Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1152
Views
0
Helpful
3
Replies

ISE Scalability

sameesin
Cisco Employee
Cisco Employee

‎07-11-2018 07:22 AM

Hi,

As per the scalability giude, if I have a dedicated 3595 as PAN and a dedicated 3595 as MnT, then I can have a maximum concurrent session of 500,000. But for a 3595 as PSN, maximum concurrent session is 40,000. So does it mean that if I have multiple PSNs, then the maximum that I can have is 500,000.

And if so, then does this mean that my maximum concurrent session will depend upon the model that I am using for PSN.

Can I have a 3515 as PAN and a 3595 as a PSN attached to it?

Just trying to get some clarity.

0 Helpful
3 Replies 3

howon
Cisco Employee
Cisco Employee

‎07-11-2018 01:11 PM

Maximum concurrent session for the deployment is based on the PAN and MnT. You can get 500,000 concurrent endpoints in a deployment if the PAN and MnT is on 3595 or VM equivalent. Once you satisfy this number then each of the PSN (3595)  you add to the deployment can support 40,000 concurrent endpoints per box.

Although you can have 3515 as PAN and 3595 as a PSN but you will lose out as 3515 used as PAN can only support 7500 concurrent endpoint for the whole deployment.

0 Helpful

kvenkata1
Cisco Employee
Cisco Employee

‎07-11-2018 01:25 PM

ISE Performance & Scale

This is our one source of truth for ISE performance & scale.

In the first table, if you are referring to row 1 - Yes, 500,000 is the max concurrent sessions in a dedicated deployment. The 40,000 sessions number is per 3595 PSN. See ISE PSN performance table (table 3 from top)

Your max concurrent sessions will depend on your deployment type (standalone, hybrid or dedicated) and the type of hardware.

Between 3515 & 3595, I would choose 3595 as the PAN & 3515 as the PSN.

- Krish

0 Helpful

Damien Miller
VIP Alumni
VIP Alumni
In response to kvenkata1

‎07-11-2018 05:10 PM

For clarity sake, if you are aiming for 40k active sessions per 3595 PSN, then you would need 4 nodes dedicated for Admin and Monitoring.  The roles must be split out in what the design and scaling guide refers to as dedicated nodes. 

2 x 3595 Admin nodes

2 x 3595 Monitoring nodes

The next discussion that stems from this question would be if you want to design for 40,000 Active sessions per PSN.  It's my opinion that scaling numbers should always be taken with a grain of salt.  In a perfect world and under the ideal test conditions you might be able to attain scaling numbers.  Something I have come to notice over time is that scaling numbers are often led with a marketing mentality.  In the real world things don't always go to plan. I'm not beating up ISE specifically, this happens with all products, manufactures, and industries.

You always have to be conscious of what could happen.  If you design for 40k per PSN and have some misbehaving endpoints and network devices that slip through the cracks, what impact will it have.  If you want to do maintenance or lose a PSN, will you have the capacity to float through until it can be corrected?  Always needs to be considered during the design phase. 

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents