Cisco Employee

ISE Architecture

2 questions about ISE architecture. Customer currently has standalone ISE deployment in DC1 and HA in DC2. Medium VMs running 2.4 for 6500 concurrent sessions. They want to add (resiliency) a branch office (BR1) and add DNAC functionality (introducing PXG). They only have enough resources at the new BR1 site for small VM. They are wanting least-additional resources possible for the additional location and PXG.

1) I am thinking of splitting up the current 2 Medium VMs (PAN+MnT+PXG on each), then adding 2 small VMs (or 3515s) for the PSN node to DC1 and BR1.  Any issues or considerations here?

2) Is there a more economical way to do this? (e.g., I have read that you can install all 4 personas on 1 standalone medium VM deployment. Possible? Supported?)

Thanks in advance!

Accepted Solutions
VIP Engager

Re: ISE Architecture

Option 1 you identified would work. The consideration would be that each 3515 supports up to 7500 active endpoints, and your total deployment with 3595 PAN/MNT would be capped at 20k. This would leave you in a good position based on the 6500 endpoints. The issue would be that your secondary RADIUS server for HA is no longer in the DC, but at a less reliable branch, maybe with bandwidth constraints. I would prefer having a PSN in each DC with the PAN/MNT/PXG nodes, and then a third 3515 in the branch for its own primary.

You can run all personas on a single node, or two nodes for HA (between 7500 total endpoints and up to 50k on 2.6+3695). This is called a standalone deployment in the design guides. If you want branch resiliency though, that pushes you into a hybrid design, moving to a PSN authentication services layer like in the option above.

If VMware resources are an issue, hardware appliances could be leveraged at the same time as virtual; you can mix the two.