
ISE Performance & Scale


 

ISE Deployment Scale and Limits

ISE Architecture Terminology:

  • PAN = Policy Administration Node
  • MnT = Monitoring & Troubleshooting Node
  • PSN = Policy Services Node
  • PXG = Platform Exchange Grid Node
| Attribute | ISE 2.2 Maximums | ISE 2.4 Maximums | ISE 2.6 Maximums |
|---|---|---|---|
| Maximum number of concurrent sessions in a Dedicated deployment (Separate PAN, MnT, and PSN nodes) | 250,000 for 3495 as PAN and 3495 as MnT; 500,000 for 3595 as PAN and 3595 as MnT | 34xx not supported; 500,000 for 3595 as PAN and 3595 as MnT | 2,000,000 - 3695 as PAN and MnT; 500,000 - 3595 as PAN and MnT |
| Maximum number of concurrent sessions in a Hybrid deployment (PAN & MnT on a single node and dedicated PSNs) | 5,000 for 3415 as PAN+MnT; 10,000 for 3495 as PAN+MnT; 7,500 for 3515 as PAN+MnT; 20,000 for 3595 as PAN+MnT | 34xx not supported; 7,500 for 3515 as PAN+MnT; 20,000 for 3595 as PAN+MnT | 10,000 for 3615 as PAN+MnT; 25,000 for 3655 as PAN+MnT; 50,000 for 3695 as PAN+MnT; 7500 for 3515 as PAN+MnT; 20,000 for 3595 as PAN+MnT |
| Maximum number of concurrent sessions in a Standalone deployment (PAN, MnT, and PSN personas all on a single node) | 5,000 for 3415; 10,000 for 3495; 7,500 for 3515; 20,000 for 3595 | 34xx not supported; 7,500 for 3515; 20,000 for 3595 | 10,000 for 3615; 25,000 for 3655; 50,000 for 3695; 7500 for 3515; 20,000 for 3595 |
| Maximum number of PSNs in a Dedicated deployment (Separate PAN, MnT and PSN nodes) | 40 for 3495 as PAN | 50 for 3595 as PAN | 50 for 3595 as PAN; 50 for 3695 as PAN |
| Maximum number of PSNs in a Hybrid deployment (PAN and MnT on a single node and dedicated PSNs) | 5 | Same | Same |
| Maximum number of pxGrid nodes in a Dedicated deployment (Separate PAN, MnT, PXG, and PSN nodes) | 2 | 4 (All active) | Same |
| Maximum number of pxGrid nodes in a Hybrid deployment (PAN and MnT on single node and Dedicated PSNs) | 2 (either collocate PXG on PAN+MNT node, or else dedicate PXG nodes and reduce PSN count by up to 2 nodes) | Same | Same |
| Maximum number of NADs | 100,000 | Same | Same |
| Maximum number of Network Device Groups (NDGs) | 10,000 | Same | Same |
| Maximum number of Active Directory Forests (Join Points) | 50 | Same | Same |
| Maximum number of Active Directory controllers (WMI query) | 100 | Same | Same |
| Maximum number of Internal users | 300,000 | Same | Same |
| Maximum number of Internal guests | 1,000,000 (Expect latency for admin GUI + user auth >500k guests) | Same | Same |
| Maximum number of User Certificates | 1,000,000 | Same | Same |
| Maximum number of Server Certificates | 1,000 | Same | Same |
| Maximum number of Trusted Certificates | 1,000 | Same | Same |
| Maximum number of user portals (Guest, BYOD, MDM, Cert, Posture..) | 600 | Same | Same |
| Maximum number of Endpoints | 1,500,000 | Same | 2,000,000 |
| Maximum number of Policy Sets | 100 | 200 | Same |
| Maximum number of Authentication Rules | 100 (Simple Policy Mode); 200 (Policy Set Mode) | N/A (Simple Policy Mode); 1000 (Policy Set Mode) | Same |
| Maximum number of Authorization Rules | 600 (Simple Policy Mode); 700 (Policy Set Mode) | N/A (Simple Policy Mode); 3,000 (Policy Set Mode) with 3200 Authz profiles | Same |
| Maximum number of User Identity Groups | 1,000 | Same | Same |
| Maximum number of Endpoint Identity Groups | 1,000 | Same | Same |
| TrustSec Scaling | See TrustSec scaling section below | See TrustSec scaling section below | |

 

Maximum Network Latency Between Nodes

The maximum network latency (in milliseconds) between the ISE Administration Nodes and any other ISE nodes including the secondary PAN, MnT, and PSN.

| ISE Versions | Maximum Latency (milliseconds) |
|---|---|
| ISE 2.0 and before | 200ms |
| ISE 2.1 and later | 300ms |

 

ISE Hardware Platforms

VMs must have the equivalent of the hardware platforms or better.
VM resources must be dedicated to ISE and not shared with other VMs.

| Appliance | SNS-3415 | SNS-3495 | SNS-3515 | SNS-3595 | SNS-3615 | SNS-3655 | SNS-3695 |
|---|---|---|---|---|---|---|---|
| Processor | 1 - Intel Xeon 2.4-GHz E5-2609 | 2 - Intel Xeon 2.4-GHz E5-2609 | 1 - Intel Xeon 2.40 GHz E5-2620 | 1 - Intel Xeon 2.60 GHz E5-2640 | 1 - Intel Xeon 2.10 GHz 4110 | 1 - Intel Xeon 2.10 GHz 4116 | 1 - Intel Xeon 2.10 GHz 4116 |
| Cores per processor | 4 | 4 | 6 | 8 | 8 | 12 | 12 |
| Memory | 16GB | 32GB | 16 GB (2x8GB) | 64 GB (4x16GB) | 32 GB (2x16GB) | 96 GB (6x16GB) | 256 GB (8x32GB) |
| Hard Disk | 1 x 600-GB 10k SAS HDD (600 GB total disk space) | 2 x 600-GB 10k SAS HDDs (600 GB total) | 1 x 600-GB 6Gb SAS 10K RPM | 4 x 600-GB 6Gb SAS 10K RPM | 1 x 600-GB 6Gb SAS 10K RPM | 4 x 600-GB 6Gb SAS 10K RPM | 8 x 600-GB 6Gb SAS 10K RPM |
| Hardware RAID | No | RAID 1 | No | Level 10, Cisco 12G SAS Modular RAID Controller | No | Level 10, Cisco 12G SAS Modular RAID Controller | Level 10, Cisco 12G SAS Modular RAID Controller |
| Network Interfaces | 4 x Integrated Gigabit NICs | 4 x Integrated Gigabit NICs | 6 x 1GBase-T | 6 x 1GBase-T | 2 x 10GBase-T, 4 x 1GBase-T | 2 x 10GBase-T, 4 x 1GBase-T | 2 x 10GBase-T, 4 x 1GBase-T |
| Power Supplies | - | Redundant | 1 x 770W | 2 x 770W | 1 x 770W | 2 x 770W | 2 x 770W |

 

* ISE 2.4 introduces a new Large VM appliance. The current SNS-3595 hardware (or its VM equivalent) will be reclassified as a Medium appliance. Under ISE 2.4, there is currently no Large hardware-based appliance, only a Large virtual appliance. The Large VM appliance has the same specifications as the SNS-3595, but with 256GB RAM. The Large 3595-based VM is intended for use as a performance-enhanced MnT node. There is currently no application for its use as a PAN, PSN, or pxGrid node.

* ISE 2.6 introduces 3 new platforms, SNS-3615, SNS-3655 and SNS-3695, supported as hardware and as VM equivalents. The SNS-35xx series platforms have been announced EoL.

 

ISE PSN Performance

Authentication values are approximate. When determining how many PSNs are needed for a deployment, use Maximum Concurrent Sessions and the RADIUS and TACACS+ authentication rates as your guidelines. Authentication performance for specific use cases is also provided in case it is needed to size the deployment.

| | 3415 | 3495 | 3515 | 3595 | 3615 | 3655 | 3695 |
|---|---|---|---|---|---|---|---|
| ISE Version | ISE 2.0 / 2.1+ | ISE 2.0 / 2.1+ | ISE 2.0.1 / 2.1+ | ISE 2.0.1 / 2.1+ | ISE 2.6 | ISE 2.6 | ISE 2.6 |
| Maximum Concurrent Sessions | 5,000 | 20,000 | 5,000 / 7,500 | 20,000 / 40,000 | 10,000* / 10,000 | 25,000* / 50,000 | 50,000* / 100,000 |

* concurrent sessions for hybrid deployment 

 

ISE TACACS+ Performance

Platform performance specs are for a dedicated PSN in transactions per second (TPS).

PAN and MNT nodes are deployed as separate node(s).

Scenario Cisco SNS-3415 Appliance Cisco SNS-3495 Appliance Cisco SNS-3515 Appliance Cisco SNS-3595 Appliance
ISE Version ISE 2.0 ISE 2.0 ISE 2.1 ISE 2.1
TACACS+ Function: PAP 1,400 / second 2,800 / second 3,236 / second 4,884 / second
TACACS+ Function: CHAP 1,500 / second 2,900 / second 2,413 / second 4,961 / second
TACACS+ Function: Enable 700 / second 1,200 / second 1631/second 1,984 / second
TACACS+ Function: Session AuthZ 900 / second 1,700 / second 2,191 / second 3,453 / second
TACACS+ Function: Command AuthZ 900 / second 1,700 / second 2,359 / second 3,467 / second
TACACS+ Function: Accounting 2,900 / second 4,900 / second 3,209 / second 9,128 / second

 

ISE 2.6 RADIUS Performance

Performance per platform.

Authentications per second with PSN only persona (Approximate values)

| Authentication Method | Identity Store | Cisco SNS-3595 (auths / second) | Cisco SNS-3615 (auths / second) | Cisco SNS-3655 (auths / second) | Cisco SNS-3695 (auths / second) |
|---|---|---|---|---|---|
| PAP | Internal | 1256 | 1281 | 1478 | 1531 |
| PAP | Active Directory | 443 | 513 | 545 | 571 |
| PAP | LDAP | 1557 | 1463 | 1537 | 1604 |
| PEAP (MSCHAPv2) | Internal | 439 | 467 | 491 | 513 |
| PEAP (MSCHAPv2) | Active Directory | 356 | 373 | 387 | 407 |
| PEAP (GTC) | Internal | 421 | 434 | 461 | 496 |
| PEAP (GTC) | Active Directory | 334 | 371 | 404 | 431 |
| EAP-FAST (MSCHAPv2) | Internal | 557 | 643 | 661 | 703 |
| EAP-FAST (MSCHAPv2) | Active Directory | 417 | 457 | 471 | 489 |
| EAP-FAST (GTC) | Internal | 587 | 612 | 667 | 690 |
| EAP-FAST (GTC) | Active Directory | 401 | 443 | 478 | 504 |
| EAP-FAST (GTC) | LDAP | 615 | 779 | 811 | 867 |
| EAP-TLS | Internal | 247 | 348 | 367 | 388 |
| EAP-TLS | Active Directory | 251 | 335 | 356 | 381 |
| EAP-TLS | LDAP | 281 | 354 | 381 | 404 |
| MAB | Internal | 1101 | 762 | 1199 | 1299 |
| MAB | LDAP | 729 | 731 | 742 | 731 |

 

ISE 2.4 RADIUS Performance

Performance per platform.

Authentications per second with PSN only persona (Approximate values)

| Authentication Method | Identity Store | Cisco SNS-3515 (auths / second) | Cisco SNS-3595 (auths / second) |
|---|---|---|---|
| PAP | Internal | 1485 | 1575 |
| PAP | Active Directory | 440 | 465 |
| PAP | LDAP | 1255 | 1340 |
| PEAP (MSCHAPv2) | Internal | 475 | 515 |
| PEAP (MSCHAPv2) | Active Directory | 365 | 385 |
| PEAP (MSCHAPv2) | LDAP | Roadmap | Roadmap |
| PEAP (GTC) | Internal | 435 | 470 |
| PEAP (GTC) | Active Directory | 340 | 365 |
| EAP-FAST (MSCHAPv2) | Internal | 485 | 515 |
| EAP-FAST (MSCHAPv2) | Active Directory | 410 | 445 |
| EAP-FAST (GTC) | Internal | 495 | 555 |
| EAP-FAST (GTC) | Active Directory | 430 | 450 |
| EAP-FAST (GTC) | LDAP | 545 | 585 |
| EAP-TLS | Internal | 310 | 310 |
| EAP-TLS | Active Directory | 310 | 315 |
| EAP-TLS | LDAP | 315 | 320 |
| MAB | Internal | 780 | 1245 |
| MAB | LDAP | 700 | 800 |

 

ISE 2.3 RADIUS Performance

Performance per platform.

Authentications per second with PSN only persona (Approximate values)

| Authentication Method | Identity Store | Cisco SNS-3515 (auths / second) | Cisco SNS-3595 (auths / second) |
|---|---|---|---|
| PAP | Internal | 1630 | 2060 |
| PAP | Active Directory | 355 | 530 |
| PAP | LDAP | 585 | 1575 |
| PEAP (MSCHAPv2) | Internal | 375 | 575 |
| PEAP (MSCHAPv2) | Active Directory | 265 | 470 |
| PEAP (MSCHAPv2) | LDAP | Roadmap | Roadmap |
| EAP-FAST (MSCHAPv2) | Internal | 535 | 735 |
| EAP-FAST (MSCHAPv2) | Active Directory | 335 | 530 |
| EAP-FAST (GTC) | Internal | 445 | 1030 |
| EAP-FAST (GTC) | Active Directory | 410 (p2) | 510 |
| EAP-FAST (GTC) | LDAP | 305 (p2) | 775 |
| EAP-TLS | Internal | 190 | 330 |
| EAP-TLS | Active Directory | 200 | 320 |
| EAP-TLS | LDAP | 185 | 320 |

 

ISE 2.2 RADIUS Performance

Performance per platform.

Authentications per second with PSN only persona (Approximate values)

| Authentication Method | Identity Store | Cisco SNS-3415 (auths / second) | Cisco SNS-3495 (auths / second) | Cisco SNS-3515 (auths / second) | Cisco SNS-3595 (auths / second) |
|---|---|---|---|---|---|
| PAP | Internal | 555 | | 1575 | 2185 |
| PAP | Active Directory | 365 | | 530 | 510 |
| PAP | LDAP | 730 | | 1980 | 2810 |
| PEAP (MSCHAPv2) | Internal | 165 | | 360 | 570 |
| PEAP (MSCHAPv2) | Active Directory | 150 | | 400 | 485 |
| PEAP (MSCHAPv2) | LDAP | Roadmap | Roadmap | Roadmap | Roadmap |
| EAP-FAST (MSCHAPv2) | Internal | 265 | | 560 | 750 |
| EAP-FAST (MSCHAPv2) | Active Directory | 235 | | 505 | 525 |
| EAP-FAST (GTC) | Internal | 260 | | 505 | 1060 |
| EAP-FAST (GTC) | Active Directory | 220 | | 470 | 520 |
| EAP-FAST (GTC) | LDAP | 285 | | 600 | 1155 |
| EAP-TLS | Internal | 330 | | 335 | 335 |
| EAP-TLS | AD | 300 | | 325 | 325 |
| EAP-TLS | LDAP | 310 | | 320 | 320 |

NA = Not Available

EAP-TLS: 2k key size, Session-Resume set to OFF

PEAP: Fast Reconnect and Session-Resume on the client and ISE - OFF

 

ISE 2.6 Scenario-Based Performance

Scenario SNS-3515
(auths / second)
SNS-3595
(auths / second)
SNS-3615
(auths / second)
SNS-3655
(auths / second)
SNS-3695
(auths / second)
Posture Authentication         47 70   51 83
Guest Hostspot Authentications 152 192 168 225 270
Guest Sponsored Authentications 93 126 111 184 189
BYOD onboarding single SSID (ios)     ISE CA : 22.33 External CA: 21.78 ISE CA: 23.3
External CA: 22.54
ISE CA: 22.58
External CA: 23.56
BYOD onboarding dual SSID (ios)     ISE CA : 23.62 External CA :24.24 ISE CA: 31.35 External CA: 31.69 ISE CA: 22.68
External CA: 30.17
BYOD onboarding single SSID (android)     ISE CA:21
External CA: 22.31
ISE CA:22.35
External CA: 21.92
ISE CA: 21.57
External CA: 21.69
BYOD onboarding dual SSID ( android)     ISE CA: 22.07
External CA: 21.54
ISE CA: 22.88
External CA: 22.3
ISE CA: 22.07
External CA:22.14
MDM ((simulated - not impeded by MDM Server API performance)          
Internal CA certificate Issuance          

 

ISE 2.3 Scenario-Based Performance

| Scenario | Cisco SNS-3515 Appliance (auths / second) | Cisco SNS-3595 Appliance (auths / second) |
|---|---|---|
| Posture Authentications | - | 50 |
| Guest Hotspot Authentications | 90 | 220 |
| Guest Sponsored User Authentications | 60 | 170 |
| Bulk Guest Creation via ERS API | - | 375 |
| BYOD Onboarding Single SSID (iOS) | ISE CA: 16 / External CA: 13 | ISE CA: 20 / External CA: 29 |
| BYOD Onboarding Dual SSID (iOS) | ISE CA: 19 / External CA: 16 | ISE CA: 19 / External CA: 26 |
| BYOD Onboarding Single SSID (Android) | ISE CA: 18 / External CA: 19 | ISE CA: 19 / External CA: 26 |
| BYOD Onboarding Dual SSID (Android) | ISE CA: 21 / External CA: 21 | ISE CA: 20 / External CA: 35 |
| MDM (simulated - not impeded by MDM Server API performance) | 250 | 340 |
| Internal CA Certificate Issuance | 43 | 45 |

 

ISE 2.4 Passive Identity (Passive ID) and Easy Connect Scaling

 

Passive ID / Easy Connect Scaling Per Deployment

Passive Identity & Easy Connect Scaling by Deployment Size
Scaling with Mixed RADIUS and Passive Identity / Easy Connect Services

| Deployment model | Platform | Max Dedicated PSNs | Max RADIUS sessions per Deployment | Max Passive ID sessions per Deployment | Max Merged & Easy Connect Sessions* (Shared PSNs) | Max Merged & Easy Connect Sessions* (Dedicated PSNs) |
|---|---|---|---|---|---|---|
| Standalone | 3515 | 0 | 7,500 | 100,000 | 1,000 | N/A |
| | 3595 | 0 | 20,000 | 300,000 | 2,000 | N/A |
| Medium (PAN+MNT on same node, Dedicated PSNs) | 3515 as PAN+MNT | 5 | 7,500 | 100,000 | 1,000 | 5,000 |
| | 3595 as PAN+MNT | 5 | 20,000 | 500,000 | 2,000 | 10,000 |
| Dedicated PAN, MNT, PXG and PSN nodes | 3595 as PAN and MNT | 50 | 500,000 | 500,000 | 500,000 | 500,000 |
| | 3595 as PAN and Large MNT | 50 | 500,000 | 1M | 500,000 | 500,000 |

 

Passive ID / Easy Connect Scaling per PSN dedicated to Passive ID Service

Platform Max Passive ID sessions per PSN Max Merged & Easy Connect Sessions * per PSN
3515 100,000 7,500
3595 500,000 40,000

* Subset of Max RADIUS/Max Passive Sessions

 

ISE 2.2 and 2.3 Passive Identity (Passive ID) and Easy Connect Scaling

 

Passive ID / EZC Scaling Per Deployment

Passive Identity & Easy Connect Scaling by Deployment Size
Scaling with Mixed RADIUS and Passive Identity / Easy Connect Services

| Deployment model | Platform | Max Dedicated PSNs | Max RADIUS sessions per Deployment | Max Passive ID sessions per Deployment | Max Merged & Easy Connect Sessions* (Shared PSNs) | Max Merged & Easy Connect Sessions* (Dedicated PSNs) |
|---|---|---|---|---|---|---|
| Standalone | 3415 | 0 | 5,000 | 50,000 | 500 | N/A |
| | 3495 | 0 | 10,000 | 100,000 | 1,000 | N/A |
| | 3515 | 0 | 7,500 | 100,000 | 1,000 | N/A |
| | 3595 | 0 | 20,000 | 300,000 | 2,000 | N/A |
| Medium (PAN+MNT on same node, Dedicated PSNs) | 3415 as PAN+MNT | 5 | 5,000 | 50,000 | 500 | 2,500 |
| | 3495 as PAN+MNT | 5 | 10,000 | 100,000 | 1,000 | 5,000 |
| | 3515 as PAN+MNT | 5 | 7,500 | 100,000 | 1,000 | 5,000 |
| | 3595 as PAN+MNT | 5 | 20,000 | 300,000 | 2,000 | 10,000 |
| Dedicated PAN, MNT, PXG and PSN nodes | 3495 as PAN and MNT | 40 | 250,000 | 100,000 | N/A | 25,000 |
| | 3595 as PAN and MNT | 50 | 500,000 | 300,000 | N/A | 50,000 |

 

Passive ID / Easy Connect Scaling per PSN dedicated to Passive ID Service

| Platform | Max Passive ID sessions per PSN | Max Merged & Easy Connect Sessions* per PSN |
|---|---|---|
| 3415 | 50,000 | 5,000 |
| 3495 | 100,000 | 25,000 |
| 3515 | 100,000 | 7,500 |
| 3595 | 300,000 | 40,000 |

* Subset of Max RADIUS/Max Passive Sessions

 

Passive ID - Provider and Consumer Scaling

Scenario 3515/3595
Virtual Appliance
Max AD Domain Controllers supported via WMI or ISE AD Agent 100
Max AD Agents (assuming 1:1 agent to DC) 100
Recommended # DCs per Agent (agent on DC) 1
Recommended # DCs per Agent (agent on member server) 10
Recommended # PSNs enabled for WMI (Passive ID service) 2
Max REST API Providers 50
Max REST API EPS 1,000
Max Syslog Providers 70
Max Syslog EPS 400
Max Endpoints Probed per Interval 100,000
Max pxGrid Subscribers 20

 

ISE 2.4 Platform eXchange Grid (pxGrid v2) Scaling

 

pxGrid v2 Scaling per Deployment

Note: pxGrid v2 support added in ISE 2.3 but requires v2 Subscribers/Publishers. Each pxGrid v2 node can be Active.

 

| Deployment Type | Platform | Max PSNs | Max PXGs | Max pxGrid Subscribers: Shared PAN+MNT+PXG | Max pxGrid Subscribers: Dedicated PSN/PXG |
|---|---|---|---|---|---|
| Standalone: all personas on same node (2 nodes redundant) | 3515 | 0 | 0 | 20 | N/A |
| | 3595 | 0 | 0 | 30 | N/A |
| Medium: PAN+MnT+PXG on same node and dedicated PSNs, -OR- PAN+MnT and dedicated PSN & PXG (minimum 4 nodes redundant) | 3515 as PAN+MNT/PXG | 5* | 2* | 140 | 400 |
| | 3595 as PAN+MNT/PXG | 5* | 2* | 160 | 400 |
| | 3595 as PAN+MNT/PXG | 5* | 3* | 160 | 600 |
| Dedicated: all personas on dedicated nodes (minimum 6 nodes redundant) | 3595 as PAN and MNT | 50 | 4 | N/A | 800 |
| | 3595 as PAN and Large MNT | 50 | 4 | N/A | 800 |

* Max PSN + PXG Nodes = 5

 

pxGrid v2 Scaling per Dedicated pxGrid Node

Maximum publish rate is gated by the Total Deployment Size

Platform Max Subscribers per pxGrid node
3515 200
3595 200
3615 220
3655 230
3695 250

 

ISE 2.2 Platform eXchange Grid (pxGrid v1) Scaling

 

pxGrid v1 Scaling per Deployment

| Deployment Type | Platform | Max PSNs | Max PXGs | Max pxGrid Subscribers: Shared PAN+MNT+PXG | Max pxGrid Subscribers: Dedicated PSN/PXG |
|---|---|---|---|---|---|
| Standalone: all personas on same node (2 nodes redundant) | 3415 | 0 | 0 | 2 | N/A |
| | 3495 | 0 | 0 | 2 | N/A |
| | 3515 | 0 | 0 | 2 | N/A |
| | 3595 | 0 | 0 | 2 | N/A |
| Medium: PAN+MnT+PXG on same node and dedicated PSNs, -OR- PAN+MnT and dedicated PSN & PXG (minimum 4 nodes redundant) | 3415 as PAN+MNT/PXG | 5* | 2* | 5 | 15 |
| | 3495 as PAN+MNT/PXG | 5* | 2* | 5 | 15 |
| | 3515 as PAN+MNT/PXG | 5* | 2* | 5 | 15 |
| | 3595 as PAN+MNT/PXG | 5* | 2* | 5 | 15 |
| Dedicated: all personas on dedicated nodes (minimum 6 nodes redundant) | 3495 as PAN and MNT | 40 | 2 | N/A | 25 |
| | 3595 as PAN and MNT | 50 | 2 | N/A | 25 |

* Max PSN + PXG Nodes = 5

 

pxGrid v1 Scaling per Dedicated pxGrid Node

Maximum publish rate is gated by the Total Deployment Size

Platform Max Subscribers per pxGrid node
3415 10
3495 20
3515 15
3595 25

 

ISE 2.2/2.3/2.4 Threat-Centric NAC (TC-NAC) Scaling

Note: 34x5 appliance is not supported after ISE 2.3.

 

TC-NAC Scaling per Deployment


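| Deployment Type | Platform | TC-NAC enabled on RADIUS PSN: Max TC-NAC Adapters | TC-NAC enabled on RADIUS PSN: Max VAF (TPM) | TC-NAC enabled on RADIUS PSN: Max IRF (TPS) | Dedicated PSN for TC-NAC: Max TC-NAC Adapters | Dedicated PSN for TC-NAC: Max VAF (TPM) | Dedicated PSN for TC-NAC: Max IRF (TPS) |
|---|---|---|---|---|---|---|---|
| Standalone: all personas on same node (2 nodes redundant) | 3415 | 1 | 5 | 5 | N/A | N/A | N/A |
| | 3495 | 1 | 5 | 5 | N/A | N/A | N/A |
| | 3515 | 1 | 5 | 5 | N/A | N/A | N/A |
| | 3595 | 1 | 5 | 5 | N/A | N/A | N/A |
| Medium: PAN+MnT on same node and dedicated PSNs (minimum 4 nodes redundant) | 3415 as PAN+MNT | 1 | 5 | 10 | 3 | 40 | 80 |
| | 3495 as PAN+MNT | 2 | 10 | 20 | 5 | 40 | 80 |
| | 3515 as PAN+MNT | 1 | 5 | 10 | 3 | 40 | 80 |
| | 3595 as PAN+MNT | 2 | 10 | 20 | 5 | 40 | 80 |
| Dedicated: all personas on dedicated nodes (minimum 6 nodes redundant) | 3495 as PAN and MNT | N/A | N/A | N/A | 5 | 40 | 80 |
| | 3595 as PAN and MNT | N/A | N/A | N/A | 5 | 40 | 80 |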

* Max 1 TC-NAC node supported per deployment in ISE 2.1/2.2

 

TC-NAC Scaling per PSN

| Scaling per PSN | Platform | Max TC-NAC Adapters | Max VAF TPM | Max IRF TPS |
|---|---|---|---|---|
| Dedicated TC-NAC nodes (gated by total deployment scale) | 3415 | 3 | 40 | 80 |
| | 3495 | 5 | 40 | 80 |
| | 3515 | 3 | 40 | 80 |
| | 3595 | 5 | 40 | 80 |

 

ISE TrustSec Scaling

| Attribute | Maximums (ISE 2.2) | Maximums (ISE 2.4) | Maximums (ISE 2.6) |
|---|---|---|---|
| TrustSec Security Group Tags (SGTs) | 4,000 | 10,000 | 10,000 |
| TrustSec Security Group ACLs (SGACLs) | 1,000 | 1,000 | 1,000 |
| TrustSec IP-SGT Static Bindings (over SSH) | 10,000 | 10,000 | 10,000 |
| NADs with TrustSec CoA in Standalone Deployment (see Best Practice below) | 100 | 100 | |

 

TrustSec Best Practices

SXP Nodes (SXPSNs)

Take note of the following that is documented in the ISE Admin Guides:

Note: We recommend that you run the SXP service on a standalone node.

 

Multiple Matrices

ISE 2.2+ supports multiple matrices and assigning NADs to each matrix. When moving NADs between matrices, the maximum number of NADs ISE can move to another matrix at one time is 50. If more than 50 NADs need to be moved, repeat the steps with fewer than 50 NADs at a time.

 

ISE CoA Handling

For ISE 2.2 and 2.3:
The CoA messages sent for update-cts-environment-data, update-sgt and update-rbacl originate from the PAN.
When CoAs are transmitted, ISE uses a separate CPU thread for each NAD, increasing the CPU load and memory consumed on the PAN.
When network devices receive CoA messages, they send RADIUS requests to ISE to download the updated data.

The recommendation for large installations is to use a Dedicated deployment (separate PAN, MnT, and PSN nodes). If nodes are not deployed on separate instances, then for a large number of network devices (over 100 NADs) use at least a Hybrid deployment with dedicated PSNs. Network devices can then be configured to send RADIUS requests to a PSN to download updates, so that the CPU and memory utilization and subsequent latency of the PAN are not increased further while it is dealing with the CoA messages.

 
For ISE 2.4:
By default, the CoA messages sent for update-cts-environment-data, update-sgt and update-rbacl originate from the PAN. Without changing the default behaviour, the same recommendation applies as for ISE 2.2 and 2.3 above.
It is further recommended to change the default behaviour so that CoAs are sent from the local PSNs rather than the PAN, which reduces load on the PAN and distributes CoA generation across the ISE nodes. This is a new feature in ISE 2.4 and is configured in the Advanced TrustSec Settings under the Network Device.

 

ISE 2.4 SXP Scaling

 

ISE SXP Scaling per Deployment

| Deployment Type | Platform | Max PSNs | Max ISE SXP Bindings (Shared SXP & RADIUS PSNs) | Max ISE SXP Bindings (Dedicated RADIUS & SXPSNs) | Max ISE SXP Peers |
|---|---|---|---|---|---|
| Standalone: all personas on same node (2 nodes redundant) | 3515 | 0 | 3,500 | N/A | 20 |
| | 3595 | 0 | 10,000 | N/A | 30 |
| Unified: PAN+MnT on same node and dedicated PSNs (minimum 4 nodes redundant) | 3515 as PAN+MNT | 5 | 3,750 | 7,500 | 200 |
| | 3595 as PAN+MNT | 5 | 10,000 | 20,000 | 200 |
| Dedicated: all personas on dedicated nodes (minimum 6 nodes redundant) | 3595 as PAN and MNT | 50 | N/A | 350,000 (1 pair); 500,000 (2 pair) | 200 (1 pair); 400 (2 pair) |
| | 3595 as PAN and Large MNT | 50 | N/A | 350,000 (1 pair); 700,000 (2 pair); 1,050,000 (3 pair); 1,400,000 (4 pair) | 200 (1 pair); 400 (2 pair); 600 (3 pair); 800 (4 pair) |

* Max 4 SXPSN pairs supported in ISE 2.4

 

ISE SXP Scaling per SXPSN

| Scaling per SXPSN | Platform | Max ISE SXP Bindings | Max ISE SXP Peers |
|---|---|---|---|
| Dedicated SXPSN nodes (gated by total deployment scale) | 3515 | 200,000 | 200 |
| | 3595 | 350,000 | 200 |

 

ISE 2.2 and 2.3 SXP Scaling

 

ISE SXP Scaling per Deployment

| Deployment Type | Platform | Max PSNs | Max ISE SXP Bindings (Shared SXP & RADIUS PSNs) | Max ISE SXP Bindings (Dedicated RADIUS & SXPSNs) | Max ISE SXP Peers |
|---|---|---|---|---|---|
| Standalone: all personas on same node (2 nodes redundant) | 3415 | 0 | 2,500 | N/A | 10 |
| | 3495 | 0 | 5,000 | N/A | 20 |
| | 3515 | 0 | 3,750 | N/A | 15 |
| | 3595 | 0 | 10,000 | N/A | 25 |
| Unified: PAN+MnT on same node and dedicated PSNs (minimum 4 nodes redundant) | 3415 as PAN+MNT | 5 | 2,500 | 5,000 | 100 |
| | 3495 as PAN+MNT | 5 | 5,000 | 10,000 | 100 |
| | 3515 as PAN+MNT | 5 | 3,750 | 7,500 | 100 |
| | 3595 as PAN+MNT | 5 | 10,000 | 20,000 | 100 |
| Dedicated: all personas on dedicated nodes (minimum 6 nodes redundant) | 3495 as PAN and MNT | 40 | N/A | 150,000 (1 pair); 250,000 (2 pair) | 100 (1 pair); 200 (2 pair) |
| | 3595 as PAN and MNT | 50 | N/A | 250,000 (1 pair); 500,000 (2 pair) | 100 (1 pair); 200 (2 pair) |

* Max 2 SXPSN pairs supported in ISE 2.2/2.3

 

ISE SXP Scaling per SXPSN

| Scaling per SXPSN | Platform | Max ISE SXP Bindings | Max ISE SXP Peers |
|---|---|---|---|
| Dedicated SXPSN nodes (gated by total deployment scale) | 3415 | 100,000 | 100 |
| | 3495 | 150,000 | 100 |
| | 3515 | 150,000 | 100 |
| | 3595 | 250,000 | 100 |

 

ISE Storage Requirements

 

VM Disk Size Minimum Requirement

Persona Minimum Disk Size (GB)
Standalone* (all personas on single node) 200+ GB
PAN Only
MnT Only*
PSN Only
PXG Only
PAN + MnT*
PAN + MnT* + PXG

* Minimum 600GB required for any node running MnT persona

 

Note: Thin Provisioning is supported since 1.3; however, Thick/Eager Provisioning will yield best performance.

Note: 10k RPM+ HDD or equivalent speed required.

Note: Recommended IO Read 300MB/s or higher, IO Write 50MB/s or higher.

Note: 600GB max for non-MnT persona node, 2TB max for MnT persona node.

 

MnT Persona Log Storage Requirements

ISE MnT Log sizing calculator for TACACS+ and RADIUS

 

RADIUS Log Retention (Days):

Days of log retention - assuming collection filter is enabled - for various MnT Disk Sizes.

ISE 2.0/2.1 (30% disk allocation):

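| Total Endpoints | 200 GB (days) | 400 GB (days) | 600 GB (days) | 1024 GB (days) | 2048 GB (days) |
|---|---|---|---|---|---|
| 10,000 | 126 | 252 | 378 | 645 | 1,289 |
| 20,000 | 63 | 126 | 189 | 323 | 645 |
| 30,000 | 42 | 84 | 126 | 215 | 430 |
| 40,000 | 32 | 63 | 95 | 162 | 323 |
| 50,000 | 26 | 51 | 76 | 129 | 258 |
| 100,000 | 13 | 26 | 38 | 65 | 129 |
| 150,000 | 9 | 17 | 26 | 43 | 86 |
| 200,000 | 7 | 13 | 19 | 33 | 65 |
| 250,000 | 6 | 11 | 16 | 26 | 52 |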
250,000 6 11 16 26 52

 

ISE 2.2 (60% disk allocation)

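| Total Endpoints | 200 GB (days) | 400 GB (days) | 600 GB (days) | 1024 GB (days) | 2048 GB (days) |
|---|---|---|---|---|---|
| 5,000 | 504 | 1007 | 1510 | 2577 | 5154 |
| 10,000 | 252 | 504 | 755 | 1289 | 2577 |
| 25,000 | 101 | 202 | 302 | 516 | 1031 |
| 50,000 | 51 | 101 | 151 | 258 | 516 |
| 100,000 | 26 | 51 | 76 | 129 | 258 |
| 150,000 | 17 | 34 | 51 | 86 | 172 |
| 200,000 | 13 | 26 | 38 | 65 | 129 |
| 250,000 | 11 | 21 | 31 | 52 | 104 |
| 500,000 | 6 | 11 | 16 | 26 | 52 |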
Note: Above values are based on controlled criteria including message size, re-authentication interval, etc., and results may vary depending on the environment.

 

 

TACACS+ Log Retention (Days)

Scripted device admin model:

  • Number of sessions per day: 4
  • Number of commands: 10
  • Message size per session (kB) = 5 kB + number of commands per session * 3 kB
  • Automated access (single script) log size = number of devices * 4 sessions * message size
  • E.g.: log size for 30k network devices = 4GB/day

 

ISE 2.0/2.1 (20% Disk Allocation):

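| Number of Network Devices in the deployment | MnT disk 200 GB | MnT disk 400 GB | MnT disk 600 GB | MnT disk 1024 GB | MnT disk 2048 GB |
|---|---|---|---|---|---|
| 500 | 480 | 959 | 1439 | 2455 | 4909 |
| 1000 | 240 | 480 | 720 | 1228 | 2455 |
| 5000 | 48 | 96 | 144 | 246 | 491 |
| 10000 | 24 | 48 | 72 | 123 | 246 |
| 20000 | 12 | 24 | 36 | 62 | 123 |
| 30000 | 8 | 16 | 24 | 41 | 82 |
| 50000 | 5 | 10 | 15 | 25 | 50 |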

 

ISE 2.2 (60% disk allocation):

| # Network Devices | 200 GB (days) | 400 GB (days) | 600 GB (days) | 1024 GB (days) | 2048 GB (days) |
|---|---|---|---|---|---|
| 100 | 12,583 | 25,166 | 37,749 | 64,425 | 128,850 |
| 500 | 2,517 | 5,034 | 7,550 | 12,885 | 25,770 |
| 1,000 | 1,259 | 2,517 | 3,775 | 6,443 | 12,885 |
| 5,000 | 252 | 504 | 755 | 1,289 | 2,577 |
| 10,000 | 126 | 252 | 378 | 645 | 1,289 |
| 25,000 | 51 | 101 | 151 | 258 | 516 |
| 50,000 | 26 | 51 | 76 | 129 | 258 |
| 75,000 | 17 | 34 | 51 | 86 | 172 |
| 100,000 | 13 | 26 | 38 | 65 | 129 |

 

Human admin - Device admin model

  • Number of sessions: 50
  • Number of commands per session: 10
  • Message size per session (kB) = 5 kB + number of commands per session * 3 kB
  • Manual access log size = 50 sessions * N admins * message size
  • E.g.: log size for 50 admins = 85.4MB/day

 

ISE 2.0/2.1 (20% Disk Allocation):

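| Number of Admins | MnT disk 200 GB | MnT disk 400 GB | MnT disk 600 GB | MnT disk 1024 GB | MnT disk 2048 GB |
|---|---|---|---|---|---|
| 5 | 3835 | 7670 | 11505 | 19635 | 39269 |
| 10 | 1918 | 3835 | 5753 | 9818 | 19635 |
| 20 | 959 | 1918 | 2877 | 4909 | 9818 |
| 30 | 640 | 1279 | 1918 | 3273 | 6545 |
| 40 | 480 | 959 | 1439 | 2455 | 4909 |
| 50 | 384 | 767 | 1151 | 1964 | 3927 |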
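
The scripted and human device-admin sizing models above, worked as an added example (not part of the original page): it applies the page's message-size formula, estimates retention days, and inverts the calculation to find the MnT disk needed for a retention target, failing when that exceeds the 2TB MnT maximum. The 80% headroom factor and the round-up are assumptions inferred from the ISE 2.0/2.1 (20% allocation) tables, which they reproduce; the ISE 2.2 tables do not follow from these inputs, and all function names are illustrative.

```python
KB_PER_MB = 1024
KB_PER_GB = 1024 * 1024     # binary units match the page's 4GB/day and 85.4MB/day figures
BASE_KB = 5                 # per-session base message size (from the page)
PER_COMMAND_KB = 3          # per-command message size (from the page)
MNT_MAX_DISK_GB = 2048      # page: "2TB max for MnT persona node"
HEADROOM_PCT = 80           # ASSUMPTION: inferred by fitting the ISE 2.0/2.1 tables


def session_kb(commands_per_session=10):
    """Message size per session in kB: 5 kB + commands * 3 kB."""
    return BASE_KB + commands_per_session * PER_COMMAND_KB


def daily_log_kb(actors, sessions_per_day, commands_per_session=10):
    """Daily TACACS+ log volume in kB.

    actors is the number of network devices (scripted model, 4 sessions/day)
    or the number of admins (human model, 50 sessions/day).
    """
    if actors <= 0 or sessions_per_day <= 0:
        raise ValueError("actors and sessions_per_day must be positive")
    return actors * sessions_per_day * session_kb(commands_per_session)


def retention_days(disk_gb, daily_kb, allocation_pct=20, headroom_pct=HEADROOM_PCT):
    """Days of logs that fit in the allocated share of the MnT disk.

    Integer arithmetic avoids float drift; the result is rounded up because
    that is what reproduces the page's ISE 2.0/2.1 table values.
    """
    usable = disk_gb * KB_PER_GB * allocation_pct * headroom_pct
    return -(-usable // (daily_kb * 100 * 100))      # ceiling division


def min_disk_gb(required_days, daily_kb, allocation_pct=20, headroom_pct=HEADROOM_PCT):
    """Smallest MnT disk (whole GB) that holds required_days of full logs."""
    needed = required_days * daily_kb * 100 * 100
    disk = -(-needed // (KB_PER_GB * allocation_pct * headroom_pct))
    if disk > MNT_MAX_DISK_GB:
        raise ValueError(
            f"{disk} GB needed, above the {MNT_MAX_DISK_GB} GB maximum for an MnT node")
    return disk


if __name__ == "__main__":
    scripted = daily_log_kb(30_000, sessions_per_day=4)   # page example: 30k devices
    human = daily_log_kb(50, sessions_per_day=50)         # page example: 50 admins
    print(f"scripted, 30k devices: {scripted / KB_PER_GB:.1f} GB/day")
    print(f"human, 50 admins:      {human / KB_PER_MB:.1f} MB/day")
    print("10k devices on 200 GB: ",
          retention_days(200, daily_log_kb(10_000, 4)), "days")
    print("90 days for 20k devices:",
          min_disk_gb(90, daily_log_kb(20_000, 4)), "GB")
    try:
        min_disk_gb(90, daily_log_kb(50_000, 4))
    except ValueError as exc:
        print("90 days for 50k devices:", exc)
```
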

 

ISE ERS Scale 

Units are transactions per second (TPS).

Concurrent ERS connections: ISE 2.4 = 10, ISE 2.6 = 30

 

| Operation | 2.4 (3515) | 2.4 (3595) | 2.6 (3515) | 2.6 (3595) | 2.6 (3615) | 2.6 (3655) | 2.6 (3695) |
|---|---|---|---|---|---|---|---|
| EP Bulk Create | 361 (250K) | 362 (250K) | 351 (200K) | 533 (200K) | 351 (200K) | 581 (200K) | 598 (200K) |
| EP Bulk Delete | 377 (250K) | 399 (250K) | 346 (200K) | 275 (200K) | 297 (200K) | 279 (200K) | 281 (200K) |
| EP Bulk Deregister | 300 (250K) | 376 (250K) | 314 (200K) | 375 (200K) | 340 (200K) | 328 (200K) | 330 (200K) |
| EP Bulk Register | 315 (250K) | 377 (250K) | 357 (200K) | 377 (200K) | 297 (200K) | 245 (200K) | 260 (200K) |
| EP Bulk Update | 366 (250K) | 364 (250K) | 247 (200K) | 364 (200K) | 327 (200K) | 283 (200K) | 285 (200K) |
| Guest Bulk Create 50k | 314 | 388 | 277 | 350 | 387 | 349 | 351 |
| Guest Bulk Delete | 122 | 188 | 119 | 188 | 122 | 141 | 192 |
| Guest Bulk Reinstate | 125 | 177 | 93 | 177 | 121 | 132 | 179 |
| Guest Bulk Suspend | 105 | 149 | 109 | 149 | 109 | 102 | 166 |
| Guest Bulk Update | 76 | 90 | 76 | 90 | 83 | 53 | 55 |
| SGT Bulk Create 1k | 9 | 14 | 13 | 14 | 11 | 13 | 15 |

 

ISE WAN Bandwidth Calculator

This calculator can be used to find out how much bandwidth needs to be reserved for ISE operation across WAN links.

ISE Latency and Bandwidth Calculators

The ISE 1.2 version of the tool is still valid for 2.1 release.

 


Comments
Cisco Employee

Wow what a great compilation of information, great work!

Cisco Employee

Really Awesome work, congrats.

Cisco Employee

Take care, the CPU numbers for the new SNS 3595 are wrong: only one 8-core CPU.

Advocate

Chassis has 2 sockets, but only one socket occupied by 8-core CPU for total 8 cores.

Cisco Employee

Yes, in fact SNS-3500 use the same UCS hardware with 2 sockets

The gap between both SNS-3500 is the CPU model which is not the same but only one for each platform

This is different from SNS-3400 which have the same model of CPU but SNS-3415 has 1 and SNS-3495 has 2

Other thing is about hyperthreading, I have to double check but as I remember it is disabled by default in the BIOS... so 8 cores -> 8 threads.

Advocate

HT should be enabled on SNS-35x5 appliances. In fact, we test VMs with HT enabled, as that is the assumption with the 35xx series. If you find otherwise on your customer's appliance, I recommend having them open a TAC case to file a defect.

Cisco Employee

I have to double check but was on SNS-34xx.

Cisco Employee

Thank you, Jeremy!

I updated the Processor descriptions to only mention the actual processor(s) and not sockets to prevent confusion.

Contributor

Can ISE 2.1 be installed on the SNS-33XX Hardware?

Cisco Employee

No, please check the release notes:

http://www.cisco.com/c/en/us/td/docs/security/ise/2-1/release_notes/ise21_rn.html

Contributor

Perfect, thanks! That is what I was looking for and completely overlooked it the first time.