Cisco Employee

Small/Basic distributed deployment with 3 datacenters

Hi,

"ISE Performance & Scale" and the new "ISE-best practices" documents both require, when using a 2 PAN/MnT node setup, a maximum of 5 PSNs and 20K active sessions (on 3595 as PAN+MnT).

For a worldwide support design with 3 zones (each with 2 PSNs, so total = 6), that requires using a fully distributed model with separate PAN / MnT nodes, even if the maximum number of sessions remains quite low (around 5K).

Can we reasonably deploy a cluster with 6 PSNs if the number of active sessions is far below what a 3595 can handle as a PAN+MnT server?

The customer is asking why we need so many management appliances to handle a mere 5k sessions.

Thanks in advance,

jean-francois

1 ACCEPTED SOLUTION

Contributor

jean-francois


I too had to justify the need. Your 3 locations need 2 PANs / MnT just to have basic redundancy, and dual MnT will allow you to load balance the AAA functions across the 2 nodes. As for your other sites, if they are across weaker WAN circuits, then you would need / want to have nodes to perform the same functions at that location and so on. Best practice is to separate the functions of ISE, but of course you CAN have a deployment where you have all the roles enabled on each server, but the performance will definitely take a hit. Just don't call TAC to complain about latency and resource usage if you don't follow the recommended deployment model.

Realistically, I have 2 VMs: one is the primary PAN and secondary Monitoring and secondary PxGrid, the other is secondary PAN and primary Monitoring and primary PxGrid. What I can't do is have true PAN failover, which takes 2 primary nodes and 1 secondary. Would I like to have done it differently? Yes, but sometimes budgeted projects get trimmed down.


HTH-


Vince


2 REPLIES
Cisco Employee

This has been answered several times before on the reasons why.

Please see

https://www.google.com/search?q=ise5psn&oq=ise5psn&aqs=chrome..69i57j69i64.3094j0j7&sourceid=chrome&ie=UTF-8
