Cisco Employee

ISE 2.6 Distributed Deployment with small VM (SNS 3615)

Hi,

Got a customer considering upgrade to ISE 2.6 using 'Small' VMs equivalent to SNS-3615 spec. Approx 20,000 total endpoints, assumed to be not all concurrent.

Had been looking at 6-node cluster of 2xPAN, 2xMNT, 2xPSN but Install Guide(1) and Performance and Scale page(2) don't provide data for this type of deployment. Is that because it's not supported, or not recommended, or just not tested?

Alternative may be to go to 4 'Medium' nodes (SNS-3655) with Hybrid model (2 x PAN+MNT, 2 x PSN) but that's more resources than the 6x3615, which is unfortunate.

(1) https://www.cisco.com/c/en/us/td/docs/security/ise/2-6/install_guide/b_ise_InstallationGuide26/b_ise_InstallationGuide_26_chapter_00.html#reference_A4A76D628B6847EDB1715F2C11C3B753

(2) https://community.cisco.com/t5/security-documents/ise-performance-amp-scale/ta-p/3642148#toc-hId--1992574445

Cisco Employee

Re: ISE 2.6 Distributed Deployment with small VM (SNS 3615)

The 3615 will only support up to 10k concurrent sessions no matter the deployment model; that being said, it doesn't mean it won't work, but in terms of Cisco it's not supported.

Your best option is what you suggested.

Cisco Employee

Re: ISE 2.6 Distributed Deployment with small VM (SNS 3615)

If it’s under 10k "ACTIVE" endpoints then you can use the 3615.

VIP Engager

Re: ISE 2.6 Distributed Deployment with small VM (SNS 3615)

You could also go with two 3655s instead of four. It's a supported deployment design to run all services on two nodes with HA support of 25k active endpoints. This way you would only have two 96 GB VMs/appliances and still have acceptable redundancy; I would lean this way.

Same thought process, you could do two 3615s running all services and support 10k active endpoints. There is no need to break the PSNs out unless it is being asked for, or targeted for a specific reason. An accurate estimate of active endpoints is important here.
Cisco Employee

Re: ISE 2.6 Distributed Deployment with small VM (SNS 3615)

Thank you for the responses @ldanny, @Jason Kunst, @Damien Miller, greatly appreciated.

I'm going to propose the 4 x 3655 hybrid cluster which gives 50,000 sessions total for the cluster and each PSN. Plenty of headroom and resilience. And if I need to scale out at a later date then it's a good place to be starting from.

VIP Engager

Re: ISE 2.6 Distributed Deployment with small VM (SNS 3615)

Just to clarify here, even with 4x 3655s you still have a max of 25k active endpoints. If the PAN and MNT run on the same node(s), you can only support 25k active endpoints in this deployment.

The active endpoint count is determined by how the PAN/MNT are hosted and not what the PSNs can scale. A dedicated 3655 PSN can handle 50k per node, but with the PAN and MNT hosted on the same 3655, they are your limitation.

Standalone (all roles on one or two nodes)
3615 - 10k active
3655 - 25k active
3695 - 50k active

Hybrid (PAN and MNT on same node, up to 5 separate PSNs)
3615 - 10k active
3655 - 25k active
3695 - 50k active

There are no differences in active endpoints between standalone and hybrid deployment methods. Only dedicated deployments where the PAN, MNT and PSNs are hosted on their own nodes scale higher than these numbers.

Cisco Employee

Re: ISE 2.6 Distributed Deployment with small VM (SNS 3615)

Agreed. Looks like there might be a mistake in the install guide (there's certainly a discrepancy between it and the Performance and Scale page). @howon is aware.

Cisco Employee

Re: ISE 2.6 Distributed Deployment with small VM (SNS 3615)

The 2.6 Install Guide has been updated accordingly, thanks to @howon.