Cisco ISE Profiling Service
The profiling service in Cisco Identity Services Engine (ISE) identifies the devices that connect to your network and their location. The endpoints are profiled based on the endpoint profiling policies configured in Cisco ISE. Cisco ISE then grants permission to the endpoints to access the resources in your network based on the result of the policy evaluation.
The profiling service:
Facilitates an efficient and effective deployment and ongoing management of authentication by using IEEE standard 802.1X port-based authentication access control, MAC Authentication Bypass (MAB) authentication, and Network Admission Control (NAC) for any enterprise network of varying scale and complexity.
Identifies, locates, and determines the capabilities of all of the attached network endpoints regardless of endpoint types.
Protects against inadvertently denying access to some endpoints.
Endpoint Inventory Using Profiling Service
You can use the profiling service to discover, locate, and determine the capabilities of all the endpoints connected to your network. You can ensure and maintain appropriate access of endpoints to the enterprise network, regardless of their device types.
The profiling service collects attributes of endpoints from the network devices and the network, classifies endpoints into a specific group according to their profiles, and stores endpoints with their matched profiles in the Cisco ISE database. All the attributes that are handled by the profiling service need to be defined in the profiler dictionaries.
The profiling service identifies each endpoint on your network, and groups those endpoints according to their profiles to an existing endpoint identity group in the system, or to a new group that you can create in the system. By grouping endpoints, and applying endpoint profiling policies to the endpoint identity group, you can determine the mapping of endpoints to the corresponding endpoint profiling policies.
Cisco ISE Profiler Queue Limit Configuration
Cisco ISE profiler collects a significant amount of endpoint data from the network in a short period of time. It causes Java Virtual Machine (JVM) memory utilization to go up due to accumulated backlog when some of the slower Cisco ISE components process the data generated by the profiler, which results in performance degradation and stability issues.
To ensure that the profiler does not increase the JVM memory utilization and prevent JVM to go out of memory and restart, limits are applied to the following internal components of the profiler:
Endpoint Cache—Internal cache is limited in size that has to be purged periodically (based on least recently used strategy) when the size exceeds the limit.
Forwarder—The main ingress queue of endpoint information collected by the profiler.
Event Handler—An internal queue that disconnects a fast component, which feeds data to a slower processing component (typically related to a database query).
maxEndPointsInLocalDb = 100000 (endpoint objects in cache)
endPointsPurgeIntervalSec = 300 (endpoint cache purge thread interval in seconds)
numberOfProfilingThreads = 8 (number of threads)
The limit is applicable to all profiler internal event handlers. A monitoring alarm is triggered when queue size limit is reached.
Cisco ISE Profiler Queue Size Limits
forwarderQueueSize = 5000 (endpoint collection events)
eventHandlerQueueSize = 10000 (events)
NetworkDeviceEventHandler—For network device events, in addition to filtering duplicate Network Access Device (NAD) IP addresses, which are already cached.
ARPCacheEventHandler—For ARP Cache events.