ISE PSN performance metrics

skawai
Cisco Employee

Hi Team,

I am looking for performance metrics of ISE PSN.

The customer has plans to deploy WLAN with the following requirements.

How do we calculate the number of PSNs when using multiple features at the same time?

[Customer requirements]

- WLAN client: 20,000 devices (Mobile phone and PCs)

- WLAN AP (Aironet2800): 2,000 units

- RADIUS Authentication (EAP-TLS)

- Guest Access (PEAP)

- TrustSec policies are distributed to 300 Cat3K Switches

- All WLAN devices must be authenticated within 20 minutes

The following document shows RADIUS authentications per second with a PSN-only persona. However, it does not take into consideration the load when using TrustSec at the same time.

ISE Performance & Scale

https://communities.cisco.com/docs/DOC-68347

Best Regards,

Shinichi

Accepted Solutions

Craig Hyps
Level 10

A bit of clarification on performance and scale testing...

Cisco performs a number of different performance and scale tests including but not limited to:

  • Individual feature performance without any other features running (or minimally running)
  • End to end testing for complete flows of specific features.
  • Scale testing for multiple services running concurrently.  Not necessarily every feature is turned on, but we do test with most common features with a degree of complexity to represent a production network and validate for total scale of a deployment.
  • Complex multi-service flow tests to better represent different vertical deployment scenarios.

Although we do verify scale for total deployment and individual PSN scale as called out in the Community page, this does not mean that every endpoint is configured for every possible service at max capacity at the max TPS possible.

In summary, there is nothing you mention in your setup that raises any major concerns in terms of scale. However, I would refer to the TrustSec scaling pages to validate SGT scale for number of nodes, SGACLs, and SXP if applicable. Whether two 3595s would be sufficient is not totally clear since only partial details were provided. The HLD templates help with sizing since they attempt to take all factors into consideration, including distribution of services.

/Craig

Nidhi
Cisco Employee

Cisco Live BRKSEC-3699 Designing ISE for Scale & High Availability by Craig Hyps

This might give you performance metrics.


Thanks,

Nidhi

skawai
Cisco Employee

Hi Nidhi,

Thanks for the useful documentation. I will use it as a reference.

Shinichi
