ISE Deployment

Eugen Bitca
Level 1

Hi,

 

We have the following ISE deployment with maximum number of session 5000:

Node 1 - Running Admin(Primary) + MnT (Secondary) + PSN [CPU 14, RAM 24GB, Disk 600GB]
Node 2 - Running Admin(Secondary) + MnT (Primary) + PSN [CPU 14, RAM 24GB, Disk 600GB]
Node 3 - PSN [CPU 14, RAM 20GB, Disk 400GB]

with 2 small VM licenses and 1 medium VM license.

ISE Version: 2.7.0.356, patch 2

 

According to the Cisco documentation this is not a supported scenario.
Once you install a PSN outside of the node running Admin and/or MnT, it's a distributed hybrid model, and policy services need to be disabled on any node running Admin and/or MnT.

Also, this is a medium deployment, and per node we should have at least
24 CPU, 96 GB RAM and 600 GB disk capacity.

 

But all 3 nodes work properly and I have no license warning.

Can we add one more PSN (small VM license) with hardware options identical to Node 3, and what deployment model should be used?

 

Thank you

18 Replies

@Eugen Bitca 

As you've only got 5000 maximum sessions, use nodes 3 and 4 as dedicated PSN and use nodes 1 & 2 as Primary PAN/MnT and Secondary PAN/MnT.

 

Where did you get those VM specs from? For ISE 2.7 it's 16 CPU and 32 GB RAM for small.

300 GB should suffice for a dedicated PSN node.

https://www.cisco.com/c/en/us/td/docs/security/ise/2-7/InstallGuide27/b_ise_InstallationGuide27/b_ise_InstallationGuide27_chapter_01.html

 

https://www.cisco.com/c/en/us/td/docs/security/ise/performance_and_scalability/b_ise_perf_and_scale.html

Hi Rob,

 

If I understand correctly, in a 4-node deployment I can have Node 1 as Primary PAN/MnT, Node 2 as Secondary PAN/MnT, and Nodes 3 & 4 as dedicated PSNs, and for all 4 nodes we may have small VM licenses (qty 4) with hardware specs of 16 CPU and 32 GB RAM per node.

I was thinking that because it is more than 2 nodes, it is a medium deployment, which requires medium VM licences with hardware specs of 24 CPU and 96 GB RAM.

 

 

Thank you

Hi @Eugen Bitca ,

Have you considered the possibility of having 2x small deployment clusters?

Cluster A and Cluster B (all nodes SNS 3615):

Node 1: PPAN, PMnT and PSN

Node 2: SPAN, SMnT and PSN

Note: for details of the SNS 3615 ... please take a look at the Performance and Scalability Guide for ISE.

 

Hope this helps !!!

Hi,

 

Having 2x small deployment clusters means having 2x licenses (Base, Plus, ...) for each deployment.

 

In the existing deployment:

Node 1 - Running Admin(Primary) + MnT (Secondary) + PSN [CPU 14, RAM 24GB, Disk 600GB]
Node 2 - Running Admin(Secondary) + MnT (Primary) + PSN [CPU 14, RAM 24GB, Disk 600GB]
Node 3 - PSN [CPU 14, RAM 20GB, Disk 400GB]

with 2 small VM licenses and 1 medium VM license.

 

As per the design it is a medium deployment (more than 2 nodes), but the hardware specs are for a small deployment, and this mix works perfectly; I have no problem at all, so it seems that in a medium deployment there is no need to have medium VM licenses.

 

 

Thank you

 

Hi @Eugen Bitca ,

If you use Smart Licensing, then both clusters are able to get "one pool of licenses".

 

Hope this helps !!!

ComputerRick
Cisco Employee

I'm not sure where in the documentation you found that your deployment would not be supported. Per the 2.7 Admin Guide (linked below) it states "Depending on your performance needs, you can scale your deployment. Each Cisco ISE node in a deployment can assume any of the following personas: Administration, Policy Service, and Monitoring." You should keep in mind that the Admin and Monitoring nodes do have additional workloads, so you should consider that when configuring Network Access Devices and the order of RADIUS or TACACS servers.

 

You can absolutely have 2 nodes with all three personas and still add a couple dedicated PSNs as needed.

 

Also, licensing is based on the VM sizing or resources allocated, not the deployment overall. A small VM can absolutely be used in a deployment of 20+ ISE nodes. Typically, you should scale the VM resources based on the persona and the number of sessions that it'll be authenticating.

 

Hope this clears it up for you. Please mark the correct solution.

 

Admin Guide: https://www.cisco.com/c/en/us/td/docs/security/ise/2-7/admin_guide/b_ise_27_admin_guide/b_ISE_admin_27_overview.html

Hi,

 

"You can absolutely have 2 nodes with all three personas and still add a couple dedicated PSNs as needed."

This is what I was looking for; it is clear now.

So I can add one more PSN to the existing deployment with a small VM license.

 

Thank you very much.

 

 

I apologise that you seem to be getting differing information, but I can assure you that running 2x nodes with all 3 personas (PAN, MnT, PSN) plus additional dedicated PSN nodes (even if only one additional PSN) is NOT a design/architecture that has been validated by the ISE developer/BU teams and is therefore against Cisco best practice. If you run into performance issues in the future and need to seek support by TAC, they will very likely request that you change your architecture to a validated one for support.

The current guidance from the BU is documented in the https://cs.co/ise-scale guide.

It is possible to use the 'small' platform based on the SNS-3615 in a Hybrid model, but it would depend on the maximum number of concurrent sessions you need to support.

You can find much more detailed information on scaling ISE (directly from the BU) in the Cisco Live presentation for

Hi Greg,

 

In a 4-node deployment:

Node 1 as Primary PAN/MnT,

Node 2 as Secondary PAN/MnT,

Nodes 3 & 4 as dedicated PSNs.

 

Maximum number of concurrent sessions - 5000.

 

Can we have small VM licenses (qty 4) with hardware specs of 16 CPU and 32 GB RAM per node (SNS-3615)?

Does a medium deployment require medium VM licenses?

 

 

Thank you

@Greg Gibbs - It may not be a validated design, but it does function. In reaching out to fellow TAC engineers, we'd follow the evidence if there's an issue, prior to denying support based solely on a 3-node design.

I also reached out to the BU and discussed it, there are no issues with a design that includes 3 nodes.

That being said, there is certainly consideration based on load and sessions, as well as the sizing. Cisco Best Practice is a guideline that for specific use cases often requires modification.

I was the security engineer for a health organization spread out over a chain of islands. We had a standalone deployment, with the Admin/MnT nodes in our 2 data centers. We had a couple of smaller sites that would often lose network access due to weather, being connected by microwave. Putting PSNs at those sites was recommended and supported by Cisco, so that we could maintain security without compromising access. When a site lost network access, the PSN could still perform dot1x using a local DC. To be clear, we didn't exceed the Small Deployment session guidelines at any point.

 

Be aware that adding one or two PSNs is fine, but as sessions and endpoints increase, keep in mind moving to a medium deployment.

I should ask this: Are you adding a PSN to increase the total number of sessions, for geographic reasons, or something else?
I would caution that if you are adding PSNs to increase the max sessions, it will likely need a design review. If you're doing it for something else, like geographic reasons or redundancy, as in my post below, then it would be less likely to have performance issues.

Hi,

 

We want to add a PSN not to increase the number of sessions (max. 5000) but for redundancy; we have a WAN divided into 2 geographical areas, so I would like to have a PSN in each one.

 

Thank you

Do you only have 2 locations, and is having the 2 standalone nodes, 1 at each, not sufficient? Also, max sessions for 2 small VMs should be 10k.
As I mentioned above, putting a dedicated PSN at a remote site is a great use case for redundancy. In my situation, I used small VMs and it was more than capable.

 

Based on the limited info you've shared, it does seem like it would be a good idea for you to do something like what we've been discussing.

I have attached the topology of the ISE deployment.