Warning! The maximum supported latency between ISE 1.x/2.0 nodes is set at 200ms. ISE 2.1+ raises the guidance to a maximum of 300ms round-trip latency between PSN nodes and the PAN. However, there is no substitute for good design to optimize data replication and reduce the impact of latency.
The ISE Bandwidth Calculator has two worksheets:
Single-Site Calculator - Used to determine the bandwidth required between a remote location with distributed ISE nodes and a single head-end data center that contains the Primary Administration and Monitoring nodes.
Multi-Site Calculator - Used to show the overall bandwidth required between all remote locations with ISE nodes and one or two head-end data centers that contain the Administration and Monitoring nodes. Aggregate bandwidth at head-end sites is also shown, along with a graphical depiction.
Bandwidth Calculator Assumptions
ISE Auth Suppression enabled
Profiling Whitelist Filter enabled
One node group per location
For Single-Site calculation, the primary PAN and MnT nodes are deployed in the primary Data Center to which bandwidth is calculated; for Multi-Site calculation, the primary PAN is deployed in the primary DC.
Mobile endpoints authenticate/reauthenticate as frequently as 10/hr and refresh IP 1/hr
Non-Mobile endpoints authenticate/reauthenticate no more than once per Reauth Interval and refresh IP address no more than once per DHCP renewal (1/2 Lease Period)
Bandwidth required for NAD or Guest Activity logging is not included. These logging activities are highly variable and should be treated separately based on deployment requirements.
Bandwidth required for general RADIUS auth and accounting traffic is not included. RADIUS traffic is generally less significant but actual requirement is highly contingent on multiple factors including total active endpoints, reauth intervals, and the authentication protocols used.
Deployments where all ISE nodes are deployed in one location are not considered by this calculator. All nodes deployed in the same location are assumed to be connected by high-speed LAN links (Gigabit Ethernet or higher).
Max round-trip latency between any two ISE nodes is currently set at 200ms.
Mobile versus Non-Mobile Endpoint
For the purposes of this bandwidth calculator, Mobile and Non-Mobile Endpoints have the following characteristics:
Mobile Endpoints: Authenticate/reauthenticate as frequently as ten times per hour and refresh IP address as frequently as once per hour. Typical devices that fall under this category include wireless tablets, smart phones, and notebooks that are used to provide continuous network access while the user is mobile.
Non-Mobile Endpoints: Authenticate/reauthenticate no more than once per Reauth Interval and refresh IP address no more than once per DHCP renew period (1/2 Lease). Typical devices that fall under this category include stationary network devices, desktops, and even wireless laptops that tend to stay in the same location for extended periods.