03-10-2016 07:07 PM
Hi ISE team,
Need some assistance on a few questions for a distributed design I have with a customer.
Situation is that they want to run a distributed ISE deployment – having the Policy Service node at the branch location. They will be purchasing roughly 70 routers + UCS-E 140 module - deployed in an HA setup so 30-40 routers will be the active router. Each location will have 100-200 devices.
Hardware config:
Questions:
Thanks in advance!
Regards,
Minh Nguyen
03-11-2016 05:55 AM
Hi Minh,
The 3415 OVA would not meet our performance specifications on the UCS-E 140. Even in a virtual environment, we require the 3415/3495 equivalents to have resource reservations. This will ensure that if the customer needed to max out scale (44 3495 appliances supporting 250K endpoints) the system will perform as expected. This is the current scale limit today, but we are going to surpass that with future versions. If the customer needs to go beyond that limit today, an additional deployment would need to be installed.
Regards,
-Tim
03-11-2016 09:15 AM
Thanks Tim for confirming - UCS E160 will be the blade of choice then.
160D: Intel Xeon processor E5-2418Lv2 (10-MB cache, 2.0 GHz, and 6 cores)
03-11-2016 06:04 AM
Is it also good design to put a PSN at every small site?
Might be best looking into geographically deployed clusters of PSNs behind load balancers instead. This will reduce the amount of PSNs and also improve redundancy (from an ISE standpoint). If you have a robust WAN and backup links this would work out better.
If you have PSNs at these remote sites, are they within the limits of latency when synchronizing with the PAN/MNT?
03-11-2016 09:18 AM
Jason,
We plan on putting a PSN (policy node) at every site using the UCS-E 160 blade. When you mentioned clusters of PSN, do you mean to deploy a few appliances for a specific region then have the small sites make calls to that cluster?
How would you load balance across the PSN (is that a feature of ISE)?
03-11-2016 09:41 AM
Yes, you're correct, you would point several small sites at a regional site. We have a load balancing guide here:
Cisco Identity Services Engine - Design Guides - Cisco
HowTo: Cisco and F5 Deployment Guide-ISE Load Balancing Using BIG-IP