
SNS-3655 support for 100,000 NADs for TACACS

jcardana
Cisco Employee

Hi,

Please, can you help me clarify whether the SNS-3655, used only for TACACS, can support 100,000 NADs, or whether the number of NADs is limited to the number of endpoints, which is 25,000 in standalone mode?

 

Thanks,

Joao Cardana

Accepted Solutions


@Damien Miller wrote:
Since ISE 2.2 we have supported 100,000 NADs on all appliance / virtual deployments. But this is not the scaling that needs to be looked at. The 25,000 number you mention is active sessions, whereas the 100,000 number is the number of network devices (NADs) imported or defined in the system. We do also support up to 100k active sessions per 3695 PSN, but that doesn't appear to be what you are after necessarily since you are asking about NADs. So active sessions don't equal NADs is all.

When scaling TACACS you still want to abide by the performance guidelines for authentications per second. The challenge now is that the TACACS performance section within the posted performance and scale guide has no numbers for the 36x5 appliances. Adding to that, the numbers are for a full dedicated deployment.

So adding a data point for you since there isn't much information for hybrid. With 20k NADs and a 6x 3595 node hybrid deployment, RADIUS/TACACS device admin only, I saw 600k authentications per day. The average TPS is under 2 on each PSN, and load is nearly nonexistent with less than 10% CPU on all nodes. More automated scripts running would increase the auth/acct, especially if they were written to run in parallel.

Also check out http://cs.co/ise-training BRKSEC-3432; it has some slides and tables.


3 Replies

Damien Miller
VIP Alumni
Since ISE 2.2 we have supported 100,000 NADs on all appliance / virtual deployments. But this is not the scaling that needs to be looked at. The 25,000 number you mention is active sessions, whereas the 100,000 number is the number of network devices (NADs) imported or defined in the system. We do also support up to 100k active sessions per 3695 PSN, but that doesn't appear to be what you are after necessarily since you are asking about NADs. So active sessions don't equal NADs is all.

When scaling TACACS you still want to abide by the performance guidelines for authentications per second. The challenge now is that the TACACS performance section within the posted performance and scale guide has no numbers for the 36x5 appliances. Adding to that, the numbers are for a full dedicated deployment.

So adding a data point for you since there isn't much information for hybrid. With 20k NADs and a 6x 3595 node hybrid deployment, RADIUS/TACACS device admin only, I saw 600k authentications per day. The average TPS is under 2 on each PSN, and load is nearly nonexistent with less than 10% CPU on all nodes. More automated scripts running would increase the auth/acct, especially if they were written to run in parallel.

Hi,

Please let me share more information about this deployment. This is a migration from ACS to ISE, with TACACS+ support only.

1) The current deployment has nearly 20,000 NADs in the database.

2) 50 authentications per second (total peak).

3) 30 commands per second (total peak).

4) 2x power supplies are mandatory.

5) Right now the ACS is running on only 2x VMs in standalone mode.

What do you think about using 2x SNS-3655 Active/Standby in standalone mode, in order to address growth plans for the future?

Thanks,

Joao Cardana

 

 

