01-10-2018 09:49 AM
Hi Team,
We have a customer with a large ISE deployment with around 300K endpoints. The cluster has 47 PSNs and is running ISE 1.4.
The customer has started observing alarms on ISE with the profiler queue size limit being reached for around 6-7 PSNs. Currently RADIUS and DHCP probes are enabled on ISE. The DHCP helper address is configured only for voice and printer SVIs and not for any of the data VLANs. Distribution of PSNs on switches was done to distribute the AAA load equally (manual configuration and no LB).
The customer recently faced an issue where a MAC address was spoofed. As part of mitigation, we want to enable the DHCP probe on data VLANs also and increase the visibility. However, since we already see the profiler queue size limit alarm, we are wary of enabling DHCP profiling on data VLANs, which could increase the profiler load by a large factor.
Is there a workaround to this alarm? Is there a way to calculate the profiler load on PSNs so that we can point the DHCP probes to go to PSNs with lesser profile load? Since the sizing of the cluster was done considering the size of the network, are we supposed to hit such a limit on profiler queue?
Any help is appreciated.