
Beginner

ISE Design question - scalability

Hi,

Hope someone could help me.

We are in the process of deploying ISE in our organization. We have over 80 branches worldwide.

We will be deploying a large-scale deployment. But, due to budget constraints, management is looking to cut down the number of PSNs. But I need to give solid technical explanations for why we need x number of PSNs.

Solution:

ISE PAN (HA)

MNT - Single Node

2 Main PSN (HA) - one PSN per data centre

* latency is less than 300ms for all the branches when

* we have a few sites with nearly 100 staff and others vary between 5-50

**************************************************************************

Do we need a PSN for each site where the number of users is high (close to 100)?

What are the base requirements to put a PSN in a remote site?

3 REPLIES (2 accepted solutions)
Cisco Employee

Re: ISE Design question - scalability

For 100 sessions, I would not recommend hosting a local PSN. If the concern is around network access during ISE failure, I would suggest looking into designing the network for fail open in case of ISE failure. Although the decision to have a local PSN can be based on many factors, such as WAN quality, existence of an AD server, and the number of users and endpoints, you generally would not need to consider one unless there are more than 3k concurrent sessions at a single location. Also, I would suggest that you make the MnT node an HA pair.

VIP Engager

Re: ISE Design question - scalability

I have some customers that want ISE nodes at critical facilities, but I would argue that this should be handled a different way. If a site is so critical that it requires a dedicated ISE node, it should have two WAN circuits, two routers, and you should have ISE hosted in two data centers. This way you have survivability via two fault domains.

Authentication latency below 5 seconds is typically fine; users will have many other issues if your link wasn't capable of this. Authentication traffic load is typically quite low. I would avoid placing PSNs at remote sites unless there is an absolute need.

I am with @howon. I would go even further and look at having just two nodes, one in each data center, hosting the admin, MnT, and PSN roles. Two-node deployments are able to scale between 7,500 and 50,000 active endpoints depending on the ISE version and template deployed.
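
One way to turn the rules of thumb from the two replies above into a repeatable check across all sites, as an added example that is not code from the thread or from Cisco: the thresholds are the figures quoted in the replies (3k concurrent sessions, 5 s authentication latency, 7,500-50,000 endpoints for a two-node deployment); the RADIUS round-trip count per logon, the 300 ms RTT from the question and the site inventory are constructed assumptions.

```python
from dataclasses import dataclass

# Rules of thumb quoted in the two replies above.
LOCAL_PSN_SESSION_THRESHOLD = 3000  # concurrent sessions at one site before a local PSN
MAX_AUTH_LATENCY_MS = 5000          # "authentication latency below 5 seconds is typically fine"
TWO_NODE_MIN_ENDPOINTS = 7500       # two-node deployment, smallest template/version
TWO_NODE_MAX_ENDPOINTS = 50000      # two-node deployment, largest template/version
EAP_ROUND_TRIPS = 10                # assumption: RADIUS exchanges per EAP-TLS logon

@dataclass
class Site:
    name: str
    concurrent_sessions: int  # peak concurrent endpoints at the site
    rtt_ms: int               # round-trip time from the site to the nearest DC PSN
    critical: bool = False    # site must keep authenticating during a WAN outage
    wan_circuits: int = 1

def estimated_auth_latency_ms(site: Site) -> int:
    """One logon is several RADIUS round trips, so scale the WAN RTT by that count."""
    return site.rtt_ms * EAP_ROUND_TRIPS

def needs_local_psn(site: Site) -> bool:
    """A local PSN only when the site is very large or the WAN makes logons too slow."""
    return (site.concurrent_sessions > LOCAL_PSN_SESSION_THRESHOLD
            or estimated_auth_latency_ms(site) > MAX_AUTH_LATENCY_MS)

def recommendation(site: Site) -> str:
    """Critical sites get a second WAN path to a second DC before they get a local node."""
    if site.critical and site.wan_circuits < 2:
        return "add second WAN circuit and router"
    if needs_local_psn(site):
        return "local PSN"
    return "DC PSNs with fail-open on the access layer"

def plan(sites: list[Site]) -> dict:
    """Aggregate view: which sites need attention and whether two nodes carry the load."""
    total = sum(s.concurrent_sessions for s in sites)
    return {
        "total_endpoints": total,
        "local_psn_sites": [s.name for s in sites if needs_local_psn(s)],
        "wan_fix_sites": [s.name for s in sites if s.critical and s.wan_circuits < 2],
        "fits_two_node": total <= TWO_NODE_MAX_ENDPOINTS,
        "smallest_template_ok": total <= TWO_NODE_MIN_ENDPOINTS,
    }

# Constructed inventory like the question: five ~100-user sites, 75 branches of 5-50 users, 300 ms RTT.
SITES = ([Site(f"site{i}", 100, 300, critical=True) for i in range(5)]
         + [Site(f"branch{i}", 5 + (i % 10) * 5, 300) for i in range(75)])
```

Running plan(SITES) on this inventory flags no site for a local PSN and keeps the whole estate inside the smallest two-node template, which is the argument the replies make.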

Beginner

Re: ISE Design question - scalability

Hi Howton and Damien,

Thank you so much for your valuable advice.