ISE: Recommended Values for Connection Limit, Rate limit and Syn-flood

Nikhil Jadhav
Level 1

Hello Everyone,

I am working with a customer to ensure ISE is configured with the best practices.

Can anyone please help me out with the recommended values for Connection Limit, Rate Limit and SYN-Flood?

Also, is there a way to calculate average TCP, UDP, ICMP packets received by ISE?

Thank you,

1 Accepted Solution

thomas
Cisco Employee

> Can anyone please help me out with the recommended values for Connection Limit, Rate Limit and SYN-Flood?

We do not have any specific guidance. ISE is an AAA server with TACACS and RADIUS request-response protocols. Rates are environment and scenario-dependent (university wireless at the top of the hour vs wired manufacturing IoT). TACACS rates can be slow with human users and insane with automation. RADIUS supports many EAP tunnels and methods, each with their own performance rates.

 

> Also, Is there a way to calculate Average TCP, UDP, ICMP packets received by ISE?

Use a sniffer or run a packet capture on your ISE nodes?  Operations > Troubleshoot > Diagnostic Tools > General Tools > TCP


2 Replies

Arne Bier
VIP

Hi @Nikhil Jadhav 

 

Great question. 

I would recommend running a tcpdump on the PSNs at busy hour and then analysing the results in Wireshark (filter on TCP SYN packets).

Or run a report on ISE to see how many requests you're getting per node per second. 

I guess the danger in setting these values is that you could end up making the service worse if the values are too low.

If you think about it, a PSN that is hosting a web portal is probably a good candidate for SYN flood protection. It would be quite a busy node that is processing 100 SYN packets per second. You could start with that and then use a tool like JMeter to try and hammer the PSN with a SYN flood to test that your config works ... in a lab, of course.

 

As for the connection limits for UDP etc., not sure if I would set those.

A somewhat useless guide here ...
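Both replies suggest the same measurement: capture traffic on the PSN at busy hour and count what arrives per second. As an added example (not code from either reply, nor from Cisco), here is a Python script that does that counting over tcpdump -nn text output: it keeps only packets addressed to the PSN, reports average and peak TCP/UDP/ICMP packets per second plus the peak pure-SYN rate (SYN-ACKs from the node itself are excluded), and then lists the seconds in the capture that would exceed a candidate SYN-flood threshold, which is the "too low a value makes the service worse" check before committing a number. The capture lines, the PSN address 10.0.0.10 and the threshold values are constructed for illustration; IPv4 only, and a capture that crosses midnight is not handled.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of `tcpdump -nn` output for a PSN at 10.0.0.10 (not a real capture).
# Line 2 is the PSN's own SYN-ACK and must not be counted as inbound load.
SAMPLE_CAPTURE = """\
10:00:00.100000 IP 10.1.1.5.51000 > 10.0.0.10.443: Flags [S], seq 1, win 64240, length 0
10:00:00.100500 IP 10.0.0.10.443 > 10.1.1.5.51000: Flags [S.], seq 2, ack 2, win 65160, length 0
10:00:00.101000 IP 10.1.1.5.51000 > 10.0.0.10.443: Flags [.], ack 1, win 502, length 0
10:00:00.200000 IP 10.1.2.7.49152 > 10.0.0.10.1812: UDP, length 180
10:00:00.250000 IP 10.1.2.7.49153 > 10.0.0.10.1812: UDP, length 176
10:00:00.300000 IP 10.1.3.9 > 10.0.0.10: ICMP echo request, id 1, seq 1, length 64
10:00:01.000000 IP 10.1.1.6.51001 > 10.0.0.10.443: Flags [S], seq 1, win 64240, length 0
10:00:01.050000 IP 10.1.1.7.51002 > 10.0.0.10.443: Flags [S], seq 1, win 64240, length 0
10:00:01.400000 IP 10.1.2.8.49154 > 10.0.0.10.49: Flags [S], seq 1, win 64240, length 0
10:00:02.000000 IP 10.1.2.7.49155 > 10.0.0.10.1813: UDP, length 120
"""

# Default tcpdump timestamp (HH:MM:SS.frac); a leading date from `-tttt` is tolerated.
LINE_RE = re.compile(
    r"^(?:\d{4}-\d{2}-\d{2} )?"
    r"(\d{2}):(\d{2}):(\d{2})\.(\d+) IP "
    r"(\S+) > (\S+?): (.*)$"
)
FLAGS_RE = re.compile(r"Flags \[([^\]]*)\]")


def parse_line(line):
    """Return (second, proto, is_pure_syn, dst_ip) for one tcpdump line, or None if unparseable."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    hh, mm, ss, _frac, _src, dst, rest = m.groups()
    second = int(hh) * 3600 + int(mm) * 60 + int(ss)  # whole-second bucket
    # tcpdump prints host.port for TCP/UDP and a bare host for ICMP
    dst_ip = dst.rsplit(".", 1)[0] if dst.count(".") == 4 else dst
    flags = FLAGS_RE.search(rest)
    if flags:
        f = flags.group(1)
        # [S] is a client SYN; [S.] is a SYN-ACK, which is not connection-opening load
        return second, "tcp", ("S" in f and "." not in f), dst_ip
    if rest.startswith("ICMP"):
        return second, "icmp", False, dst_ip
    if rest.startswith("UDP") or rest.startswith("RADIUS"):
        return second, "udp", False, dst_ip
    return second, "other", False, dst_ip


def rate_summary(capture_text, ise_ip):
    """Inbound per-second rates toward ise_ip: average and peak per protocol, peak pure-SYN rate."""
    per_sec = defaultdict(Counter)  # second -> Counter of tcp/udp/icmp/syn
    for line in capture_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        second, proto, is_syn, dst_ip = parsed
        if dst_ip != ise_ip:
            continue  # only count what the node receives
        per_sec[second][proto] += 1
        if is_syn:
            per_sec[second]["syn"] += 1
    if not per_sec:
        return {}
    span = max(per_sec) - min(per_sec) + 1  # seconds covered, idle seconds included
    totals = Counter()
    for c in per_sec.values():
        totals.update(c)
    protos = ("tcp", "udp", "icmp")
    return {
        "span_seconds": span,
        "avg_per_sec": {p: totals[p] / span for p in protos},
        "peak_per_sec": {p: max(c[p] for c in per_sec.values()) for p in protos + ("syn",)},
        "syn_per_sec": {s: c["syn"] for s, c in per_sec.items()},
    }


def seconds_over_threshold(summary, syn_threshold):
    """Seconds in the capture whose inbound pure-SYN count exceeds a candidate SYN-flood limit."""
    return sorted(s for s, n in summary.get("syn_per_sec", {}).items() if n > syn_threshold)


if __name__ == "__main__":
    summary = rate_summary(SAMPLE_CAPTURE, "10.0.0.10")
    print("average pkt/s:", summary["avg_per_sec"])
    print("peak pkt/s:", summary["peak_per_sec"])
    for threshold in (2, 3):
        print(f"seconds that would trip a {threshold} SYN/s limit:",
              seconds_over_threshold(summary, threshold))
```

To feed it a real capture, export the pcap from the ISE TCP Dump tool and run `tcpdump -nn -r capture.pcap > capture.txt`, then pass the file contents as `capture_text`. The useful numbers are the peaks over a busy-hour capture, not the averages: a connection or SYN limit set near the average will be exceeded many times an hour by legitimate traffic.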

 
