Overview
This document lists the performance and scalability metrics for Cisco Identity Services Engine (Cisco ISE).
Cisco ISE Node Terminology
A Cisco ISE node can provide various services based on the persona that it assumes. The menu options that are available through the Admin portal are dependent on the role and personas that a Cisco ISE node assumes.
Node Type | Description |
---|---|
Policy Administration node (PAN) | A Cisco ISE node with the Administration persona allows you to perform all administrative operations and configurations on Cisco ISE. It serves as a single pane of glass for viewing all administrative operations, configurations, and contextual data. It synchronizes the configuration to the rest of the nodes in the deployment. |
Policy Service node (PSN) | A Cisco ISE node with the Policy Service persona provides network access, posture, guest access, client provisioning, and profiling services. This persona evaluates the policies and makes all the decisions. |
Monitoring node (MnT) | A Cisco ISE node with the Monitoring persona functions as the log collector and stores log messages from all the Administration and Policy Service nodes in a network. This persona provides advanced monitoring and troubleshooting tools that you can use to effectively manage the network and resources. A node with this persona aggregates and correlates the data that it collects, and provides you with meaningful reports. |
pxGrid node | You can use Cisco pxGrid to share context-sensitive information from Cisco ISE session directory with other network systems such as Cisco ISE ecosystem partner systems and other Cisco platforms. The pxGrid framework can also be used to exchange policy and configuration data between nodes (like sharing tags and policy objects between Cisco ISE and third party vendors) and for other information exchanges. |
Different Types of Cisco ISE Deployment
[Figures: deployment diagrams for Evaluation, Small Deployment, Medium Deployment, and Large Deployment]
Maximum Concurrent Active Endpoints for Different Deployments
Cisco Identity Services Engine (ISE) can be installed on Cisco SNS hardware or virtual appliances. To achieve performance and scalability comparable to the Cisco ISE hardware appliance, the virtual machine should be allocated system resources equivalent to the Cisco SNS 3500 or 3600 series appliances.
The authentication values given below are approximate (around 5 percent). You can determine the number of PSNs that are needed for your deployment based on the following:
- Maximum concurrent active endpoints
- RADIUS authentication rate
- TACACS+ authentication rate
PSN Type | Cisco SNS 3515 | Cisco SNS 3595 | Cisco SNS 3615 | Cisco SNS 3655 | Cisco SNS 3695 |
---|---|---|---|---|---|
Dedicated PSN | 7500 | 40,000 | 10,000 | 50,000 | 100,000 |
Shared PSN | 5000 | 20,000 | 10,000 | 25,000 | 50,000 |
Deployment Type | Cisco SNS 3515 | Cisco SNS 3595 | Cisco SNS 3615 | Cisco SNS 3655 | Cisco SNS 3695 |
---|---|---|---|---|---|
 | PAN and MnT | PAN and MnT | PAN and MnT | PAN and MnT | PAN and MnT |
Large deployment | — | 500,000 | — | 500,000 | 2,000,000 |
Medium deployment | 7500 | 20,000 | 10,000 | 25,000 | 50,000 |
Small deployment | 7500 | 20,000 | 10,000 | 25,000 | 50,000 |
For information about different types of deployments, see Different Types of Cisco ISE Deployment.
Cisco ISE Deployment Scale Limits
Attribute | Maximum Limit |
---|---|
Maximum pxGrid nodes in Large or Dedicated deployment | 4 |
Maximum pxGrid subscribers per pxGrid node | 200 |
Dedicated PSN nodes with SXP service enabled | 4 |
Maximum ISE SXP peers per PSN node with SXP service enabled | 200 |
Maximum network device entries (IP addresses and/or IP address range) | 100,000 |
Maximum network device groups (NDG) | 10,000 |
Maximum Active Directory forests (Join Points) | 50 |
Maximum Active Directory controllers (WMI query) | 100 |
Maximum internal users | 300,000 |
Maximum internal guests | 1,000,000 |
Maximum user certificates | 1,000,000 |
Maximum server certificates | 1,000 |
Maximum trusted certificates | 1,000 |
Maximum user portals (Guest, BYOD, MDM, Certificate Provisioning, Posture, Client Provisioning) | 600 |
Maximum concurrent active endpoints | 2,000,000 |
Maximum policy sets | 200 |
Maximum authentication rules | 1000 (Policy Set mode) |
Maximum authorization rules | Policy Set mode: 3,000 (3,200 authorization profiles). It is not recommended to have more than 600 authorization rules in a single policy set. |
Maximum user identity groups | 1,000 |
Maximum endpoint identity groups | 1,000 |
TrustSec Security Group Tags (SGTs) | 10,000 |
TrustSec Security Group ACLs (SGACLs) | 1,000 |
TrustSec IP-SGT Static Bindings (over SSH) | 10,000 |
Maximum concurrent REST API connections | ERS API: 100; OpenAPI: 150 |
Maximum Passive ID sessions for Large deployment | 3695 PAN, MnT: 2,000,000; 3595 PAN, MnT: 500,000 |
Maximum network latency between primary PAN and any other Cisco ISE node including the secondary PAN, MnT, and PSNs | 300 milliseconds |
Maximum Passive ID sessions providers | |
Maximum AD Domain Controllers | 100 |
Maximum REST API Providers | 50 |
Maximum Syslog Providers | 70 |
Maximum pxGrid Subscribers | 50 |
RADIUS Performance
Note: Cisco ISE can be installed on Cisco SNS hardware or virtual appliances. Both physical and virtual deployments provide the same level of performance. To achieve performance and scalability comparable to the Cisco ISE hardware appliance, the Cisco ISE virtual machine should be allocated system resources equivalent to the Cisco SNS 3500 or 3600 series appliances.
The following table shows authentications per second for a dedicated PSN node.
Authentication Method | Identity Store | Cisco SNS 3515 | Cisco SNS 3595 | Cisco SNS 3615 | Cisco SNS 3655 | Cisco SNS 3695 |
---|---|---|---|---|---|---|
PAP | Internal | 775 | 1100 | 900 | 1300 | 1300 |
PAP | Active Directory | 250 | 275 | 275 | 300 | 300 |
PAP | LDAP | 275 | 300 | 300 | 350 | 350 |
PEAP (MSCHAPv2) | Internal | 125 | 150 | 150 | 225 | 225 |
PEAP (MSCHAPv2) | Active Directory | 100 | 150 | 150 | 175 | 175 |
PEAP (GTC) | Internal | 100 | 150 | 175 | 250 | 250 |
PEAP (GTC) | Active Directory | 100 | 125 | 100 | 175 | 175 |
EAP-FAST (MSCHAPv2) | Internal | 375 | 400 | 375 | 550 | 550 |
EAP-FAST (MSCHAPv2) | Active Directory | 175 | 225 | 200 | 275 | 300 |
EAP-FAST (GTC) | Internal | 300 | 450 | 350 | 450 | 450 |
EAP-FAST (GTC) | Active Directory | 125 | 200 | 200 | 300 | 300 |
EAP-FAST (GTC) | LDAP | 150 | 300 | 200 | 300 | 300 |
EAP-TLS | Internal | 125 | 150 | 175 | 225 | 250 |
EAP-TLS | Active Directory | 125 | 175 | 150 | 200 | 200 |
EAP-TLS | LDAP | 150 | 175 | 175 | 250 | 250 |
EAP TEAP | Internal | 75 | 100 | 100 | 175 | 200 |
MAB | Internal | 400 | 575 | 500 | 1000 | 1300 |
MAB | LDAP | 300 | 500 | 400 | 600 | 600 |
EAP-TTLS-PAP | Azure AD | NA | 10 | 5 | 15 | 15 |
TACACS+ Performance
The following table shows the transactions per second (TPS) for a dedicated PSN node.
Scenario | Cisco SNS 3515 | Cisco SNS 3595 | Cisco SNS 3615 | Cisco SNS 3655 | Cisco SNS 3695 |
---|---|---|---|---|---|
TACACS+ Function: PAP | 1800 | 2500 | 2800 | 3000 | 3200 |
TACACS+ Function: CHAP | 2000 | 3200 | 2800 | 3200 | 3900 |
TACACS+ Function: Enable | 1000 | 1100 | 1000 | 1100 | 1100 |
TACACS+ Function: Session Authorization | 1800 | 3000 | 2800 | 3000 | 3600 |
TACACS+ Function: Command Authorization | 1800 | 2800 | 2800 | 3000 | 3900 |
TACACS+ Function: Accounting | 2000 | 3000 | 3000 | 6000 | 9000 |
Cisco ISE Scenario-Based Performance
The following table shows the transactions per second (TPS) for a dedicated PSN node.
Scenario | Cisco SNS 3515 | Cisco SNS 3595 | Cisco SNS 3615 | Cisco SNS 3655 | Cisco SNS 3695 |
---|---|---|---|---|---|
Posture authentication | 50 | 55 | 55 | 60 | 60 |
Guest Hotspot authentication | 50 | 100 | 75 | 125 | 150 |
Guest Sponsored authentication | 50 | 75 | 50 | 75 | 75 |
BYOD onboarding single SSID | 10 | 12 | 12 | 15 | 15 |
BYOD onboarding dual SSID | 10 | 12 | 12 | 15 | 15 |
MDM | 100 | 200 | 200 | 225 | 350 |
Internal CA certificate issuance | 40 | 45 | 45 | 50 | 50 |
New endpoints profiled per second/profile updates per second | 200 | 250 | 200 | 250 | 250 |
Maximum PassiveID sessions processed per second | 1000 | 1000 | 1000 | 1000 | 1000 |
ERS: Endpoints Bulk API | 50 | 75 | 75 | 100 | 100 |
ERS: Guest Bulk API | 50 | 75 | 75 | 100 | 100 |
ERS: TrustSec Bulk API | 5 | 5 | 5 | 10 | 10 |
TrustSec | | | | | |
Time taken (in seconds) to push 300 TrustSec policies to 254 NADs | 50 | 50 | 50 | 50 | 25 |
Time taken (in seconds) for 5000 TrustSec policies to download 2GB data via REST API | 50 | 50 | 50 | 50 | 25 |
SXP | | | | | |
Time taken (in milliseconds) to connect SXP to SXPSN | 5 | 5 | 5 | 3 | 3 |
pxGrid | | | | | |
Time taken (in seconds) for 200 pxGrid subscribers bulk download with 20,000 sessions | 40 | 45 | 40 | 55 | 60 |
Note: When these limits are exceeded, there could be performance degradation resulting in requests being dropped. You must provision the Cisco ISE appliance and VMs keeping in mind the total capacity per deployment and the expected peak hour authentication rates.
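The sizing procedure described above (endpoint count, RADIUS rate, TACACS+ rate) can be worked through in code; the following is an added example, not Cisco's sizing tool, using a subset of the dedicated-PSN figures from the tables on this page. Assumptions: the "around 5 percent" tolerance is applied as a derating margin, mixed traffic is summed as fractions of one PSN's capacity, RADIUS and TACACS+ are sized independently, and the function names and sample workload are constructed for illustration.

```python
import math

# Per-dedicated-PSN figures copied from the tables on this page, keyed by SNS model.
MODELS = ("3515", "3595", "3615", "3655", "3695")
MAX_ENDPOINTS = dict(zip(MODELS, (7500, 40000, 10000, 50000, 100000)))
RADIUS_AUTH_PER_SEC = {
    ("PAP", "Active Directory"): dict(zip(MODELS, (250, 275, 275, 300, 300))),
    ("PEAP (MSCHAPv2)", "Active Directory"): dict(zip(MODELS, (100, 150, 150, 175, 175))),
    ("EAP-TLS", "Active Directory"): dict(zip(MODELS, (125, 175, 150, 200, 200))),
    ("MAB", "Internal"): dict(zip(MODELS, (400, 575, 500, 1000, 1300))),
}
TACACS_TPS = {
    "Command Authorization": dict(zip(MODELS, (1800, 2800, 2800, 3000, 3900))),
    "Accounting": dict(zip(MODELS, (2000, 3000, 3000, 6000, 9000))),
}
DEPLOYMENT_MAX_ENDPOINTS = 2_000_000  # "Maximum concurrent active endpoints" scale limit


def _psns_for_load(peak_rates, table, model, margin):
    """Sum the fraction of one PSN each traffic type consumes, then round up."""
    load = 0.0
    for kind, rate in peak_rates.items():
        if kind not in table:
            raise ValueError(f"no figure in this example for {kind!r}")
        # Assumption: derate the published rate by the approximation margin.
        load += rate / (table[kind][model] * (1.0 - margin))
    return math.ceil(load)


def size_psns(model, endpoints, radius_peak, tacacs_peak=None, margin=0.05):
    """Return the PSN count demanded by each constraint and the binding one."""
    if model not in MAX_ENDPOINTS:
        raise ValueError(f"unknown SNS model {model!r}")
    if endpoints > DEPLOYMENT_MAX_ENDPOINTS:
        raise ValueError("exceeds the deployment-wide endpoint limit")
    counts = {
        "endpoints": math.ceil(endpoints / MAX_ENDPOINTS[model]),
        "radius": _psns_for_load(radius_peak, RADIUS_AUTH_PER_SEC, model, margin),
        "tacacs": _psns_for_load(tacacs_peak or {}, TACACS_TPS, model, margin),
    }
    counts["required"] = max(counts.values())
    return counts


# Constructed peak-hour workload (not from the page).
SAMPLE = size_psns(
    "3655", endpoints=120_000,
    radius_peak={("PEAP (MSCHAPv2)", "Active Directory"): 300, ("MAB", "Internal"): 800},
    tacacs_peak={"Command Authorization": 500},
)
if __name__ == "__main__":
    print(SAMPLE)
```

If RADIUS and TACACS+ share the same PSNs, add the two loads before rounding up instead of taking the larger count.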
Cisco ISE Hardware Platforms
Note the following points:
- VM appliance specifications should be comparable with physical appliances run in a production environment.
- You must deploy dedicated VM resources and not share or oversubscribe resources across multiple guest VMs.
- For VM deployment, the number of vCPU cores is twice the number of cores in the equivalent physical appliance, because of hyperthreading. For example, for a Small network deployment, you must allocate 16 vCPU cores to meet the CPU specification of SNS 3615, which has 8 CPU cores or 16 threads.
- Cisco ISE 3.1 does not support the Cisco Secured Network Server (SNS) 3515 appliance.
Appliance | Cisco SNS 3515 | Cisco SNS 3595 | Cisco SNS 3615 | Cisco SNS 3655 | Cisco SNS 3695 |
---|---|---|---|---|---|
Processor | 1 x Intel Xeon 2.40 GHz E5-2620 | 1 x Intel Xeon 2.60 GHz E5-2640 | 1 x Intel Xeon 2.10 GHz 4110 | 1 x Intel Xeon 2.10 GHz 4116 | 1 x Intel Xeon 2.10 GHz 4116 |
Cores per Processor | 6 | 8 | 8 | 12 | 12 |
Memory | 16 GB (2x8GB) | 64 GB (4x16GB) | 32 GB (2x16GB) | 96 GB (6x16GB) | 256 GB (8x32GB) |
Hard Disk | 1 x 600-GB 6Gb SAS 10K RPM | 4 x 600-GB 6Gb SAS 10K RPM | 1 x 600-GB 6Gb SAS 10K RPM | 4 x 600-GB 6Gb SAS 10K RPM | 8 x 600-GB 6Gb SAS 10K RPM |
Hardware RAID | — | Level 10 Cisco 12G SAS Modular RAID Controller | — | Level 10 Cisco 12G SAS Modular RAID Controller | Level 10 Cisco 12G SAS Modular RAID Controller |
Network Interfaces | 6 x 1GBase-T | 6 x 1GBase-T | 2 X 10Gbase-T, 4 x 1GBase-T | 2 X 10Gbase-T, 4 x 1GBase-T | 2 X 10Gbase-T, 4 x 1GBase-T |
Power Supplies | 1 x 770W | 2 x 770W | 1 x 770W | 2 x 770W | 2 x 770W |
For information on how to plan your Cisco ISE deployment, see the following links:
Cisco ISE on Amazon Web Services
Cisco ISE is now available from the cloud, enabling you to scale your Cisco ISE deployments quickly and easily to meet changing business needs. Cisco ISE is available as an Infrastructure as Code solution, helping you to rapidly deploy network access and control services anywhere. Extend the Cisco ISE policies in your home network to new remote deployments securely through Amazon Web Services (AWS).
For more information, see Cisco ISE on AWS.
The following Cisco ISE instances are currently available in AWS, with the EBS volume type General Purpose SSD (gp2).
Cisco ISE Instance Type | CPU Cores | RAM (in GB) |
---|---|---|
c5.4xlarge | 16 | 32 |
m5.4xlarge | 16 | 64 |
c5.9xlarge | 36 | 72 |
t3.xlarge | 4 | 16 |
Maximum Concurrent Active Endpoints for Different Cisco ISE Deployments in AWS
Cisco ISE can be launched in Amazon Web Services through an Amazon Machine Image (AMI) or a CloudFormation Template (CFT).
The authentication values given below are approximate (around 5 percent). You can determine the number of PSNs that are needed for your deployment based on the following:
- Maximum concurrent active endpoints
- RADIUS authentication rate
- TACACS+ authentication rate
PSN Type | c5.4xlarge | c5.9xlarge | m5.4xlarge |
---|---|---|---|
Dedicated PSN | 40,000 | 100,000 | — |
Shared PSN | 20,000 | 50,000 | 20,000 |
Deployment Type | c5.4xlarge | c5.9xlarge | m5.4xlarge |
---|---|---|---|
 | PAN and MnT | PAN and MnT | PAN and MnT |
Large deployment | — | — | 500,000 |
Medium deployment | — | — | 240,000 |
Small deployment | 20,000 | 50,000 | 20,000 |
RADIUS Performance
The RADIUS performance values that are displayed in the following table are based on deployments where Active Directory and Cisco ISE are placed in the same virtual private network.
Authentication Method | Identity Store | c5.4xlarge Instance | c5.9xlarge Instance |
---|---|---|---|
PAP | Internal | 775 | 1300 |
PAP | Active Directory | 250 | 300 |
PEAP (MSCHAPv2) | Internal | 125 | 225 |
PEAP (MSCHAPv2) | Active Directory | 100 | 175 |
PEAP (GTC) | Internal | 100 | 250 |
PEAP (GTC) | Active Directory | 100 | 175 |
EAP-FAST (MSCHAPv2) | Internal | 375 | 550 |
EAP-FAST (MSCHAPv2) | Active Directory | 175 | 300 |
EAP-FAST (GTC) | Internal | 300 | 450 |
EAP-FAST (GTC) | Active Directory | 125 | 300 |
EAP-TLS | Internal | 125 | 250 |
EAP-TLS | Active Directory | 125 | 200 |
EAP-TEAP | Active Directory | 75 | 200 |
MAB | Internal | 400 | 1000 |
TACACS+ Performance
Scenario | c5.4xlarge Instance | c5.9xlarge Instance |
---|---|---|
TACACS+ Function: PAP | 2800 | 3000 |
TACACS+ Function: CHAP | 2800 | 3200 |
TACACS+ Function: Enable | 1000 | 1100 |
TACACS+ Function: Session Authorization | 2800 | 3000 |
TACACS+ Function: Command Authorization | 2800 | 3000 |
TACACS+ Function: Accounting | 3000 | 6000 |
Cisco ISE Scenario-Based Performance
Scenario | c5.4xlarge Instance | c5.9xlarge Instance |
---|---|---|
Posture authentication | 55 | 60 |
Guest Hotspot authentication | 75 | 125 |
Guest Sponsored authentication | 50 | 75 |
MDM | 200 | 225 |
Internal CA certificate issuance | 45 | 50 |
New endpoints profiled per second/profile updates per second | 200 | 250 |
Maximum PassiveID sessions processed per second | 1000 | 1000 |
ERS: Endpoints Bulk API | 100 | 350 |
ERS: Guest Bulk API | 100 | 150 |
ERS: TrustSec Bulk API | 45 | 60 |
Cisco TrustSec | | |
Time taken (in seconds) to push 300 Cisco TrustSec policies to 254 NADs | 50 | 50 |
Time taken (in seconds) for 5000 Cisco TrustSec policies to download 2GB data via REST API | 50 | 50 |
SXP | | |
Time taken (in milliseconds) to connect SXP to SXPSN | 5 | 3 |
pxGrid | | |
Time taken (in seconds) for 200 pxGrid subscribers bulk download with 20,000 sessions | 40 | 55 |