ISE Servers

Alex Pfeil
Level 7

New Identity Services Engine Deployment

Is it possible to mix and match servers?

Example

3495 admin node

3595 policy node

 


Rahul Govindan
VIP Alumni
You can have different hardware in a deployment as long as they run the same software version. The sizing depends on the Admin node hardware type. The sizing for different distributed deployments is here:
https://www.cisco.com/c/en/us/td/docs/security/ise/2-2/install_guide/b_ise_InstallationGuide22/b_ise_InstallationGuide22_chapter_00.pdf

So,
I could deploy:
2 admin - 3495
2 monitor - 3495
2 policy - 3595
This meets the large deployment model and supports 40,000 clients?

Yes. A 3495 Admin node large deployment can scale at 20000 sessions per PSN. So with 2 PSNs, you can get 40000 concurrent sessions for the deployment.

Rahul is correct but also note that using both PSNs requires some sort of RADIUS load balancing.

Cisco wireless delivered via WLC usually doesn't do this on its own and you would need some sort of Application Delivery controller / load balancer in front of your PSNs (i.e. F5 Big-IP, Citrix Netscaler or such).

Cisco wired has some crude round robin load balancing but still a real ADC is recommended.

You also need to consider failure scenarios. If you require 2 PSNs for your deployment day to day it's recommended to add a 3rd for availability.

ajc
Level 7

Based on recent findings and issues in our LARGE distributed environment, you should do the following:

1. All the PAN and MNT nodes MUST be the same type of device, in our case 3595s, to handle the significant amount of data our wireless network generates. We realized that 3495 as MNTs is NOT good enough for a large deployment (60k+ end users/concurrent sessions).

2. Use 3495 preferably as PSN only.

3. DO NOT combine 2 personas on the same node 3495/3595 because the performance goes significantly down (it does not apply to your case).

4. USE load balancing to efficiently distribute the load between the PSNs.

The most important piece is the version that you would like to run. I would strongly suggest using version 2.3.

BTW, from your post above, if you are using 3595s as PSNs then you have 40K sessions x node, so that would cover you without needing another PSN. Why is the load balancing mechanism important?

1. Round-robin DNS does not work properly when using CWA or WebAuth on the WLC.

2. The failover mechanism is straightforward when using, for example, F5 (our case).

If you use 3495s as PSNs, then you would need another PSN to be covered in case of failure.