cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2270
Views
0
Helpful
8
Replies

ISE high level design

xili5
Cisco Employee
Cisco Employee

Hi Expert,

 

I am seeking the best practice of ISE design.

1. From ISE design guide, the maximum number of PSN nodes are 5 when PAN&MnT is on a single node and PSN is on dedicated node.  How about if PSN role is on the primary/secondary PAN&MnT node in the distributed deployment, how many dedicate PSN nodes could have in this kind of cube? Is it possible to design like

Node1: Pri PAN&MnT+PSN

Node2: Sec PAN&MnT+PSN

Node3-7: 5 dedicated PSNs

OR

Node1: Pri PAN&MnT+PSN

Node2: Sec PAN&MnT+PSN

Node3-5: 3 dedicated PSNs

2. I have a customer that there are 20 PSN nodes needed in one distributed deployment. So from design guide, we need separate PAN and MNT on dedicated ise nodes and could have up to 50 dedicated PSNs supported. Which appliance or equivalent VM should I choose for PAN and MNT node if  I only need 20 dedicated PSNs? I only see 3595 and 3695 as PAN in the guide. What is the recommendation of appliance  or equivalent VM of PAN/MNT in a separate PAN, MnT and PSN nodes design if the number of PSNs node is not near 50?

8 Replies 8

Nidhi
Cisco Employee
Cisco Employee

1- None. if you run PAN+ MnT+ PSN in same appliance. you cannot add more PSNs. 

If you have a setup like node 1- PAN+MnT , node 2- PSN, in this case you can add 5 PSNs. 

2- For 20 dedicated PSNs , you need a distributed deployment with personas running on seperate Nodes. 

the sizing of the deployment depends on the number of concurrent sessions in teh deployment. 

I suggest starting with ciscoLive session  BRKSEC-3432 from SanDiego 2019 to understand teh best practices

Thanks,

Nidhi 

 
 
 

xili5
Cisco Employee
Cisco Employee

Thanks, Nidhi.

 

I went through BRKSEC-3432 and no answer was found for my second question. I just wanted to confirm that whether we have to choose 3595 and 3695 as PAN and MnT when we only need maybe 10 or 20 dedicated PSNs. 

 

You can choose the 3595, 3655, or 3695 templates/appliances, all three would be suitable for admin nodes in a dedicated deployment. The 3695 for admin nodes is geared towards 2,000,000 active endpoint deployments, both the 3595 and 3655 are supported for deployment of up to 50 PSN's and 500k active endpoints.

Thank, Damien.

 

I found this in 2.6 installation guide.

But it is not the same for 2.4 which mentioned 3695 PAN supports maximum of 500K, not 2,000,000 like 2.6.

 

Also hope the team could update ISE Performance & Scale page soon to clear the confusion when making ISE design.

https://community.cisco.com/t5/security-documents/ise-performance-amp-scale/ta-p/3642148#toc-hId-1418220509

Hi Nidhi,

 

1- Actually, we could do this without any warnings. All of PSNs are working. Are there any problems?

I think this deployment can be used for use case that dedicated PSNs are primary role and the PSNs of PAN+ MnT+ PSN node are backup role.3PSN.png

 

2- Does ISE deployment type depends on the number of PSN nodes rather than the number of RADIUS sessions?

How about the case below:

If our customer has total 10 x locations(2 x DC and 8 x remote offices).
They would like to deploy ISE at each site,and the latency between DCs and remote sites is lower than 100ms.

They only have around 50-100 user sessions at each site, total 1000 sessions.
What deployment type will you propose and why ? Please take more attention to the total sessions in this case is only 1000.

paul
Level 10
Level 10

There are only 4 supported ISE deployment models:

 

  1. Stand alone node running all personas.
  2. Two node deployment running all personas.
  3. 4-7 node deployment where the PAN/M&Ts are running on two nodes (no PSN functionality) and 2-5 PSNs.
  4. 6-54 node deployment.  Two dedicated PANs, two dedicated M&Ts and up to 50 PSNs based on your needs.

Once you move to #3 or #4 you cannot run PSN functionality on the PAN/M&Ts and still be running a supported model.

xili5
Cisco Employee
Cisco Employee

Thanks, Paul.

 

But how about my second question? Design guide only mentioned separate PAN and MnT on 3695 and 3595 could support up to 50 dedicated PSNs. Does it mean only 3595 and 3695 are supported in this kind of design? Or if we only need 10 or 20 dedicated PSNs, we could use 3615 or 3655 as PAN and MNT?

Of course it will work. From my point of view, there's no hard enforcement for these type of stuff.

The only thing which is enforced from my point of view is, that there are max. 2 PAN and 2 MNT nodes and that's it.

I guess even the max. sessions outlined in these papers are no hard limit.

 

The values are the validated and supported scenarios by Cisco.

The problem is, that there are no estimations of how many sessions, PSN nodes and endpoints are supported on a full distributed deployment using small appliances.

Again: I'm pretty sure it will work (heck, it works with tiny dimensioned VMs in my lab :) ). However if there are no reliable scale numbers and there is no support by Cisco I would only use the outlined designs from the Cisco documentation.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: