ISE Architecture

darryldigsit
Cisco Employee

Two questions about ISE architecture. Customer currently has a standalone ISE deployment in DC1 and HA in DC2. Medium VMs running 2.4 for 6500 concurrent sessions. They want to add (resiliency) a branch office (BR1) and add DNAC functionality (introducing PXG). They only have enough resources at the new BR1 site for a small VM. They want the least additional resources possible for the additional location and PXG.

1) I am thinking of splitting up the current 2 Medium VMs (PAN+MnT+PXG on each), then adding 2 small VMs (or 3515s) for the PSN node to DC1 and BR1.  Any issues or considerations here?

2) Is there a more economical way to do this? (e.g., I have read that you can install all 4 personas on 1 standalone medium VM deployment. Possible? Supported?)

Thanks in advance!

1 Accepted Solution


Damien Miller
VIP Alumni
Option 1 you identified would work. The consideration would be that each 3515 supports up to 7500 active endpoints, and your total deployment with 3595 PAN/MNT would be capped at 20k. This would leave you in a good position based on the 6500 endpoints. The issue would be that your secondary RADIUS server for HA is no longer in the DC, but at a less reliable branch, maybe with bandwidth constraints. I would prefer having a PSN in each DC with the PAN/MNT/PXG nodes, and then a third 3515 in the branch for its own primary.

You can run all personas on a single node, or two nodes for HA (between 7500 total endpoints and up to 50k on 2.6+3695). This is called a standalone deployment in the design guides. If you want branch resiliency though, that pushes you into a hybrid design, moving to a PSN authentication services layer like in the option above.

If VMware resources are an issue, hardware appliances could be leveraged at the same time as virtual; you can mix the two.
