07-30-2019 07:39 AM - edited 07-30-2019 07:52 AM
Hi Expert,
I am seeking the best practice of ISE design.
1. From the ISE design guide, the maximum number of PSN nodes is 5 when PAN&MnT is on a single node and PSN is on dedicated nodes. How about if the PSN role is on the primary/secondary PAN&MnT nodes in the distributed deployment, how many dedicated PSN nodes could we have in this kind of cube? Is it possible to design like
Node1: Pri PAN&MnT+PSN
Node2: Sec PAN&MnT+PSN
Node3-7: 5 dedicated PSNs
OR
Node1: Pri PAN&MnT+PSN
Node2: Sec PAN&MnT+PSN
Node3-5: 3 dedicated PSNs
2. I have a customer that needs 20 PSN nodes in one distributed deployment. So from the design guide, we need separate PAN and MnT on dedicated ISE nodes and could have up to 50 dedicated PSNs supported. Which appliance or equivalent VM should I choose for the PAN and MnT nodes if I only need 20 dedicated PSNs? I only see 3595 and 3695 as PAN in the guide. What is the recommended appliance or equivalent VM for PAN/MnT in a separate PAN, MnT and PSN node design if the number of PSN nodes is not near 50?
07-30-2019 07:58 AM
1- None. If you run PAN + MnT + PSN on the same appliance, you cannot add more PSNs.
If you have a setup like node 1 - PAN+MnT, node 2 - PSN, in this case you can add 5 PSNs.
2- For 20 dedicated PSNs, you need a distributed deployment with personas running on separate nodes.
The sizing of the deployment depends on the number of concurrent sessions in the deployment.
I suggest starting with the Cisco Live session BRKSEC-3432 from San Diego 2019 to understand the best practices.
Thanks,
Nidhi
07-30-2019 08:13 PM
Thanks, Nidhi.
I went through BRKSEC-3432 and no answer was found for my second question. I just wanted to confirm whether we have to choose 3595 and 3695 as PAN and MnT when we only need maybe 10 or 20 dedicated PSNs.
07-30-2019 08:22 PM
07-30-2019 09:21 PM - edited 07-30-2019 09:42 PM
Thanks, Damien.
I found this in the 2.6 installation guide.
But it is not the same for 2.4, which mentions that the 3695 PAN supports a maximum of 500K, not 2,000,000 as in 2.6.
Also, I hope the team could update the ISE Performance & Scale page soon to clear up the confusion when making an ISE design.
07-30-2019 11:42 PM
Hi Nidhi,
1- Actually, we could do this without any warnings. All of the PSNs are working. Are there any problems?
I think this deployment can be used for the use case where the dedicated PSNs are the primary role and the PSNs on the PAN + MnT + PSN nodes are the backup role.
2- Does the ISE deployment type depend on the number of PSN nodes rather than the number of RADIUS sessions?
How about the case below:
If our customer has a total of 10 locations (2 DCs and 8 remote offices).
They would like to deploy ISE at each site, and the latency between the DCs and the remote sites is lower than 100 ms.
They only have around 50-100 user sessions at each site, 1000 sessions in total.
What deployment type would you propose and why? Please pay more attention to the fact that the total number of sessions in this case is only 1000.
07-30-2019 08:01 AM
There are only 4 supported ISE deployment models:
Once you move to #3 or #4 you cannot run PSN functionality on the PAN/M&Ts and still be running a supported model.
07-30-2019 08:08 PM
Thanks, Paul.
But how about my second question? The design guide only mentions that separate PAN and MnT on 3695 and 3595 could support up to 50 dedicated PSNs. Does it mean only 3595 and 3695 are supported in this kind of design? Or if we only need 10 or 20 dedicated PSNs, could we use 3615 or 3655 as PAN and MnT?
07-30-2019 10:59 PM
Of course it will work. From my point of view, there's no hard enforcement for this type of thing.
The only thing which is enforced, from my point of view, is that there are max. 2 PAN and 2 MnT nodes, and that's it.
I guess even the max. sessions outlined in these papers are not a hard limit.
The values are the scenarios validated and supported by Cisco.
The problem is that there are no estimates of how many sessions, PSN nodes and endpoints are supported on a fully distributed deployment using small appliances.
Again: I'm pretty sure it will work (heck, it works with tiny dimensioned VMs in my lab :) ). However, if there are no reliable scale numbers and there is no support from Cisco, I would only use the designs outlined in the Cisco documentation.