topic Re: 3615 ISE in Network Access Control

3615 ISE

ibrahimbadr4669 — Thu, 10 Aug 2023 09:46:47 GMT

Dears,

if i want to do basic 2 redundant implementation, 2 nodes at HQ (carrying all personas) and 2 nodes at DR (carrying all personas). What's the max active sessions? do I need double license count (one for HQ and one for DR) as the Admin persona at HQ and DR will be separated

Thanks and BR;

Re: 3615 ISE

Milos_Jovanovic — Thu, 10 Aug 2023 09:57:36 GMT

Hi @ibrahimbadr4669,

When it comes to scaling an capacity, you can check Performance and Scalability Guide. What you've described correlates to Small deployment, in general. However, it is unclear to me if you want entire deployment to be a single deployment or you are looking int having independent deployments in HQ and DR.

In case of a single deployment, then no, you can't have all roles on each device, as deployment can have maximum of 2 PAN and 2 MnT nodes, so you would need to rebalance them. Also, in this case, you deployment scale is 12.5k.

In case of split deployment, then yes, you could have all roles on each pair of nodes. In this case, your cpaacity would be 2x 12.5k sessions.

License-wise, it depends on what are your needs and use cases. If you expect to have maximum of e.g. 5k users in a given moment, then you need a license for 5k users, regardless if those users are connected to one or another deployment (also, regardless of single or split deployment).

Kind regards,

Milos

Re: 3615 ISE

ibrahimbadr4669 — Thu, 10 Aug 2023 10:30:10 GMT

we plan to have the following two nodes at HQ, and have the same setup at DR and the two deployment will be independent, and when configure the radius on the NAD, DR PSN order will be after the HQ PSN.

1- in the case the max session per site will be 12.5 or 2x12.5 ?

2-in case, 5k users license, do i need to purchase 10k count or just 5k count can work both site

BR;

Re: 3615 ISE

Charlie Moreton — Thu, 10 Aug 2023 12:58:44 GMT

Place one node at HQ, one node at DR site. Configuration will sync.

The way you're planning it will require manual configuration at the DR site to keep the configuration in sync. With Smart Licensing, they can share the same license pool.

Re: 3615 ISE

ibrahimbadr4669 — Thu, 10 Aug 2023 13:46:22 GMT

I read that the license is attached with the UDI of the primary and backup PAN, so if I do the independent deployment, I will have 4 independent primary/secondary PAN, if I have 5k users, is it mean that I will need 10k license (5k for HQ and 5k for the DR) ?

Re: 3615 ISE

Milos_Jovanovic — Fri, 11 Aug 2023 08:14:16 GMT

It falls down to what I mentioned - what do you want to achieve, single or split deployment.

In a single deployment, you can have bot redundancy and flexibility. Here is an example on what you can configure:

Site 1, node 1 - PAN and PSN
Site 1, node 2 - MnT and PSN
Site 2, node 1 - sPAN and PSN
Site 2, node 2 - sMnT and PSN

This way, you are splitting mgmt roles, so you have redundancy and you also have capacity. Operations-wise, you have a single deployment to configure.

Second deployment is split deployment or better said two deployments. Example could be:

Site 1, node 1 - PAN, sMnT and PSN
Site 1, node 2 - sPAN, MnT and PSN
Site 2, node 1 - PAN, sMnT and PSN
Site 2, node 2 - sPAN, MnT and PSN

This way, you have two independent deployments, with double capacity (should you need it), but you'll have to configure everything twice, logs will be at two places, and similar.

In both cases, if you expet max of 5k simultaneous sessions (if user is connected to site 1, he/she won't be connected to site 2 at same time), then you need 5k licenses, regardless of deployment type. Licenses are smart, so either way, they'll be on SA.

Kind regards,

Milos