Solved: Re: Mixed Cisco ISE Platforms in One Distributed Deployment

YediaelHutahaean · ‎05-14-2020

Hi Everyone,

I am curious about this scenario in distributed deployment: is it possible (technically or maybe legally - from TAC perspective maybe) to combine various Cisco ISE platforms in one distributed deployment?

The example is something like this:

HQ (40,000 endpoints):
- Node 1:
  - Using SNS-3655
  - Persona: PAN (P) + MnT (P)
- Node 2:
  - Using SNS-3655
  - Persona: PSN
- Node 3:
  - Using SNS-3655
  - Persona: PSN
Branch 1 (4,000 endpoints):
- Node 1:
  - Using SNS-3655
  - Persona: PAN (S) + MnT (S)
- Node 2:
  - Using SNS-3615
  - Persona: PSN
- Node 3:
  - Using R-ISE-VMS-K9 (VM small)
  - Persona: PSN
Branch 2 (4,000 endpoints):
- Node 1:
  - Using R-ISE-VMS-K9 (VM small)
  - Persona: PSN
- Node 2:
  - Using R-ISE-VMS-K9 (VM small)
  - Persona: PSN

Also, if you see the example above, in HQ and Branch 1 I use SNS-3655s as PAN+MnT nodes. Is it possible in this case to change it to smaller appliance like SNS-3615? I am still thinking it's possible since in this distributed deployment case, it doesn't handling any RADIUS session so we should need less resources. I could be wrong here, so please advise.

Thanks.

Best regards,

Yedi

Greg Gibbs · ‎05-14-2020

Hi Yedi,

You can mix physical/virtual appliances as well as hardware models in the same deployment (you should use the same hardware model between PANs and MnTs, however) as long as you stick to the supported maximums and understand the scale limits as per the ISE Performance & Scale guide.

With the breakdown you provided below, you have a Hybrid model (PAN + MnT on the same node), but you are exceeding the support max 5 PSNs. To support the 6 PSNs you have, you need to move to a fully Dedicated model.

You are also exceeding the maximum supported endpoints for a Hybrid model (25,000 for 3655 as PAN+MnT)

You might also want to review the Cisco Live BRKSEC-3432 on sizing and scaling ISE.

View solution in original post

Greg Gibbs · ‎05-14-2020

Hi Yedi,

You can mix physical/virtual appliances as well as hardware models in the same deployment (you should use the same hardware model between PANs and MnTs, however) as long as you stick to the supported maximums and understand the scale limits as per the ISE Performance & Scale guide.

With the breakdown you provided below, you have a Hybrid model (PAN + MnT on the same node), but you are exceeding the support max 5 PSNs. To support the 6 PSNs you have, you need to move to a fully Dedicated model.

You are also exceeding the maximum supported endpoints for a Hybrid model (25,000 for 3655 as PAN+MnT)

You might also want to review the Cisco Live BRKSEC-3432 on sizing and scaling ISE.

YediaelHutahaean · ‎06-16-2020

Hi Greg,
Thanks a lot for you detailed and clear explanation, it helps me a lot to uncover and correct my missing points related with ISE sizing.
Thanks also for the reference article that really does a great job in summarizing the fundamental points about ISE sizing and deployment.

Cheers,
Yedi

fathy sukar · ‎09-12-2022

Hello Greg,

Is there a specific reason why we cant MIX PSNs or MNTs ?

I cant find it documented anywhere,

Thanks

ahollifield · ‎09-12-2022

It is not a Cisco supported design: https://www.cisco.com/c/en/us/td/docs/security/ise/performance_and_scalability/b_ise_perf_and_scale.html