I'm in the final stages of sizing for an enterprise/large ISE project, and have already settled on a 2 data center deployment with a pair of physical 3595 PSNs at each site, a single physical 3595 MNT at each site, and a single 3595-scale PAN at each site, to provide failover in the event that an entire data center goes down for a 50K user deployment. Customer has specifically asked why he shouldn't virtualize his PANs, and wants details of why not if we suggest sticking to physical devices.
Reading http://www.cisco.com/c/en/us/td/docs/security/ise/2-1/install_guide/b_ise_InstallationGuide21/b_ise_InstallationGuide21_… the official answer from Cisco appears to be that as long as a virtual environment is properly validated and has appropriately reserved hardware, we can scale up to the same performance as a 3595. Unofficially, do we stand by that document, or is there a deployment size beyond which we always recommend physical appliances instead of virtual?
Craig, Hsing, if either of you see this it's the same eval you've been providing awesome assistance with. :-)