ISE resource usage

nloverin
Cisco Employee

I have a customer who is asking about the "resources" that ISE uses in a server (memory, drive, CPU) and why a 'larger' server is needed for ISE 2.4.  Can anyone detail the 'behind the scenes' resource allocation that ISE needs/uses to justify the need to upgrade from an SNS3495 to an SNS3595?  We will also explore virtualizing their 50+ physical server deployment, but the dedicated resource shock may hit there too.

"ISE is just a database lookup.  I should be able to run this on my laptop." - customer quote.  I realize that ISE requires a healthy server or quite noticeable virtual resources.  He wants to know what in ISE is chewing up all those resources.

On that same thread, is there any way to 'disable' unneeded/unused features/resources in ISE to decrease the necessary server footprint?  IOW, if I can disable things like BYOD, CA services, Guest, then I can still run ISE 2.4 on a 3495.

Thanks.

Neil

Accepted Solution

Jason Kunst
Cisco Employee

The requirement for hardware change is because we only keep an existing model for a period of time and then we move on with newer hardware, discontinuing the older hardware. That said, ISE still runs on the 3415 platform. Also, we don’t support older hardware. 34xx support stopped at 2.3.

https://www.cisco.com/c/en/us/products/collateral/security/identity-services-engine/eos-eol-notice-c51-737032.html

Also, ISE is not a simple database. All sessions are stored in memory. Unlike ACS or other simple AAA servers, there is much more going on in the background.

All numbers are based on the same services running. Turning off services will not buy you anything. We test ISE with full resource utilization and don’t have different numbers based on only guest or base services.

HTH


6 Replies


Jason,

I guess the question then becomes ... if I still have a small ISE deployment with few ISE features, then why do the necessary ISE resources continue to go up?  I understand that if I want to run more features or have a larger network, but if those are static variables, then the ISE resources to support them, even with newer versions, should be somewhat constant (just using customer logic).

Good point about the older SNS3400 servers.  But will ISE install/run on them?  Or does ISE 2.4 prevent the install on that box (even if the physical resources are more than enough for the requested ISE features)?

And still an open question ... what are the ISE processes that eat all the server resources?  Are there any white papers that describe what an ISE server is doing?

Neil

I guess the question then becomes ... if I still have a small ISE deployment with few ISE features, then why do the necessary ISE resources continue to go up?  I understand that if I want to run more features or have a larger network, but if those are static variables, then the ISE resources to support them, even with newer versions, should be somewhat constant (just using customer logic).

JAK - because we get new equipment that replaces the old, and we don't continue to support the old. These new appliances come with more memory and bigger CPUs. At some point we cut off old hardware from being supported. That's why the move to 35xx.

Good point about the older SNS3400 servers.  But will ISE install/run on them?  Or does ISE 2.4 prevent the install on that box (even if the physical resources are more than enough for the requested ISE features)?

JAK - ISE 2.4 is supported with 35xx appliances; it won't install on the 34xx: https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/release_notes/b_ise_24_rn.html#id_64711

And still an open question ... what are the ISE processes that eat all the server resources?  Are there any white papers that describe what an ISE server is doing?

JAK - this may help? If you're still having trouble finding it, let us know.

https://www.cisco.com/c/en/us/td/docs/security/ise/2-3/install_guide/b_ise_InstallationGuide23/b_ise_InstallationGuide23…

Or look at the Cisco Live BRKSEC-3699 reference slides.

ISE Training

Neil makes a very good point, and ISE is not an isolated product that is going on this upward trend in resource utilisation. I can't think of a single vendor product whose memory/disk footprint is reducing. Have you looked at Cisco Prime Infrastructure lately? That makes ISE look like a walk in the park.

My opinion is that, at a superficial level, a RADIUS server can start off being quite a simple thing, and if a customer's requirements are simple (e.g. 500 devices, 802.1X EAP-PEAP, and throw in some basic PAP auth, mixed with local accounts and AD integration) then one could satisfy that with a server that needs around 4GB of RAM or less.  At that point you might as well build a FreeRADIUS deployment and you'll be just fine.  Likewise, an old ACS 5.4 server sitting in the corner doing an excellent job doesn't need more than 4GB and a mediocre CPU. We still hit 100,000 authentications a day on that single box and it's a happy little camper. It gets the job done without much fuss or fanfare.

ISE comes along with the whole kitchen sink, whether you need it or not. And all the Oracle, Java, Elasticsearch baggage adds up over time.  There should be an ISE lite that strips all that pxGrid/BYOD/Profiling/Clustering/Posturing stuff out and just provides the bare bones.  But this would probably require a complete product re-write, because I doubt it's modular enough to allow this.  It's probably not viable because ISE scales really well, and it requires a lot of infrastructure to make that scaling happen.  Still, it would be nice to have a lite version that isn't able to scale (for the SMB market).

Jason,

Great stuff.  Thanks for the BRKSEC reference.  While that doesn't answer the "how does ISE eat the resources" question, it does show the concept of ISE and why ISE would 'need' those same resources.

I agree with @Arne that while it may be nice if ISE could come in a "lite" version, it is unlikely to happen anytime soon (although there are many industries that would benefit from every vendor creating such images).

Thanks again!

Neil

Timothy Abbott
Cisco Employee

Hi Neil,

ISE has a bit more going on than just a database lookup. There are many services that run in addition to the DB, and those services require compute resources. At the same time, we are constantly working to increase the performance and scalability of ISE deployments, so ISE will require more CPU, memory, and disk space over time. Also, we have to be able to support standalone deployments that may require all of those features to run reliably at the same time.

The customer has the ability to turn off profiling, TC-NAC, SXP, Device Admin, passive ID or pxGrid. Other than that, there is no way to turn off / disable individual processes.

Regards,

-Tim