Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3231
Views
5
Helpful
4
Replies

Mixed Cisco ISE Platforms in One Distributed Deployment

Go to solution
YediaelHutahaean
Level 1
Level 1

‎05-14-2020 10:40 AM

Hi Everyone,

 

I am curious about this scenario in distributed deployment: is it possible (technically or maybe legally - from TAC perspective maybe) to combine various Cisco ISE platforms in one distributed deployment?

 

The example is something like this:

  • HQ (40,000 endpoints):
    • Node 1:
      • Using SNS-3655
      • Persona: PAN (P) + MnT (P)
    • Node 2:
      • Using SNS-3655
      • Persona: PSN
    • Node 3:
      • Using SNS-3655
      • Persona: PSN
  • Branch 1 (4,000 endpoints):
    • Node 1:
      • Using SNS-3655
      • Persona: PAN (S) + MnT (S)
    • Node 2:
      • Using SNS-3615
      • Persona: PSN
    • Node 3:
      • Using R-ISE-VMS-K9 (VM small)
      • Persona: PSN
  • Branch 2 (4,000 endpoints):
    • Node 1:
      • Using R-ISE-VMS-K9 (VM small)
      • Persona: PSN
    • Node 2:
      • Using R-ISE-VMS-K9 (VM small)
      • Persona: PSN

Also, if you see the example above, in HQ and Branch 1 I use SNS-3655s as PAN+MnT nodes. Is it possible in this case to change it to smaller appliance like SNS-3615? I am still thinking it's possible since in this distributed deployment case, it doesn't handling any RADIUS session so we should need less resources. I could be wrong here, so please advise.

 

Thanks.

 

Best regards,

Yedi

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Greg Gibbs
Cisco Employee
Cisco Employee

‎05-14-2020 04:13 PM

Hi Yedi,

You can mix physical/virtual appliances as well as hardware models in the same deployment (you should use the same hardware model between PANs and MnTs, however) as long as you stick to the supported maximums and understand the scale limits as per the ISE Performance & Scale guide.

With the breakdown you provided below, you have a Hybrid model (PAN + MnT on the same node), but you are exceeding the support max 5 PSNs. To support the 6 PSNs you have, you need to move to a fully Dedicated model.

You are also exceeding the maximum supported endpoints for a Hybrid model (25,000 for 3655 as PAN+MnT)

 

You might also want to review the Cisco Live BRKSEC-3432 on sizing and scaling ISE.

View solution in original post

4 Replies 4

Go to solution
Greg Gibbs
Cisco Employee
Cisco Employee

‎05-14-2020 04:13 PM

Hi Yedi,

You can mix physical/virtual appliances as well as hardware models in the same deployment (you should use the same hardware model between PANs and MnTs, however) as long as you stick to the supported maximums and understand the scale limits as per the ISE Performance & Scale guide.

With the breakdown you provided below, you have a Hybrid model (PAN + MnT on the same node), but you are exceeding the support max 5 PSNs. To support the 6 PSNs you have, you need to move to a fully Dedicated model.

You are also exceeding the maximum supported endpoints for a Hybrid model (25,000 for 3655 as PAN+MnT)

 

You might also want to review the Cisco Live BRKSEC-3432 on sizing and scaling ISE.

Go to solution
YediaelHutahaean
Level 1
Level 1
In response to Greg Gibbs

‎06-16-2020 09:49 AM

Hi Greg,
Thanks a lot for you detailed and clear explanation, it helps me a lot to uncover and correct my missing points related with ISE sizing.
Thanks also for the reference article that really does a great job in summarizing the fundamental points about ISE sizing and deployment.

Cheers,
Yedi
0 Helpful

Go to solution
fathy sukar
Level 1
Level 1
In response to Greg Gibbs

‎09-12-2022 03:02 AM

Hello Greg,

Is there a specific reason why we cant MIX PSNs or MNTs ?

I cant find it documented anywhere,

Thanks

0 Helpful
Customers Also Viewed These Support Documents