Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
919
Views
3
Helpful
3
Replies

ISE PSN sizing

Go to solution
jinapark
Cisco Employee
Cisco Employee

‎05-18-2016 09:08 PM

Dear folks,

When we have 1 x PAN and 1 x MuT with 3415/3515 appliance,

How many PSNs we can deploy?

I've looked through many documents, but I only can see the sizing with SNS3495/3595.

Jina

1 Accepted Solution

Accepted Solutions

Go to solution
Charlie Moreton
Cisco Employee
Cisco Employee

‎05-19-2016 05:58 AM

Depends on the Deployment model, which is unclear.

If all personas are on one server, and you are running HA, then only the two PSNs can be deployed.

If Admin and MnT personas are on a single server and the PSNs are on separate servers, then you can deploy 5 PSNs

HOWEVER, with the two deployment models above you would be limited to 5000 concurrent endpoints.

If you are deploying each persona on a separate server, then you need to use the 3495/3595 hardware as a baseline for your Admin and MnT Nodes and re-purpose your 3415/3515 appliances as PSNs.

ANY deployment that will serve over 5000 concurrent endpoints should utilize the 3495/3595 ad the Admin and MnT nodes.

Effectively, you SHOULD be able to deploy 40 PSNs with the 3415/3515 as Admin and MnT, but they cannot handle the same numbers of AuthC/AuthZ as the 3495/3595 and is NOT a deployment that would be recommended or supported.  This is the reason you cannot find the numbers for this.  It is a scenario that has not been tested.  With the first issue that arises, any call to TAC would result in requiring the upgrade of the Admin and MnT hardware.

Here are some simple deployment guidelines:

deployment.PNG

Charles Moreton

View solution in original post

0 Helpful
3 Replies 3

Go to solution
Charlie Moreton
Cisco Employee
Cisco Employee

‎05-19-2016 05:58 AM

Depends on the Deployment model, which is unclear.

If all personas are on one server, and you are running HA, then only the two PSNs can be deployed.

If Admin and MnT personas are on a single server and the PSNs are on separate servers, then you can deploy 5 PSNs

HOWEVER, with the two deployment models above you would be limited to 5000 concurrent endpoints.

If you are deploying each persona on a separate server, then you need to use the 3495/3595 hardware as a baseline for your Admin and MnT Nodes and re-purpose your 3415/3515 appliances as PSNs.

ANY deployment that will serve over 5000 concurrent endpoints should utilize the 3495/3595 ad the Admin and MnT nodes.

Effectively, you SHOULD be able to deploy 40 PSNs with the 3415/3515 as Admin and MnT, but they cannot handle the same numbers of AuthC/AuthZ as the 3495/3595 and is NOT a deployment that would be recommended or supported.  This is the reason you cannot find the numbers for this.  It is a scenario that has not been tested.  With the first issue that arises, any call to TAC would result in requiring the upgrade of the Admin and MnT hardware.

Here are some simple deployment guidelines:

deployment.PNG

Charles Moreton

0 Helpful

Go to solution
Jason Kunst
Cisco Employee
Cisco Employee
In response to Charlie Moreton

‎05-19-2016 06:02 AM

It's all defined here and mentions those appliances

http://www.cisco.com/c/en/us/td/docs/security/ise/2-0/installation_guide/b_ise_InstallationGuide20/Network_Deployments_in_Cisco_ISE.html

Go to solution
jinapark
Cisco Employee
Cisco Employee
In response to Charlie Moreton

‎05-19-2016 06:34 AM

Hi Charles, thank you so much for this explanation!

0 Helpful
Customers Also Viewed These Support Documents