ISE Performance & Scale



ISE 2.2+ Deployment Scale and Limits

 

PAN = Policy Administration Node

MnT = Monitoring & Troubleshooting Node

PSN = Policy Services Node

 

| Attribute | Maximums |
|---|---|
| Maximum number of concurrent sessions with a Dedicated deployment (separate PAN, MnT, and PSNs) | 250,000 for 3495 as PAN and 3495 as MnT; 500,000 for 3595 as PAN and 3595 as MnT |
| Maximum number of concurrent sessions with a Medium deployment (PAN & MnT on a single node) | 5,000 for 3415 as PAN+MnT; 10,000 for 3495 as PAN+MnT; 7,500 for 3515 as PAN+MnT; 20,000 for 3595 as PAN+MnT |
| Maximum number of concurrent sessions with a Standalone deployment (PAN, MnT, and PSN personas all on a single node) | 5,000 for 3415; 10,000 for 3495; 7,500 for 3515; 20,000 for 3595 |
| Maximum number of PSNs for a Dedicated deployment (separate PAN, MnT and PSNs) | 40 for 3495 as PAN; 50 for 3595 as PAN |
| Maximum number of PSNs for a Medium deployment (PAN and MnT on a single node) | 5 |
| Maximum number of pxGrid nodes for a Dedicated deployment (separate PAN, MnT, PXG, and PSNs) | 2 |
| Maximum number of pxGrid nodes for a Medium deployment (PAN and MnT on single node) | 2 (either collocate PXG on PAN+MNT node, or else dedicate PXG nodes and reduce PSN count by up to 2 nodes) |
| Maximum number of NADs | 100,000 |
| Maximum number of Network Device Groups (NDGs) | 10,000 |
| Maximum number of Active Directory join points | 50 |
| Maximum number of Active Directory controllers (WMI query) | 100 |
| Maximum number of Internal users | 300,000 |
| Maximum number of Internal guests | 1,000,000; expect latency for admin GUI + user auth >500k guests |
| Maximum number of user portals (guest, byod, mdm, cert, compliance..) | 2000 |
| Maximum number of Endpoints | 1,500,000 |
| Maximum number of Policy Sets | 100 |
| Maximum number of Authentication Rules | 100 (Simple Policy Mode); 200 (Policy Set Mode--2 rules + default per policy set) |
| Maximum number of Authorization Rules | 600 (Simple Policy Mode); 700 (Policy Set Mode) |
| Maximum number of User Identity Groups | 1,000 |
| Maximum number of Endpoint Identity Groups | 1,000 |
| TrustSec Security Group Tags (SGTs) | 4,000 |
| TrustSec Security Group ACLs (SGACLs) | 2,500 |
| Maximum number of SXP bindings | 250,000 per SXPSN; 500,000 per deployment with two SXPSNs |

 

 


ISE Hardware Platforms


VMs must have the equivalent of the hardware platforms or better.

VM resources must be dedicated to ISE and not shared with other VMs.


| Hardware Appliance | ISE | Processor | RAM | Hard disk | RAID | Ethernet NIC | Power | EoS |
|---|---|---|---|---|---|---|---|---|
| Cisco SNS-3315 | 1.x | 1x Xeon 2.66-GHz quad-core processor | 4GB | 2 x 250GB SATA3 HDD | No | 4 x 1GB NIC | - | 24-Dec-2013 |
| Cisco SNS-3355 | 1.x | 1x Nehalem 2.0-GHz quad-core processor | 4GB | 2 x 300GB 2.5in. SATA HDD | RAID (disabled) | 4 x 1GB NIC | Redundant | 24-Dec-2013 |
| Cisco SNS-3395 | 1.x | 2x Nehalem 2.0-GHz quad-core processor | 4GB | 4 x 300GB 2.5in. SASII HDD | RAID 1 | 4 x 1GB NIC | Redundant | 24-Dec-2013 |
| Cisco SNS-3415 (Small / Medium) | 1.x, 2.x | 1 - Intel Xeon 2.4-GHz E5-2609 (4 total cores) | 16GB | 1 x 600-GB 10k SAS HDD (600 GB total disk space) | No | 4 x Integrated Gigabit NICs | - | 07-Oct-2016 |
| Cisco SNS-3495 (Large) | 1.x, 2.x | 2 - Intel Xeon 2.4-GHz E5-2609 (8 total cores) | 32GB | 2 x 600-GB 10k SAS HDDs (600 GB total) | RAID 1 | 4 x Integrated Gigabit NICs | Redundant | 07-Oct-2016 |
| Cisco SNS-3515 (Small / Medium) | 2.x | 1 – Intel Xeon 2.40 GHz E5-2620 (6 total cores) | 16GB | 1 x 600-GB 10k SAS HDD (600 GB total) | No | 6 x Integrated Gigabit NICs | - | - |
| Cisco SNS-3595 (Large) | 2.x | 1 – Intel Xeon 2.60 GHz E5-2640 (8 total cores) | 64GB | 4 x 600-GB 10k SAS HDDs (1200 GB total) | RAID 10 | 6 x Integrated Gigabit NICs | Redundant | - |

 

 

 

ISE PSN Performance

 

Authentication values are approximate.

When determining how many PSNs are needed for the deployment, use ‘Maximum Concurrent Sessions’ as the main guideline. Authentication performance for specific use cases is also provided in case it is needed to size the deployment.

 

| | Cisco SNS-3415 Appliance | Cisco SNS-3495 Appliance | Cisco SNS-3515 Appliance | Cisco SNS-3595 Appliance |
|---|---|---|---|---|
| ISE Version | ISE 2.0 / 2.1+ | ISE 2.0 / 2.1+ | ISE 2.0.1 / 2.1+ | ISE 2.0.1 / 2.1+ |
| Maximum Concurrent Sessions | 5,000 | 20,000 | 5,000 / 7,500 | 20,000 / 40,000 |
| Posture Authentications | 25 / second | 45 / second | 50 / second (2.1) | 65 / second |
| Guest Hotspot Authentications | 50 / second | 68 / second | 80 / second (2.0) | 180 / second |
| Guest Sponsored User Authentications | 17 / second | 28 / second | 40 / second (2.0) | 100 / second |
| Maximum number of SXP peers | 20 / 100 | 20 / 100 | 20 / 100 | 20 / 100 |
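
A sizing check built on the figures on this page, added here as an illustration (it is not Cisco's calculator): it derives the PSN count from Maximum Concurrent Sessions and then tests the result against the Medium and Dedicated deployment limits. The function name, the reading of the second value in each "x / y" cell as the ISE 2.1+ figure, and the `spare_psns` headroom are assumptions of the example.

```python
import math

# Per-PSN "Maximum Concurrent Sessions" from this page (ISE 2.1+ values).
PSN_MAX_SESSIONS = {"3415": 5_000, "3495": 20_000, "3515": 7_500, "3595": 40_000}

# Deployment ceilings from this page, keyed by the platform running PAN/MnT:
# (max concurrent sessions, max PSNs).
MEDIUM = {"3415": (5_000, 5), "3495": (10_000, 5),
          "3515": (7_500, 5), "3595": (20_000, 5)}
DEDICATED = {"3495": (250_000, 40), "3595": (500_000, 50)}


def size_deployment(sessions, psn_platform, admin_platform, spare_psns=1):
    """Return (model, psn_count) for the smallest deployment model that fits.

    spare_psns is headroom for losing a PSN; it is an assumption of this
    example, not a figure from the page. Raises ValueError when no model fits.
    """
    per_psn = PSN_MAX_SESSIONS[psn_platform]
    psns = math.ceil(sessions / per_psn) + spare_psns
    reasons = []
    for model, limits in (("medium", MEDIUM), ("dedicated", DEDICATED)):
        if admin_platform not in limits:
            reasons.append(f"{model}: {admin_platform} not listed as PAN/MnT")
            continue
        max_sessions, max_psns = limits[admin_platform]
        if sessions > max_sessions:
            reasons.append(f"{model}: {sessions} sessions > {max_sessions}")
        elif psns > max_psns:
            reasons.append(f"{model}: {psns} PSNs > {max_psns}")
        else:
            return model, psns
    raise ValueError("; ".join(reasons))


if __name__ == "__main__":
    # Constructed sample inputs: (sessions, PSN platform, PAN/MnT platform).
    for args in [(8_000, "3515", "3495"), (200_000, "3495", "3495"),
                 (200_000, "3415", "3495")]:
        try:
            print(args, "->", size_deployment(*args))
        except ValueError as err:
            print(args, "-> does not fit:", err)
```

The third sample fails because 40 session-bearing 3415 PSNs plus one spare exceed the 40-PSN limit of a 3495 PAN, even though 200,000 sessions is within the 250,000-session ceiling.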

 

 

ISE TACACS+ Performance

 

Platform performance specs are for a dedicated PSN.

PAN and MNT nodes are deployed as separate node(s).

 

| Scenario | Cisco SNS-3415 Appliance | Cisco SNS-3495 Appliance | Cisco SNS-3515 Appliance | Cisco SNS-3595 Appliance |
|---|---|---|---|---|
| ISE Version | ISE 2.0 | ISE 2.0 | ISE 2.1 | ISE 2.1 |
| TACACS+ Function: PAP | 1,400 / second | 2,800 / second | 3,236 / second | 4,884 / second |
| TACACS+ Function: CHAP | 1,500 / second | 2,900 / second | 2,413 / second | 4,961 / second |
| TACACS+ Function: Enable | 700 / second | 1,200 / second | 1,631 / second | 1,984 / second |
| TACACS+ Function: Session AuthZ | 900 / second | 1,700 / second | 2,191 / second | 3,453 / second |
| TACACS+ Function: Command AuthZ | 900 / second | 1,700 / second | 2,359 / second | 3,467 / second |
| TACACS+ Function: Accounting | 2,900 / second | 4,900 / second | 3,209 / second | 9,128 / second |

 

 

ISE 2.0 RADIUS Performance

 

Performance per platform.

Authentications per second with PSN only persona (Approximate values)

| Authentication Method | Identity Store | Cisco SNS-3415 (auths / second) | Cisco SNS-3495 (auths / second) | Cisco SNS-3515 (auths / second) | Cisco SNS-3595 (auths / second) |
|---|---|---|---|---|---|
| PAP | Internal | 764 | 1152 | 1989 | 2453 |
| PAP | Active Directory | 471 | 425 | 436 | 566 |
| PAP | LDAP | 789 | 1306 | 2128 | 2818 |
| PEAP (MSCHAPv2) | Internal | 185 | 314 | 455 | 536 |
| PEAP (MSCHAPv2) | Active Directory | 173 | 201 | 453 | 529 |
| PEAP (MSCHAPv2) | LDAP | Roadmap | Roadmap | Roadmap | Roadmap |
| EAP-FAST (MSCHAPv2) | Internal | 376 | 608 | 706 | 709 |
| EAP-FAST (MSCHAPv2) | Active Directory | 339 | 363 | 458 | 491 |
| EAP-FAST (GTC) | Internal | 382 | 593 | 993 | 1287 |
| EAP-FAST (GTC) | Active Directory | 323 | 362 | 423 | 551 |
| EAP-FAST (GTC) | LDAP | 385 | 633 | 1084 | 1330 |
| EAP-TLS | Internal | 153 | 324 | 222 | 324 |
| MAB | Internal | 528 | NA | 1580 | NA |
| MAB | MAB : LDAP | 597 | NA | 1489 | NA |

NA = Not Available

EAP-TLS: 2k key size, Session-Resume set to OFF

PEAP: Fast Reconnect and Session-Resume on the client and ISE - OFF

 

 

ISE 2.0 Scenario-Based Performance

 

| Scenario | Cisco SNS-3415 Appliance | Cisco SNS-3495 Appliance |
|---|---|---|
| Posture Authentications | 25 per second | 45 per second |
| Guest Hotspot Authentications | 50 per second | 68 per second |
| Guest Sponsored User Authentications | 17 per second | 28 per second |
| Bulk Guest Creation via ERS API | 50 per second | 95 per second |
| BYOD Onboarding Single SSID (iOS) | 9 (External CA:12) per second | 15 (External CA:17) per second |
| BYOD Onboarding Dual SSID (iOS) | 10 (External CA:12) per second | 14 (External CA:17) per second |
| BYOD Onboarding Single SSID (Android) | 12 (External CA:18) per second | 19 (External CA:18) per second |
| BYOD Onboarding Dual SSID (Android) | 17 (External CA:18) per second | 18 (External CA:18) per second |
| MDM | 58 per second | 243 per second |
| MDM w/ cache | 114 per second | 406 per second |
| Internal CA Certificate Issuance via Web | 43 per second | 41 per second |
| Internal CA with AnyConnect/ASA SCEP | 18 per second | 34 per second |
| Internal CA Authorization w/ OCSP | 30 per second | 30 per second |

 

 

ISE Passive Identity (Passive ID) and Easy Connect Scaling

Passive ID / EZC Scaling Per Deployment

 

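Passive Identity & Easy Connect Scaling by Deployment Size. The two "Max Merged & Easy Connect Sessions" columns give scaling with mixed RADIUS and Passive Identity / Easy Connect services.

Standalone: all personas on the same node
Medium: PAN+MNT on same node, Dedicated PSNs
Dedicated: PAN, MNT, PXG and PSN nodes

| Deployment model | Platform | Max Dedicated PSNs | Max RADIUS sessions per Deployment | Max Passive ID sessions per Deployment | Max Merged & Easy Connect Sessions* (Shared PSNs) | Max Merged & Easy Connect Sessions* (Dedicated PSNs) |
|---|---|---|---|---|---|---|
| Standalone | 3415 | 0 | 5,000 | 50,000 | 500 | N/A |
| Standalone | 3495 | 0 | 10,000 | 100,000 | 1,000 | N/A |
| Standalone | 3515 | 0 | 7,500 | 100,000 | 1,000 | N/A |
| Standalone | 3595 | 0 | 20,000 | 300,000 | 2,000 | N/A |
| Medium | 3415 as PAN+MNT | 5 | 5,000 | 50,000 | 500 | 2,500 |
| Medium | 3495 as PAN+MNT | 5 | 10,000 | 100,000 | 1,000 | 5,000 |
| Medium | 3515 as PAN+MNT | 5 | 7,500 | 100,000 | 1,000 | 5,000 |
| Medium | 3595 as PAN+MNT | 5 | 20,000 | 300,000 | 2,000 | 10,000 |
| Dedicated | 3495 as PAN and MNT | 40 | 250,000 | 100,000 | N/A | 25,000 |
| Dedicated | 3595 as PAN and MNT | 50 | 500,000 | 300,000 | N/A | 50,000 |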

 

Passive ID / Easy Connect Scaling per PSN dedicated to Passive ID Service

| Platform | Max Passive ID sessions per PSN | Max Merged & Easy Connect Sessions* per PSN |
|---|---|---|
| 3415 | 50,000 | 10,000 |
| 3495 | 100,000 | 25,000 |
| 3515 | 100,000 | 15,000 |
| 3595 | 300,000 | 50,000 |

* Subset of Max RADIUS/Max Passive Sessions

 

Passive ID - Provider and Consumer Scaling

| Scenario | 3515/3595 Virtual Appliance |
|---|---|
| Max AD Domain Controllers supported via WMI or ISE AD Agent | 100 |
| Max AD Agents (assuming 1:1 agent to DC) | 100 |
| Recommended # DCs per Agent (agent on DC) | 1 |
| Recommended # DCs per Agent (agent on member server) | 10 |
| Recommended # PSNs enabled for WMI (Passive ID service) | 2 |
| Max REST API Providers | 50 |
| Max REST API EPS | 1,000 |
| Max Syslog Providers | 50 |
| Max Syslog EPS | 500 |
| Max Endpoints Probed per Interval | 100,000 |
| Max pxGrid Subscribers | 20 |

 

 

ISE Platform Exchange Grid (pxGrid) Scaling

pxGrid Scaling per Deployment

 

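Standalone: All personas on same node; 2 nodes redundant
Medium: PAN+MnT+PXG on same node and dedicated PSNs, -OR- PAN+MnT and dedicated PSN & PXG; Minimum 4 nodes redundant
Dedicated: All personas on dedicated nodes; Minimum 6 nodes redundant

| Deployment Type | Platform | Max PSNs | Max PXGs | Max pxGrid Subscribers: Shared PAN+MNT+PXG | Max pxGrid Subscribers: Dedicated PSN/PXG |
|---|---|---|---|---|---|
| Standalone | 3415 | 0 | 0 | 2 | N/A |
| Standalone | 3495 | 0 | 0 | 2 | N/A |
| Standalone | 3515 | 0 | 0 | 2 | N/A |
| Standalone | 3595 | 0 | 0 | 2 | N/A |
| Medium | 3415 as PAN+MNT/PXG | 5* | 2* | 5 | 15 |
| Medium | 3495 as PAN+MNT/PXG | 5* | 2* | 5 | 15 |
| Medium | 3515 as PAN+MNT/PXG | 5* | 2* | 5 | 15 |
| Medium | 3595 as PAN+MNT/PXG | 5* | 2* | 5 | 15 |
| Dedicated | 3495 as PAN and MNT | 40 | 2 | N/A | 25 |
| Dedicated | 3595 as PAN and MNT | 50 | 2 | N/A | 25 |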

*Max PSN + PXG Nodes = 5

 

 

pxGrid Scaling per Dedicated pxGrid Node

Maximum publish rate is gated by the Total Deployment Size

| Platform | Max Subscribers per pxGrid node |
|---|---|
| 3415 | 10 |
| 3495 | 20 |
| 3515 | 15 |
| 3595 | 25 |

 

ISE SXP Scaling

 

ISE SXP Scaling per Deployment

Standalone: All personas on same node; 2 nodes redundant
Unified: PAN+MnT on same node and dedicated PSNs; Minimum 4 nodes redundant
Dedicated: All personas on dedicated nodes; Minimum 6 nodes redundant

| Deployment Type | Platform | Max PSNs | Max ISE SXP Bindings (Shared SXP & RADIUS PSNs) | Max ISE SXP Bindings (Dedicated RADIUS & SXPSNs) | Max ISE SXP Peers |
|---|---|---|---|---|---|
| Standalone | 3415 | 0 | 2,500 | N/A | 10 |
| Standalone | 3495 | 0 | 5,000 | 2 | 20 |
| Standalone | 3515 | 0 | 3,750 | 2 | 15 |
| Standalone | 3595 | 0 | 10,000 | 2 | 25 |
| Unified | 3415 as PAN+MNT | 5 | 2,500 | 5,000 | 100 |
| Unified | 3495 as PAN+MNT | 5 | 5,000 | 10,000 | 100 |
| Unified | 3515 as PAN+MNT | 5 | 3,750 | 7,500 | 100 |
| Unified | 3595 as PAN+MNT | 5 | 10,000 | 20,000 | 100 |
| Dedicated | 3495 as PAN and MNT | 40 | N/A | 150,000 (1 pair); 250,000 (2 pair) | 100 (1 pair); 200 (2 pair) |
| Dedicated | 3595 as PAN and MNT | 50 | N/A | 250,000 (1 pair); 500,000 (2 pair) | 100 (1 pair); 200 (2 pair) |

* Max 2 SXPSN pairs supported in ISE 2.1/2.2

 

ISE SXP Scaling per SXPSN

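| Scaling per SXPSN | Platform | Max ISE SXP Bindings | Max ISE SXP Peers |
|---|---|---|---|
| Dedicated SXPSN nodes (Gated by Total Deployment Scale) | 3415 | 100,000 | 100 |
| Dedicated SXPSN nodes (Gated by Total Deployment Scale) | 3495 | 150,000 | 100 |
| Dedicated SXPSN nodes (Gated by Total Deployment Scale) | 3515 | 150,000 | 100 |
| Dedicated SXPSN nodes (Gated by Total Deployment Scale) | 3595 | 250,000 | 100 |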

 

 

Threat-Centric NAC (TC-NAC) Scaling


TC-NAC Scaling per Deployment


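Standalone: All personas on same node; 2 nodes redundant
Medium: PAN+MnT on same node and dedicated PSNs; Minimum 4 nodes redundant
Dedicated: All personas on dedicated nodes; Minimum 6 nodes redundant

| Deployment Type | Platform | TC-NAC enabled on RADIUS PSN: Max TC-NAC Adapters | TC-NAC enabled on RADIUS PSN: Max VAF (TPM) | TC-NAC enabled on RADIUS PSN: Max IRF (TPS) | Dedicated PSN for TC-NAC: Max TC-NAC Adapters | Dedicated PSN for TC-NAC: Max VAF (TPM) | Dedicated PSN for TC-NAC: Max IRF (TPS) |
|---|---|---|---|---|---|---|---|
| Standalone | 3415 | 1 | 5 | 5 | N/A | N/A | N/A |
| Standalone | 3495 | 1 | 5 | 5 | N/A | N/A | N/A |
| Standalone | 3515 | 1 | 5 | 5 | N/A | N/A | N/A |
| Standalone | 3595 | 1 | 5 | 5 | N/A | N/A | N/A |
| Medium | 3415 as PAN+MNT | 1 | 5 | 10 | 3 | 40 | 80 |
| Medium | 3495 as PAN+MNT | 2 | 10 | 20 | 5 | 40 | 80 |
| Medium | 3515 as PAN+MNT | 1 | 5 | 10 | 3 | 40 | 80 |
| Medium | 3595 as PAN+MNT | 2 | 10 | 20 | 5 | 40 | 80 |
| Dedicated | 3495 as PAN and MNT | N/A | N/A | N/A | 5 | 40 | 80 |
| Dedicated | 3595 as PAN and MNT | N/A | N/A | N/A | 5 | 40 | 80 |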

* Max 1 TC-NAC node supported per deployment in ISE 2.1/2.2

 

TC-NAC Scaling per PSN

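| Scaling per PSN | Platform | Max TC-NAC Adapters | Max VAF TPM | Max IRF TPS |
|---|---|---|---|---|
| Dedicated TC-NAC nodes (Gated by Total Deployment Scale) | 3415 | 3 | 40 | 80 |
| Dedicated TC-NAC nodes (Gated by Total Deployment Scale) | 3495 | 5 | 40 | 80 |
| Dedicated TC-NAC nodes (Gated by Total Deployment Scale) | 3515 | 3 | 40 | 80 |
| Dedicated TC-NAC nodes (Gated by Total Deployment Scale) | 3595 | 5 | 40 | 80 |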

 

 

ISE Storage Requirements

 

VM Disk Size Minimum Requirement

 

| Persona | Disk Size (GB) |
|---|---|
| Standalone | 200+ GB |
| Administration Only | |
| Monitoring Only | |
| Policy Service Only | |
| Admin + MnT | |
| Admin + MnT + PSN | |

Note: Thin Provisioning is supported since 1.3, however Thick/Eager Provisioning will yield best performance

Note: 10k RPM+ HDD or equivalent speed required

Note: Recommended IO Read 300MB/s or higher, IO Write 50MB/s or higher

Note: 600GB max for non-MnT persona node, 2TB max for MnT persona node

 

 

MnT Persona Log Storage Requirements

 

ISE MnT Log sizing calculator for TACACS+ and RADIUS

 

RADIUS Log Retention (Days):

Days of log retention - assuming collection filter is enabled - for various MnT Disk Sizes.

ISE 2.0/2.1 (30% disk allocation):

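| Total Endpoints | 200 GB (days) | 400 GB (days) | 600 GB (days) | 1024 GB (days) | 2048 GB (days) |
|---|---|---|---|---|---|
| 10,000 | 126 | 252 | 378 | 645 | 1,289 |
| 20,000 | 63 | 126 | 189 | 323 | 645 |
| 30,000 | 42 | 84 | 126 | 215 | 430 |
| 40,000 | 32 | 63 | 95 | 162 | 323 |
| 50,000 | 26 | 51 | 76 | 129 | 258 |
| 100,000 | 13 | 26 | 38 | 65 | 129 |
| 150,000 | 9 | 17 | 26 | 43 | 86 |
| 200,000 | 7 | 13 | 19 | 33 | 65 |
| 250,000 | 6 | 11 | 16 | 26 | 52 |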

 

ISE 2.2 (60% disk allocation):

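| Total Endpoints | 200 GB (days) | 400 GB (days) | 600 GB (days) | 1024 GB (days) | 2048 GB (days) |
|---|---|---|---|---|---|
| 5,000 | 504 | 1007 | 1510 | 2577 | 5154 |
| 10,000 | 252 | 504 | 755 | 1289 | 2577 |
| 25,000 | 101 | 202 | 302 | 516 | 1031 |
| 50,000 | 51 | 101 | 151 | 258 | 516 |
| 100,000 | 26 | 51 | 76 | 129 | 258 |
| 150,000 | 17 | 34 | 51 | 86 | 172 |
| 200,000 | 13 | 26 | 38 | 65 | 129 |
| 250,000 | 11 | 21 | 31 | 52 | 104 |
| 500,000 | 6 | 11 | 16 | 26 | 52 |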

Note: The above values are based on controlled criteria including message size, re-authentication interval, etc., and results may vary depending on the environment.

 

TACACS+ Log Retention (Days)

Scripted device admin model:

Number of sessions per day: 4

Number of commands: 10

Message size per session (KB) = 5 KB + (number of commands per session × 3 KB)

Automated access (single script) log size = N network devices × 4 sessions × message size

E.g.: log size for 30k network devices = 4 GB/day

 

ISE 2.0/2.1 (20% Disk Allocation):

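| Number of Network Devices in the deployment \ MnT Disk Size (GB) | 200 | 400 | 600 | 1024 | 2048 |
|---|---|---|---|---|---|
| 500 | 480 | 959 | 1439 | 2455 | 4909 |
| 1000 | 240 | 480 | 720 | 1228 | 2455 |
| 5000 | 48 | 96 | 144 | 246 | 491 |
| 10000 | 24 | 48 | 72 | 123 | 246 |
| 20000 | 12 | 24 | 36 | 62 | 123 |
| 30000 | 8 | 16 | 24 | 41 | 82 |
| 50000 | 5 | 10 | 15 | 25 | 50 |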

 

ISE 2.2 (60% disk allocation):

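| # Network Devices | 200 GB (days) | 400 GB (days) | 600 GB (days) | 1024 GB (days) | 2048 GB (days) |
|---|---|---|---|---|---|
| 100 | 12,583 | 25,166 | 37,749 | 64,425 | 128,850 |
| 500 | 2,517 | 5,034 | 7,550 | 12,885 | 25,770 |
| 1,000 | 1,259 | 2,517 | 3,775 | 6,443 | 12,885 |
| 5,000 | 252 | 504 | 755 | 1,289 | 2,577 |
| 10,000 | 126 | 252 | 378 | 645 | 1,289 |
| 25,000 | 51 | 101 | 151 | 258 | 516 |
| 50,000 | 26 | 51 | 76 | 129 | 258 |
| 75,000 | 17 | 34 | 51 | 86 | 172 |
| 100,000 | 13 | 26 | 38 | 65 | 129 |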

Human admin device admin model:

Number of sessions: 50

Number of commands per session: 10

Message size per session (KB) = 5 KB + (number of commands per session × 3 KB)

Manual access log size = 50 sessions × N admins × message size

E.g.: log size for 50 admins = 85.4 MB/day

 

ISE 2.0/2.1 (20% Disk Allocation):

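| Number of Admins \ MnT Disk Size (GB) | 200 | 400 | 600 | 1024 | 2048 |
|---|---|---|---|---|---|
| 5 | 3835 | 7670 | 11505 | 19635 | 39269 |
| 10 | 1918 | 3835 | 5753 | 9818 | 19635 |
| 20 | 959 | 1918 | 2877 | 4909 | 9818 |
| 30 | 640 | 1279 | 1918 | 3273 | 6545 |
| 40 | 480 | 959 | 1439 | 2455 | 4909 |
| 50 | 384 | 767 | 1151 | 1964 | 3927 |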

 

 

ISE Latency & Bandwidth

 

ISE 2.0 Latency

For ISE 2.0 and earlier, the maximum latency between the Admin node and any other ISE node including secondary Admin, MnT, and PSN is 200ms.

 

ISE 2.1 Latency

For ISE 2.1 and later, the maximum latency between the Admin node and any other ISE node including secondary Admin, MnT, and PSN is 300ms.

 

WAN Bandwidth Calculator

This calculator can be used to find out how much bandwidth needs to be reserved for ISE operation across WAN links.

ISE Latency and Bandwidth Calculators

The ISE 1.2 version of the tool is still valid for the 2.1 release.

 

 

 

Sources