ISE 2.6 Distributed Deployment with small VM (SNS 3615)

mikoconn
Cisco Employee

Hi,

Got a customer considering upgrade to ISE 2.6 using 'Small' VMs equivalent to SNS-3615 spec. Approx 20,000 total endpoints, assumed to be not all concurrent.

Had been looking at 6-node cluster of 2xPAN, 2xMNT, 2xPSN but Install Guide(1) and Performance and Scale page(2) don't provide data for this type of deployment. Is that because it's not supported, or not recommended, or just not tested?

Alternative may be to go to 4 'Medium' nodes (SNS-3655) with Hybrid model (2 x PAN+MNT, 2 x PSN) but that's more resources than the 6x3615, which is unfortunate.

(1) https://www.cisco.com/c/en/us/td/docs/security/ise/2-6/install_guide/b_ise_InstallationGuide26/b_ise_InstallationGuide_26_chapter_00.html#reference_A4A76D628B6847EDB1715F2C11C3B753

(2) https://community.cisco.com/t5/security-documents/ise-performance-amp-scale/ta-p/3642148#toc-hId--1992574445

ldanny
Cisco Employee

The 3615 will only support up to 10k concurrent sessions no matter the deployment model. That being said, it doesn't mean it won't work, but in terms of Cisco it's not supported.

Your best option is what you suggested.

If it’s under 10k "ACTIVE" endpoints then you can use the 3615

Damien Miller
VIP Alumni

You could also go with two 3655's instead of four. It's a supported deployment design to run all services on two nodes with HA support of 25k active endpoints. This way you would only have two 96 GB VMs/appliances and still have acceptable redundancy; I would lean this way.

Same thought process, you could do two 3615's running all services and support 10k active endpoints. There is no need to break the PSN's out unless it is being asked for, or targeted for a specific reason. An accurate estimate of active endpoints is important here.

Thank you for the responses @ldanny @Jason Kunst @Damien Miller, greatly appreciated.

I'm going to propose the 4 x 3655 hybrid cluster which gives 50,000 sessions total for the cluster and each PSN. Plenty of headroom and resilience. And if I need to scale out at a later date then it's a good place to be starting from.

Just to clarify here, even with 4x 3655's you still have a max of 25k active endpoints. If the PAN and MNT run on the same node(s), you can only support 25k active endpoints in this deployment.

The active endpoint count is determined by how the PAN/MNT are hosted and not what the PSN's can scale. A dedicated 3655 PSN can handle 50k per node, but with the PAN and MNT hosted on the same 3655, they are your limitation.

Standalone (all roles on one or two nodes)
3615 - 10k active
3655 - 25k active
3695 - 50k active

Hybrid (PAN and MNT on same node, up to 5 separate PSNs)
3615 - 10k active
3655 - 25k active
3695 - 50k active

There are no differences in active endpoints between standalone and hybrid deployment methods. Only dedicated deployments where the PAN, MNT and PSN's are hosted on their own nodes scale higher than these numbers.

Agreed. Looks like there might be a mistake in the install guide (there's certainly a discrepancy between it and the Performance and Scale page). @howon is aware.

The 2.6 Install Guide has been updated accordingly, thanks to @howon.