loadbalancing the traffic among 3 PSN behind netscaler VIP

sameer.dy09 (Level 1)

Hi All,

I have an ISE distributed deployment (VM) with 19000+ endpoints and 11k client connections. I have three PSNs behind a VIP from Citrix. Below are the setup details:

1) According to me, it is best to have 32 GB of RAM and 8 cores of CPU for an efficient setup as per the documentation.

2) Currently, we have 20 GB on the PSNs and 16 GB on the monitoring node; disk space is fine.

3) We notice that traffic on most PSNs ranges between 80-90% and sometimes on a PSN it goes to nearly 95%.

4) Kindly provide some inputs on whether 20 GB is fine, as the documentation says 32 GB is recommended for a large setup.

5) Under deployment, we have ISE profiling enabled; though there is no license, it would definitely cause issues.

6) In the VM, I/O speed is below 200 MB/s and hardware reservations are not set; will it help?

7) Based on 11000 client connections and 19000 endpoints, what is the recommendation?

ISE version 1.3(0.876), patch: none

We need to add admin node 2 and upgrade to ISE 1.4 with the latest patch, but before that we need to stabilize the environment.

Any help would be appreciated.

7 Replies

sameer.dy09 (Level 1)

Also, can we load balance the traffic on all three PSNs equally? Any documentation for that?

Marvin Rhoads (Hall of Fame)

If you want to stabilize the environment, get all of the PSNs up to minimum recommended specification or greater. 20 GB is not fine when all of the documentation indicates 32 GB is required.

The Plus (or Advanced in older ISE versions) license for profile services is only required when you have a policy that uses profiles. If you don't have any such policy (and thus really don't require profile service) then I would recommend disabling the service.

11,000 simultaneous endpoints would require a distributed persona deployment. Depending on the specifications of your PSNs, you would require somewhere between 1 and 4 PSNs. I say that because the SNS-3495 can service up to 20k simultaneous endpoints while the smallest ISE-3315 can only service 3,000.

I recommend you consult Craig Hyps' Cisco Live presentation BRKSEC-3699. Specifically page 39 in the reference slides.

I would also recommend migrating up to 2.1 once you have things stabilized.

And regarding your second posting - of course you can load balance. Indeed you must in a large deployment. Cisco has published a set of detailed guides which can be found here:

https://communities.cisco.com/docs/DOC-64434

We set up server pools with the PSNs, use RADIUS health checks and a least connection load balancing algorithm with session stickiness.
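An illustrative NetScaler CLI configuration of the pattern described in this reply (a server pool of PSNs, a RADIUS health monitor, least-connection distribution and per-endpoint persistence), added here as an example; it is not taken from the Cisco guides linked above, which remain the authoritative reference. The PSN addresses, VIP, object names, probe account and shared secret are placeholders.

```text
# Constructed example: PSNs at 10.0.0.11-13, VIP 10.0.0.100 (placeholders).
# Health monitor: sends a real RADIUS Access-Request to the auth port, so a PSN
# whose RADIUS service has stopped answering (not just the host) leaves the pool.
# -respCode 2 = Access-Accept expected for the probe account (3 = Access-Reject
# also proves the service answers, if the probe account is meant to be rejected).
add lb monitor mon_ise_radius RADIUS -userName lbprobe -password <probe_password> -radKey <radius_shared_secret> -respCode 2 -destPort 1812 -interval 10 -resptimeout 5 -downTime 30

# Authentication pool (UDP/1812). -usip YES preserves the NAS source IP so ISE
# sees and logs the real network device rather than the load balancer.
add serviceGroup sg_ise_psn_auth RADIUS -usip YES
bind serviceGroup sg_ise_psn_auth 10.0.0.11 1812
bind serviceGroup sg_ise_psn_auth 10.0.0.12 1812
bind serviceGroup sg_ise_psn_auth 10.0.0.13 1812
bind serviceGroup sg_ise_psn_auth -monitorName mon_ise_radius

# Accounting pool (UDP/1813), same members and the same monitor (it probes 1812).
add serviceGroup sg_ise_psn_acct RADIUS -usip YES
bind serviceGroup sg_ise_psn_acct 10.0.0.11 1813
bind serviceGroup sg_ise_psn_acct 10.0.0.12 1813
bind serviceGroup sg_ise_psn_acct 10.0.0.13 1813
bind serviceGroup sg_ise_psn_acct -monitorName mon_ise_radius

# Virtual servers: LEASTCONNECTION spreads sessions evenly over the three PSNs;
# RULE persistence on Calling-Station-Id (RADIUS attribute 31) keeps every
# packet for one endpoint on the same PSN, so authentication and accounting
# for that endpoint reach the node that holds its session. -timeout is the
# persistence timeout in minutes (assumed value; tune to session length).
add lb vserver vs_ise_radius_auth RADIUS 10.0.0.100 1812 -lbMethod LEASTCONNECTION -persistenceType RULE -rule "CLIENT.UDP.RADIUS.ATTR_TYPE(31)" -timeout 60
bind lb vserver vs_ise_radius_auth sg_ise_psn_auth
add lb vserver vs_ise_radius_acct RADIUS 10.0.0.100 1813 -lbMethod LEASTCONNECTION -persistenceType RULE -rule "CLIENT.UDP.RADIUS.ATTR_TYPE(31)" -timeout 60
bind lb vserver vs_ise_radius_acct sg_ise_psn_acct
```

The network devices then point at the VIP only, and the PSNs must accept the load balancer's probe source as a network device with the same shared secret, otherwise the monitor marks every member down.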

Hi Marvin,

Thanks, I reviewed the guidelines. Can you please correct me, since we have a maximum of 11000 connections:

with 3 PSNs, is it possible, since each PSN can handle 5000? And it comes under small deployment as per the slides, so 16 GB of RAM would be good? And with load balancing, can we achieve dedicated 4000 users on one node with accuracy?

If we go by the Cisco guidelines, for 20000 endpoints it recommends a large deployment with 32 GB of RAM.

Regards,

Sameer

You did not indicate whether your deployment has dedicated Admin and MnT nodes. If it does not, the maximum active sessions for the entire deployment - no matter how many or what type of PSNs you have - is 10,000. (20,000 if you have 3595 spec PSNs with 64 GB of RAM - Craig hasn't updated slide 39 for that but it is shown on slide 38.)

With dedicated Admin and MnT, we then look to how many PSNs there are and usually plan for at least an N+1 model so that we can accommodate the maximum number of simultaneous endpoints given the failure of any one PSN.

The small PSNs (SNS-3415 or SNS-3515 specification) can indeed run with 16 GB of RAM. BUT they can serve fewer simultaneous endpoints.

With 3415 spec VMs, you would need at least 3 online at all times (5000 + 5000 + 5000 = 15,000 capacity). If you plan for N+1 redundancy, it would need to be 4 PSNs.

With 32 GB 3495 spec VMs, you could manage with a single PSN (2 for redundancy) and wouldn't even need to use a load balancer as a single 3495 in a fully distributed deployment can serve 20,000 simultaneous endpoints.

The same applies for 64 GB 3595 spec VMs - only one is needed. They can serve 40,000 simultaneous endpoints.

Note that the 3300 series specifications are no longer supported as of ISE 2.0 and later.

Thanks Marvin,

I have one admin node, 3 PSNs and one dedicated monitoring node in the active setup. As of now we are planning to add another admin node as secondary; two PSNs and another monitoring node are already there in the DR site.

I just want to clarify: with a dedicated admin node/MnT node, 3 PSNs, 19000+ endpoints and 11000 active connections, according to me a large deployment with 32 GB of RAM is recommended.

However, I have read somewhere that we can still run with low RAM if we load-balance the NetScaler properly, so I am just confused, as I need justification for the user to upgrade the RAM.

Regards,

Sameer

Hi,

Can someone please confirm? Secondly, what is the impact of enabling hardware reservations on the VM?

Regards,

Sameer

Confirmed - SNS-3415 specification with 16 GB of RAM can service 5,000 simultaneous endpoints. If you had three you could support the environment with NO PSN redundancy. This would not be recommended nor a best practice.

The presentation I mentioned earlier speaks about hardware reservations and recommends them. Craig is one of the most experienced and knowledgeable ISE engineers there is. I would bank on his advice.

Skimping on the resources is just opening up your deployment for all sorts of problems when you have things running in production. I hold my ground when customers ask about getting by with less. If they insist over my and Cisco's recommendations I put it in writing and tell them that they are proceeding at their own risk.

It is foolish (in my estimation) to save a few thousand dollars on RAM when the vendor tells you it is not recommended based on experience gained over thousands of deployments.