
ISE TACACS+ Performance Tables and Sizing clarification

jorgquin
Cisco Employee

Team

 

I have been digging around but still cannot clarify the doubt I have between these 2 tables:

 

From https://community.cisco.com/t5/security-documents/ise-performance-amp-scale/ta-p/3642148

ISE TACACS+ Performance

Platform performance specs are for a dedicated PSN in transactions per second (TPS).

PAN and MNT nodes are deployed as separate node(s).

| Scenario | Cisco SNS-3415 Appliance | Cisco SNS-3495 Appliance | Cisco SNS-3515 Appliance | Cisco SNS-3595 Appliance |
|---|---|---|---|---|
| ISE Version | ISE 2.0 | ISE 2.0 | ISE 2.1 | ISE 2.1 |
| TACACS+ Function: PAP | 1,400 / second | 2,800 / second | 3,236 / second | 4,884 / second |
| TACACS+ Function: CHAP | 1,500 / second | 2,900 / second | 2,413 / second | 4,961 / second |
| TACACS+ Function: Enable | 700 / second | 1,200 / second | 1,631 / second | 1,984 / second |
| TACACS+ Function: Session AuthZ | 900 / second | 1,700 / second | 2,191 / second | 3,453 / second |
| TACACS+ Function: Command AuthZ | 900 / second | 1,700 / second | 2,359 / second | 3,467 / second |
| TACACS+ Function: Accounting | 2,900 / second | 4,900 / second | 3,209 / second | 9,128 / second |

 

 

And this one (latest update from Cisco Live)

My understanding is the following:

 

1. Table 1 seems to be the raw per function TACACS+ max numbers (looking like a stress test to get the maximum per each function)

2. Table 2 from what I understand seems to be the TPS calculation which seems to have 2 formulas:

2.1 When migrating from ACS to ISE using =  authentication+authorization+account aggregate to a time frame (formula = authentication (pass+fail)+authorization+account/(8)*(60)*(60))

2.2 When Sizing a new ISE deployment for device admin = 

 

Example from https://community.cisco.com/t5/security-documents/cisco-ise-device-administration-prescriptive-deployment-guide/ta-p/3738365:

#_Transactions_per_session = #_network_devices x (3 + 2 x Number of commands executed).

#_transactions_per_day = 10,000 x (3 + 2x10) = 230k logs/session = 920k logs for 4 sessions.

 

Peak TPS = 920k / (20*60sec) = 767 TPS

 

My doubt is as follows:

 

1. Is my assumption correct?

2. If my assumption is correct, what is the main use case for table 1? (considering as well that it is outdated)

 

Warm regards,

 

Jorge

2 Replies

Damien Miller
VIP Alumni
What I have found is that no matter how good I think my estimates and math are on this, real load always seems to be way lower. As a production data point for you, I recently moved a 20k NAD ACS deployment to ISE. It does 12 TPS at peak with automated tools running as well.

Your math has one issue on calculating TPS. 920k is the total TPS for the day, so dividing it by (24hr x 3600sec) 86,400 seconds gives you daily average TPS. I typically try to focus more on peak than average, the issue with daily averaging in the calculation is that it assumes all load is constant throughout the day. 920k/86400 is an average of ~11 TPS over the course of a day.

If there is already a TACACS/RADIUS server to base this off, getting peak TPS is easier because you can just look at the logs. If not, I tend to err on the side of caution and assume that the calculated load happens over 12 hours instead of 24.

Hey Damien

 

Thanks for your input.

 

I agree with you as well on the load, that it is more useful to get an 8 to 12 hour period average rather than 24.

 

An interesting fact is that the calculations are not done by myself but by the ISE PM team, so it seems that the formula needs more clarification on what the correct use would be.

 

But my doubt still exists regarding the tables we have available, in terms of what the use case for table 1 is.

 

For table 2, I do believe we need some clarification on how the TPS are calculated.
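
The window question debated in this thread, as an added example that is not from either poster, Cisco, or the linked guides: it applies the quoted guide formula to the thread's figures over several assumed windows, and measures peak and average TPS from existing logs as the first reply suggests. The log format (ISO-8601 timestamp as the first field) and the sample lines are constructed assumptions, not an ISE or ACS export format.

```python
from collections import Counter
from datetime import datetime

EPOCH = datetime(1970, 1, 1)

# Constructed sample lines; the layout is hypothetical (timestamp first),
# not a real ACS/ISE log format.
SAMPLE_LOG = """\
2024-05-01T09:00:00 authentication pass nad=10.0.0.1
2024-05-01T09:00:00 authorization session nad=10.0.0.1
2024-05-01T09:00:00 accounting start nad=10.0.0.1
2024-05-01T09:00:01 authorization command nad=10.0.0.1
2024-05-01T09:00:01 accounting command nad=10.0.0.1
2024-05-01T09:00:09 authentication fail nad=10.0.0.2
""".splitlines()

def estimated_transactions(devices, commands_per_session, sessions):
    # Guide formula quoted in the thread: devices x (3 + 2 x commands), per session.
    return devices * (3 + 2 * commands_per_session) * sessions

def average_tps(transactions, window_seconds):
    # Same total, different assumed window: the choice the thread is debating.
    return transactions / window_seconds

def measured_tps(log_lines, bucket_seconds=1):
    """Return (peak_tps, average_tps) over the span covered by the log lines."""
    buckets = Counter()
    for line in log_lines:
        fields = line.split()
        try:
            ts = datetime.fromisoformat(fields[0]).replace(tzinfo=None)
        except (IndexError, ValueError):
            continue  # skip blank lines, headers and malformed timestamps
        buckets[int((ts - EPOCH).total_seconds()) // bucket_seconds] += 1
    if not buckets:
        return 0.0, 0.0
    span = (max(buckets) - min(buckets) + 1) * bucket_seconds
    peak = max(buckets.values()) / bucket_seconds
    return peak, sum(buckets.values()) / span

if __name__ == "__main__":
    total = estimated_transactions(10_000, 10, 4)  # figures from the thread
    for label, secs in (("20 min", 20 * 60), ("8 h", 8 * 3600),
                        ("12 h", 12 * 3600), ("24 h", 24 * 3600)):
        print(f"{label:>6}: {average_tps(total, secs):8.1f} TPS")
    print("measured (peak, average):", measured_tps(SAMPLE_LOG))
```

Run against real logs, the peak figure depends on `bucket_seconds`: a one-second bucket shows bursts that a longer bucket averages away.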