Guido Salsano
Cisco Employee

ISE - server sizing

Hi All,

I need you to size an installation of ISE to manage 50000 devices via TACACS+.

In terms of licenses, I understand it's enough to quote 100 endpoints base license and 1 license for TACACS+.

In terms of servers, I don't know what the methodology is.

Should I consider the device as an endpoint, and calculate the number of servers for 50K endpoints?

Another method?

Please help me to understand how I should proceed.

Thanks in advance

Guido

1 ACCEPTED SOLUTION

Accepted Solutions
Timothy Abbott
Cisco Employee

Hi Guido,

TACACS+ device administration requires the device to be added to ISE like any other network access device that would perform authentication. Today, ISE will only support up to 30K network access devices, so you would need to have two different deployments just for device administration. Future versions of ISE will likely support more network devices. You can find a general sizing guide for TACACS+ with ISE here: <https://communities.cisco.com/docs/DOC-63930>.

Regards,

-Tim


kthiruve
Cisco Employee

Hi Guido,

Here is a community page for TACACS+ deployment sizing and ACS vs ISE Comparison that provides guidance on this.

For more information on planning TACACS+ deployment and scale of PSNs, the ACS to ISE migration doc is a good reference point.

ISE 2.0 supports 30k network objects, and ISE supports subnets only for network objects, not ranges. So if you can subnet these devices to 30k network objects you should be OK. That said, we don't have information on the upper limit of network devices if you subnet these. It is important to pay attention to the TPS for TACACS+ in the deployment sizing guide for command accounting etc. and scale your network accordingly.

The scale on the network devices is going to be improved in the upcoming release.

Good luck.

Thanks

Krishnan
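Added example, not part of any post in this thread: one way to check how many network objects a device inventory needs when addresses are grouped into subnets, as the reply above suggests. The function names and the inventory are constructed for illustration; the 30K limit is the ISE 2.0 figure quoted in the thread. Only fully populated, aligned blocks are merged, so no address outside the inventory falls inside a network object and inherits its settings.

```python
import ipaddress
import math

# Per-deployment limit quoted in the thread for ISE 2.0 (assumption for other releases).
MAX_NETWORK_OBJECTS = 30_000


def to_network_objects(device_ips):
    """Collapse device addresses into the smallest exact set of CIDR blocks.

    Only fully populated, aligned blocks merge, so the result never covers
    an address that is missing from the inventory.
    """
    hosts = [ipaddress.ip_network(ip) for ip in device_ips]
    objects = []
    for version in (4, 6):  # collapse_addresses rejects mixed IP versions
        same = [n for n in hosts if n.version == version]
        objects.extend(ipaddress.collapse_addresses(same))
    return objects


def deployments_needed(object_count, limit=MAX_NETWORK_OBJECTS):
    """Number of separate deployments needed for a given object count."""
    return math.ceil(object_count / limit)


def sample_inventory():
    """Constructed inventory: a full /24 of loopbacks, six adjacent hosts, one stray."""
    full_block = [f"10.1.0.{i}" for i in range(256)]
    partial = [f"10.2.0.{i}" for i in range(1, 7)]
    return full_block + partial + ["192.0.2.77"]


if __name__ == "__main__":
    devices = sample_inventory()
    objects = to_network_objects(devices)
    covered = sum(n.num_addresses for n in objects)
    print(f"{len(devices)} devices -> {len(objects)} network objects")
    for net in objects:
        print(" ", net)
    print("addresses covered beyond inventory:", covered - len(set(devices)))
    print("deployments needed:", deployments_needed(len(objects)))
```

With one object per device, `deployments_needed` gives the counts stated in the thread for 50K and 80K devices.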

Hi Krishnan,

Could you please explain to me the data about the devices managed with ISE?

The table says 30K network objects (no IP address). My customer should manage 80K (TACACS+) devices; how many ISE instances should they use? 3? Or more?

Thanks for the explanation

Guido

Guido,

Since ISE 2.0 can only manage 30K TACACS+ devices (switches, routers, etc.), it would take 3 separate ISE deployments to manage 80K network devices. Future updates to ISE will increase TACACS+ scalability. If your customer is currently using ACS to manage more than 30K network devices with TACACS+, it is recommended they continue to do so until ISE can support their environment with one deployment.

Regards,

-Tim

Hi Timothy,

Thanks for the info and suggestions.

Could you share any info about the roadmap?

When will ISE support more than 30K devices?

Thanks

Guido

Guido,

Unfortunately, roadmap information cannot be shared in this forum.

Regards,

-Tim
