03-14-2017 10:56 AM - edited 03-11-2019 12:32 AM
Hi all,
I have to design an ISE deployment for 70000 endpoints. Let's assume that we use the 3595 appliance and we want a full HA system. How many ISE nodes do I need?
The design guides are not clear to me. They jump from 20000 nodes up to 500000 nodes, but they do not explain how endpoints are increased by each PSN node. Watching Cisco Live videos about the topic, it seems like even Cisco have no clue; it's like let's add nodes and see how it goes, and if the system performs poorly, let's add more nodes.
Thanks in advance,
Help,
03-14-2017 11:31 AM
For anything above 20000 endpoints, you would need to have a large deployment - separate Admin, MnT and PSN nodes. For ISE 2.1 and above, each SNS 3595 PSN can support up to 40000 endpoints. With that in mind, you would need:
1) At least 1 dedicated Admin node (2 recommended for HA)
2) At least 1 dedicated Monitoring node (2 recommended for HA)
3) 2 PSN nodes to support a total of 80000 endpoints. Since your requirement number is close to the supported limit, you might want to consider even 3 PSNs so that each node does not reach its peak value.
So if I were to build this, I would have a total of seven 3595 nodes (2 Admin, 2 MnT and 3 PSN).
Reference:
http://www.cisco.com/c/en/us/td/docs/security/ise/2-1/install_guide/b_ise_InstallationGuide21/b_ise_InstallationGuide21_chapter_00.html
Hope this helps.
03-16-2017 05:54 AM
Hello,
Thank you for your answer, very helpful. But I still have doubts about how ISE scales. According to Cisco, with
2 x Admin+Monitor+pxGRID
5 x PSNs
only 20000 users are supported (see file attached). But according to your calculation, we should support many more endpoints. This is what is misleading me.
Regards,
03-16-2017 06:56 AM
Rahul is correct.
The key difference from the slide you shared is that scenario has Admin and MnT personae shared on a single appliance. Once you break those out onto separate appliances, the scaling opens up to the per-PSN numbers that Rahul correctly cited.
03-16-2017 07:37 AM
So, once we split up the Admin and MnT personas onto different appliances, the number of endpoints supported increases linearly with the PSNs? Thanks.
03-16-2017 09:01 AM
Yes, it scales pretty much linearly up to the maximum of 500k endpoints.
Even though you can have up to 50 PSNs in a deployment, that's more to support geographic distribution of PSNs in very large deployments than it is to support 50 x 40,000 = 2 million endpoints.
10-26-2017 01:45 PM
Would it be possible to have 1 admin, 1 monitor, and then 1 admin/monitor backup? I am getting ready for a large deployment and I can deploy 6 servers between 2 DCs. I have 25,000 base licenses and a TACACS license, and I was going to deploy:
1 admin
1 monitor
1 admin/monitor backup
3 policy nodes
I was also wondering:
Is it possible to mix and match servers?
Example
3495 admin node
3595 policy node
Thanks,
Alex