Overview

This document lists the performance and scalability metrics for Cisco Identity Services Engine (Cisco ISE).

Cisco ISE Node Terminology

A Cisco ISE node can provide various services based on the persona that it assumes. The menu options that are available through the Admin portal are dependent on the role and personas that a Cisco ISE node assumes.

Table 1. Different Types of Cisco ISE Nodes

Node Type

Description

Policy Administration node (PAN)

A Cisco ISE node with the Administration persona allows you to perform all administrative operations and configurations on Cisco ISE. It serves as a single pane of glass for viewing all administrative operations, configurations, and contextual data. It synchronizes the configuration to the rest of the nodes in the deployment.

Policy Service node (PSN)

A Cisco ISE node with the Policy Service persona provides network access, posture, guest access, client provisioning, and profiling services. This persona evaluates the policies and makes all the decisions.

Monitoring node (MnT)

A Cisco ISE node with the Monitoring persona functions as the log collector and stores log messages from all the Administration and Policy Service nodes in a network. This persona provides advanced monitoring and troubleshooting tools that you can use to effectively manage the network and resources. A node with this persona aggregates and correlates the data that it collects, and provides you with meaningful reports.

pxGrid node

You can use Cisco pxGrid to share context-sensitive information from Cisco ISE session directory with other network systems such as Cisco ISE ecosystem partner systems and other Cisco platforms. The pxGrid framework can also be used to exchange policy and configuration data between nodes (like sharing tags and policy objects between Cisco ISE and third party vendors) and for other information exchanges.

Different Types of Cisco ISE Deployment

Evaluation

  • All ISE personas (PAN + MnT + PSN + pxGrid) on the same appliance or VM instance.

  • Not recommended for production.

Small Deployment

  • All ISE personas (PAN + MnT + PSN + pxGrid) on the same appliance or VM instances.

  • Two-node deployment. One node as primary and the other node as secondary for redundancy.

  • An additional node can optionally be added to a small deployment as a PSN, pxGrid, or Health Check node. The additional node can be a combination of any of the following personas:

    Dedicated PSN

    pxGrid node

    Health Check node

    Note: It is recommended that the additional node is used only for load sharing. Adding an additional node with a PSN, pxGrid, or Health Check persona does not change the existing scale limits of a small deployment.

Medium Deployment

  • PAN + MnT + pxGrid running on the same node.

  • One node as primary and the other node as secondary for redundancy.

  • PSNs on dedicated nodes. Nodes may be VMs or appliances.

  • Supports up to 6 PSNs (for Cisco ISE 3.0 and above). You can enable the pxGrid persona on any of the PSNs or add dedicated pxGrid nodes to the deployment.

Large Deployment

  • All ISE personas are fully distributed, running on separate VM or appliance nodes.

  • Supports up to 4 pxGrid nodes.

  • Supports up to 50 nodes (PSN + pxGrid).

Maximum Concurrent Active Endpoints for Different Deployments

Cisco Identity Services Engine (ISE) can be installed on Cisco SNS hardware or virtual appliances. To achieve performance and scalability comparable to the Cisco ISE hardware appliance, the virtual machine should be allocated system resources equivalent to the Cisco SNS 3500 or 3600 series appliances.

The authentication values given below are approximate (accurate to within about 5 percent). You can determine the number of PSNs that are needed for your deployment based on the following:

  • Maximum concurrent active endpoints

  • RADIUS authentication rate

  • TACACS+ authentication rate

Table 2. Maximum Concurrent Active Endpoints Based on PSN Type

PSN Type        Cisco SNS 3515   Cisco SNS 3595   Cisco SNS 3615   Cisco SNS 3655   Cisco SNS 3695
Dedicated PSN   7500             40,000           10,000           50,000           100,000
Shared PSN      5000             20,000           10,000           25,000           50,000

Table 3. Maximum Concurrent Active Endpoints for Different Deployments
(each column is the appliance on which the PAN and MnT run; - means no value is listed)

Deployment Type     Cisco SNS 3515   Cisco SNS 3595   Cisco SNS 3615   Cisco SNS 3655   Cisco SNS 3695
Large deployment    -                500,000          -                500,000          2,000,000
Medium deployment   7500             20,000           10,000           25,000           50,000
Small deployment    7500             20,000           10,000           25,000           50,000

For information about different types of deployments, see Different Types of Cisco ISE Deployment.


Note

  • Even though the number of concurrent active endpoints is the same for Medium and Small deployments, a Medium deployment provides higher performance because of its dedicated PSNs.

  • The values are applicable for all types of active sessions.

  • When the number of concurrent active endpoints goes beyond these numbers for any deployment, the sessions might be dropped.


Cisco ISE Deployment Scale Limits

The maximum limit for each attribute is listed after the colon.

Maximum pxGrid nodes in Large or Dedicated deployment: 4
Maximum pxGrid subscribers per pxGrid node: 200
Dedicated PSN nodes with SXP service enabled: 4
Maximum ISE SXP peers per PSN node with SXP service enabled: 200
Maximum network device entries (IP addresses and/or IP address ranges): 100,000
Maximum network device groups (NDG): 10,000
Maximum Active Directory forests (Join Points): 50
Maximum Active Directory controllers (WMI query): 100
Maximum internal users: 300,000
Maximum internal guests: 1,000,000
  Note: Having more than 500,000 guest users might create latency in user authentication.
Maximum user certificates: 1,000,000
Maximum server certificates: 1,000
Maximum trusted certificates: 1,000
Maximum user portals (Guest, BYOD, MDM, Certificate Provisioning, Posture, Client Provisioning): 600
Maximum concurrent active endpoints: 2,000,000
Maximum policy sets: 200
Maximum authentication rules: 1000 (Policy Set mode)
Maximum authorization rules: 3,000 in Policy Set mode (3,200 authorization profiles). It is not recommended to have more than 600 authorization rules in a single policy set.
  Note: Increasing the number of conditions per authorization rule might impact performance.
Maximum user identity groups: 1,000
Maximum endpoint identity groups: 1,000
TrustSec Security Group Tags (SGTs): 10,000
TrustSec Security Group ACLs (SGACLs): 1,000
TrustSec IP-SGT Static Bindings (over SSH): 10,000
Maximum concurrent REST API connections: ERS API 100; OpenAPI 150
Maximum Passive ID sessions for Large deployment: 2,000,000 with a Cisco SNS 3695 PAN and MnT; 500,000 with a Cisco SNS 3595 PAN and MnT
Maximum network latency between the primary PAN and any other Cisco ISE node, including the secondary PAN, MnT, and PSNs: 300 milliseconds
Maximum Passive ID session providers:
  Maximum AD Domain Controllers: 100
  Maximum REST API providers: 50
  Maximum Syslog providers: 70
  Maximum pxGrid subscribers: 50

RADIUS Performance


Note

Cisco ISE can be installed on Cisco SNS hardware or virtual appliances. Both physical and virtual deployments provide the same level of performance. To achieve performance and scalability comparable to the Cisco ISE hardware appliance, the Cisco ISE virtual machine should be allocated system resources equivalent to the Cisco SNS 3500 or 3600 series appliances.


The following table shows authentications per second for a dedicated PSN node.

Authentication Method   Identity Store     Cisco SNS 3515   Cisco SNS 3595   Cisco SNS 3615   Cisco SNS 3655   Cisco SNS 3695
PAP                     Internal           775              1100             900              1300             1300
PAP                     Active Directory   250              275              275              300              300
PAP                     LDAP               275              300              300              350              350
PEAP (MSCHAPv2)         Internal           125              150              150              225              225
PEAP (MSCHAPv2)         Active Directory   100              150              150              175              175
PEAP (GTC)              Internal           100              150              175              250              250
PEAP (GTC)              Active Directory   100              125              100              175              175
EAP-FAST (MSCHAPv2)     Internal           375              400              375              550              550
EAP-FAST (MSCHAPv2)     Active Directory   175              225              200              275              300
EAP-FAST (GTC)          Internal           300              450              350              450              450
EAP-FAST (GTC)          Active Directory   125              200              200              300              300
EAP-FAST (GTC)          LDAP               150              300              200              300              300
EAP-TLS                 Internal           125              150              175              225              250
EAP-TLS                 Active Directory   125              175              150              200              200
EAP-TLS                 LDAP               150              175              175              250              250
EAP-TEAP                Internal           75               100              100              175              200
MAB                     Internal           400              575              500              1000             1300
MAB                     LDAP               300              500              400              600              600
EAP-TTLS-PAP            Azure AD           NA               10               5                15               15

TACACS+ Performance

The following table shows the transactions per second (TPS) for a dedicated PSN node.

Scenario Cisco SNS 3515 Cisco SNS 3595 Cisco SNS 3615 Cisco SNS 3655 Cisco SNS 3695
TACACS+ Function: PAP 1800 2500 2800 3000 3200
TACACS+ Function: CHAP 2000 3200 2800 3200 3900
TACACS+ Function: Enable 1000 1100 1000 1100 1100
TACACS+ Function: Session Authorization 1800 3000 2800 3000 3600
TACACS+ Function: Command Authorization 1800 2800 2800 3000 3900
TACACS+ Function: Accounting 2000 3000 3000 6000 9000

Cisco ISE Scenario-Based Performance

The following table shows the transactions per second (TPS) for a dedicated PSN node.

Scenario                                                          Cisco SNS 3515   Cisco SNS 3595   Cisco SNS 3615   Cisco SNS 3655   Cisco SNS 3695
Posture authentication                                            50               55               55               60               60
Guest Hotspot authentication                                      50               100              75               125              150
Guest Sponsored authentication                                    50               75               50               75               75
BYOD onboarding single SSID                                       10               12               12               15               15
BYOD onboarding dual SSID                                         10               12               12               15               15
MDM                                                               100              200              200              225              350
Internal CA certificate issuance                                  40               45               45               50               50
New endpoints profiled per second/profile updates per second      200              250              200              250              250
Maximum PassiveID sessions processed per second                   1000             1000             1000             1000             1000
ERS: Endpoints Bulk API                                           50               75               75               100              100
ERS: Guest Bulk API                                               50               75               75               100              100
ERS: TrustSec Bulk API                                            5                5                5                10               10

The following rows use the same column order (Cisco SNS 3515, 3595, 3615, 3655, 3695).

TrustSec
Time taken (in seconds) to push 300 TrustSec policies to 254 NADs                      50   50   50   50   25
Time taken (in seconds) for 5000 TrustSec policies to download 2GB data via REST API   50   50   50   50   25

SXP
Time taken (in milliseconds) to connect SXP to SXPSN                                   5    5    5    3    3

pxGrid
Time taken (in seconds) for 200 pxGrid subscribers bulk download with 20,000 sessions  40   45   40   55   60

Note

When these limits are exceeded, there could be performance degradation resulting in requests being dropped. You must provision the Cisco ISE appliance and VMs keeping in mind the total capacity per deployment and the expected peak hour authentication rates.
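The PSN-sizing inputs listed earlier on this page (maximum concurrent active endpoints, RADIUS authentication rate, TACACS+ authentication rate) and the provisioning note above can be turned into a small planning check. The following Python example is added here and is not part of the Cisco document: it transcribes a subset of the page's figures (Table 2, the RADIUS authentications-per-second table, Table 3 and the per-deployment node limits) into lookup tables, derates them by the stated 5 percent tolerance, and computes how many dedicated PSNs a peak load needs, which deployment type covers it, and how close a live session count sits to the deployment ceiling. The proportional-sharing model for mixed authentication methods, the N+1 spare PSN and the 80 percent warning threshold are planning assumptions of this example, not figures from the page; TACACS+ is omitted but would be handled by the same per-rate division.

```python
import math

# Capacity figures transcribed from this page (Table 2, the RADIUS
# authentications-per-second table for a dedicated PSN, Table 3 and the
# deployment-type node limits). Only a subset of platforms and methods.
ENDPOINTS_PER_PSN = {
    # platform: (dedicated PSN, shared PSN)
    "SNS-3595": (40_000, 20_000),
    "SNS-3655": (50_000, 25_000),
    "SNS-3695": (100_000, 50_000),
}

# RADIUS authentications per second per dedicated PSN,
# keyed by (authentication method, identity store).
AUTHS_PER_SEC = {
    "SNS-3595": {("EAP-TLS", "AD"): 175, ("PEAP-MSCHAPv2", "AD"): 150, ("MAB", "Internal"): 575},
    "SNS-3655": {("EAP-TLS", "AD"): 200, ("PEAP-MSCHAPv2", "AD"): 175, ("MAB", "Internal"): 1000},
    "SNS-3695": {("EAP-TLS", "AD"): 200, ("PEAP-MSCHAPv2", "AD"): 175, ("MAB", "Internal"): 1300},
}

# Deployment-wide ceilings from Table 3, keyed by the PAN/MnT platform.
MEDIUM_MAX_ENDPOINTS = {"SNS-3595": 20_000, "SNS-3655": 25_000, "SNS-3695": 50_000}
LARGE_MAX_ENDPOINTS = {"SNS-3595": 500_000, "SNS-3655": 500_000, "SNS-3695": 2_000_000}
MEDIUM_MAX_PSNS = 6    # "Supports up to 6 PSNs"
LARGE_MAX_NODES = 50   # "Supports up to 50 nodes (PSN + pxGrid)"

TOLERANCE = 0.05  # the page calls its figures approximate (around 5 percent)


def derated(value):
    """Apply the 5 percent tolerance so planning never relies on the full rated figure."""
    return value * (1 - TOLERANCE)


def auth_psn_equivalents(platform, peak_rates):
    """Sum, over each (method, store) flow, the fraction of one PSN's rated
    capacity that the flow's peak rate consumes.

    Assumption (this example's model, not stated on the page): mixed methods
    share a PSN in proportion to each method's share of its own rated capacity.
    """
    table = AUTHS_PER_SEC[platform]
    return sum(rate / derated(table[key]) for key, rate in peak_rates.items())


def psns_required(platform, endpoints, peak_rates, dedicated=True, spare_psns=1):
    """Number of PSNs needed so that neither the concurrent-endpoint figure nor
    the peak authentication-rate figure is exceeded.

    spare_psns: extra PSNs kept for node loss. N+1 is a planning assumption of
    this example, not a figure from the page.
    """
    per_psn = ENDPOINTS_PER_PSN[platform][0 if dedicated else 1]
    by_endpoints = math.ceil(endpoints / derated(per_psn))
    by_auth_rate = math.ceil(auth_psn_equivalents(platform, peak_rates))
    return max(by_endpoints, by_auth_rate) + spare_psns


def deployment_tier(pan_platform, endpoints, psn_count):
    """Smallest deployment type (Medium or Large) whose limits cover the load,
    or None if even a Large deployment on this PAN/MnT platform cannot."""
    if endpoints <= MEDIUM_MAX_ENDPOINTS[pan_platform] and psn_count <= MEDIUM_MAX_PSNS:
        return "Medium"
    if endpoints <= LARGE_MAX_ENDPOINTS[pan_platform] and psn_count <= LARGE_MAX_NODES:
        return "Large"
    return None


def headroom(pan_platform, active_sessions, warn_at=0.8):
    """Compare a current active-session count with the Large-deployment ceiling;
    the page warns that sessions beyond the ceiling may be dropped."""
    ceiling = LARGE_MAX_ENDPOINTS[pan_platform]
    utilization = active_sessions / ceiling
    return {
        "ceiling": ceiling,
        "utilization": round(utilization, 3),
        "warn": utilization >= warn_at,
        "exceeded": active_sessions > ceiling,
    }


if __name__ == "__main__":
    # Constructed planning input: 120,000 endpoints, peak 150 EAP-TLS/s against AD
    # and 400 MAB/s against the internal store, PSNs and PAN/MnT on SNS 3655.
    peak = {("EAP-TLS", "AD"): 150, ("MAB", "Internal"): 400}
    n = psns_required("SNS-3655", 120_000, peak)
    print("PSNs required:", n)                                            # 4 (3 + 1 spare)
    print("deployment tier:", deployment_tier("SNS-3655", 120_000, n))   # Large
    print("headroom:", headroom("SNS-3695", 1_700_000))
```

In the constructed input the endpoint count, not the authentication rate, drives the PSN count (three PSNs for 120,000 endpoints on SNS 3655, plus one spare); swapping in a heavy PEAP load on a smaller platform flips that, which is exactly the two-constraint check the page asks you to make.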


Cisco ISE Hardware Platforms

Note the following points:

  • VM appliance specifications should be comparable with those of the physical appliances used in a production environment.

  • You must deploy dedicated VM resources and not share or oversubscribe resources across multiple guest VMs.

  • For VM deployment, the number of vCPU cores you allocate is twice the number of physical cores in the equivalent physical appliance, because of hyperthreading. For example, in a Small network deployment, you must allocate 16 vCPU cores to meet the CPU specification of the SNS 3615, which has 8 CPU cores or 16 threads.

  • Cisco ISE 3.1 does not support Cisco Secured Network Server (SNS) 3515 appliance.

Table 4. Specifications for Different Hardware Platforms

Cisco SNS 3515
  Processor: 1 x Intel Xeon E5-2620, 2.40 GHz
  Cores per Processor: 6
  Memory: 16 GB (2x8GB)
  Hard Disk: 1 x 600-GB 6Gb SAS 10K RPM
  Hardware RAID: none listed
  Network Interfaces: 6 x 1GBase-T
  Power Supplies: 1 x 770W

Cisco SNS 3595
  Processor: 1 x Intel Xeon E5-2640, 2.60 GHz
  Cores per Processor: 8
  Memory: 64 GB (4x16GB)
  Hard Disk: 4 x 600-GB 6Gb SAS 10K RPM
  Hardware RAID: Level 10, Cisco 12G SAS Modular RAID Controller
  Network Interfaces: 6 x 1GBase-T
  Power Supplies: 2 x 770W

Cisco SNS 3615
  Processor: 1 x Intel Xeon 4110, 2.10 GHz
  Cores per Processor: 8
  Memory: 32 GB (2x16GB)
  Hard Disk: 1 x 600-GB 6Gb SAS 10K RPM
  Hardware RAID: none listed
  Network Interfaces: 2 x 10GBase-T, 4 x 1GBase-T
  Power Supplies: 1 x 770W

Cisco SNS 3655
  Processor: 1 x Intel Xeon 4116, 2.10 GHz
  Cores per Processor: 12
  Memory: 96 GB (6x16GB)
  Hard Disk: 4 x 600-GB 6Gb SAS 10K RPM
  Hardware RAID: Level 10, Cisco 12G SAS Modular RAID Controller
  Network Interfaces: 2 x 10GBase-T, 4 x 1GBase-T
  Power Supplies: 2 x 770W

Cisco SNS 3695
  Processor: 1 x Intel Xeon 4116, 2.10 GHz
  Cores per Processor: 12
  Memory: 256 GB (8x32GB)
  Hard Disk: 8 x 600-GB 6Gb SAS 10K RPM
  Hardware RAID: Level 10, Cisco 12G SAS Modular RAID Controller
  Network Interfaces: 2 x 10GBase-T, 4 x 1GBase-T
  Power Supplies: 2 x 770W

ISE Community Resource

For information on how to plan your Cisco ISE deployment, see the following links:

ISE High Level Design

ISE Planning & Pre-Deployment Checklists

Cisco ISE on Amazon Web Services

Cisco ISE is now available from the cloud, enabling you to scale your Cisco ISE deployments quickly and easily to meet changing business needs. Cisco ISE is available as an Infrastructure as Code solution, helping you to rapidly deploy network access and control services anywhere. Extend the Cisco ISE policies in your home network to new remote deployments securely through Amazon Web Services (AWS).

For more information, see Cisco ISE on AWS.

The following Cisco ISE instances are currently available in AWS, with the EBS volume type General Purpose SSD (gp2).

Table 5. Cisco ISE Instances

Cisco ISE Instance Type   CPU Cores   RAM (in GB)
c5.4xlarge                16          32
m5.4xlarge                16          64
c5.9xlarge                36          72
t3.xlarge                 4           16

Maximum Concurrent Active Endpoints for Different Cisco ISE Deployments in AWS

Cisco ISE can be launched in Amazon Web Services through an Amazon Machine Image (AMI) or a CloudFormation Template (CFT).

The authentication values given below are approximate (accurate to within about 5 percent). You can determine the number of PSNs that are needed for your deployment based on the following:

  • Maximum concurrent active endpoints

  • RADIUS authentication rate

  • TACACS+ authentication rate


Note

  • We recommend that you use c5.4xlarge and c5.9xlarge instances as PSNs, and m5.4xlarge instance as a PAN or MnT node.

  • You must use the t3.xlarge instance only for evaluation purposes.


Table 6. Maximum Concurrent Active Endpoints Based on PSN Type
(- means no value is listed)
PSN Type c5.4xlarge c5.9xlarge m5.4xlarge
Dedicated PSN 40,000 100,000 -
Shared PSN 20,000 50,000 20,000

Table 7. Maximum Concurrent Active Endpoints for Different Deployments
(each column is the instance type on which the PAN and MnT run; - means no value is listed)
Deployment Type c5.4xlarge c5.9xlarge m5.4xlarge
Large deployment - - 500,000
Medium deployment - - 240,000
Small deployment 20,000 50,000 20,000

RADIUS Performance

The RADIUS performance values that are displayed in the following table are based on deployments where Active Directory and Cisco ISE are placed in the same virtual private network.

Table 8. Authentications Per Second for a Dedicated PSN in AWS
Authentication Method Identity Store c5.4xlarge Instance c5.9xlarge Instance
PAP Internal 775 1300
PAP Active Directory 250 300
PEAP (MSCHAPv2) Internal 125 225
PEAP (MSCHAPv2) Active Directory 100 175
PEAP (GTC) Internal 100 250
PEAP (GTC) Active Directory 100 175
EAP-FAST (MSCHAPv2) Internal 375 550
EAP-FAST (MSCHAPv2) Active Directory 175 300
EAP-FAST (GTC) Internal 300 450
EAP-FAST (GTC) Active Directory 125 300
EAP-TLS Internal 125 250
EAP-TLS Active Directory 125 200
EAP-TEAP Active Directory 75 200
MAB Internal 400 1000

TACACS+ Performance

Table 9. Transactions Per Second (TPS) for a Dedicated PSN in AWS
Scenario c5.4xlarge Instance c5.9xlarge Instance
TACACS+ Function: PAP 2800 3000
TACACS+ Function: CHAP 2800 3200
TACACS+ Function: Enable 1000 1100
TACACS+ Function: Session Authorization 2800 3000
TACACS+ Function: Command Authorization 2800 3000
TACACS+ Function: Accounting 3000 6000

Cisco ISE Scenario-Based Performance

Table 10. Transactions Per Second (TPS) for a Dedicated PSN in AWS
Scenario c5.4xlarge Instance c5.9xlarge Instance
Posture authentication 55 60
Guest Hotspot authentication 75 125
Guest Sponsored authentication 50 75
MDM 200 225
Internal CA certificate issuance 45 50
New endpoints profiled per second/profile updates per second 200 250
Maximum PassiveID sessions processed per second 1000 1000
ERS: Endpoints Bulk API 100 350
ERS: Guest Bulk API 100 150
ERS: TrustSec Bulk API 45 60

Cisco TrustSec
Time taken (in seconds) to push 300 Cisco TrustSec policies to 254 NADs 50 50
Time taken (in seconds) for 5000 Cisco TrustSec policies to download 2GB data via REST API 50 50

SXP
Time taken (in milliseconds) to connect SXP to SXPSN 5 3

pxGrid
Time taken (in seconds) for 200 pxGrid subscribers bulk download with 20,000 sessions 40 55