08-30-2017 09:23 PM
Hi Team,
As we know, max number of network devices is 100K.
Two questions:
1. Is this number based on performance experienced, or is it a limitation in ISE software?
2. If defining 1 network device with an IP range, i.e. a /24 subnet, does it exhaust 1 entry or 254 entries?
Thanks
DL
08-31-2017 10:46 AM
To clarify, a subnet range does not consume or equate to one NAD per IP. Only NADs that connect to ISE will have a cache entry. 100k is what we have validated in QA testing. This is not a hard limit, but we certainly would not plan on exceeding it. If you know the deployment will exceed it, then we recommend designing for split clusters. We also recommend reaching out to your account team to submit requirements for higher scale so we know which customers actually require > 100k NADs.
/Craig
08-31-2017 04:42 AM
1. Is this number based on performance experienced, or is it a limitation in ISE software?
- Database Limitation
2. If defining 1 network device with an IP range, i.e. a /24 subnet, does it exhaust 1 entry or 254 entries?
- This counts as a single 'Device'
08-31-2017 09:11 AM
Thanks a lot!
09-01-2017 02:35 AM
Hi Craig,
We have asked the customer to do a cluster split. Does a single PSN have a recommended number of network devices? Then we could know how to split.
Thanks
DL
09-01-2017 01:01 PM
Sizing is based on transaction rate, not # NADs.
09-01-2017 01:53 PM
Hi DL,
ISE supports up to 100K network device entries per deployment. This includes PAN, MnT and x number of PSNs.
The question is, if you want to calculate the number of PSNs, this is based on TACACS+ TPS.
If the customer has ACS and is not oversubscribed you can easily replace an authenticating ACS server with an ISE PSN.
For more information on designing an ISE deployment, please see the how-to guide that I just updated yesterday. It will walk you step by step through how to design an ISE deployment for TACACS+, with tables etc.
https://communities.cisco.com/docs/DOC-63880
You can also look at Craig’s breakout session on Scaling in 2016
https://communities.cisco.com/docs/DOC-63882
Thanks
Krishnan