Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
876
Views
5
Helpful
4
Replies

ISE Design queries

Go to solution
dngore
Cisco Employee
Cisco Employee

‎12-12-2019 08:39 PM - edited ‎12-12-2019 08:52 PM

Hi Team,

Want to check below design possibility for 25K users (will increase 20% - 30% in future)

  • PAN-MNT on single 3695 node ( as per guide, it can support 50K in hybrid deployment)
  • Two 3655 as PSN (can handle 25K sessions per PSN in hybrid deployment)

Will above sizing with mix of 3695 and 3655 work?

 

Second query: Can existing license (base, plus & Apex) from two ha ISE node setup can be re-hosted on new ISE setup (hybrid)?

1 Accepted Solution

Accepted Solutions

Go to solution
Damien Miller
VIP Alumni
VIP Alumni
In response to dngore

‎12-12-2019 09:07 PM

They are, traditional PAK licenses can be rehosted by the individual that fulfilled them on the licensing portal in a self service fashion. If that individual is no longer available, then TAC is able to assist with migrating the licenses.

An ideal alternative would be to get the licences converted to the customers smart license account if they are not already. This way multiple ISE deployments are able to leverage the same license pool at the same time. The exception being VM and TACACS node licenses where you need 1:1 based on deployed usage. It avoid the requirement to rehost / migrate licenses in the future.

View solution in original post

0 Helpful
4 Replies 4

Go to solution
Damien Miller
VIP Alumni
VIP Alumni

‎12-12-2019 08:54 PM - edited ‎12-12-2019 08:55 PM

One slight correction on this. When you are running in a hybrid design, the dedicated PSNs will have the capacity of a true dedicated node but the deployment is limited by the shared PAN/MNT nodes.

So the 2x 3695's running PAN/MNT are providing you with a total 50k active endpoint capacity as you mentioned. The 2x 3655 PSNs actually have capacity to handle all endpoint auth on a single node, 50k per, giving you 100% HA in a N+1 fashion.

You don't want to exceed 50k scaling, but each PSN can handle a full 50K each. This would be a suitable design providing capacity for patching and node failure scenarios. You would ideally balance endpoint auth 50% and 50% to balance load 25k per PSN.

If this if scoping 4 physical SNS appliances then it's a good solution. If you are looking at hosting this virtual, there is another solution that could be viable. Most VM teams don't like 256 GB VMs. Running 2x 3695 and 2x 3655 requires 706 GB of memory. Running a full dedicated deployment requires 576 GB memory, but more 48,000 more Mhz CPU, and a bit more disk. It really depends what the customer can support.

2x 3655 PAN
2x 3655 MNT
2x 3655 PSN

0 Helpful

Go to solution
dngore
Cisco Employee
Cisco Employee
In response to Damien Miller

‎12-12-2019 09:02 PM

Thx a lot Damien for quick reply. I got on sizing part.

 

How about re-hosting license from one setup to another? I think it is possible. Is it correct?

 

 

0 Helpful

Go to solution
Damien Miller
VIP Alumni
VIP Alumni
In response to dngore

‎12-12-2019 09:07 PM

They are, traditional PAK licenses can be rehosted by the individual that fulfilled them on the licensing portal in a self service fashion. If that individual is no longer available, then TAC is able to assist with migrating the licenses.

An ideal alternative would be to get the licences converted to the customers smart license account if they are not already. This way multiple ISE deployments are able to leverage the same license pool at the same time. The exception being VM and TACACS node licenses where you need 1:1 based on deployed usage. It avoid the requirement to rehost / migrate licenses in the future.
0 Helpful

Go to solution
dngore
Cisco Employee
Cisco Employee
In response to Damien Miller

‎12-12-2019 09:57 PM

Thx a lot for this helpful reply.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents