cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1358
Views
20
Helpful
6
Replies

ISE Design and Scalability 70K endpoints

Hi all, 

I have to design an ISE deployment for 70000 enpoints. Let's assume that we use the 3595 appliance and we want a full HA system. How many ISE nodes do I need?

The designs guides are not clear to me. They jump from 20000 nodes up to 500000 nodes, but they do not explain how endpoints are increased by each PSN node. Watching Cisco live videos about the topic, it seems like even Cisco have no clue, it's like let's add nodes and see how it goes and if the system poorly performs, let's add more nodes. 

Thanks in advance, 

Help, 

2 Accepted Solutions

Accepted Solutions

Rahul Govindan
VIP Alumni
VIP Alumni

For anything above 20000 endpoints, you would need to have a large deployment - separate Admin, MnT and PSN nodes. For ISE 2.1 and above, each SNS 3595 PSN can support up to 40000 endpoints. With that in mind, you would need:

1) At least 1 dedicated Admin node (2 recommended for HA)

2) At least 1 dedicated Monitoring node (2 recommended for HA)

3) 2 PSN nodes to support a total of 80000 endpoints. Since your requirement number is close to the supported limit, you might want to consider even 3 PSN's so that each node does not reach its peak value.

So I were to build this, I would have a total of seven 3595 nodes (2 Admin, 2 MnT and 3 PSN).

Reference:

http://www.cisco.com/c/en/us/td/docs/security/ise/2-1/install_guide/b_ise_InstallationGuide21/b_ise_InstallationGuide21_chapter_00.html

Hope this helps.

View solution in original post

Rahul is correct.

The key difference from the slide you shared is that scenario has Admin and MnT personae shared on a single appliance. Once you break those out onto separate appliances, the scaling opens up to the per-PSN numbers that Rahul correctly cited.

View solution in original post

6 Replies 6

Rahul Govindan
VIP Alumni
VIP Alumni

For anything above 20000 endpoints, you would need to have a large deployment - separate Admin, MnT and PSN nodes. For ISE 2.1 and above, each SNS 3595 PSN can support up to 40000 endpoints. With that in mind, you would need:

1) At least 1 dedicated Admin node (2 recommended for HA)

2) At least 1 dedicated Monitoring node (2 recommended for HA)

3) 2 PSN nodes to support a total of 80000 endpoints. Since your requirement number is close to the supported limit, you might want to consider even 3 PSN's so that each node does not reach its peak value.

So I were to build this, I would have a total of seven 3595 nodes (2 Admin, 2 MnT and 3 PSN).

Reference:

http://www.cisco.com/c/en/us/td/docs/security/ise/2-1/install_guide/b_ise_InstallationGuide21/b_ise_InstallationGuide21_chapter_00.html

Hope this helps.

Hello, 

thank you for your answer, very helpful. But I still have doubts about how ISE scales. According to Cisco with 

2 x Admin+Monitor+pxGRID
5 x PSNs

Only 20000 users are supported (see file attached). But according to your calculation, we should support much more endpoints, This is what is misleading me.

regards, 

Rahul is correct.

The key difference from the slide you shared is that scenario has Admin and MnT personae shared on a single appliance. Once you break those out onto separate appliances, the scaling opens up to the per-PSN numbers that Rahul correctly cited.

So, once we split up Admin and MnT personas into different appliance, the number of endpoints supported increases linearly with the PSNs? thanks

Yes, it scales pretty much linearly up to the maximum of 500k endpoints.

Even though you can have up to 50 PSNs in a deployment, that's more to support geographic distribution of PSNs in very large deployments than it is to support 50 x 40,000 = 2 million endpoints.

Would it be possible to have 1 admin, 1 monitor, and then 1 admin/monitor backup? I am getting ready for a large deployment and I can deploy 6 servers between 2 DCs.  I have 25,000 base licenses and a TACACs license, and I was going to deploy:

1 admin

1 monitor

1 admin/monitor backup

3 policy nodes

 

I was also wondering:

Is it possible to mix and match servers?

Example

3495 admin node

3595 policy node

 

Thanks,

Alex

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: