Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2383
Views
20
Helpful
6
Replies

ISE Deployment sizing question

Go to solution
ChristopherCraddock66504
Level 1
Level 1

‎11-02-2021 11:14 AM

Dear Community,

I have a question about the ISE deployment sizing. We rolled out ISE in a fully distributed model (2x Admin Node, 2x Monitoring Node, 2x Policy Node). Each node is fully independent, no sharing of personas on any node. Now, we rolled out the Nodes in VMWare using the following templates:

 

Admin Nodes: Small Template based on SNS 3615 (8 Cores, 32GB RAM, 600GB Disk)

Monitoring Nodes: Medium Template based on SNS 3655 (24 Cores, 96GB RAM, 1.17TB Disk)

Policy Nodes: Large Template based on SNS 3695 (24 Cores, 256GB RAM, 1.17TB Disk)

 

Our Systems team is wanting to scale back the resources of the Monitoring and Policy nodes to that of a Small deployment (8 Cores, 32 GB RAM), they state that the resource usage is very low compared to whats been allocated and were wasting resources. Especially the RAM on the Policy nodes. 

 

My questions are these:

 

-Will ISE complain if we try to scale these resources back, given that we deployed the Nodes with a given template in the beginning?

-How does the VM Licesning work if we do scale the resources back? Will we still need to be licensed based off the node template (Small, Medium, Large) we used to stand up the VM's in the beginning?

-Should we consider redeploying everything using the Small or Medium sizes instead?

 

Thank you. 

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Rob Ingram
VIP
VIP
In response to ChristopherCraddock66504

‎11-02-2021 11:39 AM

@ChristopherCraddock66504 yes a small VM spec would suffice for such a deployment of your size. You cannot decrease the size of the disk afaik, so you should redeploy a new VM. Deregister the existing PSN nodes and re-provision the VMs as small, then register the new node to the cluster.

 

 

View solution in original post

6 Replies 6

Go to solution
balaji.bandi
Hall of Fame
Hall of Fame

‎11-02-2021 11:20 AM

When the ISE new deployment, it will use Low resource as per i know, but as it start getting more data, it is very CPU and resource intense.  as per the cisco  for better performance do not decrease the resource ( that come after they done very high testing and uer experience).

 

I can understand infra point of view why waste resources. but i will look for another 30-90days and take decision. how many device in the deployment.

 

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Go to solution
Rob Ingram
VIP
VIP

‎11-02-2021 11:21 AM - edited ‎11-02-2021 11:22 AM

@ChristopherCraddock66504 how many concurrent endpoints is your ISE cluster supporting? That number will determine the spec/resources of the nodes.


Refer to the scale and performance guide for more information.

https://www.cisco.com/c/en/us/td/docs/security/ise/performance_and_scalability/b_ise_perf_and_scale.html

https://www.cisco.com/c/en/us/td/docs/security/ise/3-0/install_guide/b_ise_InstallationGuide30/b_ise_InstallationGuide30_chapter_1.html

 

A PSN would not require that much disk space, you can download a specific Vmware OVA file recommended for a PSN node with a 300GB disk.

Go to solution
ChristopherCraddock66504
Level 1
Level 1

‎11-02-2021 11:28 AM

Thanks so much for the very fast replies! right now we are only using ISE for TACACS and Radius auth for VPN users. TACACS is supporting around 670 devices. We have less than 200 VPN users right now. We do plan on rolling out 802.1x for our wireless clients (probably <1500) in the future but we don't know when that will be. 

 

Thank you. 

0 Helpful

Go to solution
Rob Ingram
VIP
VIP
In response to ChristopherCraddock66504

‎11-02-2021 11:39 AM

@ChristopherCraddock66504 yes a small VM spec would suffice for such a deployment of your size. You cannot decrease the size of the disk afaik, so you should redeploy a new VM. Deregister the existing PSN nodes and re-provision the VMs as small, then register the new node to the cluster.

 

 

Go to solution
ChristopherCraddock66504
Level 1
Level 1
In response to Rob Ingram

‎11-02-2021 11:49 AM - edited ‎11-02-2021 11:50 AM

Rob, thank you. A couple more questions if I may:

 

-Can we leave the disk space as is but reduce the RAM/CPU of the existing nodes without having to redeploy?

-In regards to the Admin node, can that always be a "small" deployment? I am having trouble finding the differences in capability of the Admin Node based on deployment size. Is it the # of PSN's supported?

 

Thank you. 

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card