Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3973
Views
15
Helpful
4
Replies

Is supported maximum number of endpoints in the ISE 2.6 or later release depend on hardware models?

Go to solution
taasai
Cisco Employee
Cisco Employee

‎12-28-2019 07:31 AM

Hi, 

As this great document states ISE Performance & Scale maximum number of endpoints on ISE 2.6 is 2,000,000. Does this number differ by the hardware models you select? I believe that it affects the supported number of active sessions but I'm wondering if it also affects the number of endpoints.
I assume that database replications within the deployment will happen when ISE PSNs or Primary PAN learn new MAC addresses or new updates about a MAC address. Thus, when you have 2,000,000 of endpoints in the deployment, all the nodes have the same 2,000,000 of data in terms of the number of MAC addresses. 

I'm asking it because one of my customers will have much more than 2,000,000 of endpoints in their new deployment. (We are planning to have two or more ISE-CUBEs to store the 3millions of MAC addresses for MAB.) And we are looking at SNS-3615 for the PSNs. We are wondering if the hardware model is appropriate for this large amount of data. The following image is from one of my favorite presentations by Jason. This is quite informative but I'm a bit confused by this table.

https://www.ciscolive.com/c/dam/r/ciscolive/apjc/docs/2019/pdf/BRKSEC-3432.pdf

 

Capture.JPG

Does it mean that a single hardware appliance can't store 2,000,000 mac addresses for authentication even if it is SNS-3695?  The customer and I are discussing how we will be able to import the mac addresses into the ISE CUBE. We thought we would just need to import CSV files that list MAC addresses on the PAN, then the data would be replicated among all the other nodes in the deployment. But we are not sure.

 

And what happens if the number of MAC addresses exceeds 2,000,000? Data is deleted from the oldest ones?

1 Accepted Solution

Accepted Solutions

Go to solution
Damien Miller
VIP Alumni
VIP Alumni

‎12-28-2019 09:33 AM

The 10k - 100k endpoints listed per appliance template/hardware model is for active endpoints and not known. The 2 million number is referring to active endpoints across all PSNs as well as stored MACs in the context visibility database.

3615's as PSNs would not be a good selection if you were planing for 2 million active endpoints since you are only allowed 50 PSNs per cube. 50 3615's would only provide max active endpoint capacity of 500k with no HA.

Leveraging 3655's you could deploy 40 PSNs to handle 2 million active endpoints, but it leaves no room for maintenance/uneven load/HA. So you would add another 4-10 PSN anyways likely.

Ideally, 3695's for dedicated PSNs. You will have less nodes to patch/upgrade when the time comes. In general it will be an easier to manage deployment with a lot more capacity. You would need 20 PSNs to support 2 million endpoints, plus any extra you deploy for HA. I would typically plan for a data center outage at least, so if you have 4 DCs, each with 5 PSNs, you only have support for 1.5 million active endpoints if you lose five.

Now, the stated maximum for "total known endpoints", or "Maximum number of Endpoints" as referred to in the performance and scale guides, states only 2 million stored in context visibility. I have had a deployment with 4.9 million known endpoints/MACs, and everything was still working. The issue really came down to managing the context visibility database. The exported endpoint CSV was 4.9 million rows and a little over 5 GB. I'm not sure where or how the 2 million known endpoint limit was tested, but it doesn't collapse upon hitting it. I have trouble with this published scale number, if you support 2 million active endpoints, you have to set up extremely aggressive endpoint purge policies. The criteria you have available to purge endpoints is missing some features I would want if getting this aggressive.

View solution in original post

4 Replies 4

Go to solution
Damien Miller
VIP Alumni
VIP Alumni

‎12-28-2019 09:33 AM

The 10k - 100k endpoints listed per appliance template/hardware model is for active endpoints and not known. The 2 million number is referring to active endpoints across all PSNs as well as stored MACs in the context visibility database.

3615's as PSNs would not be a good selection if you were planing for 2 million active endpoints since you are only allowed 50 PSNs per cube. 50 3615's would only provide max active endpoint capacity of 500k with no HA.

Leveraging 3655's you could deploy 40 PSNs to handle 2 million active endpoints, but it leaves no room for maintenance/uneven load/HA. So you would add another 4-10 PSN anyways likely.

Ideally, 3695's for dedicated PSNs. You will have less nodes to patch/upgrade when the time comes. In general it will be an easier to manage deployment with a lot more capacity. You would need 20 PSNs to support 2 million endpoints, plus any extra you deploy for HA. I would typically plan for a data center outage at least, so if you have 4 DCs, each with 5 PSNs, you only have support for 1.5 million active endpoints if you lose five.

Now, the stated maximum for "total known endpoints", or "Maximum number of Endpoints" as referred to in the performance and scale guides, states only 2 million stored in context visibility. I have had a deployment with 4.9 million known endpoints/MACs, and everything was still working. The issue really came down to managing the context visibility database. The exported endpoint CSV was 4.9 million rows and a little over 5 GB. I'm not sure where or how the 2 million known endpoint limit was tested, but it doesn't collapse upon hitting it. I have trouble with this published scale number, if you support 2 million active endpoints, you have to set up extremely aggressive endpoint purge policies. The criteria you have available to purge endpoints is missing some features I would want if getting this aggressive.

Go to solution
taasai
Cisco Employee
Cisco Employee
In response to Damien Miller

‎01-05-2020 06:41 PM

Hi Demien,

Thank you very much for the informative comment. 

>The 10k - 100k endpoints listed per appliance template/hardware model is for active endpoints and not known. The 2 million number is referring to active endpoints across all PSNs as well as stored MACs in the context visibility database.

We have not confirmed if more than 2 million endpoints will actively connect to the network. There will be some small regions for the early stages of the deployment. I think we can use virtual machines that have equivalent performance as SNS-3615 for some of the PSNs.  

 

>Now, the stated maximum for "total known endpoints", or "Maximum number of Endpoints" as referred to in the performance and scale guides, states only 2 million stored in context visibility. I have had a deployment with 4.9 million known endpoints/MACs, and everything was still working. 

This is quite important for this customer. Thanks for the information.

0 Helpful

Go to solution
Jason Kunst
Cisco Employee
Cisco Employee
In response to taasai

‎01-06-2020 08:43 AM

keep in mind officialy we only support 2 mil endpoints in the database. Please if you have further needs reach out to the product managers:

To contact our product team for future enhancement requests, externally for cisco customers/partners at http://cs.co/ise-feedback for cisco employees internally at http://cs.co/ise-pm

0 Helpful

Go to solution
taasai
Cisco Employee
Cisco Employee
In response to Jason Kunst

‎01-06-2020 05:21 PM

Hi Jason,

Happy new year!

I understand that the number is not supported and I have already posted a comment to ise-pm forum last night. And a CSS contacted one of the PMs about it. Thanks for the feedback!

0 Helpful
Customers Also Viewed These Support Documents