Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1471
Views
2
Helpful
5
Replies

PSN Limits

Go to solution
Cory Peterson
Level 5
Level 5

‎01-18-2017 10:19 AM

Hello,

I am looking at some of the ISE designs and had a question around the following design.

If I run two PAN/MnT nodes but run primary PAN/secondary MnT on Node 1 and Primary MnT/secondary PAN on Node 2 is there still a limit of 5 PSNs in this deployment type?

Also, is the 5 PSNs a hard limit or just a recommendation?

Thank You

-Cory

1 Accepted Solution

Accepted Solutions

Go to solution
hslai
Cisco Employee
Cisco Employee

‎01-18-2017 08:54 PM

It's a recommendation based on our testings.

View solution in original post

0 Helpful
5 Replies 5

Go to solution
joeshoj
Cisco Employee
Cisco Employee

‎01-18-2017 03:06 PM

Yes...still a limit...if you want to scale higher, they have to be dedicated.

I believe it is a hard limit, but I haven't tested.

Go to solution
hslai
Cisco Employee
Cisco Employee

‎01-18-2017 08:54 PM

It's a recommendation based on our testings.

0 Helpful

Go to solution
Craig Hyps
Level 10
Level 10
In response to hslai

‎01-19-2017 03:43 PM

So if not crystal clear already...

The 5 PSN limit (when PAN and MNT personas collocated on same ISE node) is not a hard limit in the sense that UI prevents admin from registering additional PSNs, but it is a hard limit in terms of official Cisco support.  All testing is conducting based on supported deployment models.  Mileage may vary, but as Hsing rightly stated, it is our recommendation to stay within supported limits, even though UI may allow unsupported configurations to be deployed.

/Craig

0 Helpful

Go to solution
troy.moyers
Level 1
Level 1
In response to Craig Hyps

‎07-25-2019 11:33 AM

For a small, but distributed deployment (30 sites with less than 500 total "client" nodes), where you want to add PSNs at the remote sites in order to mitigate latency, is it practical to have more than the recommended 5 limit? BTW, the need is to do only TACACS+ AAA.

0 Helpful

Go to solution
Damien Miller
VIP Alumni
VIP Alumni
In response to troy.moyers

‎07-25-2019 01:05 PM

I would keep the ISE PSN's to a minimum for a few reasons. 

1. The latency of authentication is not typically the issue, the issue is the latency between the ISE admin nodes and the PSN's.  We can account for authentication latency, but an ISE PSN should only be 300 ms RTT from the Admin.  
2. When you go to upgrade, every node adds significant time to the work effort.
3. Cost, PSN's are not cheap to buy/deploy/maintain.  
4. To have more than 5 PSN's, you have to leverage a distributed deployment where the Admin and Monitoring personas are on they own dedicated nodes.  This typically means 4 nodes just for PAN/MNT.  

There are some fringe use cases where PSN's in sites can be useful, but I would try to avoid it here.  

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents