03-19-2018 10:38 AM
Hi,
"ISE Performance & Scale" and the new "ISE-best practices" documents both require, when using a 2 PAN/MnT node setup, a maximum of 5 PSNs and 20K active sessions (on 3595 as PAN+MnT).
For a worldwide support design with 3 zones (each 2 PSNs, so total = 6), that requires using a fully distributed model with separate PAN / MnT nodes, even if the maximum number of sessions remains quite low (around 5K).
Can we reasonably deploy a cluster with 6 PSNs if the number of active sessions is far below what a 3595 can handle as a PAN+MnT server?
The customer is asking why we need so many management appliances to handle a mere 5k sessions.
Thanks in advance,
jean-francois
03-19-2018 01:31 PM
jean-francois
I too had to justify the need. Your 3 locations need 2 PANs / MnT just to have basic redundancy, and dual MnT will allow you to load balance the AAA functions across the 2 nodes. As for your other sites, if they are across weaker WAN circuits, then you would need / want to have nodes to perform the same functions at that location and so on. Best practice is to separate the functions of ISE, but of course you CAN have a deployment where you have all the roles enabled on each server, but the performance will definitely take a hit. Just don't call TAC to complain about latency and resource usage if you don't follow the recommended deployment model.
Realistically, I have 2 VMs: one is the primary PAN and secondary Monitoring and secondary PxGrid, the other is secondary PAN and primary Monitoring and primary PxGrid. What I can't do is have true PAN failover, which takes 2 primary nodes and 1 secondary. Would I like to have done it differently? Yes, but sometimes budgeted projects get trimmed down.
HTH-
Vince
03-19-2018 10:44 AM
This has been answered several times before on the reasons why.
Please see:
https://www.google.com/search?q=ise5psn&oq=ise5psn&aqs=chrome..69i57j69i64.3094j0j7&sourceid=chrome&ie=UTF-8