nbsp;</P><P>3) Since TACACS+ license is per PSN based so I think for any other node in DR I would need to buy dedicated TACACS+ license</P><P>&nbsp;</P><P>&nbsp;</P><P>Regards,</P><P>Meh</P> Tue, 27 Apr 2021 20:39:19 GMT https://community.cisco.com/t5/network-access-control/ise-sizing-recommendations-for-performance-for-distributed/m-p/4394320#M566906 net87 2021-04-27T20:39:19Z https://community.cisco.com/t5/network-access-control/ise-sizing-recommendations-for-performance-for-distributed/m-p/4394459#M566914 <P>Hi&nbsp;<a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/624196">@net87</a>,</P><P>&nbsp;please take a look at: <A href="https://community.cisco.com/t5/security-documents/ise-performance-amp-scale/ta-p/3642148" target="_blank" rel="noopener">ISE Performance &amp; Scale</A>., search for:</P><P>1. <STRONG>Latency between Nodes</STRONG> (<EM>300 ms</EM>)</P><P>2. <STRONG>Maximum Active Sessions</STRONG> for <U>each</U> <STRONG>PSN</STRONG>: <STRONG>3655</STRONG> (<EM>25,000 for Medium &amp; 50,000 for Large</EM>) &amp; <STRONG>3695</STRONG> (<EM>50,000 for Medium &amp; 100,000 for Large</EM>)</P><P>3. <STRONG>Maximum PSN Nodes</STRONG> for <STRONG>Large</STRONG> (<EM>50</EM>) and <STRONG>Medium</STRONG> (<EM>5 or 6</EM>) Deployment</P><P>4. <STRONG>Maximum pxGrid Nodes</STRONG> for <STRONG>Large</STRONG> (<EM>4</EM>) or <STRONG>Medium</STRONG> (<EM>2</EM>) Deployment</P><P>5. <STRONG>Mnt Persona Log Storage Requirements</STRONG></P><P>&nbsp;please take a look at: <A href="https://www.cisco.com/c/en/us/products/collateral/security/identity-services-engine/guide-c07-656177.html" target="_blank" rel="noopener">ISE Ordering Guide</A>, search for:</P><P>1. <STRONG>Device Administration (TACACS+)</STRONG>: ".<EM>..You must have <STRONG>Device Administration license</STRONG> for each of the <STRONG>Policy Service Nodes</STRONG> that you enable <STRONG>TACACS+ service on</STRONG>...</EM>"</P><P>Note: you can choose version <STRONG>2.7</STRONG> (the <EM>Suggested Release</EM>) or <STRONG>3.0</STRONG> (will be a <EM>Suggested Release</EM> soon)</P><P>&nbsp;</P><P>Hope this helps !!!</P> Wed, 28 Apr 2021 02:35:05 GMT https://community.cisco.com/t5/network-access-control/ise-sizing-recommendations-for-performance-for-distributed/m-p/4394459#M566914 Marcelo Morais 2021-04-28T02:35:05Z https://community.cisco.com/t5/network-access-control/ise-sizing-recommendations-for-performance-for-distributed/m-p/4394634#M566928 <P>Thanks Marcelo,&nbsp;</P><P>&nbsp;</P><P>The document is useful, what is the performance impact if we run pxgrid service on PSN. I will end up using 2 ISE PSNs to cater majority of the traffic and rest all traffic within the same deployment will be dispersed to local ISE PSNs so will it be considered medium or large deployment.</P><P>&nbsp;</P><P>Total ISE PSNs = 20+ but main DC will have 2 ISE PSNs and rest all ISE PSNs will be kind of dedicated to small branches so as per cisco will it be counted as large or medium deployment.</P><P>&nbsp;</P><P>Regards,</P><P>Meh</P> Wed, 28 Apr 2021 09:27:33 GMT https://community.cisco.com/t5/network-access-control/ise-sizing-recommendations-for-performance-for-distributed/m-p/4394634#M566928 net87 2021-04-28T09:27:33Z https://community.cisco.com/t5/network-access-control/ise-sizing-recommendations-for-performance-for-distributed/m-p/4394829#M566936 <P>Hi&nbsp;<a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/624196">@net87</a>&nbsp;</P><P>&nbsp;you can enable <STRONG>PXG</STRONG>:on&nbsp;<STRONG>PAN+MNT Node</STRONG> or in&nbsp;<STRONG>Dedicate Nodes</STRONG> (in this case, reducing <STRONG>PSN</STRONG> count).</P><P>&nbsp;In a&nbsp;<STRONG>Large/Dedicated Deployment</STRONG>, all <STRONG>ISE Personas</STRONG> are <U>fully distributed</U>, running on <U>separate</U> <STRONG>VM</STRONG> or <STRONG>Appliance Nodes</STRONG>.</P><P>&nbsp;In a <STRONG>Medium/Hybrid Deployment</STRONG>,&nbsp;<STRONG>PAN + MnT + PXG</STRONG> running on <U>same</U>&nbsp;<STRONG>Node</STRONG> and <STRONG>PSNs</STRONG> on <STRONG>Dedicated Nodes</STRONG>.</P><P>&nbsp;</P><P>Hope this helps !!!</P> Wed, 28 Apr 2021 14:40:15 GMT https://community.cisco.com/t5/network-access-control/ise-sizing-recommendations-for-performance-for-distributed/m-p/4394829#M566936 Marcelo Morais 2021-04-28T14:40:15Z https://community.cisco.com/t5/network-access-control/ise-sizing-recommendations-for-performance-for-distributed/m-p/4394872#M566941 <P>Thanks Marcelo,&nbsp;</P><P>&nbsp;</P><P>So in a large scale deployment it is mandatory to have a dedicated appliance, is it like if I share the persona like Pxgrid on one of the PSN then that PSN ISE 3655 it&nbsp; would only support 25000 sessions even though it is categorized as large scale.</P><P>&nbsp;</P><P>&nbsp;</P><P>Regards,</P><P>Meh</P> Wed, 28 Apr 2021 15:35:32 GMT https://community.cisco.com/t5/network-access-control/ise-sizing-recommendations-for-performance-for-distributed/m-p/4394872#M566941 net87 2021-04-28T15:35:32Z https://community.cisco.com/t5/network-access-control/ise-sizing-recommendations-for-performance-for-distributed/m-p/4395048#M566946 <P>Hi,</P><P>&nbsp;yes, for a <STRONG>Large Deployment</STRONG> you must have <STRONG>Dedicated Nodes</STRONG>.</P><P>Note: for a <STRONG>Large Deployment</STRONG> the <STRONG>Maximum PSNs+pxGrid Nodes</STRONG> is <STRONG>50</STRONG> ... if you have <STRONG>4x pxGrid</STRONG>, then the maximum number of <STRONG>PSNs</STRONG> would be <STRONG>46</STRONG>.</P><P>&nbsp;</P><P>Hope this helps !!!&nbsp; &nbsp;</P> Wed, 28 Apr 2021 19:27:46 GMT https://community.cisco.com/t5/network-access-control/ise-sizing-recommendations-for-performance-for-distributed/m-p/4395048#M566946 Marcelo Morais 2021-04-28T19:27:46Z https://community.cisco.com/t5/network-access-control/ise-sizing-recommendations-for-performance-for-distributed/m-p/4395284#M566961 <P>"must" means "it's not going to work" "it's going to get you in trouble" or simply violates cisco deployment rules?</P><P>In other word, if I want to temporary enable pxgrid on PAN nodes for a large deployment, waiting to have enough resources on virtual environment in order to deploy dedicated nodes, is it going to work?&nbsp;&nbsp;</P> Thu, 29 Apr 2021 08:26:03 GMT https://community.cisco.com/t5/network-access-control/ise-sizing-recommendations-for-performance-for-distributed/m-p/4395284#M566961 Massimo Baschieri 2021-04-29T08:26:03Z https://community.cisco.com/t5/network-access-control/ise-sizing-recommendations-for-performance-for-distributed/m-p/4395293#M566962 <P>Hi Massimo,</P><P>&nbsp;IMO, whenever (<U>temporary</U>) I do not follow a "best practice/recommendation", I understand that "odd things can happen".</P><P>&nbsp;</P><P>Hope this helps !!!&nbsp;</P> Thu, 29 Apr 2021 08:47:12 GMT https://community.cisco.com/t5/network-access-control/ise-sizing-recommendations-for-performance-for-distributed/m-p/4395293#M566962 Marcelo Morais 2021-04-29T08:47:12Z https://community.cisco.com/t5/network-access-control/ise-sizing-recommendations-for-performance-for-distributed/m-p/4395372#M566971 <P>I understand your point, but it's hard to persuade the customer when the same role can be taken from a PAN node in a standalone deplyment and the current PANs performances are around 2% cpu and 30% memory&nbsp;</P> Thu, 29 Apr 2021 11:37:57 GMT https://community.cisco.com/t5/network-access-control/ise-sizing-recommendations-for-performance-for-distributed/m-p/4395372#M566971 Massimo Baschieri 2021-04-29T11:37:57Z