Cisco ISE capacity and planning

Hello,

In a hybrid deployment mode I have 2 (PAN & MnT) and 2 PSNs, 3515, and 7500 concurrent sessions are occupied. Now I want to increase my sessions to support a new site, up to 5000 sessions.

Do I need to add one more PSN node and increase my base license? What is the best approach considering redundancy?

 

1 ACCEPTED SOLUTION


Re: Cisco ISE capacity and planning

You are already at the maximum active endpoint capacity for a hybrid 3515 deployment. With the PAN/MNT hosted on 3515's the suggested scale is 7500 active endpoints. So you have a few options here, but simply adding a PSN will not suffice.

Assuming you are running VM's and running version 2.4.

Option 1 - You could increase the 2x PAN/MNT nodes to 3595 templates (64 GB 16,000 MHz CPU). This would increase your total active endpoint scale to 20,000 from the current 7500. In this scenario, your two 3515's would mean you would immediately be able to realize 15,000 active endpoints (7,500 per PSN). Adding a third 3515 PSN would only allow 5,000 more endpoint scale rather than the 7,500. You are limited by the 20,000 endpoint scale on 2.4 hybrid deployments.

Option 2 - You increase the 2x PAN/MNT nodes to 3595 specs, and increase the 2 PSNs to 3595 spec. This would allow for 20,000 active endpoints in the deployment, but each of the two PSNs would support 20,000 active endpoints. If one were to fail, a single PSN could support your entire deployment scale (20k endpoints). Even though both PSNs support 20k active endpoints each, you still can't surpass 20k active endpoints total; you would try to split your load 10k active to each.

Option 3 - Increase the 2x PSN to 3595 spec (and increase HDD with reinstall), and move the PAN/MNT roles to them, dropping from a 4 node deployment to a 2 node standalone. You still have 20k active endpoint scale, and each node supports 20k active endpoints, allowing for full scale HA if a node were to die. I recommend moving everything to the PSNs since this would mean no changes to the NADs; the PSN IPs would stay the same. Your total scale is still 20k active, and you would try to balance 10k to each node.


If you were to upgrade to ISE 2.6 your options change a bit but follow the above options.

The 3615 supports 10k active endpoints in hybrid or standalone.
The 3655 supports 25k active endpoints in hybrid or standalone.
And the 3695 supports 50k active endpoints in hybrid or standalone.

If it were me I would probably go with option 3; this allows for future scale up to 25k (with 2.6) fairly easily. 3695's are a bit tricky in a VM environment; they are 256 GB VMs, which not too many VM teams like. The options are pretty similar if you are using SNS appliances, just not as flexible since you have to replace appliances rather than just change resources.
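The sizing logic in the answer above, worked through as an added example (not part of the original post and not a Cisco tool): usable scale is the smaller of the deployment cap set by the PAN/MnT size and the sum of the PSN caps, and the redundancy check repeats that with the largest PSN removed. The capacity figures are the ISE 2.4 numbers quoted in the answer; the 12,500 target (7,500 in use plus 5,000 for the new site) is an assumed reading of the question, and the class and function names are hypothetical.

```python
from dataclasses import dataclass

# Active-endpoint figures quoted in the answer for ISE 2.4.
PSN_CAP = {"3515": 7_500, "3595": 20_000}         # per PSN
DEPLOYMENT_CAP = {"3515": 7_500, "3595": 20_000}  # set by the PAN/MnT size

# Assumption: 7,500 sessions in use today plus 5,000 for the new site.
REQUIRED = 7_500 + 5_000


@dataclass
class Deployment:
    name: str
    pan_mnt: str  # spec of the nodes holding the PAN/MnT personas
    psns: list    # spec of each node running the PSN persona

    def usable(self):
        """Endpoints the deployment can serve with every PSN up."""
        return min(DEPLOYMENT_CAP[self.pan_mnt],
                   sum(PSN_CAP[p] for p in self.psns))

    def usable_after_psn_loss(self):
        """Endpoints still served after the largest PSN fails."""
        caps = sorted(PSN_CAP[p] for p in self.psns)
        return min(DEPLOYMENT_CAP[self.pan_mnt], sum(caps[:-1]))


def evaluate(dep, required=REQUIRED):
    return {
        "usable": dep.usable(),
        "fits": dep.usable() >= required,
        "survives_psn_loss": dep.usable_after_psn_loss() >= required,
    }


OPTIONS = [
    Deployment("current", "3515", ["3515", "3515"]),
    Deployment("option 1", "3595", ["3515", "3515"]),
    Deployment("option 1 + third 3515 PSN", "3595", ["3515"] * 3),
    Deployment("option 2", "3595", ["3595", "3595"]),
    # Option 3: the two 3595 nodes carry PAN/MnT and PSN personas together.
    Deployment("option 3", "3595", ["3595", "3595"]),
]

if __name__ == "__main__":
    for dep in OPTIONS:
        print(f"{dep.name:28} {evaluate(dep)}")
```
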
