
ISE sizing recommendations for performance for distributed deployment

net87
Level 1

We are sizing for 100k+ endpoints/active sessions. I reviewed the performance and scale document, but it seems confusing, so can someone clarify the points below?

Current usage for one centralized deployment

===================================

 

1) 2x 3695 (PAN)

2) 2x 3695 (MnT)

3) 2x 3655 (PSN) behind F5, running the pxGrid service as well

4) 2x 3655 (PSN) behind F5 (will be kept in a disabled state as cold standby for disaster)

5) 18x ISE 3615 (local PSNs in remote sites), which are kind of dedicated, with no F5, and connected via WAN links but replicated from the main admin node

 

 

Technically I will have 2 active PSNs in the main DC behind F5; the other 2 PSNs, which I will keep in a disabled state, are in cold standby in DR but part of the same deployment.

 

1) Is it fine to run the pxGrid service shared on one PSN, or do I need to run it on both PSNs (it is only for DNAC purposes)?

 

2) We plan to use TACACS+, so if I share TACACS+ with RADIUS + pxGrid, will there be any concern with the ISE 3655, or is a separate 3615 node enough?

 

3) Since the TACACS+ license is per PSN, I think I would need to buy a dedicated TACACS+ license for any other node in DR.

 

 

Regards,

Meh

Accepted Solutions

Hi @net87,

Please take a look at ISE Performance & Scale and search for:

1. Latency between Nodes (300 ms)

2. Maximum Active Sessions for each PSN: 3655 (25,000 for Medium & 50,000 for Large) & 3695 (50,000 for Medium & 100,000 for Large)

3. Maximum PSN Nodes for Large (50) and Medium (5 or 6) Deployment

4. Maximum pxGrid Nodes for Large (4) or Medium (2) Deployment

5. MnT Persona Log Storage Requirements

Please take a look at the ISE Ordering Guide and search for:

1. Device Administration (TACACS+): "...You must have Device Administration license for each of the Policy Service Nodes that you enable TACACS+ service on..."

Note: you can choose version 2.7 (the Suggested Release) or 3.0 (will be a Suggested Release soon)

 

Hope this helps !!!

Thanks Marcelo, 

 

The document is useful. What is the performance impact if we run the pxGrid service on a PSN? I will end up using 2 ISE PSNs to cater for the majority of the traffic, and all the remaining traffic within the same deployment will be dispersed to local ISE PSNs, so will it be considered a medium or large deployment?

 

Total ISE PSNs = 20+, but the main DC will have 2 ISE PSNs and all the remaining ISE PSNs will be kind of dedicated to small branches, so as per Cisco, will it be counted as a large or medium deployment?

 

Regards,

Meh

Hi @net87 

You can enable PXG on the PAN+MnT node or on dedicated nodes (in this case, reducing the PSN count).

In a Large/Dedicated Deployment, all ISE personas are fully distributed, running on separate VM or appliance nodes.

In a Medium/Hybrid Deployment, PAN + MnT + PXG run on the same node and PSNs on dedicated nodes.

 

Hope this helps !!!

Thanks Marcelo, 

 

So in a large-scale deployment it is mandatory to have a dedicated appliance? Is it that if I share a persona like pxGrid on one of the PSNs, then that ISE 3655 PSN would only support 25000 sessions even though it is categorized as large scale?

 

 

Regards,

Meh

Hi,

Yes, for a Large Deployment you must have Dedicated Nodes.

Note: for a Large Deployment the Maximum PSNs+pxGrid Nodes is 50 ... if you have 4x pxGrid, then the maximum number of PSNs would be 46.

 

Hope this helps !!!   

Does "must" mean "it's not going to work", "it's going to get you in trouble", or that it simply violates Cisco deployment rules?

In other words, if I want to temporarily enable pxGrid on PAN nodes for a large deployment, while waiting to have enough resources in the virtual environment to deploy dedicated nodes, is it going to work?

Hi Massimo,

IMO, whenever I (temporarily) do not follow a "best practice/recommendation", I understand that "odd things can happen".

 

Hope this helps !!! 

I understand your point, but it's hard to persuade the customer when the same role can be taken by a PAN node in a standalone deployment and the current PANs' performance is around 2% CPU and 30% memory.