Double-check ISE design (dual DC scenario / 22K sessions)

JDores
Cisco Employee

Hi experts,

I would like to double-check an ISE proposal I'm sending to a customer.

In my customer's scenario there are 2 DCs (located in the same medium-size country) which are connected via layer 3 and are redundant to each other. In each DC, we'll need to support the authentication of all endpoints in the network. The number of sessions is around 22K.

From the 2.4 guide and the BRKSEC-3699 session from Cisco Live I believe I'll need:

DC#1:

SNS3595 for PAN services (Max scale sessions: 500K)

SNS3595 for MNT services (Max scale sessions: 500K)

SNS3595 for PSN services (Max scale sessions: 40K)

DC#2:

SNS3595 for PAN services (Max scale sessions: 500K)

SNS3595 for MNT services (Max scale sessions: 500K)

SNS3595 for PSN services (Max scale sessions: 40K)

Licensing: ISE Base 25K licenses (we don’t need profiling or posturing services)

Is the above solution effective and efficient to address the scenario?

In terms of high-availability does the fact that the DCs are L3 connected pose any challenges?

Thanks in advance,

Jose

7 Replies

kvenkata1
Cisco Employee

Hi Jose,

Looks good. One additional reference that can answer your WAN latency/bandwidth question: ISE Performance & Scale

- Krish

Hi Krish,

Thank you for your quick reply and for the latency/bandwidth documentation. We won't have latency issues in this case, and I see that BW won't be very significant. I'm more worried from a networking perspective: can the fact that the DCs are L3 separate (ISE in the Primary and Secondary locations won't be in the same LAN) be an issue?

I also got advice from a colleague to consider 2 PSNs in the primary DC. In this case, if DC#1_PSN1 fails we still have DC#1_PSN2, and only in case of DC failover would we use DC#2_PSN (along with DC#2_PAN and DC#2_MNT). Do you see any issues with this?

It would be:

DC#1:

SNS3595 for PAN services (Max scale sessions: 500K)

SNS3595 for MNT services (Max scale sessions: 500K)

SNS3595 PSN#1 for PSN services (Max scale sessions: 40K)

SNS3595 PSN#2 for PSN services (Max scale sessions: 40K)

DC#2:

SNS3595 for PAN services (Max scale sessions: 500K)

SNS3595 for MNT services (Max scale sessions: 500K)

SNS3595 for PSN services (Max scale sessions: 40K) (just one PSN in DC#2)

Licensing: ISE Base 25K licenses (we don’t need profiling or posturing services)

Thanks again,

Jose
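As an added example that is not part of this thread, the script below models the two designs posted above (one PSN per DC versus two PSNs in DC#1) and checks what survives each single-node failure and each whole-DC loss. The figures are the ones quoted in the thread (about 22K sessions, 40K sessions per dedicated SNS-3595 PSN); the node names are hypothetical, and it only counts persona presence and aggregate PSN headroom, not ISE's actual failover mechanics.

```python
from itertools import combinations

# Constructed model of the deployments discussed in the thread (added example).
# Assumed figures are the ones quoted above: ~22K concurrent sessions and
# 40K sessions per dedicated SNS-3595 PSN. Node names are hypothetical.
SESSIONS = 22_000
PSN_MAX_SESSIONS = 40_000

# persona -> list of (data centre, node name); the revised design with two PSNs in DC1
REVISED_DESIGN = {
    "PAN": [("DC1", "DC1_PAN"), ("DC2", "DC2_PAN")],
    "MNT": [("DC1", "DC1_MNT"), ("DC2", "DC2_MNT")],
    "PSN": [("DC1", "DC1_PSN1"), ("DC1", "DC1_PSN2"), ("DC2", "DC2_PSN")],
}

# The first proposal, one PSN per DC, for comparison
ORIGINAL_DESIGN = {
    "PAN": [("DC1", "DC1_PAN"), ("DC2", "DC2_PAN")],
    "MNT": [("DC1", "DC1_MNT"), ("DC2", "DC2_MNT")],
    "PSN": [("DC1", "DC1_PSN"), ("DC2", "DC2_PSN")],
}


def all_nodes(design):
    return sorted(n for nodes in design.values() for _, n in nodes)


def dc_nodes(design, dc):
    """Every node hosted in one DC, i.e. the set lost when that DC goes down."""
    return {n for nodes in design.values() for d, n in nodes if d == dc}


def evaluate(design, failed, sessions=SESSIONS, psn_max=PSN_MAX_SESSIONS):
    """Check whether the deployment still has a PAN, an MnT and enough surviving
    PSN capacity for all sessions once the nodes in `failed` are gone.
    Only persona presence and aggregate PSN headroom are modelled; persona
    failover mechanics (PAN promotion etc.) are deliberately out of scope."""
    alive = {role: [n for _, n in nodes if n not in failed]
             for role, nodes in design.items()}
    psn_capacity = len(alive["PSN"]) * psn_max
    return {
        "pan_ok": bool(alive["PAN"]),
        "mnt_ok": bool(alive["MNT"]),
        "psn_capacity": psn_capacity,
        "ok": bool(alive["PAN"]) and bool(alive["MNT"]) and psn_capacity >= sessions,
    }


def local_psn_capacity(design, dc, failed, psn_max=PSN_MAX_SESSIONS):
    """Session capacity still available from PSNs inside `dc` after the nodes in
    `failed` are lost, i.e. what can be authenticated without falling back to
    the other site."""
    return sum(psn_max for d, n in design["PSN"] if d == dc and n not in failed)


def min_failures_to_outage(design, sessions=SESSIONS, psn_max=PSN_MAX_SESSIONS):
    """Smallest number of simultaneous node failures that leaves the deployment
    unable to serve all sessions (None if no combination does)."""
    nodes = all_nodes(design)
    for k in range(1, len(nodes) + 1):
        for combo in combinations(nodes, k):
            if not evaluate(design, set(combo), sessions, psn_max)["ok"]:
                return k
    return None


def failure_report(design, sessions=SESSIONS, psn_max=PSN_MAX_SESSIONS):
    """Map each single-node failure and each whole-DC loss to whether the
    deployment still serves every session."""
    report = {}
    for n in all_nodes(design):
        report[n] = evaluate(design, {n}, sessions, psn_max)["ok"]
    for dc in sorted({d for nodes in design.values() for d, _ in nodes}):
        report[f"loss of {dc}"] = evaluate(design, dc_nodes(design, dc),
                                           sessions, psn_max)["ok"]
    return report


if __name__ == "__main__":
    for name, design in (("original", ORIGINAL_DESIGN), ("revised", REVISED_DESIGN)):
        first_dc1_psn = design["PSN"][0][1]
        print(f"{name}: survives every single failure and either DC loss: "
              f"{all(failure_report(design).values())}; "
              f"min simultaneous failures to outage: {min_failures_to_outage(design)}; "
              f"DC1 capacity after losing {first_dc1_psn}: "
              f"{local_psn_capacity(design, 'DC1', {first_dc1_psn})}")
```

Under these assumptions both designs survive any single node failure and the loss of either DC, and both need two simultaneous failures (both PANs or both MnTs) before anything breaks. What the second DC#1 PSN changes is the local picture: after one DC#1 PSN fails, the original design has no capacity left in the primary DC and must authenticate from DC#2, while the revised design still has 40K sessions of capacity inside DC#1.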

There are no issues with being L3 separated, and what you're stating is fine. Not sure why 2 PSNs are needed at each site, however? It seems like overkill: if the PSN supports 40K endpoints and you only have 22K, then each site by itself would run fine for the whole network.

Please make sure an experienced partner is involved, as these are basic design questions.

I would also recommend that you look at Craig Hyps' scale information from Cisco Live, as it goes through design as well.

https://communities.cisco.com/docs/DOC-63882?mobileredirect=true#jive_content_id_2018_Cisco_Live_Barcelona

"Not sure why 2 PSNs are needed at each site, however? It seems like overkill: if the PSN supports 40K endpoints and you only have 22K, then each site by itself would run fine for the whole network."

Just one PSN in DC#2. DC#2 will only be used in a disaster recovery scenario. So if DC1_PSN1 were to fail, there would be no available PSN in DC#1. Does that make sense?

Yes

Hi Jason,

Sorry to keep pestering you, but what is the impact if the PAN or MNT fails in DC#1?

Thanks again,

Jose

Please watch the Cisco Live BRKSEC-3699 session, as stated; it goes through this. Also look at the reference slide deck.

Please make sure an experienced ISE engineer is involved with the account.