
ISE Large Deployment Question

Would it be possible to have 1 admin, 1 monitor, and then 1 admin/monitor backup? I am getting ready for a large deployment and I can deploy 6 servers between 2 DCs. I have 25,000 base licenses and a TACACS license, and I was going to deploy:

1 admin

1 monitor

1 admin/monitor backup

3 policy nodes

 

Thanks,

Alex

VIP Advocate

Re: ISE Large Deployment Question

This does not fall under Cisco's recommended deployment model. For 25000 users, you would have to have dedicated Admin and Monitoring nodes, even for backups. I believe your proposed model may even work, but it won't be supported by Cisco.

If you can increase the node to 7 as below, this would be ideal:

1 admin

1 monitor

1 admin backup

1 monitoring backup

3 policy nodes (up to 40)

If you go with shared Admin/MnT nodes, the max scale you can get is 20000 RADIUS sessions.

Network deployment is provided here: https://www.cisco.com/c/en/us/td/docs/security/ise/2-2/install_guide/b_ise_InstallationGuide22/b_ise_InstallationGuide22_chapter_00.pdf
ajc Frequent Contributor

Re: ISE Large Deployment Question

Based on my own experience with a very large deployment (+12 ISE devices / +60K concurrent sessions / 300K+ devices profiled).

 

1. DO NOT combine secondary PAN & MnT on the same node.

2. DO NOT use 3495 for PAN or MnT. I would strongly suggest going with 3595 so you would not have to invest again in the short term when you realize the 3495 is not enough for the amount of data.

3. USE version 2.3, which has significant bugs already fixed.

4. USE individual nodes for each persona, including secondary roles.

5. 3 POLICY nodes should be good enough for 25K end users because 3495 PSNs can handle 20K x node.

6. CONSIDER an F5 or similar solution for load balancing the traffic AND smooth failover. Round Robin DNS when using CWA or Webauth does not work properly. WLC does not have an actual load balancing mechanism.

 

Hoping this helps.