Large ISE deployment questions.

I'm working with a customer that has ~80,000 endpoints around the world that wants to deploy ISE. I need some help understanding what the best recommendations for them are, specifically around the number of PSN nodes and node placement.

When I ran this through the ISE sizing tool, it came back with needing 9 nodes, 2 admin, 2 monitoring, and 5 PSN nodes.

1. If the customer has 4 major geographic locations/datacenters (Florida, New York, AMEA, and Asia), would I want to place additional PSN nodes at each of these major datacenters to authenticate users as close to their actual location as possible? I believe I would want to size nodes based on users at each location and deploy at least enough nodes in each geography to handle the number of users and ensure HA. Is that correct?

2. How about admin and M&T nodes? If the customer wants high availability based on the two US datacenters, would I place one of each in each datacenter, or what would be the correct way to deploy these for HA?



Accepted Solution

Charlie Moreton
Cisco Employee

Douglas,

1. If the customer has 4 major geographic locations/datacenters (Florida, New York, AMEA, and Asia), would I want to place additional PSN nodes at each of these major datacenters to authenticate users as close to their actual location as possible? I believe I would want to size nodes based on users at each location and deploy at least enough nodes in each geography to handle the number of users and ensure HA. Is that correct?

You can place a PSN at each of these locations. Remember that the latency must be below 200ms from the PSN back to the Admin Node(s).

Your other concern is the population density at each of these sites. How many endpoints will be at each site? In a deployment of this size (~80,000) you should use the SNS-3495 hardware specs as guidance:

[Image: ISE_Sizing.PNG]

The SNS-3495s used as PSNs can service up to 20,000 concurrent connections as opposed to 5,000 in the SNS-3415:

[Image: ISE_PSN_Auth.PNG]

How are the locations connected? Depending on the topology, the PSN at Florida could authenticate users from New York, the same from AMEA and Asia with the use of Node Groups.

2. How about admin and M&T nodes? If the customer wants high availability based on the two US datacenters, would I place one of each in each datacenter, or what would be the correct way to deploy these for HA?

You can have a maximum of 2 Admin and 2 MnT Nodes in a deployment. Primary Admin at one DC, Secondary at another. Primary MnT can be located in the same DC as the Secondary Admin, which would put the Secondary MnT in the DC with the Primary Admin.

I hope this answers your questions.

Charles Moreton


Jim Thomas
Level 4

I would advise you to take your time with this architecture design. I have seen many deployments go sideways because they weren't deployed correctly from the start. You will need to think about load balancing or not as well. The MnT are already in an active/active state and the admins are in an active/standby state.

Jim Thomas Cisco Security Course Director Global Knowledge CCIE Security #16674

Timothy Abbott
Cisco Employee

Douglas,

When you start getting north of 50K endpoints you are well into a distributed deployment model, which is what the sizing tool gave you. In this model, using a 3495 physical appliance or VM equivalent, each PSN can handle up to 20K endpoints. The sizing tool recommended 5 PSNs, which will cover 80K endpoints with one extra node for redundancy. As previously stated, Primary and Secondary Admin nodes are in an active/standby configuration while the MnT nodes are active/active.

Since the customer has 4 geographically dispersed locations, it is recommended that you have a solid understanding of the endpoint count in each region. Using your example, does New York have a higher endpoint density than Asia, or Florida more than AMEA? Ranking these sites in terms of endpoint concentration will dictate the number of PSNs needed at a particular location. You will also want to consider WAN speeds, as there are latency minimums that you must adhere to with distributed deployments.

Regards,

-Tim
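The sizing rules quoted in the two replies above (20,000 concurrent endpoints per SNS-3495 PSN, one spare node for redundancy, at most 2 Admin and 2 MnT nodes, PSN-to-Admin latency under 200 ms, and the Admin/MnT cross-placement across two DCs) turned into a small planner. This is an added example, not the thread's own content or any Cisco sizing tool; the per-region endpoint counts and RTT figures are constructed, and per-region N+1 is the original poster's proposal rather than the tool's deployment-wide N+1.

```python
import math

# Figures quoted in the thread.
PSN_CAPACITY_3495 = 20_000        # concurrent endpoints per SNS-3495 PSN
MAX_ADMIN_NODES = 2
MAX_MNT_NODES = 2
MAX_PSN_TO_ADMIN_LATENCY_MS = 200

# Constructed sample input: endpoints per region and measured RTT (ms)
# from each region to the two candidate Admin-node DCs.
REGION_ENDPOINTS = {"Florida": 30_000, "New York": 25_000, "AMEA": 15_000, "Asia": 10_000}
ADMIN_SITES = ("Florida", "New York")
REGION_LATENCY_MS = {
    "Florida":  {"Florida": 1,   "New York": 30},
    "New York": {"Florida": 30,  "New York": 1},
    "AMEA":     {"Florida": 120, "New York": 100},
    "Asia":     {"Florida": 220, "New York": 210},   # too far for a local PSN
}

def psns_for(endpoints, capacity=PSN_CAPACITY_3495, spare=1):
    """PSNs needed to carry `endpoints` sessions plus `spare` nodes for HA.
    With the whole deployment (80K) and spare=1 this reproduces the tool's 5."""
    if endpoints <= 0:
        return 0
    return math.ceil(endpoints / capacity) + spare

def plan_psns(region_endpoints, capacity=PSN_CAPACITY_3495, spare=1):
    """Per-region PSN counts (the poster's 'enough in each geography plus HA')."""
    return {r: psns_for(n, capacity, spare) for r, n in region_endpoints.items()}

def latency_violations(region_latency_ms, admin_sites, limit=MAX_PSN_TO_ADMIN_LATENCY_MS):
    """Regions whose PSNs would sit more than `limit` ms from an Admin node.
    Such a region should be served from a closer PSN/Node Group instead."""
    return [(region, site, lat[site])
            for region, lat in region_latency_ms.items()
            for site in admin_sites
            if lat[site] > limit]

def place_admin_and_mnt(primary_dc, secondary_dc):
    """Charlie's HA layout: Admins split across DCs, MnT nodes cross-placed."""
    if primary_dc == secondary_dc:
        raise ValueError("Primary and Secondary Admin must be in different DCs")
    return {"primary_admin": primary_dc, "secondary_admin": secondary_dc,
            "primary_mnt": secondary_dc, "secondary_mnt": primary_dc}

if __name__ == "__main__":
    print("whole deployment, N+1:", psns_for(sum(REGION_ENDPOINTS.values())))
    print("per region, N+1:", plan_psns(REGION_ENDPOINTS))
    print("latency violations:", latency_violations(REGION_LATENCY_MS, ADMIN_SITES))
    print("admin/MnT placement:", place_admin_and_mnt("Florida", "New York"))
```

Per-region N+1 yields more PSNs than the deployment-wide figure from the sizing tool, which is the trade-off between local HA and node count the thread asks about.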
