Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
721
Views
4
Helpful
4
Replies

Cisco ISE sizing - small or medium

Go to solution
drr
Level 1
Level 1

‎01-01-2024 10:33 PM

Hi team,

I'm trying to figure out what sizing we should establish as well as if we should go for a small or medium deployment.

Currently, there are around 15.000 active endpoint in the environment, but as the company is growing very fast, it could be around  25.000-30.000 active endpoint in the next year.

As per below guide, a small deployment can handle up to 50.000 endpoint, so a small deployment should be fine for now.
https://www.cisco.com/c/en/us/td/docs/security/ise/performance_and_scalability/b_ise_perf_and_scale.html

So, to my questions:
1. Is it possible to start with a small deployment with the VM specifications of, lets say, Cisco SNS 3715 for start that can handle 25.000 endpoint, and if we reach that size, we can scale/buff the VM resources to match the requirements for Cisco SNS 3755 so the deployment can handle 50.000 endpoint instead. Does it work that way?

2. Should we go for a small or medium deployment? After reading above link i can't really figure out what advantages dedicated PSN's would bring to the deployment in this case where we only have one datacenter. As far as I understand, the PAN/MnT node is limiting the deployment size. If we go for a small deployment, we could install 2x VM as PAN/MnT/PSN that can handle up to 50.000 endpoints. If we would go for a medium deployment, we would have 4x VM that can handle 50.000 endpoints as well, but will cost nearly double the computing resources.

3. If we initiate a small deployment to begin with, is it possible to later configure/transition the deployment to a medium deployment, i.e. add/move PSN to dedicated nodes and "remove" them from the original PAN/MnT node? I know in a small deployment, it's possible to add one more PSN. But if we would need even more PSN's to handle above 50.000 endpoint, is it possible to convert the deployment from small to medium? The reason for the question is that the wired network is only in scope now, but if we would like to add the wireless network to the deployment later, the total endpoints being handled would double.

Hope the questions are clear, otherwise please get back to me if clarification is needed.

Thanks!

0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
ahollifield
VIP
VIP

‎01-02-2024 06:19 AM

  1. Yes, with the exception of disk space.
  2. I always opt for medium if resources available.  You can control load more effectively and handle things like service restarts/patching/certificate replacement much easier with a medium deployment.  It's is also much easier to scale up to a large deployment when the time comes as you only need to add PSNs and dedicated MnT nodes.
  3. Yes, but you will need to change all NAD configuration to reflect this change as PSN role will no longer be on the PAN/MnT node.  This is also why I suggest starting at a medium deployment.

View solution in original post

Go to solution
Ruben Cocheno
Spotlight
Spotlight

‎01-02-2024 08:24 AM

@drr 

If for Capex reasons you going for a small deployment for now, later on you can expand to Medium increasing the number of PSN nodes and reconfiguring the NAD to add new nodes while you pull the PAN/MNT from the current nodes to dedicated.

Tag me to follow up.
Please mark it as Helpful and/or Solution Accepted if that is the case. Thanks for making Engineering easy again.
Connect with me for more on Linkedin https://www.linkedin.com/in/rubencocheno/

View solution in original post

4 Replies 4

Go to solution
ahollifield
VIP
VIP

‎01-02-2024 06:19 AM

  1. Yes, with the exception of disk space.
  2. I always opt for medium if resources available.  You can control load more effectively and handle things like service restarts/patching/certificate replacement much easier with a medium deployment.  It's is also much easier to scale up to a large deployment when the time comes as you only need to add PSNs and dedicated MnT nodes.
  3. Yes, but you will need to change all NAD configuration to reflect this change as PSN role will no longer be on the PAN/MnT node.  This is also why I suggest starting at a medium deployment.

Go to solution
drr
Level 1
Level 1
In response to ahollifield

‎01-03-2024 11:30 PM

Thank you for your reply!

0 Helpful

Go to solution
Ruben Cocheno
Spotlight
Spotlight

‎01-02-2024 08:24 AM

@drr 

If for Capex reasons you going for a small deployment for now, later on you can expand to Medium increasing the number of PSN nodes and reconfiguring the NAD to add new nodes while you pull the PAN/MNT from the current nodes to dedicated.

Tag me to follow up.
Please mark it as Helpful and/or Solution Accepted if that is the case. Thanks for making Engineering easy again.
Connect with me for more on Linkedin https://www.linkedin.com/in/rubencocheno/

Go to solution
drr
Level 1
Level 1
In response to Ruben Cocheno

‎01-03-2024 11:33 PM

Thank you for your reply!

We have resources to go for a medium as well, the problem is that I didn't see the cost/benefit of going for a medium deployment right now (except for the administrative benefits that ahollifield mentioned above).

0 Helpful
Customers Also Viewed These Support Documents