PAN | MNT | PSN | PXG |
---|---|---|---|
Policy Administration Node | Monitoring & Troubleshooting Node | Policy Services Node | Platform Exchange Grid Node |
The single pane of glass for ISE administration and configuration operations. | The reporting and logging node that collects syslogs from ISE nodes. | Runs the RADIUS / TACACS+ services that handle profiling, policy decisions, and host portals. | Controls and facilitates pxGrid publishing and subscriptions of topics. |
ISE Lab, Evaluation, POC | Small / Standalone Deployment | Medium / Hybrid Deployment | Large / Dedicated Deployment |
---|---|---|---|
All ISE personas (PAN + MNT + PSN + PXG) on the same appliance or VM instance. Not recommended for production without a second node for high availability. | All ISE personas (PAN + MNT + PSN + PXG) on the same appliance or VM instances. Two (2) standalone nodes - one as primary and one as secondary - are used for redundancy. | PAN + MnT + PXG running on same node; one as primary and one as secondary for redundancy. PSNs on dedicated nodes. Nodes may be VMs or appliances. Supports <=6 PSNs (ISE 3.0+). Supports dedicated PXG nodes but counts against 6 PSN maximum. | All ISE personas are fully distributed, running on separate VM or appliance nodes. Supports <= 4 PXG nodes. Supports <= 50 (PSN + PXG) nodes. |
Attribute | ISE 2.2 Maximums | ISE 2.4 Maximums | ISE 2.6+ Maximums |
---|---|---|---|
Maximum Active Sessions: Large / Dedicated Deployment | 3595 PAN, MnT: 500,000; 3495 PAN, MnT: 250,000 | 3595 PAN, MnT: 500,000; 34xx: not supported | 3695 PAN, MnT: 2,000,000; 3595 PAN, MnT: 2,000,000 |
Maximum Active Sessions: Medium / Hybrid Deployment | 3595 PAN+MnT: 20,000; 3515 PAN+MnT: 7,500; 3495 PAN+MnT: 10,000; 3415 PAN+MnT: 5,000 | 3595 PAN+MnT: 20,000; 3515 PAN+MnT: 7,500; 34xx: not supported | 3695 PAN+MnT: 50,000; 3655 PAN+MnT: 25,000; 3615 PAN+MnT: 10,000; 3595 PAN+MnT: 20,000; 3515 PAN+MnT: 7,500 |
Maximum Active Sessions: Small / Standalone Deployment | 3595: 20,000; 3515: 7,500; 3495: 10,000; 3415: 5,000 | 3515: 7,500; 3595: 20,000; 34xx: not supported | 3695: 50,000; 3655: 25,000; 3615: 10,000; 3595: 20,000; 3515: 7,500 |
Maximum PSN Nodes: Large / Dedicated Deployment | 3495 PAN: 40 | 3595 PAN: 50 | 3695 PAN: 50; 3595 PAN: 50 |
Maximum PSN Nodes: Medium Deployment | 5 | 5 | 5 (ISE 2.6/2.7); 6 (ISE 3.0) |
Maximum pxGrid (PXG) Nodes: Large / Dedicated deployment | 2 | 4 (All active) | 4 |
Maximum pxGrid (PXG) Nodes: Medium / Hybrid deployment (PXG on PAN+MNT node or dedicated PXG nodes reducing PSN count) | 2 | 2 | 2 |
Maximum Network Devices | 100,000 | 100,000 | 100,000 |
Maximum Network Device Groups (NDGs) | 10,000 | 10,000 | 10,000 |
Maximum Active Directory Forests (Join Points) | 50 | 50 | 50 |
Maximum Active Directory controllers (WMI query) | 100 | 100 | 100 |
Maximum Internal users | 300,000 | 300,000 | 300,000 |
Maximum Internal guests (expect latency for admin GUI and user auth with >500,000 guests) | 1,000,000 | 1,000,000 | 1,000,000 |
Maximum User Certificates | 1,000,000 | 1,000,000 | 1,000,000 |
Maximum Server Certificates | 1,000 | 1,000 | 1,000 |
Maximum Trusted Certificates | 1,000 | 1,000 | 1,000 |
Maximum User Portals (Guest, BYOD, MDM, Cert, Posture..) | 600 | 600 | 600 |
Maximum Endpoints | 1,500,000 | 1,500,000 | 2,000,000 |
Maximum Policy Sets | 100 | 200 | 200 |
Maximum Authentication Rules | Simple Policy Mode: 100; Policy Set Mode: 200 | Policy Set Mode: 1000 | Policy Set Mode: 1000 |
Maximum Authorization Rules | Simple Policy Mode: 600; Policy Set Mode: 700 | Policy Set Mode: 3,000 (3200 Authz profiles) | Policy Set Mode: 3,000 (3200 Authz profiles) |
Maximum User Identity Groups | 1,000 | 1,000 | 1,000 |
Maximum Endpoint Identity Groups | 1,000 | 1,000 | 1,000 |
TrustSec Scaling | See TrustSec scaling section below | See TrustSec scaling section below |
* It is not recommended to have more than 600 authorization rules in a single policy set. The numbers shown here were tested with 200 policy sets with 15 authorization rules per set.
The maximum network latency (in milliseconds) between the primary PAN and any other ISE nodes including the secondary PAN, MnT, and PSNs.
ISE Versions | Maximum Latency (milliseconds) |
---|---|
ISE 2.0 and before | 200ms |
ISE 2.1 and later | 300ms |
VMs must have the equivalent of the hardware platforms or better.
VM resources must be dedicated to ISE and not shared with other VMs.
Appliance | SNS-3415 | SNS-3495 | SNS-3515 | SNS-3595 | SNS-3615 | SNS-3655 | SNS-3695 |
---|---|---|---|---|---|---|---|
Processor | 1 x Intel Xeon 2.4-GHz E5-2609 | 2 x Intel Xeon 2.4-GHz E5-2609 | 1 x Intel Xeon 2.40 GHz E5-2620 | 1 x Intel Xeon 2.60 GHz E5-2640 | 1 x Intel Xeon 2.10 GHz 4110 | 1 x Intel Xeon 2.10 GHz 4116 | 1 x Intel Xeon 2.10 GHz 4116 |
Cores per processor | 4 | 4 | 6 | 8 | 8 | 12 | 12 |
Memory | 16GB | 32GB | 16 GB (2x8GB) | 64 GB (4x16GB) | 32 GB (2x16GB) | 96 GB (6x16GB) | 256 GB (8x32GB) |
Hard Disk | 1 x 600-GB 10k SAS HDD (600 GB total disk space) | 2 x 600-GB 10k SAS HDDs (600 GB total) | 1 x 600-GB 6Gb SAS 10K RPM | 4 x 600-GB 6Gb SAS 10K RPM | 1 x 600-GB 6Gb SAS 10K RPM | 4 x 600-GB 6Gb SAS 10K RPM | 8 x 600-GB 6Gb SAS 10K RPM |
Hardware RAID | No | RAID 1 | No | Level 10 Cisco 12G SAS Modular RAID Controller | No | Level 10 Cisco 12G SAS Modular RAID Controller | Level 10 Cisco 12G SAS Modular RAID Controller |
Network Interfaces | 4 x Integrated Gigabit NICs | 4 x Integrated Gigabit NICs | 6 x 1GBase-T | 6 x 1GBase-T | 2 x 10GBase-T, 4 x 1GBase-T | 2 x 10GBase-T, 4 x 1GBase-T | 2 x 10GBase-T, 4 x 1GBase-T |
Power Supplies | - | Redundant | 1 x 770W | 2 x 770W | 1 x 770W | 2 x 770W | 2 x 770W |
CPU allocation for VM: twice the number of cores of the physical appliance.
* ISE 2.4 introduces a new Large VM appliance. The current SNS-3595 hardware (or its VM equivalent) will be reclassified as a Medium appliance. Under ISE 2.4, there is currently no Large hardware-based appliance, only a Large virtual appliance. The Large VM appliance has the same specifications as the SNS-3595, but with 256GB RAM. The Large 3595-based VM is intended for use as a performance-enhanced MnT node. There is currently no application for its use as a PAN, PSN, or pxGrid node.
* ISE 2.6 introduces 3 new platforms, SNS-3615, SNS-3655 and SNS-3695, supported on hardware and VM equivalent. The SNS 35xx series platforms have been announced EoL.
Authentication values are approximate. When determining how many PSNs are needed for the deployment, use Maximum Active Sessions and the RADIUS and TACACS+ authentication rates as your guidelines. Authentication performance for specific use cases is also provided in case it is required to size the deployment.
Platform | 3415 | 3495 | 3515 | 3595 | 3615 | 3655 | 3695 |
---|---|---|---|---|---|---|---|
ISE Version(s) | ISE 2.0, ISE 2.1+ | ISE 2.0, ISE 2.1+ | ISE 2.0.1, ISE 2.1+ | ISE 2.0.1, ISE 2.1+ | ISE 2.6 and later | ISE 2.6 and later | ISE 2.6 and later |
Maximum Active Sessions per PSN: Large / Dedicated Deployment | 5,000 | 20,000 | 7,500 | 40,000 | 10,000 | 50,000 | 100,000 |
Maximum Active Sessions per PSN: Medium / Hybrid Deployment | 5,000 | 20,000 | 5,000 | 20,000 | 10,000 | 25,000 | 50,000 |
* concurrent sessions for hybrid deployment
Platform performance specs are for a dedicated PSN in transactions per second (TPS).
PAN and MNT nodes are deployed as separate node(s).
Scenario | Cisco SNS-3415 Appliance | Cisco SNS-3495 Appliance | Cisco SNS-3515 Appliance | Cisco SNS-3595 Appliance | Cisco SNS-3615 Appliance | Cisco SNS-3655 Appliance | Cisco SNS-3695 Appliance |
---|---|---|---|---|---|---|---|
ISE Version | ISE 2.0 | ISE 2.0 | ISE 2.6 | ISE 2.6 | ISE 2.6 | ISE 2.6 | ISE 2.6 |
TACACS+ Function: PAP | 1,400 | 2,800 | 1,364 | 1,412 | 1,644 | 3,299 | 3,301 |
TACACS+ Function: CHAP | 1,500 | 2,900 | 1,312 | 1,389 | 1,289 | 2,075 | 2,099 |
TACACS+ Function: Enable | 700 | 1,200 | 1,116 | 1,126 | 1,145 | 1,145 | 1,148 |
TACACS+ Function: Session AuthZ | 900 | 1,700 | 1,356 | 1,488 | 1,482 | 3,259 | 3,281 |
TACACS+ Function: Command AuthZ | 900 | 1,700 | 1,412 | 1,711 | 1,511 | 1,655 | 1,680 |
TACACS+ Function: Accounting | 2,900 | 4,900 | 4,128 | 4,435 | 4,484 | 8,539 | 8,589 |
Performance per platform.
Authentications per second with PSN only persona (Approximate values)
Authentication Method | Identity Store | Cisco SNS-3595 (auths / second) | Cisco SNS-3615 (auths / second) | Cisco SNS-3655 (auths / second) | Cisco SNS-3695 (auths / second) |
---|---|---|---|---|---|
PAP | Internal | 1256 | 1281 | 1478 | 1531 |
PAP | Active Directory | 443 | 513 | 545 | 571 |
PAP | LDAP | 1557 | 1463 | 1537 | 1604 |
PEAP (MSCHAPv2) | Internal | 439 | 467 | 491 | 513 |
PEAP (MSCHAPv2) | Active Directory | 356 | 373 | 387 | 407 |
PEAP (GTC) | Internal | 421 | 434 | 461 | 496 |
PEAP (GTC) | Active Directory | 334 | 371 | 404 | 431 |
EAP-FAST (MSCHAPv2) | Internal | 557 | 643 | 661 | 703 |
EAP-FAST (MSCHAPv2) | Active Directory | 417 | 457 | 471 | 489 |
EAP-FAST (GTC) | Internal | 587 | 612 | 667 | 690 |
EAP-FAST (GTC) | Active Directory | 401 | 443 | 478 | 504 |
EAP-FAST (GTC) | LDAP | 615 | 779 | 811 | 867 |
EAP-TLS | Internal | 247 | 348 | 367 | 388 |
EAP-TLS | Active Directory | 251 | 335 | 356 | 381 |
EAP-TLS | LDAP | 281 | 354 | 381 | 404 |
MAB | Internal | 1101 | 762 | 1199 | 1299 |
MAB | LDAP | 729 | 731 | 742 | 731 |
Performance per platform.
Authentications per second with PSN only persona (Approximate values)
Authentication Method | Identity Store | Cisco SNS-3515 (auths / second) | Cisco SNS-3595 (auths / second) |
---|---|---|---|
PAP | Internal | 1485 | 1575 |
PAP | Active Directory | 440 | 465 |
PAP | LDAP | 1255 | 1340 |
PEAP (MSCHAPv2) | Internal | 475 | 515 |
PEAP (MSCHAPv2) | Active Directory | 365 | 385 |
PEAP (MSCHAPv2) | LDAP | Roadmap | Roadmap |
PEAP (GTC) | Internal | 435 | 470 |
PEAP (GTC) | Active Directory | 340 | 365 |
EAP-FAST (MSCHAPv2) | Internal | 485 | 515 |
EAP-FAST (MSCHAPv2) | Active Directory | 410 | 445 |
EAP-FAST (GTC) | Internal | 495 | 555 |
EAP-FAST (GTC) | Active Directory | 430 | 450 |
EAP-FAST (GTC) | LDAP | 545 | 585 |
EAP-TLS | Internal | 310 | 310 |
EAP-TLS | Active Directory | 310 | 315 |
EAP-TLS | LDAP | 315 | 320 |
MAB | Internal | 780 | 1245 |
MAB | LDAP | 700 | 800 |
Performance per platform.
Authentications per second with PSN only persona (Approximate values)
Authentication Method | Identity Store | Cisco SNS-3515 (auths / second) | Cisco SNS-3595 (auths / second) |
---|---|---|---|
PAP | Internal | 1630 | 2060 |
PAP | Active Directory | 355 | 530 |
PAP | LDAP | 585 | 1575 |
PEAP (MSCHAPv2) | Internal | 375 | 575 |
PEAP (MSCHAPv2) | Active Directory | 265 | 470 |
PEAP (MSCHAPv2) | LDAP | Roadmap | Roadmap |
EAP-FAST (MSCHAPv2) | Internal | 535 | 735 |
EAP-FAST (MSCHAPv2) | Active Directory | 335 | 530 |
EAP-FAST (GTC) | Internal | 445 | 1030 |
EAP-FAST (GTC) | Active Directory | 410 (p2) | 510 |
EAP-FAST (GTC) | LDAP | 305 (p2) | 775 |
EAP-TLS | Internal | 190 | 330 |
EAP-TLS | Active Directory | 200 | 320 |
EAP-TLS | LDAP | 185 | 320 |
Performance per platform.
Authentications per second with PSN only persona (Approximate values)
Authentication Method | Identity Store | Cisco SNS-3415 (auths / second) | Cisco SNS-3495 (auths / second) | Cisco SNS-3515 (auths / second) | Cisco SNS-3595 (auths / second) |
---|---|---|---|---|---|
PAP | Internal | 555 | 1575 | 2185 | |
PAP | Active Directory | 365 | 530 | 510 | |
PAP | LDAP | 730 | 1980 | 2810 | |
PEAP (MSCHAPv2) | Internal | 165 | 360 | 570 | |
PEAP (MSCHAPv2) | Active Directory | 150 | 400 | 485 | |
PEAP (MSCHAPv2) | LDAP | Roadmap | Roadmap | Roadmap | Roadmap |
EAP-FAST (MSCHAPv2) | Internal | 265 | 560 | 750 | |
EAP-FAST (MSCHAPv2) | Active Directory | 235 | 505 | 525 | |
EAP-FAST (GTC) | Internal | 260 | 505 | 1060 | |
EAP-FAST (GTC) | Active Directory | 220 | 470 | 520 | |
EAP-FAST (GTC) | LDAP | 285 | 600 | 1155 | |
EAP-TLS | Internal | 330 | 335 | 335 | |
EAP-TLS | AD | 300 | 325 | 325 | |
EAP-TLS | LDAP | 310 | 320 | 320 |
NA = Not Available
EAP-TLS: 2k key size, Session-Resume set to OFF
PEAP: Fast Reconnect and Session-Resume on the client and ISE - OFF
Scenario | SNS-3515 (auths / second) | SNS-3595 (auths / second) | SNS-3615 (auths / second) | SNS-3655 (auths / second) | SNS-3695 (auths / second) |
---|---|---|---|---|---|
Posture Authentication | 47 | 70 | 51 | 83 | |
Guest Hotspot Authentications | 152 | 192 | 168 | 225 | 270 |
Guest Sponsored Authentications | 93 | 126 | 111 | 184 | 189 |
BYOD onboarding single SSID (iOS) | ISE CA: 22.33; External CA: 21.78 | ISE CA: 23.3; External CA: 22.54 | ISE CA: 22.58; External CA: 23.56 | | |
BYOD onboarding dual SSID (iOS) | ISE CA: 23.62; External CA: 24.24 | ISE CA: 31.35; External CA: 31.69 | ISE CA: 22.68; External CA: 30.17 | | |
BYOD onboarding single SSID (Android) | ISE CA: 21; External CA: 22.31 | ISE CA: 22.35; External CA: 21.92 | ISE CA: 21.57; External CA: 21.69 | | |
BYOD onboarding dual SSID (Android) | ISE CA: 22.07; External CA: 21.54 | ISE CA: 22.88; External CA: 22.3 | ISE CA: 22.07; External CA: 22.14 | | |
MDM simulated - not impeded by MDM Server API performance | | | | | |
Internal CA certificate Issuance |
Scenario | Cisco SNS-3515 Appliance (auths / second) | Cisco SNS-3595 Appliance (auths / second) |
---|---|---|
Posture Authentications | - | 50 |
Guest Hotspot Authentications | 90 | 220 |
Guest Sponsored User Authentications | 60 | 170 |
Bulk Guest Creation via ERS API | - | 375 |
BYOD Onboarding Single SSID (iOS) | ISE CA: 16; External CA: 13 | ISE CA: 20; External CA: 29 |
BYOD Onboarding Dual SSID (iOS) | ISE CA: 19; External CA: 16 | ISE CA: 19; External CA: 26 |
BYOD Onboarding Single SSID (Android) | ISE CA: 18; External CA: 19 | ISE CA: 19; External CA: 26 |
BYOD Onboarding Dual SSID (Android) | ISE CA: 21; External CA: 21 | ISE CA: 20; External CA: 35 |
MDM simulated - not impeded by MDM Server API performance | 250 | 340 |
Internal CA Certificate Issuance | 43 | 45 |
Passive Identity & Easy Connect Scaling by Deployment Size
Scaling with Mixed RADIUS and Passive Identity / Easy Connect Services
Deployment model | Platform | Max Dedicated PSNs | Max RADIUS sessions per Deployment | Max Passive ID sessions per Deployment | Max Merged & Easy Connect Sessions* (Shared PSNs) | Max Merged & Easy Connect Sessions* (Dedicated PSNs) |
---|---|---|---|---|---|---|
Standalone | 3515 | 0 | 7,500 | 100,000 | 1,000 | N/A |
Standalone | 3595 | 0 | 20,000 | 300,000 | 2,000 | N/A |
Medium (PAN+MNT on same node) | PAN+MNT: 3515 | 5 | 7,500 | 100,000 | 1,000 | 5,000 |
Medium (PAN+MNT on same node) | PAN+MNT: 3595 | 5 | 20,000 | 500,000 | 2,000 | 10,000 |
Dedicated PAN, MNT, PXG and PSN nodes | PAN and MNT: 3595 | 50 | 500,000 | 500,000 | 500,000 | 500,000 |
Dedicated PAN, MNT, PXG and PSN nodes | PAN and Large MNT: 3595 | 50 | 500,000 | 1M | 500,000 | 500,000 |
Platform | Max Passive ID sessions per PSN | Max Merged & Easy Connect Sessions * per PSN |
---|---|---|
3515 | 100,000 | 7,500 |
3595 | 500,000 | 40,000 |
* Subset of Max RADIUS/Max Passive Sessions
Passive Identity & Easy Connect Scaling by Deployment Size
Scaling with Mixed RADIUS and Passive Identity / Easy Connect Services
Deployment Type | Platform | Max Dedicated PSNs | Max RADIUS sessions per Deployment | Max Passive ID sessions per Deployment | Max Merged & Easy Connect Sessions* (Shared PSNs) | Max Merged & Easy Connect Sessions* (Dedicated PSNs) |
---|---|---|---|---|---|---|
Small / Standalone | 3415 | 0 | 5,000 | 50,000 | 500 | N/A |
Small / Standalone | 3495 | 0 | 10,000 | 100,000 | 1,000 | N/A |
Small / Standalone | 3515 | 0 | 7,500 | 100,000 | 1,000 | N/A |
Small / Standalone | 3595 | 0 | 20,000 | 300,000 | 2,000 | N/A |
Medium / Hybrid | PAN+MNT: 3415 | 5 | 5,000 | 50,000 | 500 | 2,500 |
Medium / Hybrid | PAN+MNT: 3495 | 5 | 10,000 | 100,000 | 1,000 | 5,000 |
Medium / Hybrid | PAN+MNT: 3515 | 5 | 7,500 | 100,000 | 1,000 | 5,000 |
Medium / Hybrid | PAN+MNT: 3595 | 5 | 20,000 | 300,000 | 2,000 | 10,000 |
Large / Dedicated | PAN and MNT: 3495 | 40 | 250,000 | 100,000 | N/A | 25,000 |
Large / Dedicated | PAN and MNT: 3595 | 50 | 500,000 | 300,000 | N/A | 50,000 |
Platform | Max Passive ID sessions per PSN | Max Merged & Easy Connect Sessions * per PSN |
---|---|---|
3415 | 50,000 | 5,000 |
3495 | 100,000 | 25,000 |
3515 | 100,000 | 7,500 |
3595 | 300,000 | 40,000 |
* Subset of Max RADIUS/Max Passive Sessions
Scenario | 3515/3595 Virtual Appliance |
---|---|
Max AD Domain Controllers supported via WMI or ISE AD Agent | 100 |
Max AD Agents (assuming 1:1 agent to DC) | 100 |
Recommended # DCs per Agent (agent on DC) | 1 |
Recommended # DCs per Agent (agent on member server) | 10 |
Recommended # PSNs enabled for WMI (Passive ID service) | 2 |
Max REST API Providers | 50 |
Max REST API EPS | 1,000 |
Max Syslog Providers | 70 |
Max Syslog EPS | 400 |
Max Endpoints Probed per Interval | 100,000 |
Max pxGrid Subscribers | 20 |
pxGrid v2 support added in ISE 2.3 but requires v2 Subscribers/Publishers. Each pxGrid v2 node can be Active. |
Deployment Type | Platform | <= ISE 2.4 Max PSN + PXG nodes | Max PXGs | Max pxGrid Subscribers: Shared PAN+MNT+PXG | Max pxGrid Subscribers: Dedicated PSN/PXG |
---|---|---|---|---|---|
Small / Standalone | 3515 | 0 | 0 | 20 | N/A |
Small / Standalone | 3595 | 0 | 0 | 30 | N/A |
Medium / Hybrid (PAN+MnT+PXG on same node and dedicated PSNs) | PAN+MNT+PXG: 3515 | 5 | 2 | 140 | 400 |
Medium / Hybrid (PAN+MnT+PXG on same node and dedicated PSNs) | PAN+MNT+PXG: 3595 | 5 | 2 | 160 | 400 |
Medium / Hybrid (PAN+MnT+PXG on same node and dedicated PSNs) | PAN+MNT+PXG: 3595 | 5 | 3 | 160 | 600 |
Large / Dedicated | PAN and MNT: 3595 | 50 | 4 | N/A | 800 |
Large / Dedicated | PAN and Large MNT: 3595 | 50 | 4 | N/A | 800 |
Maximum publish rate is gated by the Total Deployment Size
Platform | Max Subscribers per pxGrid node |
---|---|
3515 | 200 |
3595 | 200 |
3615 | 220 |
3655 | 230 |
3695 | 250 |
Deployment Type | Platform | Max PSN + PXG nodes | Max PXGs | Max pxGrid Subscribers: Shared PAN+MNT+PXG | Max pxGrid Subscribers: Dedicated PSN/PXG |
---|---|---|---|---|---|
Small / Standalone | 3415 | 0 | 0 | 2 | N/A |
Small / Standalone | 3495 | 0 | 0 | 2 | N/A |
Small / Standalone | 3515 | 0 | 0 | 2 | N/A |
Small / Standalone | 3595 | 0 | 0 | 2 | N/A |
Medium / Hybrid | 3415 as PAN+MNT/PXG | 5 | 2 | 5 | 15 |
Medium / Hybrid | 3495 as PAN+MNT/PXG | 5 | 2 | 5 | 15 |
Medium / Hybrid | 3515 as PAN+MNT/PXG | 5 | 2 | 5 | 15 |
Medium / Hybrid | 3595 as PAN+MNT/PXG | 5 | 2 | 5 | 15 |
Large / Dedicated | 3495 as PAN and MNT | 40 | 2 | N/A | 25 |
Large / Dedicated | 3595 as PAN and MNT | 50 | 2 | N/A | 25 |
Maximum publish rate is gated by the Total Deployment Size
Platform | Max Subscribers per pxGrid node |
---|---|
3415 | 10 |
3495 | 20 |
3515 | 15 |
3595 | 25 |
Note: 34x5 appliance is not supported after ISE 2.3. |
Deployment Type | Platform | TC-NAC enabled on RADIUS PSN: Max TC-NAC Adapters | TC-NAC enabled on RADIUS PSN: Max VAF (TPM) | TC-NAC enabled on RADIUS PSN: Max IRF (TPS) | Dedicated PSN for TC-NAC: Max TC-NAC Adapters | Dedicated PSN for TC-NAC: Max VAF (TPM) | Dedicated PSN for TC-NAC: Max IRF (TPS) |
---|---|---|---|---|---|---|---|
Small / Standalone | 3415 | 1 | 5 | 5 | N/A | N/A | N/A |
Small / Standalone | 3495 | 1 | 5 | 5 | N/A | N/A | N/A |
Small / Standalone | 3515 | 1 | 5 | 5 | N/A | N/A | N/A |
Small / Standalone | 3595 | 1 | 5 | 5 | N/A | N/A | N/A |
Medium / Hybrid | PAN+MNT: 3415 | 1 | 5 | 10 | 3 | 40 | 80 |
Medium / Hybrid | PAN+MNT: 3495 | 2 | 10 | 20 | 5 | 40 | 80 |
Medium / Hybrid | PAN+MNT: 3515 | 1 | 5 | 10 | 3 | 40 | 80 |
Medium / Hybrid | PAN+MNT: 3595 | 2 | 10 | 20 | 5 | 40 | 80 |
Large / Dedicated | PAN and MNT: 3495 | N/A | N/A | N/A | 5 | 40 | 80 |
Large / Dedicated | PAN and MNT: 3595 | N/A | N/A | N/A | 5 | 40 | 80 |
* Max 1 TC-NAC node supported per deployment in ISE 2.1/2.2
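Scaling per PSN | Platform | Max TC-NAC Adapters | Max VAF TPM | Max IRF TPS |
---|---|---|---|---|
Dedicated TC-NAC nodes (gated by total deployment scale) | 3415 | 3 | 40 | 80 |
Dedicated TC-NAC nodes (gated by total deployment scale) | 3495 | 5 | 40 | 80 |
Dedicated TC-NAC nodes (gated by total deployment scale) | 3515 | 3 | 40 | 80 |
Dedicated TC-NAC nodes (gated by total deployment scale) | 3595 | 5 | 40 | 80 |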
Attribute | ISE 2.2 | ISE 2.4 | ISE 2.6 |
---|---|---|---|
Maximum TrustSec Security Group Tags (SGTs) | 4,000 | 10,000 | 10,000 |
Maximum TrustSec Security Group ACLs (SGACLs) | 1,000 | 1,000 | 1,000 |
Maximum TrustSec IP-SGT Static Bindings (over SSH) | 10,000 | 10,000 | 10,000 |
Maximum NADs with TrustSec CoA in Standalone Deployment (see Best Practice below) | 100 | 100 |
SXP Nodes (SXPSNs)
Take note of the following that is documented in the ISE Admin Guides:
Note: We recommend that you run the SXP service on a standalone node.
Multiple Matrices
ISE 2.2+ supports multiple matrices and assigning NADs to each matrix. When moving NADs between matrices, the maximum number of NADs ISE can move to another matrix at one time is 50. If more than 50 NADs need to be moved, repeat the steps with less than 50 NADs at a time.
ISE CoA Handling
For ISE 2.2 and 2.3:
The CoA messages sent for update-cts-environment-data, update-sgt and update-rbacl, are originated from the PAN.
When CoAs are transmitted, ISE uses a separate CPU thread for each NAD, increasing the CPU load and memory consumed on the PAN.
When network devices receive CoA messages, they respond by sending RADIUS requests to ISE to download the updated data.
The recommendation for large installations is to use a Dedicated deployment (separate PAN, MnT, and PSN nodes). If the nodes are not deployed on separate instances, then for a large number of network devices (over 100 NADs) at least use a Hybrid deployment with dedicated PSNs. Network devices can then be configured to send RADIUS requests to a PSN to download updates, so that the CPU and memory utilization and the resulting latency of the PAN are not increased further while it is dealing with the CoA messages.
For ISE 2.4:
By default, the CoA messages sent for update-cts-environment-data, update-sgt and update-rbacl are originated from the PAN. So, without changing the default behaviour, the same recommendation applies as for ISE 2.2 and 2.3 above.
It is further recommended to change the default behaviour by sending CoAs from local PSNs rather than the PAN, to reduce load on the PAN and distribute CoA generation around the ISE nodes. This is a new feature in ISE 2.4 and is configured in the Advanced TrustSec Settings under the Network Device.
Maximum 4 SXPSN pairs supported in ISE 2.4
Deployment Type | Platform | Max PSNs | Max ISE SXP Bindings (Shared SXP & RADIUS PSNs) | Max ISE SXP Bindings (Dedicated RADIUS & SXPSNs) | Max ISE SXP Peers |
---|---|---|---|---|---|
Small / Standalone | 3515 | 0 | 3,500 | N/A | 20 |
Small / Standalone | 3595 | 0 | 10,000 | N/A | 30 |
Medium / Hybrid | PAN+MNT: 3515 | 5 | 3,750 | 7,500 | 200 |
Medium / Hybrid | PAN+MNT: 3595 | 5 | 10,000 | 20,000 | 200 |
Large / Dedicated | PAN and MNT: 3595 | 50 | N/A | 350,000 (1 pair); 500,000 (2 pair) | 200 (1 pair); 400 (2 pair) |
Large / Dedicated | PAN and Large MNT: 3595 | 50 | N/A | 350,000 (1 pair); 700,000 (2 pair); 1,050,000 (3 pair); 1,400,000 (4 pair) | 200 (1 pair); 400 (2 pair); 600 (3 pair); 800 (4 pair) |
Scaling per SXPSN | Platform | Max ISE SXP Bindings | Max ISE SXP Peers |
---|---|---|---|
Dedicated SXPSN nodes (gated by total deployment scale) | 3515 | 200,000 | 200 |
Dedicated SXPSN nodes (gated by total deployment scale) | 3595 | 350,000 | 200 |
Maximum 2 SXPSN pairs supported in ISE 2.2/2.3
Deployment Type | Platform | Max PSNs | Max ISE SXP Bindings (Shared SXP & RADIUS PSNs) | Max ISE SXP Bindings (Dedicated RADIUS & SXPSNs) | Max ISE SXP Peers |
---|---|---|---|---|---|
Small / Standalone | 3415 | 0 | 2,500 | N/A | 10 |
Small / Standalone | 3495 | 0 | 5,000 | N/A | 20 |
Small / Standalone | 3515 | 0 | 3,750 | N/A | 15 |
Small / Standalone | 3595 | 0 | 10,000 | N/A | 25 |
Medium / Hybrid Deployment | PAN+MNT: 3415 | 5 | 2,500 | 5,000 | 100 |
Medium / Hybrid Deployment | PAN+MNT: 3495 | 5 | 5,000 | 10,000 | 100 |
Medium / Hybrid Deployment | PAN+MNT: 3515 | 5 | 3,750 | 7,500 | 100 |
Medium / Hybrid Deployment | PAN+MNT: 3595 | 5 | 10,000 | 20,000 | 100 |
Large / Dedicated | PAN and MNT: 3495 | 40 | N/A | 150,000 (1 pair); 250,000 (2 pair) | 100 (1 pair); 200 (2 pair) |
Large / Dedicated | PAN and MNT: 3595 | 50 | N/A | 250,000 (1 pair); 500,000 (2 pair) | 100 (1 pair); 200 (2 pair) |
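Scaling per SXPSN | Platform | Max ISE SXP Bindings | Max ISE SXP Peers |
---|---|---|---|
Dedicated SXPSN nodes (gated by total deployment scale) | 3415 | 100,000 | 100 |
Dedicated SXPSN nodes (gated by total deployment scale) | 3495 | 150,000 | 100 |
Dedicated SXPSN nodes (gated by total deployment scale) | 3515 | 150,000 | 100 |
Dedicated SXPSN nodes (gated by total deployment scale) | 3595 | 250,000 | 100 |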
Persona | Minimum Disk Size (GB) |
---|---|
Standalone* (all personas on single node) | 300 GB |
PAN Only | 300 GB |
PSN Only | 300 GB |
PXG Only | 300 GB |
MnT Only* | 600 GB |
PAN + MnT* | 600 GB |
PAN + MnT* + PXG | 600 GB |
Note: Thin Provisioning is supported since 1.3, however Thick/Eager Provisioning will yield best performance |
Note: 10k RPM+ HDD or equivalent speed required |
Note: Recommended IO Read 300MB/s or higher, IO Write 50MB/s or higher |
Note: 600GB max for non-MnT persona node, 2TB max for MnT persona node. |
ISE MnT Log sizing calculator for TACACS+ and RADIUS
Days of log retention - assuming collection filter is enabled - for various MnT Disk Sizes.
ISE 2.0/2.1 (30% disk allocation):
Total Endpoints | 200 GB (days) | 400 GB (days) | 600 GB (days) | 1024 GB (days) | 2048 GB (days) |
---|---|---|---|---|---|
10,000 | 126 | 252 | 378 | 645 | 1,289 |
20,000 | 63 | 126 | 189 | 323 | 645 |
30,000 | 42 | 84 | 126 | 215 | 430 |
40,000 | 32 | 63 | 95 | 162 | 323 |
50,000 | 26 | 51 | 76 | 129 | 258 |
100,000 | 13 | 26 | 38 | 65 | 129 |
150,000 | 9 | 17 | 26 | 43 | 86 |
200,000 | 7 | 13 | 19 | 33 | 65 |
250,000 | 6 | 11 | 16 | 26 | 52 |
ISE 2.2 (60% disk allocation)
Total Endpoints | 200 GB (days) | 400 GB (days) | 600 GB (days) | 1024 GB (days) | 2048 GB (days) |
---|---|---|---|---|---|
5,000 | 504 | 1007 | 1510 | 2577 | 5154 |
10,000 | 252 | 504 | 755 | 1289 | 2577 |
25,000 | 101 | 202 | 302 | 516 | 1031 |
50,000 | 51 | 101 | 151 | 258 | 516 |
100,000 | 26 | 51 | 76 | 129 | 258 |
150,000 | 17 | 34 | 51 | 86 | 172 |
200,000 | 13 | 26 | 38 | 65 | 129 |
250,000 | 11 | 21 | 31 | 52 | 104 |
500,000 | 6 | 11 | 16 | 26 | 52 |
Note: Above values are based on controlled criteria including message size, re-authentication interval, etc. and result may vary depending on the environment |
ISE 2.0/2.1 (20% Disk Allocation):
Number of Network Devices in the deployment | MnT Disk Size: 200 GB | MnT Disk Size: 400 GB | MnT Disk Size: 600 GB | MnT Disk Size: 1024 GB | MnT Disk Size: 2048 GB |
---|---|---|---|---|---|
500 | 480 | 959 | 1439 | 2455 | 4909 |
1000 | 240 | 480 | 720 | 1228 | 2455 |
5000 | 48 | 96 | 144 | 246 | 491 |
10000 | 24 | 48 | 72 | 123 | 246 |
20000 | 12 | 24 | 36 | 62 | 123 |
30000 | 8 | 16 | 24 | 41 | 82 |
50000 | 5 | 10 | 15 | 25 | 50 |
ISE 2.2 (60% disk allocation):
# Network Devices | 200 GB (days) | 400 GB (days) | 600 GB (days) | 1024 GB (days) | 2048 GB (days) |
---|---|---|---|---|---|
100 | 12,583 | 25,166 | 37,749 | 64,425 | 128,850 |
500 | 2,517 | 5,034 | 7,550 | 12,885 | 25,770 |
1,000 | 1,259 | 2,517 | 3,775 | 6,443 | 12,885 |
5,000 | 252 | 504 | 755 | 1,289 | 2,577 |
10,000 | 126 | 252 | 378 | 645 | 1,289 |
25,000 | 51 | 101 | 151 | 258 | 516 |
50,000 | 26 | 51 | 76 | 129 | 258 |
75,000 | 17 | 34 | 51 | 86 | 172 |
100,000 | 13 | 26 | 38 | 65 | 129 |
ISE 2.0/2.1 (20% Disk Allocation):
Number of Admins | MnT Disk Size: 200 GB | MnT Disk Size: 400 GB | MnT Disk Size: 600 GB | MnT Disk Size: 1024 GB | MnT Disk Size: 2048 GB |
---|---|---|---|---|---|
5 | 3835 | 7670 | 11505 | 19635 | 39269 |
10 | 1918 | 3835 | 5753 | 9818 | 19635 |
20 | 959 | 1918 | 2877 | 4909 | 9818 |
30 | 640 | 1279 | 1918 | 3273 | 6545 |
40 | 480 | 959 | 1439 | 2455 | 4909 |
50 | 384 | 767 | 1151 | 1964 | 3927 |
Units are transactions per second (TPS).
Concurrent ERS Connections | 2.4 = 10 | 2.6 = 30 |
Operation | ISE 2.4 (3515) TPS | ISE 2.4 (3595) TPS | ISE 2.6 (3515) TPS | ISE 2.6 (3595) TPS | ISE 2.6 (3615) TPS | ISE 2.6 (3655) TPS | ISE 2.6 (3695) TPS |
---|---|---|---|---|---|---|---|
EP Bulk create | 361 (250K) | 362 (250K) | 351 (200K) | 533 (200K) | 351 (200K) | 581 (200K) | 598 (200K) |
EP Bulk Delete | 377 (250K) | 399 (250K) | 346 (200K) | 275 (200K) | 297 (200K) | 279 (200K) | 281 (200K) |
EP Bulk Deregister | 300 (250K) | 376 (250K) | 314 (200K) | 375 (200K) | 340 (200K) | 328 (200K) | 330 (200K) |
EP Bulk Register | 315 (250K) | 377 (250K) | 357 (200K) | 377 (200K) | 297 (200K) | 245 (200K) | 260 (200K) |
EP Bulk Update | 366 (250K) | 364 (250K) | 247 (200K) | 364 (200K) | 327 (200K) | 283 (200K) | 285 (200K) |
Guest Bulk Create 50k | 314 | 388 | 277 | 350 | 387 | 349 | 351 |
Guest Bulk Delete | 122 | 188 | 119 | 188 | 122 | 141 | 192 |
Guest Bulk Reinstate | 125 | 177 | 93 | 177 | 121 | 132 | 179 |
Guest Bulk Suspend | 105 | 149 | 109 | 149 | 109 | 102 | 166 |
Guest Bulk Update | 76 | 90 | 76 | 90 | 83 | 53 | 55 |
SGT Bulk Create 1k | 9 | 14 | 13 | 14 | 11 | 13 | 15 |
This calculator can be used to find out how much bandwidth needs to be reserved for ISE operation across WAN links.
ISE Latency and Bandwidth Calculators
The ISE 1.2 version of the tool is still valid for 2.1 release.
Wow what a great compilation of information, great work!
Really Awesome work, congrats.
Take care, the CPU numbers for the new SNS 3595 are wrong: only one 8-core CPU.
Chassis has 2 sockets, but only one socket occupied by 8-core CPU for total 8 cores.
Yes, in fact SNS-3500 use the same UCS hardware with 2 sockets
The gap between both SNS-3500 is the CPU model which is not the same but only one for each platform
This is different from SNS-3400 which have the same model of CPU but SNS-3415 has 1 and SNS-3495 has 2
Other thing is about hyperthreading, I have to double check but as I remember it is disabled by default in the BIOS... so 8 cores -> 8 threads.
HT should be enabled on SNS-35x5 appliances. In fact, we test VMs with HT enabled as that is the assumption with the 35xx series. If you find differently on your customer's appliance, I recommend having them open a TAC case to file a defect.
I have to double check but was on SNS-34xx.
Thank you, Jeremy!
I updated the Processor descriptions to only mention the actual processor(s) and not sockets to prevent confusion.
Can ISE 2.1 be installed on the SNS-33XX Hardware?
No, please check the release notes
http://www.cisco.com/c/en/us/td/docs/security/ise/2-1/release_notes/ise21_rn.html
Perfect, thanks! That is what I was looking for and completely overlooked it the first time.