Solved: Re: ISE 2.4 Design Confusion

thilinar8 · ‎07-22-2019

Hi,

we are trying deploy ISE in our organization. Cisco Partner is giving some information. But, i don't trust them as they are trying to maximize the sale.

Question:- initially they proposed two ISE nodes (Active/Passive) all services running on one Server.- two Medium Size VM.

But, that design is not suite to our organization due to geographically distributed offices.

we thought of going to Distributed Deployment. But, Partner is keep saying we need to go for Large VM for this Option. But, as we know maximum Radius sessions will not even reach the capacity of the small ISE node.

*****************************************************************************************************************

can i do the Distributed deployment with Medium Size VMs ?

Damien Miller · ‎07-22-2019

I don't want to step on any toes, but you are correct, you do not need 256 GB VM's for a distributed deployment. There might be some confusion there if they are referring to the 3595 as the large VM which at one point in the past it was.

A distributed deployment has been tested and is supported using medium or large VM's for the PAN and MNTs, slight variation based on the version you deploy, 2.4 vs 2.6.

You are good to run 4x 3595 for pan/mnt's, or 4x 3655/3695.

View solution in original post

gbekmezi-DD · ‎07-22-2019

Of course you can. Having said that, numbers do matter. How many total endpoints do you project you’ll have in the deployment and what do you anticipate the peak concurrent session count to be?

Will there be a lot of guest and byod as well?

thilinar8 · ‎07-22-2019

maximum sessions upto 20000.

total devices will be around 10,000.

Guest/BYOD is just Portal login. No posturing

i need to have more than 8 PSN. can i achieve it using only Medium VMS?

Damien Miller · ‎07-22-2019

If your max active sessions will be up to 20k but not over, then you require 3595 or 3655 sized appliances (Medium). You can support 20k active on a standalone or hybrid 3595 deployment, and 25k active on a 3655 deployment.

If you need to have 8 PSN's, you should really have a 12 node deployment. 2x admin, 2x monitoring, 8x psn. The Admin and MNT's should be medium sized nodes, while the PSN's could potentially be small 3515 or 3615's. Each 3515/3615 will support 7500 or 10000 active sessions respectively.

This is of course strictly an active session count picture, there are more detailed authentication type limits documented. I suspect you won't hit the session auth per second limits that are published unless you host large events and are peaky.

This is of course all documented in the community scaling guide.
https://community.cisco.com/t5/security-documents/ise-performance-amp-scale/ta-p/3642148

thilinar8 · ‎07-22-2019

Hi Damien,

yes, thats what i thought too.

But, our partner said that when you go for Distributed deployment, PAN and MNT should be Large VM. The cost of a Large VM is almost twice the medium.

is that means i need 4X3595 Appliances ( or equivalent VM-Basically, Large VMS) for PAN and MNT

Damien Miller · ‎07-22-2019

I don't want to step on any toes, but you are correct, you do not need 256 GB VM's for a distributed deployment. There might be some confusion there if they are referring to the 3595 as the large VM which at one point in the past it was.

A distributed deployment has been tested and is supported using medium or large VM's for the PAN and MNTs, slight variation based on the version you deploy, 2.4 vs 2.6.

You are good to run 4x 3595 for pan/mnt's, or 4x 3655/3695.

thilinar8 · ‎07-23-2019

Hi Damien,

Thanks for the information