ISE Scaling Dedicated to Hybrid

igaffine
Level 1

Hi Community,

Thanks for reading; I hope you can help. We currently have an ISE deployment using virtual appliances in a dedicated node deployment (PAN, MnT, PSN, PxGrid and SXP) and are currently considering the pros and cons of going physical.

With the introduction of the SNS-3695 I have been looking into whether it would be possible to reduce the footprint of our deployment, go with a hybrid design and run PAN, MnT and PxGrid resiliently on a pair of SNS-3695s. This would allow 5 nodes (SNS-3655) to be used for PSNs, but I have SXP nodes to think about, and another issue in that we use a pair of PSNs for internal PKI (EAP-TLS) and are looking to deploy another pair of PSNs for external 'public' PKI for guest/BYOD services. This would make a total of 6 nodes if we had dedicated SXP nodes, which does not fit the 5 node limit. Just wondered if anyone might have a suggestion?

I see in the scaling guide that SXP should be on dedicated nodes (and it is at the moment), but it also has notes on sharing SXP across RADIUS PSNs. I assume you just select two nodes to be the SXP pair.

The solution needs to support 30,000 clients (10,000 guests) and be resilient.

To avoid going to a dedicated deployment, I could run the external PKI as a separate standalone (PAN, MnT & PSN) on a pair of resilient SNS-3655 nodes, to reduce the size of the deployment.

Design options:

Large
2x SNS-3655 PAN
2x SNS-3695 MnT
2x SNS-3655 PSN internal PKI
2x SNS-3655 PSN external PKI
2x SNS-3655 SXP
2x SNS-3655 PXG

Hybrid
2x SNS-3695 PAN, MnT, PXG
2x SNS-3655 PSN internal PKI
2x SNS-3655 SXP

plus

Guest
2x SNS-3655/3695 standalone (PAN, MnT, PSN external PKI)

We have internal and external PSNs as a result of having two separate CAs (one public) and using 802.1X for BYOD devices, and we don't want these devices having an internal CA cert installed. Assuming dual EAP certs are still not supported on the same PSN?

Appreciate your thoughts.

Kind regards,

Ian

2 Replies

igaffine
Level 1

Hi Community,

Further investigation has discovered that our current deployment has 7 PxGrid subscribers, all capability version 1. This would make sense as it is an ISE 2.2 deployment. The main subscriber is Stealthwatch. As a hybrid deployment only supports 5 subscribers when PAN, MnT & PxGrid are on the same node, it is looking more likely that our deployment should be dedicated. In addition, our SXP bindings are nearing 60% of the 10,000 limit for hybrid, again pushing us down the dedicated route.

That said, has anyone deployed a dedicated deployment with an ISE node as a combined PxGrid + SXP node? Do the dedicated stats still apply? I assume not, and that we have to reduce the numbers in some way.

Some final stats:

Concurrent users: 20,000 (could grow to 40,000)
SXP peers: 15 (grow to 30)
SXP bindings: 6,000 (grow to 10,000)
PxGrid subscribers: 7 @ version 1.0 (assuming they will become version 2.0 at software update)

Appreciate your thoughts.

Kind regards,

The stats for dedicated pxGrid are for an ISE node with the PXG persona only.

If you are unable to meet that, just start off with whatever you may and monitor the performance.
