Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
581
Views
0
Helpful
5
Replies

PAN/MNT hybrid question.

Go to solution
JasonMahan
Level 1
Level 1

‎09-16-2019 09:37 AM

Have some ISE 3595's on the shelf.  (understand these are EOS as of March). 

Need to get them off the shelf and deployed. Believe there's a total of 40K possible endpoints at this time.

Question regarding Hybrid deployment with the PAN+MNT in the same 3595.   

6 X 3595 appliances.   

The thought is to put 3 in each DC (2 Datacenters).

PAN +MNT running on one appliance with two PSNs in each data centers.

Split the load by configuring NADs in an odd / even fashion so that only in a DC failure situation does one deployment have all end points.

 

Is this possible with the PAN+MnT in same appliance? 

Obviously there's no HA, it would be failover from one DC to the other based on field configs on switches using primary and secondary radius configurations. 

If this is possible, what are the drawbacks.  I am concerned about the PAN + MnT in one appliance during any situation where the MnT is handling massive amounts of traffic.

 

If you need more information, please me know.

All thoughts welcome.

 

Thanks,

-Jason

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Colby LeMaire
VIP Alumni
VIP Alumni

‎09-16-2019 10:03 AM

Your scenario would be fine except that when the Admin/MnT are combined in one appliance, the maximum concurrent sessions supported for the overall deployment is 20K.  In order to scale above 20K, you would need to have dedicated appliances for Admin and MnT.  Scalability numbers are in the link below:

https://www.cisco.com/c/en/us/td/docs/security/ise/2-6/install_guide/b_ise_InstallationGuide_26/b_ise_InstallationGuide_26_chapter_00.html#id_101614

 

View solution in original post

0 Helpful
5 Replies 5

Go to solution
Colby LeMaire
VIP Alumni
VIP Alumni

‎09-16-2019 10:03 AM

Your scenario would be fine except that when the Admin/MnT are combined in one appliance, the maximum concurrent sessions supported for the overall deployment is 20K.  In order to scale above 20K, you would need to have dedicated appliances for Admin and MnT.  Scalability numbers are in the link below:

https://www.cisco.com/c/en/us/td/docs/security/ise/2-6/install_guide/b_ise_InstallationGuide_26/b_ise_InstallationGuide_26_chapter_00.html#id_101614

 

0 Helpful

Go to solution
JasonMahan
Level 1
Level 1
In response to Colby LeMaire

‎09-16-2019 10:09 AM

Thank you Colby!

When reading the documentation, I misread it as 20K per PSN not the entire deployment.  Based on the limitation that makes sense.

0 Helpful

Go to solution
Colby LeMaire
VIP Alumni
VIP Alumni
In response to JasonMahan

‎09-16-2019 10:11 AM

Yeah, there are maximums for a particular appliance and then separate maximums for the deployment as a whole.  It can be confusing at times.

0 Helpful

Go to solution
JasonMahan
Level 1
Level 1
In response to Colby LeMaire

‎09-16-2019 10:25 AM

So if I read this right, does that mean a single 3595 PSN can support 40K endpoints if I have a separate 3595 as Admin and another 3595 as MnT? If that works we could grow PSNs as budget and time permits. Moving to 3600s over time.
Does that make sense?
0 Helpful

Go to solution
Colby LeMaire
VIP Alumni
VIP Alumni
In response to JasonMahan

‎09-16-2019 10:43 AM

That is correct.  The 3595 as a PSN can handle 40K sessions itself assuming the Admin and MnT nodes are on their own separate/dedicated appliances.  So with 6 appliances, you would have 2 for Admin (Pri/Sec), 2 for MnT (Pri/Sec), and 2 for PSN functionality.  In that scenario, the deployment as a whole could handle over 20K sessions but then you run into limitations on each PSN individually and have to add PSNs to scale higher.

0 Helpful
Customers Also Viewed These Support Documents