cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

1071
Views
2
Helpful
4
Replies
synaqvi
Cisco Employee

ISE 3595 & 3495 in same deployment

Team

My customer has a query about whether a 3595 is compatible with a 3495 in the same deployment. They would need to deploy a 3495 in one DC and a 3595 in a different DC for Guest access. Is that supported? Are there any specific guidelines that we need to follow to make it work? Understand that 3595 needs to run ISE 2.0.

1 ACCEPTED SOLUTION

Accepted Solutions
Jason Kunst
Cisco Employee

There is no h/w requirement against using different h/w across DC. From the s/w side you need the same s/w on these h/w.

But you need to be aware of the performance difference and see if this is OK.

The performance and scale for this is very different that needs to be understood. Also ISE 2.0.1/2.1 supports 3595 not ISE 2.0.

https://communities.cisco.com/docs/DOC-68347

Its ok to mix different appliances and VMs in your deployment as long as they are sized appropriately depending on how many clients they will be serving from a specific node or for the whole deployment and the persona they be running.

View solution in original post

4 REPLIES 4
Jason Kunst
Cisco Employee

There is no h/w requirement against using different h/w across DC. From the s/w side you need the same s/w on these h/w.

But you need to be aware of the performance difference and see if this is OK.

The performance and scale for this is very different that needs to be understood. Also ISE 2.0.1/2.1 supports 3595 not ISE 2.0.

https://communities.cisco.com/docs/DOC-68347

Its ok to mix different appliances and VMs in your deployment as long as they are sized appropriately depending on how many clients they will be serving from a specific node or for the whole deployment and the persona they be running.

Hi Jason,

I had a follow-up question on the mix of 3495/3595 that the sizing guide does not seem to address.

If the PAN/MNT nodes are 3495, but the PSNs are 3595, do we still get the max concurrent endpoints of 40K/PSN (with ISE 2.2), or does that require the PAN/MNT nodes to also be 3595?

Examples - Separate (4) PAN/MNT nodes on 3495, separate PSNs on 3595:

Max number of endpoints = 250K (limit of PAN/MNT hardware)

Max number of PSNs = 40 (limit of PAN hardware)

Max concurrent endpoints per PSN (all PSNs are 3595) = 40,000 (limit of PSN hardware?)

Can you please confirm if these are the limits for a mixed distributed deployment?

I would assume if the PSNs are also mixed 3495/3595, the supported limit would be 20,000 endpoints. Is that correct?

I would think that 20,000 would be the correct number. Did you ever get a response to this question?

Thanks,

Alex

You can mix and match

See table 1 - Cisco Identity Services Engine Installation Guide, Release 2.2  - Network Deployments in Cisco ISE [Cisco Identity Servi…

A deployment total amount of endpoints has to do with what your PAN/MNT is setup as.

With 3495 running as PAN/MNT we support up to 250k total active endpoints in a distributed deployment

Totally separate specification, You can run a PSN 3595 with a max of 40k endpoints in this same deployment.

ISE Performance & Scale

The resources of the PAN/MNT nodes don't restrict the capacity of the PSNs themselves.

Create
Recognize Your Peers
Content for Community-Ad

ISE Webinars


Miss a previous ISE webinar?
Never miss one again!

CiscoISE on YouTube