- ISE Deployment Scale and Limits
- Maximum Network Latency Between Nodes
- ISE Hardware Platforms
- ISE PSN Performance
- ISE TACACS+ Performance
- ISE 2.6 RADIUS Performance
- ISE 2.4 RADIUS Performance
- ISE 2.3 RADIUS Performance
- ISE 2.2 RADIUS Performance
- ISE 2.6 Scenario-Based Performance
- ISE 2.3 Scenario-Based Performance
- ISE 2.4 Passive Identity (Passive ID) and Easy Connect Scaling
- Passive ID / Easy Connect Scaling Per Deployment
- Passive ID / Easy Connect Scaling per PSN dedicated to Passive ID Service
- ISE 2.2 and 2.3 Passive Identity (Passive ID) and Easy Connect Scaling
- Passive ID / EZC Scaling Per Deployment
- Passive ID / Easy Connect Scaling per PSN dedicated to Passive ID Service
- Passive ID - Provider and Consumer Scaling
- ISE 2.4 Platform eXchange Grid (pxGrid v2) Scaling
- pxGrid v2 Scaling per Deployment
- pxGrid v2 Scaling per Dedicated pxGrid Node
- ISE 2.2 Platform eXchange Grid (pxGrid v1) Scaling
- pxGrid v1 Scaling per Deployment
- pxGrid v1 Scaling per Dedicated pxGrid Node
- ISE 2.2/2.3/2.4 Threat-Centric NAC (TC-NAC) Scaling
- TC-NAC Scaling per Deployment
- TC-NAC Scaling per PSN
- ISE TrustSec Scaling
- TrustSec Best Practices
- ISE 2.4 SXP Scaling
- ISE SXP Scaling per Deployment
- ISE SXP Scaling per SXPSN
- ISE 2.2 and 2.3 SXP Scaling
- ISE SXP Scaling per Deployment
- ISE SXP Scaling per SXPSN
- ISE Storage Requirements
- VM Disk Size Minimum Requirement
- MnT Persona Log Storage Requirements
- RADIUS Log Retention (Days):
- TACACS+ log retention( Days)
- ISE ERS Scale
- ISE WAN Bandwidth Calculator
- Sources
ISE Deployment Scale and Limits
ISE Architecture Terminology:
- PAN = Policy Administration Node
- MnT = Monitoring & Troubleshooting Node
- PSN = Policy Services Node
- PXG = Platform Exchange Grid Node
| Attribute | ISE 2.2 Maximums | ISE 2.4 Maximums | ISE 2.6 Maximums |
|---|---|---|---|
| Maximum number of concurrent sessions in a Dedicated deployment (Separate PAN, MnT, and PSN nodes) |
250,000 for 3495 as PAN and 3495 as MnT 500,000 for 3595 as PAN and 3595 as MnT |
34xx not supported 500,000 for 3595 as PAN and 3595 as MnT |
2,000,000 - 3695 as PAN and MnT 500,000 -3595 as PAN and MnT |
| Maximum number of concurrent sessions in a Hybrid deployment (PAN & MnT on a single node and dedicated PSNs) |
5,000 for 3415 as PAN+MnT 10,000 for 3495 as PAN+MnT 7,500 for 3515 as PAN+MnT 20,000 for 3595 as PAN+MnT |
34xx not supported 7,500 for 3515 as PAN+MnT 20,000 for 3595 as PAN+MnT |
10,000 for 3615 as PAN+MnT 25,000 for 3655 as PAN+MnT 50,000 for 3695 as PAN+MnT 7500 for 3515 as PAN+MnT 20,000 for 3595 as PAN+MnT |
| Maximum number of concurrent sessions in a Standalone deployment (PAN, MnT, and PSN personas all on a single node) |
5,000 for 3415 10,000 for 3495 7,500 for 3515 20,000 for 3595 |
34xx not supported 7,500 for 3515 20,000 for 3595 |
10,000 for 3615 25,000 for 3655 50,000 for 3695 7500 for 3515 20,000 for 3595 |
| Maximum number of PSNs in a Dedicated deployment (Separate PAN, MnT and PSN nodes) |
40 for 3495 as PAN | 50 for 3595 as PAN | 50 for 3595 as PAN 50 for 3695 as PAN |
| Maximum number of PSNs in a Hybrid deployment (PAN and MnT on a single node and dedicated PSNs) |
5 | Same | Same |
| Maximum number of pxGrid nodes in a Dedicated deployment (Separate PAN, MnT, PXG, and PSN nodes) |
2 | 4 (All active) | Same |
| Maximum number of pxGrid nodes in a Hybrid deployment (PAN and MnT on single node and Dedicated PSNs) |
2 (either collocate PXG on PAN+MNT node, or else dedicate PXG nodes and reduce PSN count by up to 2 nodes) |
Same | Same |
| Maximum number of NADs | 100,000 | Same | Same |
| Maximum number of Network Device Groups (NDGs) | 10,000 | Same | Same |
| Maximum number of Active Directory Forests (Join Points) |
50 | Same | Same |
| Maximum number of Active Directory controllers (WMI query) |
100 | Same | Same |
| Maximum number of Internal users | 300,000 | Same | Same |
| Maximum number of Internal guests | 1,000,000
Expect latency for admin GUI + user auth >500k guests |
Same | Same |
| Maximum number of User Certificates | 1,000,000 | Same | Same |
| Maximum number of Server Certificates | 1,000 | Same | Same |
| Maximum number of Trusted Certificates | 1,000 | Same | Same |
| Maximum number of user portals (Guest, BYOD, MDM, Cert, Posture..) |
600 | Same | Same |
| Maximum number of Endpoints | 1,500,000 | Same | 2,000,000 |
| Maximum number of Policy Sets | 100 | 200 | Same |
| Maximum number of Authentication Rules | 100 (Simple Policy Mode) 200 (Policy Set Mode) |
N/A (Simple Policy Mode) 1000 (Policy Set Mode) |
Same |
| Maximum number of Authorization Rules | 600 (Simple Policy Mode) 700 (Policy Set Mode) |
N/A (Simple Policy Mode) 3,000 (Policy Set Mode) with 3200 Authz profiles |
Same |
| Maximum number of User Identity Groups | 1,000 | Same | Same |
| Maximum number of Endpoint Identity Groups | 1,000 | Same | Same |
| TrustSec Scaling | See TrustSec scaling section below | See TrustSec scaling section below |
Maximum Network Latency Between Nodes
The maximum network latency (in milliseconds) between the ISE Administration Nodes and any other ISE nodes including the secondary PAN, MnT, and PSN.
| ISE Versions |
Maximum Latency (milliseconds) |
|---|---|
| ISE 2.0 and before | 200ms |
| ISE 2.1 and later | 300ms |
ISE Hardware Platforms
VMs must have the equivalent of the hardware platforms or better.
VM resources must be dedicated to ISE and not shared with other VMs.
| Appliance | SNS-3415 | SNS-3495 | SNS-3515 | SNS-3595 | SNS-3615 | SNS-3655 | SNS-3695 |
|---|---|---|---|---|---|---|---|
| Processor | 1 - Intel Xeon 2.4-GHz E5-2609 | 2 - Intel Xeon 2.4-GHz E5-2609 | 1 – Intel Xeon 2.40 GHz E5-2620 |
1 – Intel Xeon 2.60 GHz E5-2640 |
1 – Intel Xeon 2.10 GHz 4110 |
1 – Intel Xeon 2.10 GHz 4116 |
1 – Intel Xeon 2.10 GHz 4116 |
| Cores per processor | 4 | 4 | 6 | 8 | 8 | 12 | 12 |
| Memory | 16GB | 32GB | 16 GB (2x8GB) | 64 GB (4x16GB) | 32 GB (2x16GB) | 96 GB (6x16GB) | 256 GB (8x32GB) |
| Hard Disk | 1 x 600-GB 10k SAS HDD (600 GB total disk space) |
2 x 600-GB 10k SAS HDDs (600 GB total) |
1 x 600-GB 6Gb SAS 10K RPM | 4 x 600-GB 6Gb SAS 10K RPM | 1 x 600-GB 6Gb SAS 10K RPM | 4 x 600-GB 6Gb SAS 10K RPM | 8 x 600-GB 6Gb SAS 10K RPM |
| Hardware RAID | No | RAID 1 | No | Level 10 Cisco 12G SAS Modular RAID Controller |
No | Level 10 Cisco 12G SAS Modular RAID Controller |
Level 10 Cisco 12G SAS Modular RAID Controller |
| Network Interfaces | 4 x Integrated Gigabit NICs | 4 x Integrated Gigabit NICs | 6 x 1GBase-T | 6 x 1GBase-T | 2 X 10Gbase-T 4 x 1GBase-T |
2 X 10Gbase-T 4 x 1GBase-T |
2 X 10Gbase-T 4 x 1GBase-T |
| Power Supplies | - | Redundant | 1 x 770W | 2 x 770W | 1 x 770W | 2 x 770W | 2 x 770W |
* ISE 2.4 introduces a new Large VM appliance. The current SNS-3595 hardware (or its VM equivalent) will be reclassified as a Medium appliance. Under ISE 2.4, there is currently no Large Hardware-based appliance, only a Large Virtual appliance. The Large VM appliance has identical specifications as the SNS-3595, but with 256GB RAM. The Large 3595-based VM is intended for use as a performance-enhanced MnT node. There is currently no application for its use as a PAN, PSN, or pxGrid node.
*ISE 2.6 introduces 3 new platforms- SNS 3615,SNS-3655 and SNS 3695 supported on hardware and VM equivalent. SNS 35xx series platforms has been announced EoL.
ISE PSN Performance
Authentication values are approximate values. When determining how many PSN is needed for the deployment please use Maximum Concurrent Sessions, RADIUS and TACACS+ authentication rates as your guidelines. Authentication performance for specific use cases is also provided in case it is required to size out the deployment.
| 3415 | 3495 | 3515 | 3595 | 3615 | 3655 | 3695 | |
|---|---|---|---|---|---|---|---|
| ISE Version | ISE 2.0 / 2.1+ | ISE 2.0 / 2.1+ | ISE 2.0.1 / 2.1+ | ISE 2.0.1 / 2.1+ | ISE 2.6 | ISE 2.6 | ISE 2.6 |
| Maximum Concurrent Sessions | 5,000 | 20,000 | 5,000 / 7,500 | 20,000 / 40,000 | 10,000*/10,000 | 25000*/50,000 | 50,000*/100,000 |
* concurrent sessions for hybrid deployment
ISE TACACS+ Performance
Platform performance specs are for a dedicated PSN in transactions per second (TPS).
PAN and MNT nodes are deployed as separate node(s).
| Scenario | Cisco SNS-3415 Appliance | Cisco SNS-3495 Appliance | Cisco SNS-3515 Appliance | Cisco SNS-3595 Appliance |
|---|---|---|---|---|
| ISE Version | ISE 2.0 | ISE 2.0 | ISE 2.1 | ISE 2.1 |
| TACACS+ Function: PAP | 1,400 / second | 2,800 / second | 3,236 / second | 4,884 / second |
| TACACS+ Function: CHAP | 1,500 / second | 2,900 / second | 2,413 / second | 4,961 / second |
| TACACS+ Function: Enable | 700 / second | 1,200 / second | 1631/second | 1,984 / second |
| TACACS+ Function: Session AuthZ | 900 / second | 1,700 / second | 2,191 / second | 3,453 / second |
| TACACS+ Function: Command AuthZ | 900 / second | 1,700 / second | 2,359 / second | 3,467 / second |
| TACACS+ Function: Accounting | 2,900 / second | 4,900 / second | 3,209 / second | 9,128 / second |
ISE 2.6 RADIUS Performance
Performance per platform.
Authentications per second with PSN only persona (Approximate values)
| Authentication Method | Identity Store | Cisco SNS-3595 (auths / second) |
Cisco SNS-3615 (auths / second) |
Cisco SNS-3655 (auths / second) |
Cisco SNS-3695 (auths / second) |
|---|---|---|---|---|---|
| PAP | Internal | 1256 | 1281 | 1478 | 1531 |
| PAP | Active Directory | 443 | 513 | 545 | 571 |
| PAP | LDAP | 1557 | 1463 | 1537 | 1604 |
| PEAP (MSCHAPv2) | Internal | 439 | 467 | 491 | 513 |
| PEAP (MSCHAPv2) | Active Directory | 356 | 373 | 387 | 407 |
| PEAP (GTC) | Internal | 421 | 434 | 461 | 496 |
| PEAP (GTC) | Active Directory | 334 | 371 | 404 | 431 |
| EAP-FAST (MSCHAPv2) | Internal | 557 | 643 | 661 | 703 |
| EAP-FAST (MSCHAPv2) | Active Directory | 417 | 457 | 471 | 489 |
| EAP-FAST (GTC) | Internal | 587 | 612 | 667 | 690 |
| EAP-FAST (GTC) | Active Directory | 401 | 443 | 478 | 504 |
| EAP-FAST (GTC) | LDAP | 615 | 779 | 811 | 867 |
| EAP-TLS | Internal | 247 | 348 | 367 | 388 |
| EAP-TLS | Active Directory | 251 | 335 | 356 | 381 |
| EAP-TLS | LDAP | 281 | 354 | 381 | 404 |
| MAB | Internal | 1101 | 762 | 1199 | 1299 |
| MAB | LDAP | 729 | 731 | 742 | 731 |
ISE 2.4 RADIUS Performance
Performance per platform.
Authentications per second with PSN only persona (Approximate values)
| Authentication Method | Identity Store | Cisco SNS-3515 (auths / second) |
Cisco SNS-3595 (auths / second) |
|---|---|---|---|
| PAP | Internal | 1485 | 1575 |
| PAP | Active Directory | 440 | 465 |
| PAP | LDAP | 1255 | 1340 |
| PEAP (MSCHAPv2) | Internal | 475 | 515 |
| PEAP (MSCHAPv2) | Active Directory | 365 | 385 |
| PEAP (MSCHAPv2) | LDAP | Roadmap | Roadmap |
| PEAP (GTC) | Internal | 435 | 470 |
| PEAP (GTC) | Active Directory | 340 | 365 |
| EAP-FAST (MSCHAPv2) | Internal | 485 | 515 |
| EAP-FAST (MSCHAPv2) | Active Directory | 410 | 445 |
| EAP-FAST (GTC) | Internal | 495 | 555 |
| EAP-FAST (GTC) | Active Directory | 430 | 450 |
| EAP-FAST (GTC) | LDAP | 545 | 585 |
| EAP-TLS | Internal | 310 | 310 |
| EAP-TLS | Active Directory | 310 | 315 |
| EAP-TLS | LDAP | 315 | 320 |
| MAB | Internal | 780 | 1245 |
| MAB | LDAP | 700 | 800 |
ISE 2.3 RADIUS Performance
Performance per platform.
Authentications per second with PSN only persona (Approximate values)
| Authentication Method | Identity Store | Cisco SNS-3515 (auths / second) |
Cisco SNS-3595 (auths / second) |
|---|---|---|---|
| PAP | Internal | 1630 | 2060 |
| PAP | Active Directory | 355 | 530 |
| PAP | LDAP | 585 | 1575 |
| PEAP (MSCHAPv2) | Internal | 375 | 575 |
| PEAP (MSCHAPv2) | Active Directory | 265 | 470 |
| PEAP (MSCHAPv2) | LDAP | Roadmap | Roadmap |
| EAP-FAST (MSCHAPv2) | Internal | 535 | 735 |
| EAP-FAST (MSCHAPv2) | Active Directory | 335 | 530 |
| EAP-FAST (GTC) | Internal | 445 | 1030 |
| EAP-FAST (GTC) | Active Directory | 410 (p2) | 510 |
| EAP-FAST (GTC) | LDAP | 305 (p2) | 775 |
| EAP-TLS | Internal | 190 | 330 |
| EAP-TLS | Active Directory | 200 | 320 |
| EAP-TLS | LDAP | 185 | 320 |
ISE 2.2 RADIUS Performance
Performance per platform.
Authentications per second with PSN only persona (Approximate values)
| Authentication Method | Identity Store | Cisco SNS-3415 (auths / second) |
Cisco SNS-3495 (auths / second) |
Cisco SNS-3515 (auths / second) |
Cisco SNS-3595 (auths / second) |
|---|---|---|---|---|---|
| PAP | Internal | 555 | 1575 | 2185 | |
| PAP | Active Directory | 365 | 530 | 510 | |
| PAP | LDAP | 730 | 1980 | 2810 | |
| PEAP (MSCHAPv2) | Internal | 165 | 360 | 570 | |
| PEAP (MSCHAPv2) | Active Directory | 150 | 400 | 485 | |
| PEAP (MSCHAPv2) | LDAP | Roadmap | Roadmap | Roadmap | Roadmap |
| EAP-FAST (MSCHAPv2) | Internal | 265 | 560 | 750 | |
| EAP-FAST (MSCHAPv2) | Active Directory | 235 | 505 | 525 | |
| EAP-FAST (GTC) | Internal | 260 | 505 | 1060 | |
| EAP-FAST (GTC) | Active Directory | 220 | 470 | 520 | |
| EAP-FAST (GTC) | LDAP | 285 | 600 | 1155 | |
| EAP-TLS | Internal | 330 | 335 | 335 | |
| EAP-TLS | AD | 300 | 325 | 325 | |
| EAP-TLS | LDAP | 310 | 320 | 320 |
NA = Not Available
EAP-TLS: 2k key size, Session-Resume set to OFF
PEAP: Fast Reconnect and Session-Resume on the client and ISE - OFF
ISE 2.6 Scenario-Based Performance
| Scenario | SNS-3515 (auths / second) |
SNS-3595 (auths / second) |
SNS-3615 (auths / second) |
SNS-3655 (auths / second) |
SNS-3695 (auths / second) |
|---|---|---|---|---|---|
| Posture Authentication | 47 | 70 | 51 | 83 | |
| Guest Hostspot Authentications | 152 | 192 | 168 | 225 | 270 |
| Guest Sponsored Authentications | 93 | 126 | 111 | 184 | 189 |
| BYOD onboarding single SSID (ios) | ISE CA : 22.33 External CA: 21.78 | ISE CA: 23.3 External CA: 22.54 |
ISE CA: 22.58 External CA: 23.56 |
||
| BYOD onboarding dual SSID (ios) | ISE CA : 23.62 External CA :24.24 | ISE CA: 31.35 External CA: 31.69 | ISE CA: 22.68 External CA: 30.17 |
||
| BYOD onboarding single SSID (android) | ISE CA:21 External CA: 22.31 |
ISE CA:22.35 External CA: 21.92 |
ISE CA: 21.57 External CA: 21.69 |
||
| BYOD onboarding dual SSID ( android) | ISE CA: 22.07 External CA: 21.54 |
ISE CA: 22.88 External CA: 22.3 |
ISE CA: 22.07 External CA:22.14 |
||
| MDM ((simulated - not impeded by MDM Server API performance) | |||||
| Internal CA certificate Issuance |
ISE 2.3 Scenario-Based Performance
| Scenario | Cisco SNS-3515 Appliance (auths / second) |
Cisco SNS-3595 Appliance (auths / second) |
|---|---|---|
| Posture Authentications | - | 50 |
| Guest Hotspot Authentications | 90 | 220 |
| Guest Sponsored User Authentications | 60 | 170 |
| Bulk Guest Creation via ERS API | - | 375 |
| BYOD Onboarding Single SSID (iOS) | ISE CA: 16 / External CA:13 | ISE CA: 20 / External CA:29 |
| BYOD Onboarding Dual SSID (iOS) | ISE CA: 19 / External CA:16 | ISE CA: 19 / External CA:26 |
| BYOD Onboarding Single SSID (Android) | ISE CA: 18 / External CA:19 | ISE CA: 19 / External CA:26 |
| BYOD Onboarding Dual SSID (Android) | ISE CA: 21 / External CA:21 | ISE CA: 20 / External CA:35 |
| MDM (simulated - not impeded by MDM Server API performance) | 250 | 340 |
| Internal CA Certificate Issuance | 43 | 45 |
ISE 2.4 Passive Identity (Passive ID) and Easy Connect Scaling
Passive ID / Easy Connect Scaling Per Deployment
| Passive Identity & Easy Connect Scaling by Deployment Size |
Scaling with Mixed RADIUS and Passive Identity / Easy Connect Services | ||||||
|---|---|---|---|---|---|---|---|
| Deployment model | Platform | Max Dedicated PSNs |
Max RADIUS sessions per Deployment | Max Passive ID sessions per Deployment | Max Merged & Easy Connect Sessions* (Shared PSNs) |
Max Merged & Easy Connect Sessions* (Dedicated PSNs) |
|
| Standalone | 3515 | 0 | 7,500 | 100,000 | 1,000 | N/A | |
| 3595 | 0 | 20,000 | 300,000 | 2,000 | N/A | ||
| Medium
PAN+MNT on same node |
3515 as PAN+MNT | 5 | 7,500 | 100,000 | 1,000 | 5,000 | |
| 3595 as PAN+MNT | 5 | 20,000 | 500,000 | 2,000 | 10,000 | ||
| Dedicated PAN, MNT, PXG and PSN nodes | 3595 as PAN and MNT | 50 | 500,000 | 500,000 | 500,000 | 500,000 | |
| 3595 as PAN and Large MNT | 50 | 500,000 | 1M | 500,000 | 500,000 | ||
Passive ID / Easy Connect Scaling per PSN dedicated to Passive ID Service
| Platform | Max Passive ID sessions per PSN | Max Merged & Easy Connect Sessions * per PSN |
|---|---|---|
| 3515 | 100,000 | 7,500 |
| 3595 | 500,000 | 40,000 |
* Subset of Max RADIUS/Max Passive Sessions
ISE 2.2 and 2.3 Passive Identity (Passive ID) and Easy Connect Scaling
Passive ID / EZC Scaling Per Deployment
| Passive Identity & Easy Connect Scaling by Deployment Size | Scaling with Mixed RADIUS and Passive Identity / Easy Connect Services | ||||||
|---|---|---|---|---|---|---|---|
| Deployment model | Platform | Max Dedicated PSNs |
Max RADIUS sessions per Deployment | Max Passive ID sessions per Deployment | Max Merged & Easy Connect Sessions* (Shared PSNs) |
Max Merged & Easy Connect Sessions* (Dedicated PSNs) |
|
| Standalone | 3415 | 0 | 5,000 | 50,000 | 500 | N/A | |
| 3495 | 0 | 10,000 | 100,000 | 1,000 | N/A | ||
| 3515 | 0 | 7,500 | 100,000 | 1,000 | N/A | ||
| 3595 | 0 | 20,000 | 300,000 | 2,000 | N/A | ||
| Medium PAN+MNT on same node Dedicated PSNs |
3415 as PAN+MNT | 5 | 5,000 | 50,000 | 500 | 2,500 | |
| 3495 as PAN+MNT | 5 | 10,000 | 100,000 | 1,000 | 5,000 | ||
| 3515 as PAN+MNT | 5 | 7,500 | 100,000 | 1,000 | 5,000 | ||
| 3595 as PAN+MNT | 5 | 20,000 | 300,000 | 2,000 | 10,000 | ||
| Dedicated PAN, MNT, PXG and PSN nodes | 3495 as PAN and MNT | 40 | 250,000 | 100,000 | N/A | 25,000 | |
| 3595 as PAN and MNT | 50 | 500,000 | 300,000 | N/A | 50,000 | ||
Passive ID / Easy Connect Scaling per PSN dedicated to Passive ID Service
| Platform | Max Passive ID sessions per PSN |
Max Merged & Easy Connect Sessions * per PSN |
|---|---|---|
| 3415 | 50,000 | 5,000 |
| 3495 | 100,000 | 25,000 |
| 3515 | 100,000 | 7,500 |
| 3595 | 300,000 | 40,000 |
* Subset of Max RADIUS/Max Passive Sessions
Passive ID - Provider and Consumer Scaling
| Scenario | 3515/3595 Virtual Appliance |
|---|---|
| Max AD Domain Controllers supported via WMI or ISE AD Agent | 100 |
| Max AD Agents (assuming 1:1 agent to DC) | 100 |
| Recommended # DCs per Agent (agent on DC) | 1 |
| Recommended # DCs per Agent (agent on member server) | 10 |
| Recommended # PSNs enabled for WMI (Passive ID service) | 2 |
| Max REST API Providers | 50 |
| Max REST API EPS | 1,000 |
| Max Syslog Providers | 70 |
| Max Syslog EPS | 400 |
| Max Endpoints Probed per Interval | 100,000 |
| Max pxGrid Subscribers | 20 |
ISE 2.4 Platform eXchange Grid (pxGrid v2) Scaling
pxGrid v2 Scaling per Deployment
| Deployment Type | Platform | Max PSNs | Max PXGs | Max pxGrid Subscribers: Shared PAN+MNT+PXG | Max pxGrid Subscribers: Dedicated PSN/PXG |
|---|---|---|---|---|---|
| Standalone All personas on same node
2 nodes redundant |
3515 | 0 | 0 | 20 | N/A |
| 3595 | 0 | 0 | 30 | N/A | |
| Medium
PAN+MnT+PXG on same node and dedicated PSNs |
3515 as PAN+MNT/PXG | 5* | 2* | 140 | 400 |
| 3595 as PAN+MNT/PXG | 5* | 2* | 160 | 400 | |
| 3595 as PAN+MNT/PXG | 5* | 3* | 160 | 600 | |
| Dedicated All personas on dedicated nodes
Minimum 6 nodes redundant |
3595 as PAN and MNT | 50 | 4 | N/A | 800 |
| 3595 as PAN and Large MNT | 50 | 4 | N/A | 800 |
* Max PSN + PXG Nodes = 5
pxGrid v2 Scaling per Dedicated pxGrid Node
Maximum publish rate is gated by the Total Deployment Size
| Platform | Max Subscribers per pxGrid node |
|---|---|
| 3515 | 200 |
| 3595 | 200 |
| 3615 | 220 |
| 3655 | 230 |
| 3695 | 250 |
ISE 2.2 Platform eXchange Grid (pxGrid v1) Scaling
pxGrid v1 Scaling per Deployment
| Deployment Type | Platform | Max PSNs | Max PXGs | Max pxGrid Subscribers: Shared PAN+MNT+PXG | Max pxGrid Subscribers: Dedicated PSN/PXG |
|---|---|---|---|---|---|
| Standalone All personas on same node
2 nodes redundant |
3415 | 0 | 0 | 2 | N/A |
| 3495 | 0 | 0 | 2 | N/A | |
| 3515 | 0 | 0 | 2 | N/A | |
| 3595 | 0 | 0 | 2 | N/A | |
| Medium
PAN+MnT+PXG on same node and dedicated PSNs |
3415 as PAN+MNT/PXG | 5* | 2* | 5 | 15 |
| 3495 as PAN+MNT/PXG | 5* | 2* | 5 | 15 | |
| 3515 as PAN+MNT/PXG | 5* | 2* | 5 | 15 | |
| 3595 as PAN+MNT/PXG | 5* | 2* | 5 | 15 | |
| Dedicated All personas on dedicated nodes
Minimum 6 nodes redundant |
3495 as PAN and MNT | 40 | 2 | N/A | 25 |
| 3595 as PAN and MNT | 50 | 2 | N/A | 25 |
* Max PSN + PXG Nodes = 5
pxGrid v1 Scaling per Dedicated pxGrid Node
Maximum publish rate is gated by the Total Deployment Size
| Platform | Max Subscribers per pxGrid node |
|---|---|
| 3415 | 10 |
| 3495 | 20 |
| 3515 | 15 |
| 3595 | 25 |
ISE 2.2/2.3/2.4 Threat-Centric NAC (TC-NAC) Scaling
TC-NAC Scaling per Deployment
Deployment Type |
Platform |
TC-NAC enabled on RADIUS PSN | Dedicated PSN for TC-NAC | ||||
|---|---|---|---|---|---|---|---|
| Max TC-NAC Adapters | Max VAF (TPM) | Max IRF (TPS) | Max TC-NAC Adapters | Max VAF (TPM) | Max IRF(TPS) | ||
| Standalone All personas on same node
2 nodes redundant |
3415 | 1 | 5 | 5 | N/A | N/A | N/A |
| 3495 | 1 | 5 | 5 | N/A | N/A | N/A | |
| 3515 | 1 | 5 | 5 | N/A | N/A | N/A | |
| 3595 | 1 | 5 | 5 | N/A | N/A | N/A | |
| Medium PAN+MnT on same node and dedicated PSNs Minimum 4 nodes redundant |
3415 as PAN+MNT | 1 | 5 | 10 | 3 | 40 | 80 |
| 3495 as PAN+MNT | 2 | 10 | 20 | 5 | 40 | 80 | |
| 3515 as PAN+MNT | 1 | 5 | 10 | 3 | 40 | 80 | |
| 3595 as PAN+MNT | 2 | 10 | 20 | 5 | 40 | 80 | |
| Dedicated All personas on dedicated nodes
Minimum 6 nodes redundant |
3495 as PAN and MNT | N/A | N/A | N/A | 5 | 40 | 80 |
| 3595 as PAN and MNT | N/A | N/A | N/A | 5 | 40 | 80 | |
* Max 1 TC-NAC node supported per deployment in ISE 2.1/2.2
TC-NAC Scaling per PSN
| Scaling per PSN | Platform | Max TC-NAC Adapters | Max VAF TPM | Max IRF TPS |
|---|---|---|---|---|
| Dedicated TC-NAC nodes Gated by Total Deployment Scale |
3415 | 3 | 40 | 80 |
| 3495 | 5 | 40 | 80 | |
| 3515 | 3 | 40 | 80 | |
| 3595 | 5 | 40 | 80 |
ISE TrustSec Scaling
| Attribute | Maximums (ISE 2.2) |
Maximums (ISE 2.4) |
Maximums (ISE 2.6) |
|---|---|---|---|
| TrustSec Security Group Tags (SGTs) |
4,000 | 10,000 | 10,000 |
| TrustSec Security Group ACLs (SGACLs) | 1,000 | 1,000 | 1,000 |
| TrustSec IP-SGT Static Bindings (over SSH) | 10,000 | 10,000 | 10,000 |
| NADs with TrustSec CoA in Standalone Deployment (see Best Practice below) | 100 | 100 |
TrustSec Best Practices
SXP Nodes (SXPSNs)
Take note of the following that is documented in the ISE Admin Guides:
Multiple Matrices
ISE 2.2+ supports multiple matrices and assigning NADs to each matrix. When moving NADs between the matrix, maximum number of NADs ISE can move to other matrix at one time is 50. If more than 50 NADs needs to be moved, then repeat the steps with less than 50 NADs at a time.
ISE CoA Handling
For ISE 2.2 and 2.3:
The CoA messages sent for update-cts-environment-data, update-sgt and update-rbacl, are originated from the PAN.
When CoA’s are transmitted, ISE uses a separate CPU thread for each NAD, increasing the CPU load and Memory consumed on the PAN.
When CoA messages are received by network devices, the consequence is RADIUS requests sent to ISE to download updated data.
The recommendation for large installations is to use a Dedicated deployment (Separate PAN, MnT, and PSN nodes). The CoA operation dictates that if nodes are not deployed on separate instances then for a large number of network devices (over 100 NADs), at least use a Hybrid deployment with dedicated PSNs. Then network devices can be configured to send RADIUS requests to a PSN to download updates so the CPU and Memory utilization and subsequent latency of the PAN is not increased further whilst dealing with the CoA messages.
For ISE 2.4:
By default, the CoA messages sent for update-cts-environment-data, update-sgt and update-rbacl, are originated from the PAN. So, without changing the default behaviour, the same recommendation can be provided as per ISE 2.2 and 2.3 above.
It is further recommended to change the default behaviour by sending CoA’s from local PSN’s rather than the PAN to reduce load on the PAN and distribute CoA generation around the ISE nodes. This is a new feature in ISE 2.4 and is configured in the Advanced TrustSec Settings under the Network Device.
ISE 2.4 SXP Scaling
ISE SXP Scaling per Deployment
| Deployment Type | Platform | Max PSNs | Max ISE SXP Bindings (Shared SXP & RADIUS PSNs) |
Max ISE SXP Bindings (Dedicated RADIUS & SXPSNs) |
Max ISE SXP Peers |
|---|---|---|---|---|---|
| Standalone All personas on same node,
2 nodes redundant |
3515 | 0 | 3,500 | N/A | 20 |
| 3595 | 0 | 10,000 | N/A | 30 | |
| Uniified PAN+MnT on same node and dedicated PSNs
Minimum 4 nodes redundant |
3515 as PAN+MNT | 5 | 3,750 | 7,500 | 200 |
| 3595 as PAN+MNT | 5 | 10,000 | 20,000 | 200 | |
| Dedicated All personas on dedicated nodes
Minimum 6 nodes redundant |
3595 as PAN and MNT | 50 | N/A | 350,000 (1 pair) 500,000 (2 pair) |
200 (1 pair) |
| 3595 as PAN and Large MNT | 50 | N/A | 350,000 (1 pair) 700,000 (2 pair) 1,050,000 (3 pair) 1,400,000 (4 pair) |
200 (1 pair) 400 (2 pair) 600 (3 pair) 800 (4 pair) |
* Max 4 SXPSN pairs supported in ISE 2.4
ISE SXP Scaling per SXPSN
| Scaling per SXPSN | Platform | Max ISE SXP Bindings | Max ISE SXP Peers |
|---|---|---|---|
| Dedicated SXPSN nodes Gated by Total Deployment Scale |
3515 | 200,000 | 200 |
| 3595 | 350,000 | 200 |
ISE 2.2 and 2.3 SXP Scaling
ISE SXP Scaling per Deployment
| Deployment Type | Platform | Max PSNs | Max ISE SXP Bindings (Shared SXP & RADIUS PSNs) |
Max ISE SXP Bindings (Dedicated RADIUS & SXPSNs) |
Max ISE SXP Peers |
|---|---|---|---|---|---|
| Standalone All personas on same node, 2 nodes redundant |
3415 | 0 | 2,500 | N/A | 10 |
| 3495 | 0 | 5,000 | N/A | 20 | |
| 3515 | 0 | 3,750 | N/A | 15 | |
| 3595 | 0 | 10,000 | N/A | 25 | |
| Uniified PAN+MnT on same node and dedicated PSNs Minimum 4 nodes redundant |
3415 as PAN+MNT | 5 | 2,500 | 5,000 | 100 |
| 3495 as PAN+MNT | 5 | 5,000 | 10,000 | 100 | |
| 3515 as PAN+MNT | 5 | 3,750 | 7,500 | 100 | |
| 3595 as PAN+MNT | 5 | 10,000 | 20,000 | 100 | |
| Dedicated All personas on dedicated nodes Minimum 6 nodes redundant |
3495 as PAN and MNT | 40 | N/A | 150,000 (1 pair) 250,000 (2 pair) |
100 (1 pair) 200 (2 pair) |
| 3595 as PAN and MNT | 50 | N/A | 250,000 (1 pair) 500,000 (2 pair) |
100 (1 pair) 200 (2 pair) |
* Max 2 SXPSN pairs supported in ISE 2.2/2.3
ISE SXP Scaling per SXPSN
| Scaling per SXPSN | Platform | Max ISE SXP Bindings | Max ISE SXP Peers |
|---|---|---|---|
| Dedicated SXPSN nodes Gated by Total Deployment Scale |
3415 | 100,000 | 100 |
| 3495 | 150,000 | 100 | |
| 3515 | 150,000 | 100 | |
| 3595 | 250,000 | 100 |
ISE Storage Requirements
VM Disk Size Minimum Requirement
| Persona | Minimum Disk Size (GB) |
|---|---|
| Standalone* (all personas on single node) | 200+ GB |
| PAN Only | |
| MnT Only* | |
| PSN Only | |
| PXG Only | |
| PAN + MnT* | |
| PAN + MnT* + PXG |
* Minimum 600GB required for any node running MnT persona
MnT Persona Log Storage Requirements
ISE MnT Log sizing calculator for TACACS+ and RADIUS
RADIUS Log Retention (Days):
Days of log retention - assuming collection filter is enabled - for various MnT Disk Sizes.
ISE 2.0/2.1 (30% disk allocation):
| Total Endpoints | 200 GB (days) |
400 GB (days) |
600 GB (days) |
1024 GB (days) |
2048 GB (days) |
|---|---|---|---|---|---|
| 10,000 | 126 | 252 | 378 | 645 | 1,289 |
| 20,000 | 63 | 126 | 189 | 323 | 645 |
| 30,000 | 42 | 84 | 126 | 215 | 430 |
| 40,000 | 32 | 63 | 95 | 162 | 323 |
| 50,000 | 26 | 51 | 76 | 129 | 258 |
| 100,000 | 13 | 26 | 38 | 65 | 129 |
| 150,000 | 9 | 17 | 26 | 43 | 86 |
| 200,000 | 7 | 13 | 19 | 33 | 65 |
| 250,000 | 6 | 11 | 16 | 26 | 52 |
ISE 2.2 (60% disk allocation)
| Total Endpoints | 200 GB (days) |
400 GB (days) |
600 GB (days) |
1024 GB (days) |
2048 GB (days) |
|---|---|---|---|---|---|
| 5,000 | 504 | 1007 | 1510 | 2577 | 5154 |
| 10,000 | 252 | 504 | 755 | 1289 | 2577 |
| 25,000 | 101 | 202 | 302 | 516 | 1031 |
| 50,000 | 51 | 101 | 151 | 258 | 516 |
| 100,000 | 26 | 51 | 76 | 129 | 258 |
| 150,000 | 17 | 34 | 51 | 86 | 172 |
| 200,000 | 13 | 26 | 38 | 65 | 129 |
| 250,000 | 11 | 21 | 31 | 52 | 104 |
| 500,000 | 6 | 11 | 16 | 26 | 52 |
TACACS+ log retention( Days)
Scripted device admin model:
- Number of sessions per day: 4
- Number of commands: 10
- Message Size /session (KB) = 5kB + Number of commands/session *3kB
- Automated access(single script) log size calculation = n Number of devices * 4 Sessions * Message size
- E.g. : Log Size for 30k Network devices = 4GB/day
ISE 2.0/2.1 (20% Disk Allocation):
| Number of Network Devices in the deployment |
MnT Disk Size (GB) | ||||
|---|---|---|---|---|---|
| 200 | 400 | 600 | 1024 | 2048 | |
| 500 | 480 | 959 | 1439 | 2455 | 4909 |
| 1000 | 240 | 480 | 720 | 1228 | 2455 |
| 5000 | 48 | 96 | 144 | 246 | 491 |
| 10000 | 24 | 48 | 72 | 123 | 246 |
| 20000 | 12 | 24 | 36 | 62 | 123 |
| 30000 | 8 | 16 | 24 | 41 | 82 |
| 50000 | 5 | 10 | 15 | 25 | 50 |
ISE 2.2 (60% disk allocation):
| # Network Devices | 200 GB (days) |
400 GB (days) |
600 GB (days) |
1024 GB (days) |
2048 GB (days) |
|---|---|---|---|---|---|
| 100 | 12,583 | 25,166 | 37,749 | 64,425 | 128,850 |
| 500 | 2,517 | 5,034 | 7,550 | 12,885 | 25,770 |
| 1,000 | 1,259 | 2,517 | 3,775 | 6,443 | 12,885 |
| 5,000 | 252 | 504 | 755 | 1,289 | 2,577 |
| 10,000 | 126 | 252 | 378 | 645 | 1,289 |
| 25,000 | 51 | 101 | 151 | 258 | 516 |
| 50,000 | 26 | 51 | 76 | 129 | 258 |
| 75,000 | 17 | 34 | 51 | 86 | 172 |
| 100,000 | 13 | 26 | 38 | 65 | 129 |
Human admin - Device admin model
- Number of sessions: 50
- Number of Commands/session: 10
- Message Size /session (KB) = 5kB + Number of commands/session *3kB
- Manual access log size calculation = 50 Sessions * N Admins * Message size
- E.g. : Log Size for 50 admins = 85.4MB/ day
ISE 2.0/2.1 (20% Disk Allocation):
| Number of Admins\ Disk Size(GB) | MnT Disk Size (GB) | ||||
|---|---|---|---|---|---|
| 200 | 400 | 600 | 1024 | 2048 | |
| 5 | 3835 | 7670 | 11505 | 19635 | 39269 |
| 10 | 1918 | 3835 | 5753 | 9818 | 19635 |
| 20 | 959 | 1918 | 2877 | 4909 | 9818 |
| 30 | 640 | 1279 | 1918 | 3273 | 6545 |
| 40 | 480 | 959 | 1439 | 2455 | 4909 |
| 50 | 384 | 767 | 1151 | 1964 | 3927 |
ISE ERS Scale
Units are transactions per seconds (TPS)
| Concurrent ERS Connections | 2.4= 10 | 2.6= 30 |
| Operation | 2.4 (3515) | 2.4 (3595) | 2.6 (3515) | 2.6 (3595) | 2.6 (3615) |
2.6 (3655) | 2.6 (3695) |
| EP Bulk create | 361 (250K) | 362 (250K) | 351 (200K) | 533 (200K) | 351 (200K) | 581 (200K) | 598 (200K) |
| EP Bulk Delete | 377 (250K) | 399 (250K) | 346 (200K) | 275 (200K) | 297 (200K) | 279 (200K) | 281 (200K) |
| EP Bulk Deregister | 300 (250K) | 376 (250K) | 314 (200K) | 375 (200K) | 340 (200K) | 328 (200K) | 330 (200K) |
| EP Bulk Register | 315 (250K) | 377 (250K) | 357 (200K) | 377 (200K) | 297 (200K) | 245 (200K) | 260 (200K) |
| EP Bulk Update | 366 (250K) | 364 (250K) | 247 (200K) | 364 (200K) | 327 (200K) | 283 (200K) | 285 (200K) |
| Guest Bulk Create 50k |
314 | 388 | 277 | 350 | 387 | 349 | 351 |
| Guest Bulk Delete | 122 | 188 | 119 | 188 | 122 | 141 | 192 |
| Guest Bulk Reinstate | 125 | 177 | 93 | 177 | 121 | 132 | 179 |
| Guest Bulk Suspend | 105 | 149 | 109 | 149 | 109 | 102 | 166 |
| Guest Bulk Update |
76 | 90 | 76 | 90 | 83 | 53 | 55 |
| SGT Bulk Create 1k |
9 | 14 | 13 | 14 | 11 | 13 | 15 |
ISE WAN Bandwidth Calculator
This calculator can be used to find out how much bandwidth needs to be reserved for ISE operation across WAN links.
ISE Latency and Bandwidth Calculators
The ISE 1.2 version of the tool is still valid for 2.1 release.
Sources
- ISE Training (check out BRKSEC-3432)
- Cisco Identity Services Engine - Install and Upgrade Guides - Cisco
- Cisco Secure Network Server Data Sheet - Cisco
- ISE High Level Design (HLD)
- ISE Load Balancing
- ISE Latency and Bandwidth Calculators
