giosif
Cisco Employee

PSN maximum concurrent sessions in a hybrid deployment

Hello,

 

In a hybrid deployment with 3695 as PAN & MnT, a PSN based on the 3655 would support up to 50,000 concurrent sessions, or just 25,000 sessions?

 

Looking at the ISE PSN Performance table on the ISE Performance & Scale page, for the 3655 appliance, it states 25,000 sessions for a hybrid deployment and 50,000 for fully distributed.

So, based on this, one might think the answer to the above question is 25,000 for the one PSN.

However, I am suspecting the intention with the text in the performance & scale page was to say 25,000 sessions for a hybrid deployment with a 3655 based PAN & MnT appliance, not 3695.

Could someone please confirm, though?

 

Thanks!

1 ACCEPTED SOLUTION

Accepted Solutions
Damien Miller
VIP Advisor

A dedicated 3655 PSN will support 50k active endpoints, but a hybrid deployment where the PAN/MNT are built on 3695 nodes will also only support 50K. I will break it into an example.

2x 3695 PAN - 50k active endpoint max capacity
2x 3655 PSN - 50k active endpoints each, but still capped at 50k active for total deployment.

Each 3655 PSN will still support 50k endpoints, but your upper bounds are determined by the hybrid PAN/MNT in this case. You can support 50K endpoints with n+1 redundancy. In theory you would want to split your load 25k per PSN, and when one PSN is down you would still be able to support all 50k endpoints.

If you only run the PSN role on a node, then the dedicated node scaling applies. The overall scale of the deployment is determined by standalone/hybrid/dedicated scaling numbers though. So regardless of how many active endpoints a dedicated PSN supports, if the PAN and MNT are not dedicated, then your scaling is limited by the standalone/hybrid numbers.


Thanks, Damien!

 

I am aware of the upper cap imposed by the PAN & MnT in a hybrid model.

And I understand that, beyond the 1 x 3655 PSN one would add, the total concurrent session limit for the entire deployment remains 50,000 irrespective of how many more PSNs one would introduce (up to 5).

 

What I was after, though, was confirmation for the meaning of 25,000 max concurrent sessions for a 3655 in a hybrid deployment, as mentioned in the ISE performance and scale page.

And, if I read your response correctly, you are confirming this 25,000 limit for the 3655 in a hybrid deployment does not apply for the case when the PAN & MnT node is a 3695 (i.e. the limit for the 3655 is 50,000 in that case).

 

In a hybrid deployment, a 3655 PSN will support 50k active endpoints if it is dedicated, but exceeding the total active endpoint count for the hybrid PAN/MNT is the issue. I think your understanding is clear on this point, just want to clarify for any others that might read it later.

A dedicated PSN picks up a platform template that supports the total active endpoints regardless of the PAN/MNT it is joined to. So in a 3655 hybrid deployment, the PSN will still be capable of supporting 50k active endpoints; it would just go against the tested numbers for the shared PAN/MNT. You end up with extra PSN active endpoint capacity that shouldn't be utilized.

Sure.

Thanks again for the clarification, Damien!

 

Jason Kunst
Cisco Employee

I'd recommend looking at http://cs.co/ise-training BRKSEC-3432

Hi Jason,

 

In fact, I did look into that before asking the question here but, unless I missed it, this particular piece of information - i.e. concurrent session limit for 3655 appliance acting as a dedicated PSN when part of a hybrid deployment with 3695 as PAN & MnT - is not mentioned in the presentation.

At the same time, the section on the ISE scale and performance page does seem to present that information explicitly (albeit, incorrectly, as suspected and based on the response from Damien).

 

Nidhi
Cisco Employee

With a hybrid deployment, the number of concurrent sessions supported is the same as what is supported in standalone.

We clearly mention it in the table.

Can you please share a screenshot of what is not clear so that we can fix it?

 

Thanks,

Nidhi 

giosif
Cisco Employee

Hi Nidhi,

 

As mentioned here already, the issue is the ISE performance and scale page shows only 25,000 max concurrent sessions for a 3655 appliance (as a dedicated PSN), if part of a hybrid deployment (please see below screenshot).

And I think that information is misleading, as the 25,000 sessions limit for this case is not driven by the PSN appliance model (i.e. 3655 appliance, in our case), but by the limit of a hybrid deployment, which is typically 25,000 sessions.

And I say "typically" to mean where the PAN & MnT node in that hybrid deployment is a 3655 appliance.

If the PAN & MnT node were to be a 3695 model, however, the max concurrent sessions for the entire deployment goes up to 50,000 sessions and that could be handled by a single 3655 appliance acting as a dedicated PSN (strictly from a session capacity perspective, and not considering redundancy or authc's per second, etc.).

 

My suggestion is to edit the text associated with that 25,000 to mention the limit comes from the deployment model (i.e. hybrid) and specific appliance model for the PAN & MnT node (i.e. 3655); also, it should mention that, for a hybrid deployment, if the PAN & MnT node is 3695, the appliance sessions limit for the 3655 (again, acting as PSN in that deployment) becomes 50,000.

 

I hope this clarifies the matter.

 

 

screenshot.png
