ISE Design question - scalability

thilinar8
Level 1

Hi,

Hope someone could help me.

We are in the process of deploying ISE in our organization. We have over 80 branches worldwide.

We will be doing a large-scale deployment. But, due to budget constraints, management is looking to cut down the number of PSNs. I need to give solid technical explanations of why we need x number of PSNs.

Solution:-

ISE PAN (HA)

MnT - single node

2 main PSNs (HA) - one PSN per data centre

* latency is less than 300ms for all the branches when

* we have a few sites with nearly 100 staff, and the others vary between 5-50

**************************************************************************

Do we need a PSN for each site where the number of users is high (close to 100)?

What are the base requirements to put a PSN in a remote site?

Accepted Solutions

howon
Cisco Employee

For 100 sessions, I would not recommend hosting a local PSN. If the concern is around network access during ISE failure, I would suggest looking into designing the network for fail open in case of ISE failure. Although the decision to have a local PSN can be based on many factors, such as WAN quality, existence of an AD server, and the number of users and endpoints, you generally would not need to consider one unless there are more than 3k concurrent sessions at a single location. Also, I would suggest that you make the MnT node an HA pair as well.

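One concrete form of the "fail open in case of ISE failure" design that howon recommends, added here as an illustration and not taken from either reply: a Catalyst IOS access-switch configuration (legacy auth-manager syntax) that declares the PSNs dead after repeated RADIUS timeouts, authorizes affected ports into a critical VLAN while no server is reachable, and re-initializes them once a PSN answers again. The server names, addresses, VLAN numbers, probe username and shared key are assumed placeholders; substitute your own.

```ios
! Two PSNs, one per data centre, as in the original design (placeholder addresses)
radius server ISE-DC1
 address ipv4 10.0.0.10 auth-port 1812 acct-port 1813
 key REPLACE_WITH_SHARED_SECRET
 ! proactive keepalive so a dead PSN is noticed before users are affected
 automate-tester username probe-user-placeholder probe-on
radius server ISE-DC2
 address ipv4 10.0.1.10 auth-port 1812 acct-port 1813
 key REPLACE_WITH_SHARED_SECRET
 automate-tester username probe-user-placeholder probe-on
!
aaa group server radius ISE-PSNS
 server name ISE-DC1
 server name ISE-DC2
!
! Mark a server dead after 3 unanswered requests within 5 seconds,
! and do not retry it for 15 minutes (the switch fails over to the other PSN first)
radius-server dead-criteria time 5 tries 3
radius-server deadtime 15
!
aaa new-model
aaa authentication dot1x default group ISE-PSNS
aaa authorization network default group ISE-PSNS
aaa accounting dot1x default start-stop group ISE-PSNS
!
! Allow 802.1X supplicants to succeed while servers are down
dot1x system-auth-control
dot1x critical eapol
!
! Example access port: VLAN 100 is both the normal data VLAN and the critical VLAN,
! so an outage leaves branch users on their usual network instead of locked out
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 100
 switchport voice vlan 200
 authentication port-control auto
 authentication host-mode multi-domain
 authentication event server dead action authorize vlan 100
 authentication event server dead action authorize voice
 authentication event server alive action reinitialize
 dot1x pae authenticator
 mab
```

The trade-off to state to management: with this in place, a branch losing WAN reachability to both data centres keeps working on its local VLAN without a local PSN, but during that window no per-user authorization (dACLs, SGTs, posture) is applied, so the critical VLAN should carry only the access you are prepared to grant unauthenticated. Verify behaviour with `show aaa servers` (server state and dead-time) and `show authentication sessions interface GigabitEthernet1/0/1 details` (the session should report the critical-auth state while the PSNs are down).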

Damien Miller
VIP Alumni

I have some customers that want ISE nodes at critical facilities, but I would argue that this should be handled a different way. If a site is so critical that it requires a dedicated ISE node, it should have two WAN circuits, two routers, and you should have ISE hosted in two data centers. This way you have survivability via two fault domains.

Authentication latency below 5 seconds is typically fine; users will have many other issues if your link wasn't capable of this. Authentication traffic load is typically quite low. I would avoid placing PSNs at remote sites unless there is an absolute need.

I am with @howon; I would go even further and look at having just two nodes, one in each data center, hosting the admin, MnT, and PSN roles. Two-node deployments are able to scale between 7,500 and 50,000 active endpoints depending on the ISE version and template deployed.


3 Replies


Hi howon and Damien,

Thank you so much for your valuable advice.
