I have a medium-sized ISE deployment (12K endpoints – RADIUS, 800 devices – TACACS+, and pxGrid w/Splunk) across 18 sites in Canada and the US, but because of server hardware standards/requirements we have to use 3595 appliances. We are going to have 4 PSNs to support it (2 in the primary and secondary data centers, 2 at the largest remote sites); each data center will be handling 3K endpoints, so I am trying to find metrics to justify having TACACS+ and pxGrid services on those PSNs, versus adding two additional 3595s dedicated to pxGrid or pxGrid + TACACS+ services. I have gone through the Cisco reference material and the only guidance I can find is that pxGrid should be on its own appliances. Cisco Live Vegas BRKSEC-3699 had some great metrics and info on scaling everything in ISE – except pxGrid. Any info would be appreciated.
This is an evolving topic as not a lot of pxGrid deployments are out there yet.
You correctly characterized the published guidance regarding using dedicated appliances.
However, even where such is the case I don't think anyone would advise 3595 appliances for those nodes unless you had many pxGrid subscribers and/or were using a lot of machine-driven services such as orchestration requiring frequent TACACS queries.
Since so much depends on the fine points of your deployment and how you are using pxGrid and TACACS device admin features, I'd recommend you reach out to your partner or Cisco SE for detailed design assistance.
Thank you for your feedback. I agree the SNS-3595 is overkill. However, I have firm hardware standards for corporate server/appliance deployments (RAID w/FWBC and dual power supplies). I haven't gotten specifics from Cisco directly, but I am pursuing that as well.
For what it's worth, the list price of a 3515 (no RAID or dual PS) is around US$17k. The high-end 3595 is around US$33k list price, so almost twice the cost. (You do get 4x the memory and a higher-end 6-core CPU as well.)
I'd argue to the standards powers that be that the inter-server redundancy makes up for the lack of intra-server redundancy. I used to enforce standards as chair of an Engineering Review board but was open to variance if the sponsor had a compelling argument.
There is some new guidance that will be published soon in the customer-facing documentation.
You can run pxGrid services on a multiple-persona node. If the node is PAN + MnT + PSN you should have no more than 2 pxGrid subscribers. For a PAN + MnT (no PSN), you can accommodate at least 4 subscribers. Dedicated persona nodes vary according to the hardware model.
There are a lot more details, but that's what I remembered off the top of my head from a quick look at the new chart.