
Correct 2.4 VM Deployment

matrhebe
Cisco Employee

Hello Communities-

I have a situation where we will be deploying ISE 2.4 in an environment that has 20k-60k devices authenticating on the network on a given day.  My plan is to deploy 2 Medium VMs for the PAN/MNT functions and either 2 Medium or 2 Large PSNs.

 

Using physical appliances is a non-starter in this environment.  Are there other designs/solutions I should consider?  Will 2 Medium PSNs be too small?  It's not entirely clear to me based on the resources I have seen the scale numbers for Medium VM PSNs.

 

Thanks!

Matt

Accepted Solutions

There are two ways to approach this, will it run vs what's been tested and published.

In regards to #1, 2.4 has not been given the green light to run on 3600 series VM templates and will not run on 3600 appliances today. Seeing as you're internal, you could talk to ISE PM for more insight on this topic.

On #2, 2.4 will certainly run on a 3655 VM template since it is just RHEL Linux underneath. It will boot, install, and generally not care if it has more resources. I would suspect that VM license warnings would occur though since 2.4 would probably consider a VM larger than 64 GB a large node. But no one is stating that it will support 50k endpoints and if TAC was involved in troubleshooting they would likely ask for the VM template to be corrected.

Depending on the timelines, building this with 2.6 and 3600 scaling in mind could be beneficial. 2.6 is the next long term support release for ISE, and while 2.4 is considered mature and currently being recommended, that will eventually move to 2.6.


Jason Kunst
Cisco Employee
Would recommend you look at Cisco Live on scale at http://cs.co/ise-training
BRKSEC-3432
https://community.cisco.com/t5/security-documents/ise-performance-amp-scale/ta-p/3642148

Depends on your release vehicle and your design deployment as well

Damien Miller
VIP Alumni
To get you started with some baseline information, the scale of a hybrid deployment on 2.4, where the PAN and MNT functionality is shared on the same nodes, is only 20k active endpoints. Even if you were to leverage 2.6 and 3695 VMs (256GB), total active endpoint count for a hybrid deployment is only 50k.

If 60k is a reliable number, then you need 4 dedicated nodes to handle PAN/MNT functions, using additional dedicated PSNs for authentication. Each dedicated 2.4 3595 VM will support 40k active endpoints. You also want to consider failure and patching scenarios; where you put the PSNs depends on authentication load. It's also entirely possible to use 3515 nodes for PSNs, just more of them since they only support 7500 active endpoints.

Thanks for both of your replies.

 

I looked at the CL session and presentation and have a few more questions.  Assuming the 60k number is right (up for debate still), it seems to me the better design is to split the PAN and MNT out to separate nodes and scale out the PSNs as you mention, Damien.

 

My questions:

1. Can I run 2.4 on 3655 virtual appliances? Slide 74 of the CL presentation seems to indicate you can, at least on HW.

2. If so, I believe the scale numbers of 50k max sessions apply to 2.6 only.  What are the scale numbers if running 2.4 on 3655 virtual?

3. If the answer to question #1 is no, then I obviously need to stick with the 3595 equivalent VM for my PSNs.  In that case, do I license it as a Large or Medium?  Slide 72 of the CL presentation shows Large, however the snip below seems to contradict that.

 

* ISE 2.4 introduces a new Large VM appliance. The current SNS-3595 hardware (or its VM equivalent) will be reclassified as a Medium appliance.   Under ISE 2.4, there is currently no Large Hardware-based appliance, only a Large Virtual appliance.  The Large VM appliance has identical specifications as the SNS-3595, but with 256GB RAM.  The Large 3595-based VM is intended for use as a performance-enhanced MnT node. There is currently no application for its use as a PAN, PSN, or pxGrid node.

 

Thanks!

Matt

 
