Scaling ISE - adding pxGrid / TACACS+

MS-JK
Level 1

Hey team, I'm searching for a good reference document that shows scalability within a distributed environment 2.4 (separate PAN/MnT/PSN), now adding TACACS+ and pxGrid functions. What I'm searching for: pros/cons/#s if I add TACACS+ to existing PSNs that are used for wired/wireless, and the same for pxGrid, vs. building a brand new pair of PSNs for pxGrid ONLY and a brand new pair of PSNs for TACACS+ ONLY. I understand the security good/bad, BUT I'm looking for actual #s and any limitations. Thanks for feedback!

1 Accepted Solution

Accepted Solutions

kthiruve
Cisco Employee

Please check out the ISE performance and scale community page, which will give you an idea about shared PSNs using pxGrid. This is under pxGrid scaling. The TACACS+ performance is based on a dedicated appliance.

Apart from security, also think about service failure. Do you want the device administration service impacted if there is a problem in pxGrid and the node goes down? Vice versa holds good as well.

My opinion is to leave the TACACS+ separate so that your device administration is smooth and network admins don't have a problem. However, if your network is small and you have only a few administrators checking the status sporadically, you can consider sharing. However, remember that the purpose of using pxGrid is to share the context so that it is consumed by a Cisco or third-party device for a specific reason. Think about the importance of that service and make the decision.

 

-Krishnan

3 Replies

Thanks Krishnan for feedback.

Do you know if adding the pxGrid function on existing standalone PSN nodes (that are handling wired/wireless) could have an effect on performance for the existing RADIUS/802.1X servers that they are already providing? Same with TACACS+.

 

The debate is:

NOW: (scaled down - there are actually more PSNs)

DC1: pan(a) mnt(a) (psn1)

DC2: pan(s) mnt(s) (psn2)

vs: (keeping it distributed all nodes separated)

DC1: pan(a) mnt(a) (psn1) (pxgrid) (tacacs+)

DC2: pan(s) mnt(s) (psn2) (pxgrid) (tacacs+)

vs:

DC1: pan(a) mnt(a) (psn1+pxgrid) (tacacs+)

DC2: pan(s) mnt(s) (psn2+pxgrid) (tacacs+)

vs:

DC1: pan(a) mnt(a) (psn1+pxgrid+tacacs+)

DC2: pan(s) mnt(s) (psn2+pxgrid+tacacs+)

vs:

DC1: pan(a) mnt(a) (psn1+tacacs+) (pxgrid)

DC2: pan(s) mnt(s) (psn2+tacacs+) (pxgrid)

 

 

I have colocated those services with PSNs in large deployment models in the past without issue, but every customer's flows/patterns are different. My general recommendation (and that of our solution architects) is: if you are large enough to build a large deployment model (separate PAN/M&T/PSNs), then build separate TACACS and pxGrid nodes.

Not sure if you will find specific data, as in many (probably most) cases colocating will work just fine, but the best practice is to split them off.
