cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

14878
Views
15
Helpful
5
Replies
Harvey khatri
Beginner

Cisco ISE Appliance Sizing and Endpoint Support

Hello all

 

We are in the process of deploying a corporate ISE solution to support 20,000 endpoints. The solution was supposed to consist of 6 x 3495 appliances all deployed as standalone nodes 2 x Admin, 2 x Mon and 2 x PSN. However due to budget constraints we ended up with 2 x 3495 appliances and 4 x 3415 appliances, this has therefore raised a number of questions around the endpoint support and deployment configuration.

According to the Cisco docs the 3495 can support 20,000 endpoints as a dedicated PSN and the 3415 can support 5,000 endpoints as a dedicated PSN, a ¼ of the 3495. Furthermore the 3495 appliance can support 250,000 endpoints as a dedicated Admin or Mon node. There is no documentation that details the number of endpoints supported by a dedicated 3415 Admin or Mon node or whether this is a supported configuration.

The diagram below illustrates our preferred deployment configuration

I am aware we could turn the configuration on its head and use the 3495’s as the Admin and Mon nodes and use the 4x 3415 as PSN’s giving us the 20,000 node support required, albeit without redundancy should a PSN fail.

 

Does anyone have any real world experience using the 3415 as dedicated Admin/ Mon nodes? How many endpoints can they support? Is it a supported configuration? Any help at all would be greatly appreciated.

 

Thankyou in advance for any help you can provide, it is very much appreciated.

 

Harvey

5 REPLIES 5
Jatin Katyal
Cisco Employee

Cisco ISE Deployment—Size and Scaling Recommendations

ISE 1.2

ISE 1.3

ISE 1.4

ISE 2.0

 

~ Jatin

~Jatin

Hello Jatin

Thank you kindly for your prompt response, it is very much appreciated.  I have already referenced these documents and as explained in my post, Cisco do not provide information on whether a small appliance (3415) can be used as a stand alone Admin or Mon node, and how many endpoints it supports.

I know the large appliance is spec'd to double that of the small, double the RAM, CPU and disk. Knowing that the large can support 40 PSN's and 250,000 endpoints you would expect the small, half the size, to support close to a 1/4 of the large, some 10 PSN's and 60,000 endpoints.

Jatin what I need to know is if

a. You can use a 3415 in stand alone mode ( is it supported)

b. How many endpoints can a stand alone 3415 in admin or Mon mode support

Thank you again fro your prompt response and I look forward t hearing from you soon.

Harvey

Regards

Harvey

Yes you can use a 3415 in standalone mode. The table below highlights that and the maximum supported endpoints.

Table 1 Cisco ISE Deployment—Size and Scaling Recommendations

Deployment Type

Number of Nodes/Personas

Appliance Platform

Maximum Number of Dedicated Policy Service Nodes

Number of Active Endpoints

Small

Standalone or redundant (2) nodes with Administration, Policy Service, and Monitoring personas enabled

Cisco ISE 3415

0

Maximum of 5,000 endpoints

Cisco ISE 3495

0

Maximum of 10,000 endpoints

Hello

Thank you for this, I must apologise I probably haven't been clear in my question.  What I meant was how many endpoints can a 3415 support when deployed as dedicated nodes,  running just a single persona.  The table above is a small deployment with the 3415 running all three persona on a single node.

Basically Cisco in the documentation under the  'Large' deployment only details the 3495, stating support for 40 PSN's and 250,000 end points.  There are no details on the 3415 in this configuration.

Deployment Type
Number of Nodes/Personas
Appliance Platform
Maximum Number of Dedicated Policy Service Nodes
Number of Active Endpoints

Small

Standalone or redundant (2) nodes with Administration, Policy Service, and Monitoring personas enabled.

Cisco ISE 3300 Series (3315, 3355, 3395)

0

Maximum of 2,000 endpoints

Cisco ISE 3415

0

Maximum of 5,000 endpoints

Cisco ISE 3495

0

Maximum of 10,000 endpoints

Medium

Administration and Monitoring personas on single or redundant nodes. Maximum of 2 Administration and Monitoring nodes.

Cisco ISE-3355 or Cisco SNS 3415 appliances for Administration and Monitoring personas

5

Maximum of 5,000 endpoints

Cisco ISE 3395 or Cisco SNS 3495 appliances for Administration and Monitoring personas

5

Maximum of 10,000 endpoints

Large

Dedicated Administration node/nodes. Maximum of 2 Administration nodes.

Dedicated Monitoring node/nodes. Maximum of 2 Monitoring nodes.

Cisco ISE 3395 appliances for Administration and Monitoring personas

40

Maximum of 100,000 endpoints

Cisco SNS 3495 appliances for Administration and Monitoring personas

40

Maximum of 250,000 endpoints

Regards 

Hi Harvey, the 3415 appliances are designed to be used for small and/or medium size deployments. Those appliances are not build to scale nor support large deployments. Thus, if you want to run the 3415s as PANs then the max Endpoints supported in your deployment would equal 5,000.

The 250,000 max endpoints is basically the total maximum endpoints that you can get in one deployment regardless of the total count of your PSNs. For instance, 1 x 3495 can support 10,000 concurrent endpoints. However, even though the max supported PSNs is 40, you can still only have a max of 250,000 endpoints and NOT 400,000 (40 x 10,000).

With all of that being said, if your deployment requires 20,000 concurrent endpoints then you are facing a tough situation because you will indeed need a minimum of 6 x 3495 appliances so you can have:

1 x Primari Admin

1 x Primary Monitor

1 x Secondary Admin

1 x Secondary Monitor

2 x PSN - Maximum of 20,000 concurrent endpoints. This is actually not ideal as you don't have redundancy. Thus, you should actually have another node (7th) that will provide you with an N+1 deployment where one of the PSNs can fail. 

One thing to stress here: All of these documents are referring to concurrent endpoints and not total endpoints. So if your environment has 20,000 endpoints but only 5,000 are concurrent then we could probably make this work :) If you do have 20,000 concurrent endpoints then you will need to swap those 3415s with 3495s or build equivalent Virtual Appliances. 

Check out this Cisco Live session that covers all of this very well:

http://d2zmdbbm9feqrf.cloudfront.net/2015/usa/pdf/BRKSEC-3699.pdf

I hope this helps!

Thank you for rating helpful posts!

Create
Recognize Your Peers
Content for Community-Ad

ISE Webinars



Did you miss a previous ISE webinar?

CiscoISE YouTube Channel