Amount of expected cross-traffic between ISE nodes

joe_lizzi
Level 1

Hello,

We're setting up a fully-distributed 2.4 ISE cluster across 3 datacenters. 2 of the DCs will have PAN and MnT nodes (primary/secondary, of course), and all 3 DCs will have at least 2 PSNs each. The PSNs are being load-balanced behind F5s. The PSNs currently have 2 interfaces each - one MGMT net, and the other attached to the network where the F5 acts as a gateway. We've been thinking about having the PSNs have *only* the F5-net interface, to simplify certain routing and firewall issues. However, there's a concern that this might overwhelm the F5 traffic license, or otherwise severely affect performance.

According to some of the Cisco Live presentation slides and other information, it at least appears that while ISE 2.6 has the PSNs sync/cache stuff between themselves, 2.4 and below basically talk to the PAN (and MnT to an extent) for almost everything. Is this perception correct? And if so, what does that traffic flow look like? How much data are we talking about the systems passing back and forth here? (This is especially going to be important for us to consider in the future as we eventually expand the ISE domain over the whole campus.)

Accepted Solution

Damien Miller
VIP Alumni
There is a bandwidth calculator to help estimate some of this.
https://community.cisco.com/t5/security-documents/ise-latency-and-bandwidth-calculators/ta-p/3641112

The differences between 2.4 and 2.6 are minimal as far as communication goes, and only change if you enable LSD, which is disabled by default. PSNs still have to communicate endpoint changes and forward syslogs to the MnTs. The new Light Session Directory in 2.6 leverages a local message bus which handles communication a little differently; some endpoint session data specific to handling CoAs will be sent PSN > PSN. I haven't used 2.6 in production yet, so I can't comment on whether this changes bandwidth requirements.

Since ISE listens for RADIUS on all interfaces, you could split authentication traffic to Gig1 and dedicate Gig0 to management. Gig0 is the interface that will be used for replication and administration.


2 Replies

Thank you for the calculator link and the information. I know about the split-interface stuff; that's the way it's configured now, but we were trying to avoid the mess with static routes and other things that it entails. Based on some prelim numbers I plugged into that sheet, though, we might not be able to avoid it. Oh well.