Some scalability questions from a customer

martucci
Cisco Employee

Hello, 

First, I thought I posted a discussion with some of the following questions earlier in the week, but I cannot find it anymore, so apologies if they are duplicates.

A customer is starting a PoC for ISE, but looking for a worldwide implementation, and has some questions in preparation for it.

  1. performance values for retrieving authorization information from LDAP. We consider using LDAP as replacement for AD for authorization purposes (for domain users and domain computers) and we can only find authentication performance in available documentation, not authorization
  2. if we replace internal endpoint database with ODBC database, we would need to know (documentation provided by Francesca shows examples for user attributes retrieval only)
    1. performance values for retrieving authentication and authorization attributes from ODBC
    2. possibility to retrieve endpoint attribute and use it in authorization profile for:
      • VLAN assignment
      • matching site code in the endpoint record with site code of NAD, where the authentication is coming from
  3. we believe we have read that in complex deployments Policy nodes can be manually configured by TAC so that each of the policy nodes at site will join different domain controller to overcome an issue where all policy nodes authenticate and authorize users at the same AD controller which will become overloaded. Is it right? Is there such possibility?
  4. scalability of the SW-Version attribute in the NAD record. The reason is that we need to store location code to each NAD and if we do it by NDG then the limit is ~20.000 NDGs and we have ~40.000 locations. That is why we selected SW Version attribute, one of few that can be used in authorization rules as matching attribute. How many distinct values can be stored there?
  5. is it possible to extend NAD attributes somehow (dictionary?) and use these attributes in the authorization policies as matching attributes? If so, how do they scale?
  6. performance/scalability values for API
  7. NMAP scalability values. Is there a way to control the number of NMAP scans that ISE will launch, and how can we be sure it will not create issues in ISE or the network if we enable that probe?

 Thanks in advance
