topic Re: Cisco ISE sizing - small or medium in Network Access Control

Cisco ISE sizing - small or medium

drr — Tue, 02 Jan 2024 06:33:28 GMT

Hi team,

I'm trying to figure out what sizing we should establish as well as if we should go for a small or medium deployment.

Currently, there are around 15.000 active endpoint in the environment, but as the company is growing very fast, it could be around 25.000-30.000 active endpoint in the next year.

As per below guide, a small deployment can handle up to 50.000 endpoint, so a small deployment should be fine for now.
https://www.cisco.com/c/en/us/td/docs/security/ise/performance_and_scalability/b_ise_perf_and_scale.html

So, to my questions:
1. Is it possible to start with a small deployment with the VM specifications of, lets say, Cisco SNS 3715 for start that can handle 25.000 endpoint, and if we reach that size, we can scale/buff the VM resources to match the requirements for Cisco SNS 3755 so the deployment can handle 50.000 endpoint instead. Does it work that way?

2. Should we go for a small or medium deployment? After reading above link i can't really figure out what advantages dedicated PSN's would bring to the deployment in this case where we only have one datacenter. As far as I understand, the PAN/MnT node is limiting the deployment size. If we go for a small deployment, we could install 2x VM as PAN/MnT/PSN that can handle up to 50.000 endpoints. If we would go for a medium deployment, we would have 4x VM that can handle 50.000 endpoints as well, but will cost nearly double the computing resources.

3. If we initiate a small deployment to begin with, is it possible to later configure/transition the deployment to a medium deployment, i.e. add/move PSN to dedicated nodes and "remove" them from the original PAN/MnT node? I know in a small deployment, it's possible to add one more PSN. But if we would need even more PSN's to handle above 50.000 endpoint, is it possible to convert the deployment from small to medium? The reason for the question is that the wired network is only in scope now, but if we would like to add the wireless network to the deployment later, the total endpoints being handled would double.

Hope the questions are clear, otherwise please get back to me if clarification is needed.

Thanks!

Re: Cisco ISE sizing - small or medium

ahollifield — Tue, 02 Jan 2024 14:19:15 GMT

Yes, with the exception of disk space.
I always opt for medium if resources available. You can control load more effectively and handle things like service restarts/patching/certificate replacement much easier with a medium deployment. It's is also much easier to scale up to a large deployment when the time comes as you only need to add PSNs and dedicated MnT nodes.
Yes, but you will need to change all NAD configuration to reflect this change as PSN role will no longer be on the PAN/MnT node. This is also why I suggest starting at a medium deployment.

Re: Cisco ISE sizing - small or medium

Ruben Cocheno — Tue, 02 Jan 2024 16:24:01 GMT

@drr

If for Capex reasons you going for a small deployment for now, later on you can expand to Medium increasing the number of PSN nodes and reconfiguring the NAD to add new nodes while you pull the PAN/MNT from the current nodes to dedicated.

Re: Cisco ISE sizing - small or medium

drr — Thu, 04 Jan 2024 07:30:16 GMT

Thank you for your reply!

Re: Cisco ISE sizing - small or medium

drr — Thu, 04 Jan 2024 07:33:42 GMT

Thank you for your reply!

We have resources to go for a medium as well, the problem is that I didn't see the cost/benefit of going for a medium deployment right now (except for the administrative benefits that ahollifield mentioned above).