ISE SDA Deployment Sizing

Krzysztof Grabowski
Cisco Employee

Hi Guys,

I have a question regarding ISE sizing in the context of maximum supported authentications per second. ISE Performance and Scale provides unidirectional numbers for different authentication types (PAP/EAP-TLS, etc.) but does not provide a recommendation on the number of PSNs.

One of my customers challenged me on why not to use a single pair of SNS-3695s running PAN+MnT+PSN for an SDA deployment, which according to the papers should support up to 50K sessions in 2.6. I think that it is a risky approach due to PAN and MnT load and potential RADIUS congestion (in case of a spike like a WLC reload or a major outage-recovery situation), but with the data in ISE Performance and Scale I don't have solid arguments to defend my position to recommend a hybrid/distributed deployment with more than 2 PSNs.

Could you please let me know what the recommendations are for the number of PSNs with regard to auth/second rate? This dimension of ISE scaling seems to be a grey zone with no clear recommendations...

Cheers,
Chris

Accepted Solutions

Jason Kunst
Cisco Employee
The information for everything running on one box as standalone with HA is the best scenario. If the customer is starting with less than 50k then this is a good starting design, depending on how the network is designed and tuned following Cisco Live guidelines. Once approaching the limit, I would evaluate system performance and anticipate a need to split out the PSNs where needed into a medium distributed model.

The limits are tested and recommended per that testing to include all persona models accordingly.

I would also recommend looking at the information from BRKSEC-2059 and BRKSEC-3432 on the Cisco Live training site.

https://community.cisco.com/t5/security-documents/ise-performance-amp-scale/ta-p/3642148

Thanks Jason!