cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
4376
Views
110
Helpful
18
Replies

ISE Deployment

Eugen Bitca
Level 1
Level 1

Hi,

 

We have the following ISE deployment with maximum number of session 5000:

Node 1 - Running Admin(Primary) + MnT (Secondary) + PSN [CPU 14, RAM 24GB, Disk 600GB]
Node 2 - Running Admin(Secondary) + MnT (Primary) + PSN [CPU 14, RAM 24GB, Disk 600GB]
Node 3 - PSN [CPU 14, RAM 20GB, Disk 400GB]

with 2 small VM licenses and 1 medium VM license.

ISE Version: 2.7.0.356. patch 2

 

According to the Cisco documentation this is not a supported scenario.
Once you install a PSN outside of the node running admin and/or MNT then its a distributed hybrid model and policy services needs to be disabled on any node running admin and/or MNT.

Also this is a medium deployment and per node we should have at least
CPU 24, RAM 96G, Disk Capacity 600G.

 

But all 3 nodes work properly and I have No license warning.


Can we add one more PSN(small VM license) with hw options identical to Node 3 and what deployment model should be used?

 

Thank you

18 Replies 18

That is a great example.  Are you using Active Directory for users?  If so, you'll need an AD server (or any other external ID source) at the remote site to ensure functionality if your WAN link goes down.  Otherwise, the PSN would fail authentications.

As Greg said above, if there are performance issues, it may require a design review.
Do you have users authenticating directly against the ISE nodes in the DC, just keep the session limits in mind, there is heavy IO on the Admin & Monitoring nodes, so if you have a lot of devices, removing the Policy Service from those and adding a PSN in the DC might be needed at some point.

Yes, AD on each site, as for the sessions, in DC - 1000 sessions, and 2000 sessions for each WAN region.

 

Thank you

Hi @Eugen Bitca ,

 putting all together, please consider the following options:

1) 2x Small Deployment Clusters using Smart Licensing ("one pool of licenses")?

Cluster A (all Nodes SNS 3615):

 Node 1: PPAN, PMnT and PSN1

 Node 2: SPAN, SMnT and PSN2

Cluster B (all Nodes SNS 3615):

 Node 1: PPAN, PMnT and PSN1

 Node 2: SPAN, SMnT and PSN2

2) 1x Hybrid Deployment (all Nodes SNS 3615

Cluster  (all Nodes SNS 3615 - max concurrent session of 10K):

 Node 1: PPANPMnT

 Node 2: SPAN & SMnT

 Node 3: PSN1

 Node 4: PSN2

Note: for details of the design ... please take a look at: Performance and Scalability Guide for ISE.

 

Hope this helps !!!

ComputerRick
Cisco Employee
Cisco Employee

You should be able to have a 4th node, if you can increase the specs to the 2.7 small VM, which should be 16 CPU/32 GB.

Be aware, this isn't Cisco Best Practice.  That being said, you are well within the number of endpoints for a standalone deployment.  There are also scenarios where best practice doesn't meet the cu needs and can be tailored.

 

The biggest factor to consider here is that the Admin and Monitoring nodes are transactionally heavy and there is extra IO to the hard disks.  If you're within the standalone endpoints and session maximums, you should be able to add a PSN.  Just keep in mind that there is a performance concern.

 

I would not split the deployment for several reasons, but if you do encounter performance issues or if the Admin node seems to be struggling or sluggish, you may need to change the personas on the nodes to distribute it out a little more.  This can also manifest with logs or reports taking a long time to generate.

 

HTH and please mark the solution.