You can choose the right ISE deployment by considering the maximum scale numbers for active endpoints in each deployment type, the scale supported by individual PSN nodes, and other relevant factors described in this section.

Each endpoint with a unique MAC address counts as one active session. Concurrent active sessions are supported for all types of sessions, including Dot1x, MAB, Guest, BYOD, and Posture.

The maximum number of active sessions shown in this table was determined by tests performed under these conditions:

• Cisco ISE deployments are formed in a single data center deployed in same region, low latency (less than 5 ms) between the ISE internode communications, Dot1x authentications and accounting events generated by endpoints in the range of two to four repetitions per day.

• The majority of the sessions use RADIUS protocols to authenticate with local ID providers.

ISE deployment scale

These tables show the maximum concurrent active sessions for deployments with different SNS appliances acting as PAN, MnT, or PAN/MnT.

Note

Cisco SNS 3815, Cisco SNS 3855, and Cisco SNS 3895 are supported from Cisco ISE 3.3 patch 7 onwards. Cisco SNS 3595 is supported only for Cisco ISE 3.2 and earlier releases. Small or medium deployments with 32 GB memory instances (Cisco SNS 3615 or Cisco SNS 3715) acting as PAN/MnT are recommended for RADIUS-only or TACACS+-only workloads. For deployments that need both RADIUS and TACACS+ at scale, use Cisco ISE nodes with higher resources, such as Cisco SNS 3655 or newer models. Advanced features such as AI/ML Profiling, Cisco ACI Integration, Workload Connectors, Monitoring, and Log Analytics (under System 360) require more resources. Enable these features only on Cisco SNS 3815, 3655, 3755, 3855, 3695, 3795, or 3895 for optimal performance.

Policy Service Node scale

*Cisco SNS 3795 and Cisco SNS 3895 are equipped with more RAM and better Disk Read/Write performance. These models are best suited for dedicated PAN, dedicated MnT, or PAN/MnT personas and provide no added value when deployed as a dedicated PSN.

Note	SNS 3595 is supported in Cisco ISE release 3.2 and earlier versions.

Consider these points when selecting a deployment:

• You can choose small deployment for up to 50,000 concurrent active sessions and medium deployment for up to 150,000 concurrent active sessions.

• For deployments with more than 150,000 concurrent active sessions, a large deployment is required. Register MnT nodes as Dedicated MnT nodes in large deployments.

• Deploy PSNs closer to workloads and Identity Providers (such as AD, LDAP) for performance-sensitive loads.

• Group PSNs for similar workloads, such as RADIUS Dot1x, Guest, BYOD, or TACACS+, and distribute traffic through load balancers.

• For better performance, configure Calling-Station-ID (MAC)-based stickiness in the load balancer.

• Configure PSNs in node groups if you use services that require URL redirect, such as posture services, guest services, or MDM.

• Have multiple data centers, and group PSNs per datacenter. Configure RADIUS (primary, secondary, tertiary) failover on NAS devices. For example, if the primary data center (DC-A) fails, 50 percent of NADs can fail over to the secondary data center (DC-B), and the remaining NADs can fail over to the tertiary data center (DC-C).

• Implement N+1 or N+2 redundancy within a PSN group.

• Purge guest and inactive endpoints at regular intervals to prevent latency in ISE operations.

• The maximum concurrent active session values given for each deployment are applicable for connected devices that are generating dot1x authentications up to 4 times a day.

• For deployments where endpoints generate repeated authentication and accounting events, additional PSNs in the PSN group are required to handle heavy traffic scenarios such as simultaneous login events from a large number of users or Wi-Fi users roaming from one location to another.

• PSN node variations include TACACS+ PSN, TC-NAC PSN, Guest PSN (GPSN), Cisco TrustSec PSN, Security Group eXchange Protocol PSN, and PassiveID PSN. For better performance, reserve TACACS+, RADIUS, Guest, BYOD workloads to dedicated PSN groups within a deployment.

• Assign separate Cisco TrustSec PSNs to handle TrustSec functions in TrustSec deployments. This prevents overloading RADIUS PSNs when pushing policies.

• For large-scale NAC environments with many Device Administration tasks, such as frequent script usage or network management systems, split deployments and use a separate deployment for Device Administration (TACACS+).

This table shows the authentication rates for RADIUS protocols when a Cisco ISE node acts as a single dedicated PSN in a deployment.

This table shows the transactions per second (TPS) when Cisco ISE node is acting as a single dedicated PSN in a deployment for different scenarios.

The authentication values provided in this table may have + or - 5 percent deviation in production environment.

Note	Cisco ISE integration with Duo MFA for RADIUS and TACACS+ flows is applicable from Cisco ISE 3.3 Patch 1 onwards. The authentication rates are applicable to deployments, where the latency between Cisco ISE and Duo is 4 or 5 seconds.

**Having more than 500,000 guest users might create latency in user authentication.

***Sample use case: Cisco SNS 3795 can support a maximum of 2,000,000 active endpoints/sessions (as stated in Sizing guidelines for Cisco ISE deployment). In addition, it can handle a maximum of 2,000,000 inactive endpoints, resulting in a total of 4,000,000 endpoints in the Cisco ISE database for large deployments. For medium deployments, it can handle up to 150,000 active endpoints/sessions and 3,850,000 inactive endpoints. For small deployments it can handle up to 50,000 active endpoints/sessions and 3,950,000 inactive endpoints.

****It is not recommended to have more than 600 authorization rules in a single policy set. Increasing the number of conditions per authorization rule might impact the performance.

This section specifies the time taken for Cisco ISE pxGrid Direct connector integration via URL Fetcher and URL Pusher for different scales of endpoints.

Note

These values are applicable only when the network latency between Cisco ISE and CMDB is less than 50 milliseconds. This data is applicable for endpoints with 15 attributes each. Data size for each endpoint with its attributes should not exceed 5 GB. Timeout for Full Sync download is 120 minutes. It is highly recommended to schedule synchronization during off-peak hours. Cisco ISE can fetch data from 5 connectors simultaneously.

The data presented in this table is based on these conditions:

• Number of requests: 1

• Endpoints per request: 10,000

• Attributes per endpoint: 17

• Total payload: <= 5 MB

• Inter-request delay: 30 seconds between each request

Best practices for optimized performance

• Ensure that the total request payload size is not more than 5 MB. You might see this error when this limit is exceeded:

  "Response: Size limit exceeded 5 MB, Bad Request"

• It is recommended to maintain a 30-second delay between each request. Insufficient delay between requests may lead to rate-limiting errors (for example, "Response: Too Many Requests").

• Monitor response errors and adjust payload size and request frequency accordingly.

Note	The URL Pusher data is applicable only from Cisco ISE release 3.4. It is recommended to schedule large synchronization tasks during off-peak hours. pxGrid Direct URL Pusher supports only two concurrent connections.

The context learned from Cisco Application Centric Infrastructure (Cisco ACI) can be shared with Cisco Catalyst Center, network devices, SD-WAN components, and any other pxGrid subscribers. This section describes the scale and performance limits when Cisco ISE is integrated with Cisco ACI.

This table describes supported Cisco ACI cluster scale for different Cisco ISE clusters and maximum SXP bindings supported for respective deployments.

Note these points while integrating Cisco ISE with Cisco ACI:

• It is recommended to integrate scaled ACI Fabric during off-peak hours. If the RADIUS traffic rate is high in the Cisco ISE deployment, TrustSec traffic enforcement might be delayed.

• Maximum SXP binding values specified in this table are applicable for both deployments using only IPv4 addresses and deployments using a combination of IPv4 and IPv6 addresses.

• Time taken for an ACI connection with 20,000 to 32,000 endpoints to reach the Connected state can be up to 5 minutes and time taken to download the bindings can be up to 10 minutes.

• The initial time taken to download EPG endpoints or create SXP bindings can increase if the overall load on the Cisco ISE system is increased.

• The total number of SXP bindings in the Cisco ISE deployment must not exceed 1,400,000. This count includes:

  • SXP bindings created by SGT assignment in authorization policies for RADIUS workload

  • SXP bindings received from SXP speakers

  • SXP bindings from IP-EPG mappings learned from Cisco ACI or SXP bindings created for workloads from all the Workload Connections

  • SXP bindings created by evaluating the Inbound SGT Domain rules

  • SXP bindings created by the Workload Classification rules

These are few examples for calculating the number of Cisco ACI connections that can be integrated with Cisco ISE based on scale:

Example 1

If the total number of SXP bindings created by SGT assignment in an authorization policy for RADIUS workload is 1,000,000, the total number of ACI connections that can be created is:

• If each ACI Fabric has 20,000 endpoints to be shared with Cisco ISE, total number of ACI Fabrics that can be integrated = (1,400,000-1,000,000) / 20,000 = 20

• If each ACI Fabric has 32,000 endpoints to be shared with Cisco ISE, total number of ACI connections that can be integrated = (1,400,000-1,000,000) / 32,000 = 12 or 13

Example 2

If the total number of SXP bindings created by SGT assignment in an authorization policy for RADIUS workload is 50,000, the total number of ACI connections that can be created is:

• If each ACI Fabric has 20,000 endpoints to be shared with Cisco ISE, the total number of ACI connections that can be integrated = (1,400,000-50,000) / 20,000 = 67 or 68

• If each ACI Fabric has 32,000 endpoints to be shared with Cisco ISE, the total number of ACI connections that can be integrated = (1,400,000-50,000) / 32000 = 42

Example 3

In a small deployment with Cisco SNS 3655/3755/3695/3795 as PAN/MnT, if the:

• Total number of SXP bindings created by SGT assignment in an authorization policy for RADIUS workload is 10,000

• Total SXP bindings for this deployment is 40,000

• Total ACI Connections is 3

Maximum endpoints per ACI connection = (Total SXP bindings in deployment - Total SXP bindings)/Number of connectors for deployment = (40,000-10,000)/3 = 10,000

From Cisco ISE release 3.4 patch 1, Cisco ISE can be integrated with these Workload Connectors, in addition to Cisco ACI:

• AWS

• Azure

• GCP

• vCenter

*This could be a combination of different workload connections like AWS, GCP, Azure, and vCenter, or of same type. For example, if the maximum workload connection value is specified as 10, this deployment can include 3 GCP connections, 4 AWS connections, and 3 Azure connections, or 10 Azure connections.

Deployment requirements while integrating Cisco ISE with Cisco ACI and Workload Connectors

• Small or medium deployments with Cisco SNS 3615 or 3715 acting as PAN/MnT are not recommended for production use.

• Instances of the SXP persona must be configured as dedicated nodes for optimal performance in Medium and Large deployments.

• When Inbound SGT domain rules are configured, additional SXP bindings might be created for specific endpoints.

• While creating the Outbound SGT Domain rules, ensure that the maximum number of SGTs from all the rules and filters does not exceed 500. For example, if there are 5 Outbound SGT Domain rules, the number of SGTs per rule can be up to 100. It is recommended to have less than 10 Outbound SGT Domain rules in a deployment.

• The maximum number of SXP bindings includes:

  • SXP bindings created by SGT assignment in authorization policies for RADIUS workload

  • SXP bindings received from SXP speakers

  • Static IP-SGT bindings

  • SXP bindings from IP-EPG mappings learned from Cisco ACI or SXP bindings created for workloads from all the Workload Connections

  • SXP bindings created by evaluating the Inbound SGT domain rules

  • SXP bindings created by the Workload Classification rules

• It is strongly recommended to add scaled workload connections to Cisco ISE during the off-peak hours. If the RADIUS traffic rate is high in the Cisco ISE deployment, SXP binding creation might be delayed.

This section lists the best practices recommended while configuring the network devices and Cisco ISE for better performance.​​

Some of the factors that affect authentications are​:​

• Network adapter disconnecting or reconnecting and leading to new authentication process​

• Network switches configured with very less session time

• Network switches configured with frequent accounting interim updates

• Power outages

• Automated scripts requiring mass reboot of systems

These events result in new authentication (Access-Request), accounting-interim update, or accounting stops.

configure terminal
  service cache enable hosts ttl 180

Cisco SNS hardware appliances support the Unified Extensible Firmware Interface (UEFI) secure boot feature. This feature ensures that only a Cisco-signed Cisco ISE image can be installed on the Cisco SNS hardware appliances, and prevents the installation of any unsigned operating system even with physical access to the device.

Note

Cisco ISE Release 3.1 patch 6 and later and Cisco ISE release 3.2 patch 2 and later versions support Cisco SNS 3700 series appliances. You cannot add additional hardware resources like memory, processor, or storage to a Cisco SNS hardware appliance. Mixing SAS/SATA hard drives and SAS/SATA SSDs is not supported. You must use either SAS/SATA hard drives or SAS/SATA SSDs. SSD offers improved performance in disk read/write operations and other Cisco ISE operations like boot, installation (up to 10% improvement), and upgrade database intensive tasks like backup and reports generation (up to 20% improvement). Note that the PSN performance for RADIUS and TACACS+ operations will remain the same as described in preceding sections. Additional power supplies can be ordered separately for SNS 3615 and SNS 3715. For component part numbers, see the Cisco Secure Network Server Data Sheet.

Note

Cisco SNS 3800 series appliances are supported from Cisco ISE release 3.3 patch 7 onwards. You cannot add additional hardware resources like memory, processor, or storage to a Cisco SNS hardware appliance. NVMe offers improved performance in disk read/write operations and other Cisco ISE operations like boot, installation (up to 10% improvement), and upgrade database intensive tasks like backup and reports generation (up to 20% improvement). Note that the PSN performance for RADIUS and TACACS+ operations will remain the same as described in preceding sections. For component part numbers, see the Cisco Secure Network Server Data Sheet.

Cisco ISE can be installed on VMware servers, KVM hypervisors, Hyper-V (Windows Server and Azure Stack HCI), and Nutanix AHV. To achieve performance and scalability comparable to Cisco ISE hardware appliances, virtual machines must be allocated system resources equivalent to the Cisco SNS appliances.

It is recommended that you reserve CPU and memory resources that match the resource allocation. Failure to do so may significantly impact Cisco ISE performance and stability.

For a VM deployment, the number of cores is twice the number of cores in a physical appliance due to hyperthreading. For example, in case of a small network deployment, allocate 16 vCPU cores to meet the CPU specification of SNS 3615, which has 8 CPU cores or 16 threads.

Deploy dedicated VM resources and do not share or oversubscribe resources across multiple guest VMs.

Cisco ISE is now available from the cloud, enabling you to scale your Cisco ISE deployments quickly and easily to meet changing business needs.

Cisco ISE is available as an Infrastructure as Code solution, helping you to rapidly deploy network accesses and control services anywhere.

Extend the Cisco ISE policies in your home network to new remote deployments securely through Amazon Web Services (AWS), Azure Cloud Services, or Oracle Cloud Infrastructure (OCI). AWS supports Cisco ISE release 3.1 and later releases.

OCI and Azure Cloud support is available from Cisco ISE release 3.2 and later releases.

See Deploy Cisco ISE Natively on Cloud Platforms and respective cloud documentations for resource specifications of supported instances.

This table describes matrix of VM specification, cloud instances to their equivalent Cisco SNS appliances.

Extra Small form factor for Cisco ISE VM and cloud instances

Extra Small VM specification is available only on virtualization platforms such as VMware, KVM, Hyper-V, Nutanix AHV hypervisors, and Cloud instances.

This form factor is not supported for SNS appliances.

Extra Small form factor supports these two deployment types:

• PSNLite: The node can be deployed as a dedicated PSN persona in a deployment supporting up to 500,000 sessions.

  Performance for RADIUS and TACACS+ authentication is around 50 percent of that of Cisco SNS 3615. For example, if the RADIUS authentication rate of Cisco SNS 3615 for PEAP-MSCHAP2 with internal user database is 150, this value will be 75 (50% of 150) for the PSNLite.

• ISELite: The node can be deployed as a standalone Cisco ISE node. It is not recommended to use ISELite for Small (HA) deployments.

  ISELite is optimized to run only for small office scenario supporting up to a maximum of 1000 concurrently active endpoints with an optimal RADIUS performance at 50 TPS.

  ISELite is recommended only for RADIUS or TACACS+ traffic. It is not recommended to enable advanced services like SXP, PassiveID, pxGrid Direct, pxGrid Cloud, TC-NAC, Log Analytics, and Cisco AI Analytics on an ISELite node.

  Ensure that the Log Analytics option (under Operations > System 360) is disabled in the ISELite node.