2451 Views | 17 Helpful | 7 Replies

Cisco ISE Hybrid Distributed Node Deployment

edwardonelife (Level 1)

Is it possible or recommended to have the deployment shown below;

Node 1 - Running Admin+MnT (Primary)+PSN - SNS3595

Node 2 - Running Admin+MnT (Secondary)+PSN - SNS3595

Node 3 - PSN - SNS3515

Node 4 - PSN - SNS3515

How many endpoints would such a deployment handle?

How many PSN nodes would it support max?


7 Replies

Kanwaljeet Singh (Cisco Employee)

Hi Edward,

You would be interested in this document below:

https://communities.cisco.com/docs/DOC-68347

Hope this helps!

Regards,

Kanwal

Note: Please mark answers if they are helpful.

Marvin Rhoads (Hall of Fame)

20,000 concurrent endpoints max - that is noted on Craig's document which Fnu shared. To get to that you would need at least three SNS-3515 level appliances with ISE 2.1 (or 4 with ISE 2.0.1).

However a single PSN on SNS-3595 could handle it.

You could put a maximum of 5 PSNs in a deployment with combined PAN + MnT nodes. However, without a load balancing scheme in place, their use will be constrained based on capabilities of your NADs to load balance RADIUS natively.

Hi Marvin,

Based on the below setup, what do you think will be the maximums?

Is it a supported deployment?

Node 1 - Running Admin + MnT (Primary) + PSN - SNS3595

Node 2 - Running Admin + MnT (Secondary) + PSN - SNS3595

Node 3 - PSN - SNS3515

Node 4 - PSN - SNS3515

It would be supported.

The maximum concurrent sessions would be 20,000 with just the first two nodes you listed. Adding Node 3 and Node 4 in that scenario would not do a lot for you unless you have some intelligent load balancing to allocate RADIUS sessions among the PSNs.

Remember a given NAD is limited in its ability to use multiple RADIUS servers. A Cisco WLC, for example, will only ever use the first defined RADIUS server for a given SSID as long as it is reachable. A Cisco switch with a 15.x IOS will do crude round robin load balancing of RADIUS server. 12.x IOS will not.
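The NAD-side constraint Marvin describes (a switch only spreads sessions across PSNs if it is told to) is usually addressed with the IOS RADIUS server load-balancing feature. The configuration below is an added example for a Cisco IOS 15.x switch pointing at Node 3 and Node 4 as a server group; it is not from this thread or from Cisco's ISE documentation, and the server names, the 192.0.2.x addresses and the shared-secret placeholder are constructed values to be replaced with your own.

```text
! Each PSN as a named RADIUS server (addresses are constructed placeholders)
radius server ISE-PSN-3
 address ipv4 192.0.2.13 auth-port 1812 acct-port 1813
 key <shared-secret>
radius server ISE-PSN-4
 address ipv4 192.0.2.14 auth-port 1812 acct-port 1813
 key <shared-secret>
!
! Declare a PSN dead after 3 unanswered requests within 5 s and skip it for 15 min,
! so a failed PSN does not keep absorbing new sessions
radius-server dead-criteria time 5 tries 3
radius-server deadtime 15
!
! Group the PSNs; new sessions go to the member with the fewest outstanding requests,
! in batches of 5, without pinning to the first listed (preferred) server
aaa group server radius ISE-PSNS
 server name ISE-PSN-3
 server name ISE-PSN-4
 load-balance method least-outstanding batch-size 5 ignore-preferred-server
!
! Point 802.1X authentication, authorization and accounting at the group
aaa authentication dot1x default group ISE-PSNS
aaa authorization network default group ISE-PSNS
aaa accounting dot1x default start-stop group ISE-PSNS
```

After a few authentications, "show aaa servers" reports per-server request counts and dead/alive state, which is the quickest way to confirm the switch is really spreading sessions rather than sending everything to one PSN.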

Sorry if I warm up this thread again.
I've come across this question so often. Recently, even from the Cisco side, this was shown in an upgrade demo. A Cisco employee said that this is a valid small hybrid deployment. However, the ISE Installation Guide specifically states "Hybrid-Distributed deployment (Admin and MnT on same appliance; Policy Service on dedicated appliance)" and "In a medium-sized network deployment, you can not enable the policy persona on a node that runs the Administration persona, Monitoring persona, or Both. You need dedicated policy service node(s)". So there is probably still a need for explanation here.

https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/install_guide/b_ise_InstallationGuide24/b_ise_InstallationGuide24_chapter_00.html#reference_A4A76D628B6847EDB1715F2C11C3B753


@edwardonelife wrote:

Hi Marvin,

Based on the below setup, what do you think will be the maximums?

Is it a supported deployment?

Node 1 - Running Admin + MnT (Primary) + PSN - SNS3595

Node 2 - Running Admin + MnT (Secondary) + PSN - SNS3595

Node 3 - PSN - SNS3515

Node 4 - PSN - SNS3515

This is not supported. Once you install a PSN outside of the node running Admin and/or MnT, then it's a distributed hybrid model and policy services need to be disabled on any node running Admin and/or MnT.

https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/install_guide/b_ise_InstallationGuide24/b_ise_InstallationGuide24_chapter_00.html#reference_A4A76D628B6847EDB1715F2C11C3B753

Hi Jason,

Thank you for your clarification.