- ISE Node Terminology
- ISE Deployments
- ISE Deployment Scale and Limits
- Maximum Network Latency Between Nodes
- ISE Hardware Platforms
- ISE PSN Performance
- ISE TACACS+ Performance
- ISE 2.6 RADIUS Performance
- ISE 2.4 RADIUS Performance
- ISE 2.3 RADIUS Performance
- ISE 2.2 RADIUS Performance
- ISE 2.6 Scenario-Based Performance
- ISE 2.3 Scenario-Based Performance
- ISE 2.4 Passive Identity (Passive ID) and Easy Connect Scaling
- Passive ID / Easy Connect Scaling Per Deployment
- Passive ID / Easy Connect Scaling per PSN dedicated to Passive ID Service
- ISE 2.2 and 2.3 Passive Identity (Passive ID) and Easy Connect Scaling
- Passive ID / EZC Scaling Per Deployment
- Passive ID / Easy Connect Scaling per PSN dedicated to Passive ID Service
- Passive ID - Provider and Consumer Scaling
- ISE 2.4 Platform eXchange Grid (pxGrid v2) Scaling
- pxGrid v2 Scaling per Deployment
- pxGrid v2 Scaling per Dedicated pxGrid Node
- ISE 2.2 Platform eXchange Grid (pxGrid v1) Scaling
- pxGrid v1 Scaling per Deployment
- pxGrid v1 Scaling per Dedicated pxGrid Node
- ISE 2.2/2.3/2.4 Threat-Centric NAC (TC-NAC) Scaling
- TC-NAC Scaling per Deployment
- TC-NAC Scaling per PSN
- ISE TrustSec Scaling
- TrustSec Best Practices
- ISE 2.4 SXP Scaling
- ISE SXP Scaling per Deployment
- ISE SXP Scaling per SXPSN
- ISE 2.2 and 2.3 SXP Scaling
- ISE SXP Scaling per Deployment
- ISE SXP Scaling per SXPSN
- ISE Storage Requirements
- VM Disk Size Minimum Requirement
- MnT Persona Log Storage Requirements
- RADIUS Log Retention (Days):
- TACACS+ log retention( Days)
- ISE ERS Scale
- ISE WAN Bandwidth Calculator
- Sources
ISE Node Terminology
 |
 |
 |
 |
| PAN | MNT | PSN | PXG |
| Policy Administration Node | Monitoring & Troubleshooting Node | Policy Services Node | Platform Exchange Grid Node |
| The single plane of glass for ISE administration and configuration operations. | The reporting and logging node that collects syslogs from ISE nodes | Runs the RADIUS / TACACS+ services that handle profiling, policy decisions, and host portals | Controls and facilitates pxGrid publishing and subscriptions of topics |
ISE Deployments
| ISE Lab, Evaluation, POC |
Small / Standalone Deployment | Medium / Hybrid Deployment | Large / Dedicated Deployment |
 |
 |
 |
 |
| All ISE personas (PAN + MNT + PSN + PXG) on the same appliance or VM instance. Not recommended for production without a second node for high availability. | All ISE personas (PAN + MNT + PSN + PXG) on the same appliance or VM instances. Two (2) standalone nodes - one as primary and one as secondary - are used for redundancy. |
PAN + MnT + PXG running on same node; one as primary and one as secondary for redundancy. PSNs on dedicated nodes. Nodes may be VMs or appliances. Supports <=6 PSNs (ISE 3.0+) Supports dedicated PXG nodes but counts against 6 PSN maximum. |
All ISE personas are fully distributed, running on separate VM or appliance nodes. Supports <= 4 PXG nodes. Supports <= 50 (PSN + PXG) nodes |
ISE Deployment Scale and Limits
| Attribute | ISE 2.2 Maximums | ISE 2.4 Maximums | ISE 2.6+ Maximums |
|---|---|---|---|
| Maximum Active Sessions: Large / Dedicated Deployment |
3595 PAN, MnT: 500,000 3495 PAN, MnT: 250,000 |
3595 PAN, MnT: 500,000 34xx: not supported |
3695 PAN, MnT: 2,000,000 3595 PAN, MnT: 2,000,000 |
| Maximum Active Sessions: Medium / Hybrid Deployment |
3595 PAN+MnT: 20,000 3515 PAN+MnT: 7,500 3495 PAN+MnT: 10,000 3415 PAN+MnT: 5,000 |
3595 PAN+MnT: 20,000 3515 PAN+MnT: 7,500 34xx: not supported |
3695 PAN+MnT: 50,000 3655 PAN+MnT: 25,000 3615 PAN+MnT: 10,000 3595 PAN+MnT: 20,000 3515 PAN+MnT: 7,500 |
| Maximum Active Sessions: Small / Standalone Deployment |
3595: 20,000 3515: 7,500 3495: 10,000 3415: 5,000 |
3515: 7,500 3595: 20,000 34xx: not supported |
3695: 50,000 3655: 25,000 3615: 10,000 3595: 20,000 3515: 7500 |
| Maximum PSN Nodes : Large / Dedicated Deployment |
3495 PAN: 40 | 3595 PAN: 50 | 3695 PAN: 50 3595 PAN: 50 |
| Maximum PSN Nodes: Medium Deployment |
5 | 5 |
5-ISE2.6/2.7 6-ISE3.0 |
| Maximum pxGrid (PXG) Nodes: Large / Dedicated deployment |
2 | 4 (All active) | 4 |
| Maximum pxGrid (PXG) Nodes: Medium / Hybrid deployment (PXG on PAN+MNT node or dedicate PXG nodes reducing PSN count) |
2 | 2 | 2 |
| Maximum Network Devices | 100,000 | 100,000 | 100,000 |
| Maximum Network Device Groups (NDGs) | 10,000 | 10,000 | 10,000 |
| Maximum Active Directory Forests (Join Points) |
50 | 50 | 50 |
| Maximum Active Directory controllers (WMI query) |
100 | 100 | 100 |
| Maximum Internal users | 300,000 | 300,000 | 300,000 |
| Maximum Internal guests Expect latency for admin GUI and user auth with >500,000 guests |
1,000,000 | 1,000,000 | 1,000,000 |
| Maximum User Certificates | 1,000,000 | 1,000,000 | 1,000,000 |
| Maximum Server Certificates | 1,000 | 1,000 | 1,000 |
| Maximum Trusted Certificates | 1,000 | 1,000 | 1,000 |
| Maximum User Portals (Guest, BYOD, MDM, Cert, Posture..) |
600 | 600 | 600 |
| Maximum Endpoints | 1,500,000 | 1,500,000 | 2,000,000 |
| Maximum Policy Sets | 100 | 200 | 200 |
| Maximum Authentication Rules | Simple Policy Mode: 100 Policy Set Mode: 200 |
Policy Set Mode: 1000 | Policy Set Mode: 1000 |
| Maximum Authorization Rules | Simple Policy Mode: 600 Policy Set Mode: 700 |
Policy Set Mode: 3,000 (3200 Authz profiles) |
Policy Set Mode: 3,000 (3200 Authz profiles) |
| Maximum User Identity Groups | 1,000 | 1,000 | 1,000 |
| Maximum Endpoint Identity Groups | 1,000 | 1,000 | 1,000 |
| TrustSec Scaling | See TrustSec scaling section below | See TrustSec scaling section below |
* It is not recommended to have more than 600 authorization rules in a single policy set. The numbers shown here were tested with 200 policy sets with 15 authorizations rules per set.
Maximum Network Latency Between Nodes
The maximum network latency (in milliseconds) between the primary PAN and any other ISE nodes including the secondary PAN, MnT, and PSNs.
| ISE Versions |
Maximum Latency (milliseconds) |
|---|---|
| ISE 2.0 and before | 200ms |
| ISE 2.1 and later | 300ms |
ISE Hardware Platforms
VMs must have the equivalent of the hardware platforms or better.
VM resources must be dedicated to ISE and not shared with other VMs.
| Appliance | SNS-3415 | SNS-3495 | SNS-3515 | SNS-3595 | SNS-3615 | SNS-3655 | SNS-3695 |
|---|---|---|---|---|---|---|---|
| Processor | 1 x Intel Xeon 2.4-GHz E5-2609 | 2 x Intel Xeon 2.4-GHz E5-2609 | 1 x Intel Xeon 2.40 GHz E5-2620 |
1 x Intel Xeon 2.60 GHz E5-2640 |
1 x Intel Xeon 2.10 GHz 4110 |
1 x Intel Xeon 2.10 GHz 4116 |
1 x Intel Xeon 2.10 GHz 4116 |
| Cores per processor | 4 | 4 | 6 | 8 | 8 | 12 | 12 |
| Memory | 16GB | 32GB | 16 GB (2x8GB) | 64 GB (4x16GB) | 32 GB (2x16GB) | 96 GB (6x16GB) | 256 GB (8x32GB) |
| Hard Disk | 1 x 600-GB 10k SAS HDD (600 GB total disk space) |
2 x 600-GB 10k SAS HDDs (600 GB total) |
1 x 600-GB 6Gb SAS 10K RPM | 4 x 600-GB 6Gb SAS 10K RPM | 1 x 600-GB 6Gb SAS 10K RPM | 4 x 600-GB 6Gb SAS 10K RPM | 8 x 600-GB 6Gb SAS 10K RPM |
| Hardware RAID | No | RAID 1 | No | Level 10 Cisco 12G SAS Modular RAID Controller |
No | Level 10 Cisco 12G SAS Modular RAID Controller |
Level 10 Cisco 12G SAS Modular RAID Controller |
| Network Interfaces | 4 x Integrated Gigabit NICs | 4 x Integrated Gigabit NICs | 6 x 1GBase-T | 6 x 1GBase-T | 2 X 10Gbase-T 4 x 1GBase-T |
2 X 10Gbase-T 4 x 1GBase-T |
2 X 10Gbase-T 4 x 1GBase-T |
| Power Supplies | - | Redundant | 1 x 770W | 2 x 770W | 1 x 770W | 2 x 770W | 2 x 770W |
CPU allocation for VM: Two times the core as the physical appliance.
* ISE 2.4 introduces a new Large VM appliance. The current SNS-3595 hardware (or its VM equivalent) will be reclassified as a Medium appliance. Under ISE 2.4, there is currently no Large Hardware-based appliance, only a Large Virtual appliance. The Large VM appliance has identical specifications as the SNS-3595, but with 256GB RAM. The Large 3595-based VM is intended for use as a performance-enhanced MnT node. There is currently no application for its use as a PAN, PSN, or pxGrid node.
*ISE 2.6 introduces 3 new platforms- SNS 3615,SNS-3655 and SNS 3695 supported on hardware and VM equivalent. SNS 35xx series platforms has been announced EoL.
ISE PSN Performance
Authentication values are approximate values. When determining how many PSN is needed for the deployment please use Maximum Active Sessions, RADIUS and TACACS+ authentication rates as your guidelines. Authentication performance for specific use cases is also provided in case it is required to size out the deployment.
| 3415 | 3495 | 3515 | 3595 | 3615 | 3655 | 3695 | |
|---|---|---|---|---|---|---|---|
| ISE Version(s) | ISE 2.0 ISE 2.1+ |
ISE 2.0 ISE 2.1+ |
ISE 2.0.1 ISE 2.1+ |
ISE 2.0.1 ISE 2.1+ |
ISE 2.6 and later |
ISE 2.6 and later |
ISE 2.6 and later |
| Maximum Active Sessions per PSN: Large / Dedicated Deployment |
5,000 | 20,000 | 7,500 | 40,000 | 10,000 | 50,000 | 100,000 |
| Maximum Active Sessions per PSN: Medium / Hybrid Deployment |
5,000 | 20,000 | 5,000 | 20,000 | 10,000 | 25000 | 50,000 |
* concurrent sessions for hybrid deployment
ISE TACACS+ Performance
Platform performance specs are for a dedicated PSN in transactions per second (TPS).
PAN and MNT nodes are deployed as separate node(s).
| Scenario | Cisco SNS-3415 Appliance | Cisco SNS-3495 Appliance | Cisco SNS-3515 Appliance | Cisco SNS-3595 Appliance | Cisco SNS-3615 Appliance | Cisco SNS-3655 Appliance | Cisco SNS-3695 Appliance |
|---|---|---|---|---|---|---|---|
| ISE Version | ISE 2.0 | ISE 2.0 | ISE 2.6 | ISE 2.6 | ISE 2.6 | ISE 2.6 | ISE 2.6 |
| TACACS+ Function: PAP | 1,400 | 2,800 | 1,364 | 1,412 | 1,644 | 3,299 | 3,301 |
| TACACS+ Function: CHAP | 1,500 | 2,900 | 1,312 | 1,389 | 1,289 | 2,075 | 2,099 |
| TACACS+ Function: Enable | 700 | 1,200 | 1,116 | 1,126 | 1,145 | 1,145 | 1,148 |
| TACACS+ Function: Session AuthZ | 900 | 1,700 | 1,356 | 1,488 | 1,482 | 3,259 | 3,281 |
| TACACS+ Function: Command AuthZ | 900 | 1,700 | 1,412 | 1,711 | 1,511 | 1,655 | 1,680 |
| TACACS+ Function: Accounting | 2,900 | 4,900 | 4,128 | 4,435 | 4,484 | 8,539 | 8,589 |
ISE 2.6 RADIUS Performance
Performance per platform.
Authentications per second with PSN only persona (Approximate values)
| Authentication Method | Identity Store | Cisco SNS-3595 (auths / second) |
Cisco SNS-3615 (auths / second) |
Cisco SNS-3655 (auths / second) |
Cisco SNS-3695 (auths / second) |
|---|---|---|---|---|---|
| PAP | Internal | 1256 | 1281 | 1478 | 1531 |
| PAP | Active Directory | 443 | 513 | 545 | 571 |
| PAP | LDAP | 1557 | 1463 | 1537 | 1604 |
| PEAP (MSCHAPv2) | Internal | 439 | 467 | 491 | 513 |
| PEAP (MSCHAPv2) | Active Directory | 356 | 373 | 387 | 407 |
| PEAP (GTC) | Internal | 421 | 434 | 461 | 496 |
| PEAP (GTC) | Active Directory | 334 | 371 | 404 | 431 |
| EAP-FAST (MSCHAPv2) | Internal | 557 | 643 | 661 | 703 |
| EAP-FAST (MSCHAPv2) | Active Directory | 417 | 457 | 471 | 489 |
| EAP-FAST (GTC) | Internal | 587 | 612 | 667 | 690 |
| EAP-FAST (GTC) | Active Directory | 401 | 443 | 478 | 504 |
| EAP-FAST (GTC) | LDAP | 615 | 779 | 811 | 867 |
| EAP-TLS | Internal | 247 | 348 | 367 | 388 |
| EAP-TLS | Active Directory | 251 | 335 | 356 | 381 |
| EAP-TLS | LDAP | 281 | 354 | 381 | 404 |
| MAB | Internal | 1101 | 762 | 1199 | 1299 |
| MAB | LDAP | 729 | 731 | 742 | 731 |
ISE 2.4 RADIUS Performance
Performance per platform.
Authentications per second with PSN only persona (Approximate values)
| Authentication Method | Identity Store | Cisco SNS-3515 (auths / second) |
Cisco SNS-3595 (auths / second) |
|---|---|---|---|
| PAP | Internal | 1485 | 1575 |
| PAP | Active Directory | 440 | 465 |
| PAP | LDAP | 1255 | 1340 |
| PEAP (MSCHAPv2) | Internal | 475 | 515 |
| PEAP (MSCHAPv2) | Active Directory | 365 | 385 |
| PEAP (MSCHAPv2) | LDAP | Roadmap | Roadmap |
| PEAP (GTC) | Internal | 435 | 470 |
| PEAP (GTC) | Active Directory | 340 | 365 |
| EAP-FAST (MSCHAPv2) | Internal | 485 | 515 |
| EAP-FAST (MSCHAPv2) | Active Directory | 410 | 445 |
| EAP-FAST (GTC) | Internal | 495 | 555 |
| EAP-FAST (GTC) | Active Directory | 430 | 450 |
| EAP-FAST (GTC) | LDAP | 545 | 585 |
| EAP-TLS | Internal | 310 | 310 |
| EAP-TLS | Active Directory | 310 | 315 |
| EAP-TLS | LDAP | 315 | 320 |
| MAB | Internal | 780 | 1245 |
| MAB | LDAP | 700 | 800 |
ISE 2.3 RADIUS Performance
Performance per platform.
Authentications per second with PSN only persona (Approximate values)
| Authentication Method | Identity Store | Cisco SNS-3515 (auths / second) |
Cisco SNS-3595 (auths / second) |
|---|---|---|---|
| PAP | Internal | 1630 | 2060 |
| PAP | Active Directory | 355 | 530 |
| PAP | LDAP | 585 | 1575 |
| PEAP (MSCHAPv2) | Internal | 375 | 575 |
| PEAP (MSCHAPv2) | Active Directory | 265 | 470 |
| PEAP (MSCHAPv2) | LDAP | Roadmap | Roadmap |
| EAP-FAST (MSCHAPv2) | Internal | 535 | 735 |
| EAP-FAST (MSCHAPv2) | Active Directory | 335 | 530 |
| EAP-FAST (GTC) | Internal | 445 | 1030 |
| EAP-FAST (GTC) | Active Directory | 410 (p2) | 510 |
| EAP-FAST (GTC) | LDAP | 305 (p2) | 775 |
| EAP-TLS | Internal | 190 | 330 |
| EAP-TLS | Active Directory | 200 | 320 |
| EAP-TLS | LDAP | 185 | 320 |
ISE 2.2 RADIUS Performance
Performance per platform.
Authentications per second with PSN only persona (Approximate values)
| Authentication Method | Identity Store | Cisco SNS-3415 (auths / second) |
Cisco SNS-3495 (auths / second) |
Cisco SNS-3515 (auths / second) |
Cisco SNS-3595 (auths / second) |
|---|---|---|---|---|---|
| PAP | Internal | 555 | 1575 | 2185 | |
| PAP | Active Directory | 365 | 530 | 510 | |
| PAP | LDAP | 730 | 1980 | 2810 | |
| PEAP (MSCHAPv2) | Internal | 165 | 360 | 570 | |
| PEAP (MSCHAPv2) | Active Directory | 150 | 400 | 485 | |
| PEAP (MSCHAPv2) | LDAP | Roadmap | Roadmap | Roadmap | Roadmap |
| EAP-FAST (MSCHAPv2) | Internal | 265 | 560 | 750 | |
| EAP-FAST (MSCHAPv2) | Active Directory | 235 | 505 | 525 | |
| EAP-FAST (GTC) | Internal | 260 | 505 | 1060 | |
| EAP-FAST (GTC) | Active Directory | 220 | 470 | 520 | |
| EAP-FAST (GTC) | LDAP | 285 | 600 | 1155 | |
| EAP-TLS | Internal | 330 | 335 | 335 | |
| EAP-TLS | AD | 300 | 325 | 325 | |
| EAP-TLS | LDAP | 310 | 320 | 320 |
NA = Not Available
EAP-TLS: 2k key size, Session-Resume set to OFF
PEAP: Fast Reconnect and Session-Resume on the client and ISE - OFF
ISE 2.6 Scenario-Based Performance
| Scenario | SNS-3515 (auths / second) |
SNS-3595 (auths / second) |
SNS-3615 (auths / second) |
SNS-3655 (auths / second) |
SNS-3695 (auths / second) |
|---|---|---|---|---|---|
| Posture Authentication | 47 | 70 | 51 | 83 | |
| Guest Hostspot Authentications | 152 | 192 | 168 | 225 | 270 |
| Guest Sponsored Authentications | 93 | 126 | 111 | 184 | 189 |
| BYOD onboarding single SSID (iOS) | ISE CA : 22.33 External CA: 21.78 |
ISE CA: 23.3 External CA: 22.54 |
ISE CA: 22.58 External CA: 23.56 |
||
| BYOD onboarding dual SSID (iOS) | ISE CA : 23.62 External CA :24.24 |
ISE CA: 31.35 External CA: 31.69 |
ISE CA: 22.68 External CA: 30.17 |
||
| BYOD onboarding single SSID (Android) | ISE CA:21 External CA: 22.31 |
ISE CA:22.35 External CA: 21.92 |
ISE CA: 21.57 External CA: 21.69 |
||
| BYOD onboarding dual SSID (Android) | ISE CA: 22.07 External CA: 21.54 |
ISE CA: 22.88 External CA: 22.3 |
ISE CA: 22.07 External CA:22.14 |
||
| MDM simulated - not impeded by MDM Server API performance |
|||||
| Internal CA certificate Issuance |
ISE 2.3 Scenario-Based Performance
| Scenario | Cisco SNS-3515 Appliance (auths / second) |
Cisco SNS-3595 Appliance (auths / second) |
|---|---|---|
| Posture Authentications | - | 50 |
| Guest Hotspot Authentications | 90 | 220 |
| Guest Sponsored User Authentications | 60 | 170 |
| Bulk Guest Creation via ERS API | - | 375 |
| BYOD Onboarding Single SSID (iOS) | ISE CA: 16 External CA:13 |
ISE CA: 20 External CA:29 |
| BYOD Onboarding Dual SSID (iOS) | ISE CA: 19 External CA:16 |
ISE CA: 19 External CA:26 |
| BYOD Onboarding Single SSID (Android) | ISE CA: 18 External CA:19 |
ISE CA: 19 External CA:26 |
| BYOD Onboarding Dual SSID (Android) | ISE CA: 21 External CA:21 |
ISE CA: 20 External CA:35 |
| MDM simulated - not impeded by MDM Server API performance |
250 | 340 |
| Internal CA Certificate Issuance | 43 | 45 |
ISE 2.4 Passive Identity (Passive ID) and Easy Connect Scaling
Passive ID / Easy Connect Scaling Per Deployment
| Passive Identity & Easy Connect Scaling by Deployment Size |
Scaling with Mixed RADIUS and Passive Identity / Easy Connect Services | |||||
|---|---|---|---|---|---|---|
| Deployment model | Platform | Max Dedicated PSNs |
Max RADIUS sessions per Deployment | Max Passive ID sessions per Deployment | Max Merged & Easy Connect Sessions* (Shared PSNs) |
Max Merged & Easy Connect Sessions* (Dedicated PSNs) |
| Standalone | 3515 | 0 | 7,500 | 100,000 | 1,000 | N/A |
| 3595 | 0 | 20,000 | 300,000 | 2,000 | N/A | |
| Medium
PAN+MNT on same node |
PAN+MNT: 3515 | 5 | 7,500 | 100,000 | 1,000 | 5,000 |
| PAN+MNT: 3595 | 5 | 20,000 | 500,000 | 2,000 | 10,000 | |
| Dedicated PAN, MNT, PXG and PSN nodes | PAN and MNT: 3595 | 50 | 500,000 | 500,000 | 500,000 | 500,000 |
| PAN and Large MNT: 3595 | 50 | 500,000 | 1M | 500,000 | 500,000 | |
Passive ID / Easy Connect Scaling per PSN dedicated to Passive ID Service
| Platform | Max Passive ID sessions per PSN | Max Merged & Easy Connect Sessions * per PSN |
|---|---|---|
| 3515 | 100,000 | 7,500 |
| 3595 | 500,000 | 40,000 |
* Subset of Max RADIUS/Max Passive Sessions
ISE 2.2 and 2.3 Passive Identity (Passive ID) and Easy Connect Scaling
Passive ID / EZC Scaling Per Deployment
| Passive Identity & Easy Connect Scaling by Deployment Size | Scaling with Mixed RADIUS and Passive Identity / Easy Connect Services | ||||||
|---|---|---|---|---|---|---|---|
| Deployment Type | Platform | Max Dedicated PSNs |
Max RADIUS sessions per Deployment | Max Passive ID sessions per Deployment | Max Merged & Easy Connect Sessions* (Shared PSNs) |
Max Merged & Easy Connect Sessions* (Dedicated PSNs) |
|
| Small / Standalone | 3415 | 0 | 5,000 | 50,000 | 500 | N/A | |
| 3495 | 0 | 10,000 | 100,000 | 1,000 | N/A | ||
| 3515 | 0 | 7,500 | 100,000 | 1,000 | N/A | ||
| 3595 | 0 | 20,000 | 300,000 | 2,000 | N/A | ||
| Medium / Hybrid | PAN+MNT: 3415 | 5 | 5,000 | 50,000 | 500 | 2,500 | |
| PAN+MNT: 3495 | 5 | 10,000 | 100,000 | 1,000 | 5,000 | ||
| PAN+MNT: 3515 | 5 | 7,500 | 100,000 | 1,000 | 5,000 | ||
| PAN+MNT: 3595 | 5 | 20,000 | 300,000 | 2,000 | 10,000 | ||
| Large / Dedicated |
PAN and MNT: 3495 | 40 | 250,000 | 100,000 | N/A | 25,000 | |
| PAN and MNT: 3595 | 50 | 500,000 | 300,000 | N/A | 50,000 | ||
Passive ID / Easy Connect Scaling per PSN dedicated to Passive ID Service
| Platform | Max Passive ID sessions per PSN |
Max Merged & Easy Connect Sessions * per PSN |
|---|---|---|
| 3415 | 50,000 | 5,000 |
| 3495 | 100,000 | 25,000 |
| 3515 | 100,000 | 7,500 |
| 3595 | 300,000 | 40,000 |
* Subset of Max RADIUS/Max Passive Sessions
Passive ID - Provider and Consumer Scaling
| Scenario | 3515/3595 Virtual Appliance |
|---|---|
| Max AD Domain Controllers supported via WMI or ISE AD Agent | 100 |
| Max AD Agents (assuming 1:1 agent to DC) | 100 |
| Recommended # DCs per Agent (agent on DC) | 1 |
| Recommended # DCs per Agent (agent on member server) | 10 |
| Recommended # PSNs enabled for WMI (Passive ID service) | 2 |
| Max REST API Providers | 50 |
| Max REST API EPS | 1,000 |
| Max Syslog Providers | 70 |
| Max Syslog EPS | 400 |
| Max Endpoints Probed per Interval | 100,000 |
| Max pxGrid Subscribers | 20 |
ISE 2.4 Platform eXchange Grid (pxGrid v2) Scaling
pxGrid v2 Scaling per Deployment
| Deployment Type | Platform | <= ISE 2.4 Max PSN + PXG nodes | Max PXGs | Max pxGrid Subscribers: Shared PAN+MNT+PXG | Max pxGrid Subscribers: Dedicated PSN/PXG |
|---|---|---|---|---|---|
| Small / Standalone |
3515 | 0 | 0 | 20 | N/A |
| 3595 | 0 | 0 | 30 | N/A | |
| Medium / Hybrid PAN+MnT+PXG on same node and dedicated PSNs |
PAN+MNT+PXG: 3515 | 5 | 2 | 140 | 400 |
| PAN+MNT+PXG: 3595 | 5 | 2 | 160 | 400 | |
| PAN+MNT+PXG: 3595 | 5 | 3 | 160 | 600 | |
| Large / Dedicated |
PAN and MNT: 3595 | 50 | 4 | N/A | 800 |
| PAN and Large MNT: 3595 | 50 | 4 | N/A | 800 |
pxGrid v2 Scaling per Dedicated pxGrid Node
Maximum publish rate is gated by the Total Deployment Size
| Platform | Max Subscribers per pxGrid node |
|---|---|
| 3515 | 200 |
| 3595 | 200 |
| 3615 | 220 |
| 3655 | 230 |
| 3695 | 250 |
ISE 2.2 Platform eXchange Grid (pxGrid v1) Scaling
pxGrid v1 Scaling per Deployment
| Deployment Type | Platform | Max PSN + PXG nodes |
Max PXGs |
Max pxGrid Subscribers: Shared PAN+MNT+PXG |
Max pxGrid Subscribers: Dedicated PSN/PXG |
|---|---|---|---|---|---|
| Small / Standalone
|
3415 | 0 | 0 | 2 | N/A |
| 3495 | 0 | 0 | 2 | N/A | |
| 3515 | 0 | 0 | 2 | N/A | |
| 3595 | 0 | 0 | 2 | N/A | |
| Medium / Hybrid |
3415 as PAN+MNT/PXG | 5 | 2 | 5 | 15 |
| 3495 as PAN+MNT/PXG | 5 | 2 | 5 | 15 | |
| 3515 as PAN+MNT/PXG | 5 | 2 | 5 | 15 | |
| 3595 as PAN+MNT/PXG | 5 | 2 | 5 | 15 | |
| Large / Dedicated
|
3495 as PAN and MNT | 40 | 2 | N/A | 25 |
| 3595 as PAN and MNT | 50 | 2 | N/A | 25 |
pxGrid v1 Scaling per Dedicated pxGrid Node
Maximum publish rate is gated by the Total Deployment Size
| Platform | Max Subscribers per pxGrid node |
|---|---|
| 3415 | 10 |
| 3495 | 20 |
| 3515 | 15 |
| 3595 | 25 |
ISE 2.2/2.3/2.4 Threat-Centric NAC (TC-NAC) Scaling
TC-NAC Scaling per Deployment
Deployment Type |
Platform |
TC-NAC enabled on RADIUS PSN | Dedicated PSN for TC-NAC | ||||
|---|---|---|---|---|---|---|---|
| Max TC-NAC Adapters | Max VAF (TPM) | Max IRF (TPS) | Max TC-NAC Adapters | Max VAF (TPM) | Max IRF(TPS) | ||
| Small / Standalone | 3415 | 1 | 5 | 5 | N/A | N/A | N/A |
| 3495 | 1 | 5 | 5 | N/A | N/A | N/A | |
| 3515 | 1 | 5 | 5 | N/A | N/A | N/A | |
| 3595 | 1 | 5 | 5 | N/A | N/A | N/A | |
| Medium/ Hybrid | PAN+MNT: 3415 | 1 | 5 | 10 | 3 | 40 | 80 |
| PAN+MNT: 3495 | 2 | 10 | 20 | 5 | 40 | 80 | |
| PAN+MNT: 3515 | 1 | 5 | 10 | 3 | 40 | 80 | |
| PAN+MNT: 3595 | 2 | 10 | 20 | 5 | 40 | 80 | |
| Large / Dedicated | PAN and MNT: 3495 | N/A | N/A | N/A | 5 | 40 | 80 |
| PAN and MNT: 3595 | N/A | N/A | N/A | 5 | 40 | 80 | |
* Max 1 TC-NAC node supported per deployment in ISE 2.1/2.2
TC-NAC Scaling per PSN
| Scaling per PSN | Platform | Max TC-NAC Adapters | Max VAF TPM | Max IRF TPS |
|---|---|---|---|---|
| Dedicated TC-NAC nodes Gated by Total Deployment Scale |
3415 | 3 | 40 | 80 |
| 3495 | 5 | 40 | 80 | |
| 3515 | 3 | 40 | 80 | |
| 3595 | 5 | 40 | 80 |
ISE TrustSec Scaling
|
Attribute |
ISE 2.2 |
ISE 2.4 | ISE 2.6 |
|---|---|---|---|
| Maximum TrustSec Security Group Tags (SGTs) | 4,000 | 10,000 | 10,000 |
| Maximum TrustSec Security Group ACLs (SGACLs) | 1,000 | 1,000 | 1,000 |
| Maximum TrustSec IP-SGT Static Bindings (over SSH) | 10,000 | 10,000 | 10,000 |
| Maximum NADs with TrustSec CoA in Standalone Deployment See Best Practice below |
100 | 100 |
TrustSec Best Practices
SXP Nodes (SXPSNs)
Take note of the following that is documented in the ISE Admin Guides:
Multiple Matrices
ISE 2.2+ supports multiple matrices and assigning NADs to each matrix. When moving NADs between the matrix, maximum number of NADs ISE can move to other matrix at one time is 50. If more than 50 NADs needs to be moved, then repeat the steps with less than 50 NADs at a time.
ISE CoA Handling
For ISE 2.2 and 2.3:
The CoA messages sent for update-cts-environment-data, update-sgt and update-rbacl, are originated from the PAN.
When CoA’s are transmitted, ISE uses a separate CPU thread for each NAD, increasing the CPU load and Memory consumed on the PAN.
When CoA messages are received by network devices, the consequence is RADIUS requests sent to ISE to download updated data.
The recommendation for large installations is to use a Dedicated deployment (Separate PAN, MnT, and PSN nodes). The CoA operation dictates that if nodes are not deployed on separate instances then for a large number of network devices (over 100 NADs), at least use a Hybrid deployment with dedicated PSNs. Then network devices can be configured to send RADIUS requests to a PSN to download updates so the CPU and Memory utilization and subsequent latency of the PAN is not increased further whilst dealing with the CoA messages.
For ISE 2.4:
By default, the CoA messages sent for update-cts-environment-data, update-sgt and update-rbacl, are originated from the PAN. So, without changing the default behaviour, the same recommendation can be provided as per ISE 2.2 and 2.3 above.
It is further recommended to change the default behaviour by sending CoA’s from local PSN’s rather than the PAN to reduce load on the PAN and distribute CoA generation around the ISE nodes. This is a new feature in ISE 2.4 and is configured in the Advanced TrustSec Settings under the Network Device.
ISE 2.4 SXP Scaling
ISE SXP Scaling per Deployment
Maximum 4 SXPSN pairs supported in ISE 2.4
| Deployment Type | Platform | Max PSNs | Max ISE SXP Bindings (Shared SXP & RADIUS PSNs) |
Max ISE SXP Bindings (Dedicated RADIUS & SXPSNs) |
Max ISE SXP Peers |
|---|---|---|---|---|---|
| Small / Standalone | 3515 | 0 | 3,500 | N/A | 20 |
| 3595 | 0 | 10,000 | N/A | 30 | |
| Medium / Hybrid | PAN+MNT: 3515 | 5 | 3,750 | 7,500 | 200 |
| PAN+MNT: 3595 | 5 | 10,000 | 20,000 | 200 | |
| Large / Dedicated | PAN and MNT: 3595 | 50 | N/A | 350,000 (1 pair) 500,000 (2 pair) |
200 (1 pair) 400 (2 pair) |
| PAN and Large MNT: 3595 | 50 | N/A | 350,000 (1 pair) 700,000 (2 pair) 1,050,000 (3 pair) 1,400,000 (4 pair) |
200 (1 pair) 400 (2 pair) 600 (3 pair) 800 (4 pair) |
ISE SXP Scaling per SXPSN
| Scaling per SXPSN | Platform | Max ISE SXP Bindings | Max ISE SXP Peers |
|---|---|---|---|
| Dedicated SXPSN nodes Gated by Total Deployment Scale |
3515 | 200,000 | 200 |
| 3595 | 350,000 | 200 |
ISE 2.2 and 2.3 SXP Scaling
ISE SXP Scaling per Deployment
Maximum 2 SXPSN pairs supported in ISE 2.2/2.3
| Deployment Type | Platform | Max PSNs | Max ISE SXP Bindings (Shared SXP & RADIUS PSNs) |
Max ISE SXP Bindings (Dedicated RADIUS & SXPSNs) |
Max ISE SXP Peers |
|---|---|---|---|---|---|
| Small / Standalone |
3415 | 0 | 2,500 | N/A | 10 |
| 3495 | 0 | 5,000 | N/A | 20 | |
| 3515 | 0 | 3,750 | N/A | 15 | |
| 3595 | 0 | 10,000 | N/A | 25 | |
| Medium / Hybrid Deployment | PAN+MNT: 3415 | 5 | 2,500 | 5,000 | 100 |
| PAN+MNT: 3495 | 5 | 5,000 | 10,000 | 100 | |
| PAN+MNT: 3515 | 5 | 3,750 | 7,500 | 100 | |
| PAN+MNT: 3595 | 5 | 10,000 | 20,000 | 100 | |
| Large / Dedicated | PAN and MNT: 3495 | 40 | N/A | 150,000 (1 pair) 250,000 (2 pair) |
100 (1 pair) 200 (2 pair) |
| PAN and MNT: 3595 | 50 | N/A | 250,000 (1 pair) 500,000 (2 pair) |
100 (1 pair) 200 (2 pair) |
ISE SXP Scaling per SXPSN
| Scaling per SXPSN | Platform | Max ISE SXP Bindings | Max ISE SXP Peers |
|---|---|---|---|
| Dedicated SXPSN nodes Gated by Total Deployment Scale |
3415 | 100,000 | 100 |
| 3495 | 150,000 | 100 | |
| 3515 | 150,000 | 100 | |
| 3595 | 250,000 | 100 |
ISE Storage Requirements
VM Disk Size Minimum Requirement
| Persona | Minimum Disk Size (GB) |
|---|---|
| Standalone* (all personas on single node) | 300 GB |
| PAN Only | 300 GB |
| PSN Only | 300 GB |
| PXG Only | 300 GB |
| MnT Only* | 600 GB |
| PAN + MnT* | 600 GB |
| PAN + MnT* + PXG | 600 GB |
MnT Persona Log Storage Requirements
ISE MnT Log sizing calculator for TACACS+ and RADIUS
RADIUS Log Retention (Days):
Days of log retention - assuming collection filter is enabled - for various MnT Disk Sizes.
ISE 2.0/2.1 (30% disk allocation):
| Total Endpoints | 200 GB (days) |
400 GB (days) |
600 GB (days) |
1024 GB (days) |
2048 GB (days) |
|---|---|---|---|---|---|
| 10,000 | 126 | 252 | 378 | 645 | 1,289 |
| 20,000 | 63 | 126 | 189 | 323 | 645 |
| 30,000 | 42 | 84 | 126 | 215 | 430 |
| 40,000 | 32 | 63 | 95 | 162 | 323 |
| 50,000 | 26 | 51 | 76 | 129 | 258 |
| 100,000 | 13 | 26 | 38 | 65 | 129 |
| 150,000 | 9 | 17 | 26 | 43 | 86 |
| 200,000 | 7 | 13 | 19 | 33 | 65 |
| 250,000 | 6 | 11 | 16 | 26 | 52 |
ISE 2.2 (60% disk allocation)
| Total Endpoints | 200 GB (days) |
400 GB (days) |
600 GB (days) |
1024 GB (days) |
2048 GB (days) |
|---|---|---|---|---|---|
| 5,000 | 504 | 1007 | 1510 | 2577 | 5154 |
| 10,000 | 252 | 504 | 755 | 1289 | 2577 |
| 25,000 | 101 | 202 | 302 | 516 | 1031 |
| 50,000 | 51 | 101 | 151 | 258 | 516 |
| 100,000 | 26 | 51 | 76 | 129 | 258 |
| 150,000 | 17 | 34 | 51 | 86 | 172 |
| 200,000 | 13 | 26 | 38 | 65 | 129 |
| 250,000 | 11 | 21 | 31 | 52 | 104 |
| 500,000 | 6 | 11 | 16 | 26 | 52 |
TACACS+ log retention( Days)
Scripted device admin model:
- Number of sessions per day: 4
- Number of commands: 10
- Message Size /session (KB) = 5kB + Number of commands/session *3kB
- Automated access(single script) log size calculation = n Number of devices * 4 Sessions * Message size
- E.g. : Log Size for 30k Network devices = 4GB/day
ISE 2.0/2.1 (20% Disk Allocation):
| Number of Network Devices in the deployment |
MnT Disk Size (GB) | ||||
|---|---|---|---|---|---|
| 200 | 400 | 600 | 1024 | 2048 | |
| 500 | 480 | 959 | 1439 | 2455 | 4909 |
| 1000 | 240 | 480 | 720 | 1228 | 2455 |
| 5000 | 48 | 96 | 144 | 246 | 491 |
| 10000 | 24 | 48 | 72 | 123 | 246 |
| 20000 | 12 | 24 | 36 | 62 | 123 |
| 30000 | 8 | 16 | 24 | 41 | 82 |
| 50000 | 5 | 10 | 15 | 25 | 50 |
ISE 2.2 (60% disk allocation):
| # Network Devices | 200 GB (days) |
400 GB (days) |
600 GB (days) |
1024 GB (days) |
2048 GB (days) |
|---|---|---|---|---|---|
| 100 | 12,583 | 25,166 | 37,749 | 64,425 | 128,850 |
| 500 | 2,517 | 5,034 | 7,550 | 12,885 | 25,770 |
| 1,000 | 1,259 | 2,517 | 3,775 | 6,443 | 12,885 |
| 5,000 | 252 | 504 | 755 | 1,289 | 2,577 |
| 10,000 | 126 | 252 | 378 | 645 | 1,289 |
| 25,000 | 51 | 101 | 151 | 258 | 516 |
| 50,000 | 26 | 51 | 76 | 129 | 258 |
| 75,000 | 17 | 34 | 51 | 86 | 172 |
| 100,000 | 13 | 26 | 38 | 65 | 129 |
Human admin - Device admin model
- Number of sessions: 50
- Number of Commands/session: 10
- Message Size /session (KB) = 5kB + Number of commands/session *3kB
- Manual access log size calculation = 50 Sessions * N Admins * Message size
- E.g. : Log Size for 50 admins = 85.4MB/ day
ISE 2.0/2.1 (20% Disk Allocation):
| Number of Admins\ Disk Size(GB) | MnT Disk Size (GB) | ||||
|---|---|---|---|---|---|
| 200 | 400 | 600 | 1024 | 2048 | |
| 5 | 3835 | 7670 | 11505 | 19635 | 39269 |
| 10 | 1918 | 3835 | 5753 | 9818 | 19635 |
| 20 | 959 | 1918 | 2877 | 4909 | 9818 |
| 30 | 640 | 1279 | 1918 | 3273 | 6545 |
| 40 | 480 | 959 | 1439 | 2455 | 4909 |
| 50 | 384 | 767 | 1151 | 1964 | 3927 |
ISE ERS Scale
Units are transactions per seconds (TPS)
| Concurrent ERS Connections | 2.4= 10 | 2.6= 30 |
| Operation | ISE 2.4 (3515) TPS |
ISE 2.4 (3595) TPS |
ISE 2.6 (3515) TPS |
ISE 2.6 (3595) TPS |
ISE 2.6 (3615) TPS |
ISE 2.6 (3655) TPS |
ISE 2.6 (3695) TPS |
| EP Bulk create | 361 (250K) | 362 (250K) | 351 (200K) | 533 (200K) | 351 (200K) | 581 (200K) | 598 (200K) |
| EP Bulk Delete | 377 (250K) | 399 (250K) | 346 (200K) | 275 (200K) | 297 (200K) | 279 (200K) | 281 (200K) |
| EP Bulk Deregister | 300 (250K) | 376 (250K) | 314 (200K) | 375 (200K) | 340 (200K) | 328 (200K) | 330 (200K) |
| EP Bulk Register | 315 (250K) | 377 (250K) | 357 (200K) | 377 (200K) | 297 (200K) | 245 (200K) | 260 (200K) |
| EP Bulk Update | 366 (250K) | 364 (250K) | 247 (200K) | 364 (200K) | 327 (200K) | 283 (200K) | 285 (200K) |
| Guest Bulk Create 50k |
314 | 388 | 277 | 350 | 387 | 349 | 351 |
| Guest Bulk Delete | 122 | 188 | 119 | 188 | 122 | 141 | 192 |
| Guest Bulk Reinstate | 125 | 177 | 93 | 177 | 121 | 132 | 179 |
| Guest Bulk Suspend | 105 | 149 | 109 | 149 | 109 | 102 | 166 |
| Guest Bulk Update |
76 | 90 | 76 | 90 | 83 | 53 | 55 |
| SGT Bulk Create 1k |
9 | 14 | 13 | 14 | 11 | 13 | 15 |
ISE WAN Bandwidth Calculator
This calculator can be used to find out how much bandwidth needs to be reserved for ISE operation across WAN links.
ISE Latency and Bandwidth Calculators
The ISE 1.2 version of the tool is still valid for 2.1 release.
Sources
- ISE Training (check out BRKSEC-3432)
- Cisco Identity Services Engine - Install and Upgrade Guides - Cisco
- Cisco Secure Network Server Data Sheet - Cisco
- ISE High Level Design (HLD)
- ISE Load Balancing
- ISE Latency and Bandwidth Calculators
