Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
923
Views
5
Helpful
8
Replies

ISE 1.2 and maximum PSNs supported in my Persona config

Go to solution
luceroc
Level 4
Level 4

‎01-26-2015 04:59 PM - edited ‎03-10-2019 10:22 PM

Hello folks,  I am putting together a medium to large distributed ISE deployment and wondered if anybody could tell me what the maximum number of PSNs are allowed under this configuration.   I was reading thru an older training document with version 1.1 and it suggested only 5, which is why I am wondering if the specs changed on 1.2 but I cannot find them anywhere handy.

 

I have a large VM running the PRIMARY admin persona which also is secondary for my reporting & monitoring in my main data center.

In another state (connected with 10G) is another large VM acting as my secondary admin persona with primary monitoring & reporting.

Across multiple states I want to have multiple PSNs across the geographical layouts of each state but I am not sure if I can scale enough PSNs with my current version of 1.2 and my persona config listed above.    I have a need for about 12 to 15 PSNs.

Wondering if I need two more VMs to break out my monitoring as one node in DC1 and secondary monitoring in DC2 in order to get more PSN scalability.

Any help would be greatly appreciated.

-Thanks

 

 

Labels:
Preview file
42 KB
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
nspasov
Cisco Employee
Cisco Employee

‎01-26-2015 10:05 PM

As Marvin suggested, I would look into using 1.3 at this point unless you have some specific concerns with that version and really want to stay with 1.2. With that being said, here are my recommendations/comments:

- Both v1.2 and v1.3 can actually scale up to 40 PSN nodes

- If any of your PSN nodes are going to be placed in the same location and are layer 2 adjacent I would recommend putting them in a node group and behind a load balancer. If you don't have a load balancer, I would still put them in a node group. At the moment a node group can have up to 10 PSNs

- If you are going to have 10-15 PSN nodes then you should dedicate 2 nodes for specifically for the monitoring persona

- The maximum roundtrip delay between any nodes cannot exceed 200ms

For more info you can always reference the "Network Deployment" section in the hardware installation guide for ISE:

v1.3

http://www.cisco.com/c/en/us/td/docs/security/ise/1-3/installation_guide/b_ise_InstallationGuide13/b_ise_InstallationGuide12_chapter_00.html

v1.2

http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/installation_guide/ise_ig/ise_deploy.html

 

Thank you for rating helpful posts!

View solution in original post

0 Helpful
8 Replies 8

Go to solution
nspasov
Cisco Employee
Cisco Employee

‎01-26-2015 10:05 PM

As Marvin suggested, I would look into using 1.3 at this point unless you have some specific concerns with that version and really want to stay with 1.2. With that being said, here are my recommendations/comments:

- Both v1.2 and v1.3 can actually scale up to 40 PSN nodes

- If any of your PSN nodes are going to be placed in the same location and are layer 2 adjacent I would recommend putting them in a node group and behind a load balancer. If you don't have a load balancer, I would still put them in a node group. At the moment a node group can have up to 10 PSNs

- If you are going to have 10-15 PSN nodes then you should dedicate 2 nodes for specifically for the monitoring persona

- The maximum roundtrip delay between any nodes cannot exceed 200ms

For more info you can always reference the "Network Deployment" section in the hardware installation guide for ISE:

v1.3

http://www.cisco.com/c/en/us/td/docs/security/ise/1-3/installation_guide/b_ise_InstallationGuide13/b_ise_InstallationGuide12_chapter_00.html

v1.2

http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/installation_guide/ise_ig/ise_deploy.html

 

Thank you for rating helpful posts!

0 Helpful

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame

‎01-27-2015 03:45 AM

Yes, you can scale up to 40 PSNs since ISE 1.2.

Why would you build out with the old model 3300 series appliances though?

You'd also be much better served with ISE 1.3 going forward.

 

(Edited 1/27/2015 - corrected PSN count correctly provided by Neno.)

Go to solution
cciesec2011
Level 3
Level 3
In response to Marvin Rhoads

‎01-27-2015 03:45 AM

I just had a meeting with my Cisco SE and he informed to stay off ISE 1.3 until at least six months from now when most of the bugs have been resolved with patch 5 or patch 6.  ISE 1.3 is currently on patch 1.

 

I don't think any sane person would be deploying or upgrading to ISE 1.3 right now.  Too many unknowns

0 Helpful

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to cciesec2011

‎01-27-2015 07:25 AM

I've done 3 production deployments with 1.3 and haven't observed any issues so far. It's been out for almost three months and Patch 1 has a relatively short list of bug fixes.

0 Helpful

Go to solution
luceroc
Level 4
Level 4
In response to Marvin Rhoads

‎01-27-2015 08:57 AM

Thank you Marvin/Neno and others! 

Marvin, I purchased the 3300 series a while back and have been waiting to find time to deploy, I know we should have acted sooner but things were changing in the 1.0 to 1.1 versions and then priorities were shuffled. So we have these already deployed around the enterprise just waiting for final configurations. 

However I will most likely need to purchase VM licenses for any additional PSNs that I will need to deploy.  Here's where I will probably go with a newer SKU. 

I'll review the differences between 1.2 and 1.3 and will probably make a case to upgrade unless there's some snag in my 3300 series and 1.3.

Thanks for the great and timely assistance.

Regards,

Charlie

 

 

0 Helpful

Go to solution
Venkatesh Attuluri
Cisco Employee
Cisco Employee

‎01-27-2015 05:01 AM

what is the concurrent end point count ?

0 Helpful

Go to solution
luceroc
Level 4
Level 4
In response to Venkatesh Attuluri

‎01-27-2015 08:29 AM

Endpoint count will be around 20k.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents