Are dedicated SXPSNs required in large ISE deployment

dvan
Cisco Employee

Hi,

According to the ISE architecture for a large deployment, each persona requires a dedicated node, and some services call for dedicated nodes as well (e.g. PassiveID PSNs), whilst other services can be shared with existing RADIUS PSNs (e.g. TrustSec policy downloads).

Given the above, in a large ISE deployment with dedicated nodes, is a dedicated SXP PSN pair required, or can the SXP service run on an existing RADIUS PSN with low utilisation?

In this instance, the SXP service is only required for integrating with ACI for policy-plane integration. Assume 15-20k ISE-SGT mappings in total to be in ISE, consisting of RADIUS sessions plus ACI-learnt mappings.

Thanks,

Denis

Accepted Solution

Damien Miller
VIP Alumni

From a technical perspective it will run, but as you have already pointed out, you have to be mindful of the load. SXP is a pretty chatty protocol, as updates are near real time, so the load it generates really depends on four things: the number of IP-SGT mappings, the number of SXP connections, the type of SXP connections (unidirectional vs bidirectional), and the frequency of change. If you're only looking at a couple of SXP speaker connections, then I would spin it up on a couple of existing PSNs.

Worst case, you find the load is too high and spin SXP out to a couple of 3515/3615s.


Thanks for the response Damien :)

I also want to confirm whether this is an officially supported setup or not.

Pretty sure yes, as the overarching persona (PSN) is dedicated as per the large deployment guideline, and only the underlying PSN services (SXP, RADIUS etc.) are shared; however, I want to be certain on this.

Cisco TMEs,

Are you able to add any further comments to this?

Yes, this would be supported; as @Damien Miller stated, please watch the performance of the nodes. Also please look at the performance and scale page https://community.cisco.com/t5/security-documents/ise-performance-amp-scale/ta-p/3642148 and also the resources link to BRKSEC-3432.

Thanks Jason
