
Cisco ISE design

Hamada Elboshy
Level 1

I have a customer who has two DCs with almost 10K endpoints, and I need to deploy Cisco ISE for him. Which best practice should be applied, and include HA?

I also want to know: does each endpoint count as an active session, or can an endpoint have multiple active sessions? I ask because I want to know the size tier, whether I will go to small or medium.

3 Replies

@Hamada Elboshy 10K active sessions will be a small deployment, 2 nodes for HA. All ISE personas (PAN, MnT, PSN, and pxGrid) on the same appliance or VM instances. Two-node deployment. One node as primary and the other node as secondary for redundancy.

Refer to the performance and scale guide - https://www.cisco.com/c/en/us/td/docs/security/ise/performance_and_scalability/b_ise_perf_and_scale.html

 

Each endpoint with a unique MAC address counts as one active session.

Hi @Hamada Elboshy,

beyond what @Rob Ingram already said ...

Please take a look at:

About "... want to know each Endpoint count as Active Session? ...", please take a look at:

Navigating Security in a Chaotic Environment - Part II, search for Unknowns to Knowns to Classified!!!

Hope this helps!

ajc
Level 7

In addition to the above, keep in mind the TPS, because if you are using Entra ID/Azure with ISE then the number of PSNs required could be higher so you do not start having "issues".