ISE Latency & Licensing - 2nd Try

nadeekha
Level 1

Hi Experts,

My client has the following questions in regards to Latency and Licensing for their ISE 1.4 deployment. They currently already have ISE deployed for North America but are now considering rolling it out to their sites in Europe and Asia.

I would appreciate your help on the below questions:

- I've noted from some presentations that 200ms RTT is the maximum latency tolerated between a PAN+MnT and a PSN, but can't find any official Cisco product documentation that specifies this or provides any latency requirements, only bandwidth (sometimes stating that 1Gbps is required and others that state only 256Kbps is required).  Can you direct me to the documentation that specifies latency requirements between ISE Node types as well as PSNs and NADs?

-What is the recommended deployment for global organizations where <200ms of latency is not achievable between the datacenter (PAN+MnT) and branch offices (PSN)?

-What is the failure scenario with regards to licensing, if a site deployed with a local PSN loses connectivity to the Data Centre where the PAN and MnT are hosted?  Will the PSN continue to authenticate clients and for how long?


Thanks in advance


Nadeem Khan


Accepted Solution

Craig Hyps
Level 10

Please refer to ISE Deployment Sizing and Scalability for more details on this topic.

Points of clarification:

  • Latency guidance is based on the connection between the Primary PAN and secondary nodes. 
    • Q: What is a secondary node?
    • A: Any ISE node that is not the Primary PAN.  And remember to consider that the Secondary PAN may be promoted in case of Primary failure, thus making it the new P-PAN.
  • 200ms is not a magical number, but the figure we have validated and QA tested for most operations to be a reasonable guard rail for design.  The actual latency requirement is impacted by a few factors, primarily profiling design.
  • Bandwidth guidance is provided in the calculator at the above link.  Disregard any information that states 1Gbps or any other fixed value for minimum bandwidth. It is likely an artifact from some document delivered back in ISE 1.0!
  • The 200ms guidance figure is called out in the Bandwidth/Latency page and the HLD document provided in the top link. 
  • As called out in the Bandwidth/Latency page, the BW calculator does not address bandwidth between NADs and PSNs.  This is highly variable based on # endpoints, reauth/session timers, protocols implemented and EAP options (such as cert key sizes, use of Session Resume, fast reconnect, device registration, etc.).  It is recommended that you perform analysis of existing WAN links for RADIUS and other traffic to/from PSNs and extrapolate average BW per endpoint, which should help set expectations for your specific environment. 
  • Latency between NADs and PSNs is not as critical.  Realize that RADIUS timeouts are typically on the order of seconds, not milliseconds. Latency still matters, but not nearly as much as it does between the P-PAN and secondary ISE nodes.
  • Please refer to the Cisco Live session (BRKSEC-3699) listed in the top link, which details the different deployment options when latency exceeds guidance. The session also covers failover scenarios, including expected behavior and which services are impacted when certain nodes fail. 
  • Licensing is not impacted by PSN or connectivity failures.  As covered in the Live session, AAA can continue to operate in the event of loss of connectivity from PSN to P-PAN, but some services like self-registered guest and BYOD will be impacted until the link to the P-PAN is re-established.  Of course, if the local network lacks connectivity to critical resources such as AD, LDAP, etc., then AAA services would be impacted anyway.

/Craig

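A WAN readiness calculator, added here as an example and not code from the original thread, from Cisco or from ISE itself: it applies the three planning points in the accepted answer (the P-PAN to secondary-node guard rail, judged from both PAN sites because the S-PAN may be promoted; the RADIUS timer budget between NAD and PSN; and per-endpoint bandwidth extrapolated from an existing site's WAN counters) to constructed figures for a hypothetical remote PSN site. The 200 ms figure is the one quoted in the reply; the NAD timer values, the number of RADIUS round trips per EAP authentication, the 1.5x headroom factor and every byte counter are assumptions for illustration, and the function and class names (pan_latency_verdict, nad_psn_verdict, WanSample, projected_site_kbps) are the example's own.

```python
"""
WAN readiness check for a proposed remote ISE PSN site.

Added example for this thread: not Cisco code and not an ISE API.  It turns
the rules of thumb from the reply into checks: the 200 ms P-PAN <-> secondary
node guard rail (checked from both PAN sites, since the S-PAN may be
promoted), the RADIUS timer budget between NAD and PSN, and a per-endpoint
bandwidth estimate extrapolated from an existing site's WAN counters.
All numbers in the sample data are constructed, not measurements.
"""
from dataclasses import dataclass
from typing import Dict, List

PAN_GUARD_RAIL_MS = 200.0   # guard rail figure quoted in the reply


@dataclass
class NadRadiusSettings:
    """NAD RADIUS timers (seconds / count), e.g. IOS radius-server timeout/retransmit."""
    timeout_s: float
    retransmit: int


@dataclass
class WanSample:
    """RADIUS bytes to/from a PSN on an existing WAN link over one interval (constructed)."""
    radius_bytes: int
    interval_s: int
    active_endpoints: int


def pan_latency_verdict(rtt_from_ppan_ms: float, rtt_from_span_ms: float,
                        guard_rail_ms: float = PAN_GUARD_RAIL_MS) -> str:
    """Judge a secondary node's RTT against the guard rail using the WORSE of the
    two PAN sites, because the S-PAN becomes the P-PAN after a failover."""
    design_rtt = max(rtt_from_ppan_ms, rtt_from_span_ms)
    if design_rtt <= guard_rail_ms:
        return "within guidance"
    return "exceeds guidance: separate deployment or WAN redesign needed"


def radius_dead_time_s(settings: NadRadiusSettings) -> float:
    """Worst case a NAD waits on an unreachable PSN before moving to the next
    server: the initial attempt plus every retransmit, each waiting a full timeout."""
    return settings.timeout_s * (settings.retransmit + 1)


def eap_auth_time_s(rtt_ms: float, radius_round_trips: int, psn_proc_ms: float = 0.0) -> float:
    """Wall time for one EAP authentication.  Every Access-Request /
    Access-Challenge exchange pays the NAD<->PSN RTT once; the per-exchange PSN
    processing time is an assumption the caller supplies (default 0)."""
    return radius_round_trips * (rtt_ms + psn_proc_ms) / 1000.0


def nad_psn_verdict(rtt_ms: float, settings: NadRadiusSettings,
                    radius_round_trips: int) -> Dict[str, object]:
    """NAD->PSN latency is judged against RADIUS timers (seconds), not 200 ms:
    one exchange must complete inside one timeout, and the whole EAP
    conversation (many exchanges for EAP-TLS) should stay well under it."""
    per_exchange_ok = rtt_ms / 1000.0 < settings.timeout_s
    return {
        "single_exchange_fits_timeout": per_exchange_ok,
        "eap_auth_time_s": eap_auth_time_s(rtt_ms, radius_round_trips),
        "dead_psn_failover_s": radius_dead_time_s(settings),
    }


def avg_bps_per_endpoint(samples: List[WanSample]) -> float:
    """Average RADIUS bits/s per active endpoint: total bits over total
    endpoint-seconds, so longer or busier intervals weigh more."""
    total_bits = sum(s.radius_bytes * 8 for s in samples)
    endpoint_seconds = sum(s.interval_s * s.active_endpoints for s in samples)
    return total_bits / endpoint_seconds


def projected_site_kbps(samples: List[WanSample], new_site_endpoints: int,
                        headroom: float = 1.5) -> float:
    """Extrapolate the per-endpoint figure to a new site.  The headroom factor
    (assumed 1.5x here) covers reauthentication bursts after a WAN outage."""
    return avg_bps_per_endpoint(samples) * new_site_endpoints * headroom / 1000.0


if __name__ == "__main__":
    # Constructed sample data for a hypothetical European site.
    print(pan_latency_verdict(rtt_from_ppan_ms=140, rtt_from_span_ms=230))
    nad = NadRadiusSettings(timeout_s=5, retransmit=3)   # constructed timer values
    print(nad_psn_verdict(rtt_ms=120, settings=nad, radius_round_trips=10))
    history = [WanSample(1_200_000, 600, 400), WanSample(2_400_000, 600, 800)]
    print(f"{avg_bps_per_endpoint(history):.1f} bps/endpoint, "
          f"{projected_site_kbps(history, 500):.1f} kbps projected for 500 endpoints")
```

The sample run shows the two different yardsticks in the reply: a NAD to PSN RTT of 120 ms costs about 1.2 s per ten-exchange EAP authentication, comfortably inside a 5 s RADIUS timeout, while the same site fails the design check because its RTT to the Secondary PAN (230 ms) breaks the guard rail even though the Primary PAN (140 ms) is fine. Swap the constructed WanSample counters for real interface or NetFlow byte counts from the existing North American PSN links to get a site-specific per-endpoint figure.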