Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
184
Views
0
Helpful
3
Replies

ISE Sizing and Scalability Question

Go to solution
packet2020
Level 1
Level 1

‎06-03-2024 05:09 AM - edited ‎06-03-2024 05:10 AM

Hi All,

I'm currently working on an ISE 3.2 Medium Deployment design that will comprise of 2 x SNS 3795 appliances operating as combind PAN + MnT + pxGrid nodes and 4 x SNS 3755 appliances operating as PSN nodes.

I want to confirm the maxium scalability of this design against the following ISE Performance and Scalbility document, however I'm not sure if I'm interpretting the info correctly.

https://www.cisco.com/c/en/us/td/docs/security/ise/performance_and_scalability/b_ise_perf_and_scale.html

Based on this guide, the maxium concurrent sessions that a Medium deployment can support using the SNS 3795 as cominbed PAN + MnT + pxGrid node is 150,000. Although the 4 x SNS 3755 PSNs each support 100,000 concurrent active sessions, the maximum possible conncurrent sessions is dictated by the PAN/MnT/PxGrid deployment which is 150k in this example, is that correct?

Also for the PSNs, what is meant by "Shared PSN (Cisco ISE node has multiple Personas)"? Is this only applicable if pxGrid is also running on the PSN or does it included services such as Device Admin and SXP?

 

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
ahollifield
VIP
VIP

‎06-03-2024 05:18 AM - edited ‎06-03-2024 05:25 AM

You are correct.  ISE scale is limited based on the type of deployment, size of PAN/MnT, and size of the PSNs.  If you need more than 150,000 you need to break out the PAN and MnT into their own nodes.  Shared PSN mean combined with other roles at the "top level" checkboxes on the deployment screen.  So PAN, MnT, or pxGrid; it does not apply to the various services within the PSN section.

View solution in original post

0 Helpful
3 Replies 3

Go to solution
ahollifield
VIP
VIP

‎06-03-2024 05:18 AM - edited ‎06-03-2024 05:25 AM

You are correct.  ISE scale is limited based on the type of deployment, size of PAN/MnT, and size of the PSNs.  If you need more than 150,000 you need to break out the PAN and MnT into their own nodes.  Shared PSN mean combined with other roles at the "top level" checkboxes on the deployment screen.  So PAN, MnT, or pxGrid; it does not apply to the various services within the PSN section.

0 Helpful

Go to solution
packet2020
Level 1
Level 1

‎06-07-2024 12:04 AM - edited ‎06-07-2024 02:10 AM

Actually another question on this

If we need more than 150,000 concurrent sessions and break out the PAN and MnT into their own nodes as you stated, so adding two additional nodes to the deployment, what do we do with the pxGrid persona? Can pxGrid be colocated on the dedicated PAN, MnT, or PSN nodes and still be a valid deployment to still support above 150k scale, or will dedicated pxGrid nodes be required as well?

For example, will this be a valid deployment if we split out the PAN and MnT nodes and enable pxGrid on the PSNs?

PAN Primary
PAN Secondary
MnT Primary
MnT Secondary
PSN1 + pxGrid
PSN2 + pxGrid
PSN3
PSN4

0 Helpful

Go to solution
ahollifield
VIP
VIP
In response to packet2020

‎06-07-2024 02:54 AM

No, dedicated pxGrid node is required in a large deployment.
0 Helpful
Customers Also Viewed These Support Documents