ISE Design and Scalability 70K endpoints

Hi all, 

I have to design an ISE deployment for 70000 endpoints. Let's assume that we use the 3595 appliance and we want a full HA system. How many ISE nodes do I need?

The design guides are not clear to me. They jump from 20000 nodes up to 500000 nodes, but they do not explain how endpoints are increased by each PSN node. Watching Cisco Live videos about the topic, it seems like even Cisco have no clue; it's like let's add nodes and see how it goes, and if the system performs poorly, let's add more nodes.

Thanks in advance, 

Help, 

Rahul Govindan
VIP Alumni

For anything above 20000 endpoints, you would need to have a large deployment - separate Admin, MnT and PSN nodes. For ISE 2.1 and above, each SNS 3595 PSN can support up to 40000 endpoints. With that in mind, you would need:

1) At least 1 dedicated Admin node (2 recommended for HA)

2) At least 1 dedicated Monitoring node (2 recommended for HA)

3) 2 PSN nodes to support a total of 80000 endpoints. Since your requirement number is close to the supported limit, you might want to consider even 3 PSNs so that each node does not reach its peak value.

So if I were to build this, I would have a total of seven 3595 nodes (2 Admin, 2 MnT and 3 PSN).

Reference:

http://www.cisco.com/c/en/us/td/docs/security/ise/2-1/install_guide/b_ise_InstallationGuide21/b_ise_InstallationGuide21_chapter_00.html

Hope this helps.

Hello, 

Thank you for your answer, very helpful. But I still have doubts about how ISE scales. According to Cisco, with

2 x Admin+Monitor+pxGRID
5 x PSNs

only 20000 users are supported (see file attached). But according to your calculation, we should support many more endpoints. This is what is misleading me.

Regards,

Rahul is correct.

The key difference from the slide you shared is that scenario has Admin and MnT personae shared on a single appliance. Once you break those out onto separate appliances, the scaling opens up to the per-PSN numbers that Rahul correctly cited.

So, once we split up the Admin and MnT personas onto different appliances, the number of endpoints supported increases linearly with the PSNs? Thanks

Yes, it scales pretty much linearly up to the maximum of 500k endpoints.

Even though you can have up to 50 PSNs in a deployment, that's more to support geographic distribution of PSNs in very large deployments than it is to support 50 x 40,000 = 2 million endpoints.
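
The sizing arithmetic from the replies above, as an added example that is not part of the original thread and is not Cisco tooling. It uses only the figures quoted here (40,000 endpoints per SNS 3595 PSN, dedicated nodes above 20,000, a 500k ceiling, 50 PSNs) and also checks whether the surviving PSNs stay within limits if one PSN fails; the 80% utilization target and the even spread of endpoints across PSNs are assumptions.

```python
import math
from dataclasses import dataclass

# Figures quoted in this thread for SNS 3595 on ISE 2.1 and above.
PSN_CAPACITY = 40_000         # endpoints per PSN
DEDICATED_THRESHOLD = 20_000  # above this: separate Admin, MnT and PSN nodes
MAX_ENDPOINTS = 500_000       # deployment-wide maximum
MAX_PSNS = 50                 # PSN limit per deployment


@dataclass
class Plan:
    admin: int
    mnt: int
    psn: int
    load_per_psn: int        # endpoints per PSN with every PSN up
    load_one_psn_down: int   # endpoints per surviving PSN after losing one

    @property
    def total_nodes(self) -> int:
        return self.admin + self.mnt + self.psn

    @property
    def survives_psn_loss(self) -> bool:
        return self.psn > 1 and self.load_one_psn_down <= PSN_CAPACITY


def size_deployment(endpoints: int, target_utilization: float = 0.8,
                    ha: bool = True) -> Plan:
    """Size a dedicated-node deployment.

    Assumptions (not from Cisco documentation): endpoints spread evenly
    across PSNs, and target_utilization is a chosen headroom factor.
    """
    if not DEDICATED_THRESHOLD < endpoints <= MAX_ENDPOINTS:
        raise ValueError("outside the 20,001-500,000 range discussed here")
    if not 0 < target_utilization <= 1:
        raise ValueError("target_utilization must be in (0, 1]")
    psn = math.ceil(endpoints / (PSN_CAPACITY * target_utilization))
    if ha:
        # Add PSNs until the survivors of a single PSN failure stay in limits.
        psn = max(psn, 2)
        while math.ceil(endpoints / (psn - 1)) > PSN_CAPACITY:
            psn += 1
    if psn > MAX_PSNS:
        raise ValueError("needs more than 50 PSNs")
    admin = mnt = 2 if ha else 1
    return Plan(admin, mnt, psn, math.ceil(endpoints / psn),
                math.ceil(endpoints / max(psn - 1, 1)))
```

For the 70,000-endpoint case in this thread, `size_deployment(70_000)` returns 3 PSNs and 7 nodes in total, and shows that a two-PSN design would leave a single survivor carrying 70,000 endpoints after a failure.
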

Would it be possible to have 1 admin, 1 monitor, and then 1 admin/monitor backup? I am getting ready for a large deployment and I can deploy 6 servers between 2 DCs. I have 25,000 base licenses and a TACACS license, and I was going to deploy:

1 admin

1 monitor

1 admin/monitor backup

3 policy nodes

 

I was also wondering:

Is it possible to mix and match servers?

Example

3495 admin node

3595 policy node

 

Thanks,

Alex