Overview

This document lists the performance and scalability metrics for Cisco Identity Services Engine (Cisco ISE).

Cisco ISE Node Terminology

A Cisco ISE node can provide various services based on the persona that it assumes. The menu options that are available through the Admin portal are dependent on the role and personas that a Cisco ISE node assumes.

Table 1. Different Types of Cisco ISE Nodes

Node Type

Description

Policy Administration node (PAN)

A Cisco ISE node with the Administration persona allows you to perform all administrative operations and configurations on Cisco ISE. It serves as a single pane of glass for viewing all administrative operations, configurations, and contextual data. It synchronizes the configuration to the rest of the nodes in the deployment.

Policy Service node (PSN)

A Cisco ISE node with the Policy Service persona provides network access, posture, guest access, client provisioning, and profiling services. This persona evaluates the policies and makes all the decisions.

Monitoring node (MnT)

A Cisco ISE node with the Monitoring persona functions as the log collector and stores log messages from all the Administration and Policy Service nodes in a network. This persona provides advanced monitoring and troubleshooting tools that you can use to effectively manage the network and resources. A node with this persona aggregates and correlates the data that it collects, and provides you with meaningful reports.

pxGrid node

You can use Cisco pxGrid to share context-sensitive information from the Cisco ISE session directory with other network systems, such as Cisco ISE ecosystem partner systems and other Cisco platforms. The pxGrid framework can also be used to exchange policy and configuration data between nodes (for example, sharing tags and policy objects between Cisco ISE and third-party vendors) and for other information exchanges.

Different Types of Cisco ISE Deployment

Table 2. Types of Cisco ISE Deployments (Evaluation, Small, Medium, Large)

Evaluation Deployment in Cisco ISE
  • All ISE personas (PAN + MnT + PSN + pxGrid) on the same appliance or VM instance.

  • Not recommended for production.

Small Deployments in Cisco ISE
  • All ISE personas (PAN + MnT + PSN + pxGrid) on the same appliance or VM instances.

  • Two-node deployment. One node as primary and the other node as secondary for redundancy.

  • An additional node can be added (which is optional) to a small deployment as a PSN, pxGrid, or Health Check node. The additional node can be a combination of any of the following personas:

    ◦ Dedicated PSN

    ◦ pxGrid node

    ◦ Health Check node

    Note

    Adding an extra node with a PSN, pxGrid, or Health Check persona does not alter the existing scale limits of the small deployment. We recommend that you use the additional node only for load sharing purposes.

Medium Deployments in Cisco ISE
  • PAN + MnT + pxGrid running on the same node.

  • One node as primary and the other node as secondary for redundancy.

  • PSNs on dedicated nodes. Nodes may be VMs or appliances.

  • Supports up to 6 PSNs (for Cisco ISE 3.0 and above). You can enable the pxGrid persona on any of the PSNs or add dedicated pxGrid nodes to the deployment.

Large Deployments in Cisco ISE
  • All ISE personas are fully distributed, running on separate VM or appliance nodes.

  • Supports up to 4 pxGrid nodes.

  • Supports up to 50 nodes (PSN + pxGrid).

Sizing Guidelines for Cisco ISE Policy Service Nodes

Cisco Identity Services Engine (ISE) can be installed on Cisco SNS hardware, virtual appliances, or public cloud platforms like Amazon Web Services (AWS), Azure Cloud, and Oracle Cloud Infrastructure (OCI).

You can determine the number of PSNs required for your deployment based on the following considerations:

  • Maximum concurrent active endpoints

  • RADIUS authentication rate

  • TACACS+ authentication rate

  • Scenario-specific transaction rate


Note

The Extra Small PSN profile is available from Cisco ISE Release 3.2.


Table 3. PSN Profile Sizing Across Platforms

PSN Profile | Extra Small | Small | Medium | Large
------------|-------------|-------|--------|------
Physical Appliances | Not available on SNS appliances | Cisco SNS 3615 | Cisco SNS 3595, Cisco SNS 3655 | Cisco SNS 3695
VM Appliances | Extra Small VM (8 vCPU, 32 GB) | VM Equivalent of SNS 3615 (16 vCPU, 32 GB) | VM Equivalent of SNS 3595 (16 vCPU, 64 GB), VM Equivalent of SNS 3655 (24 vCPU, 96 GB) | VM Equivalent of SNS 3695 (24 vCPU, 256 GB)
AWS | m5.2xlarge | c5.4xlarge* | m5.4xlarge | c5.9xlarge
Azure | Standard_D8s_v4 | Standard_F16s_v2* | Standard_D16s_v4 | Standard_F32s_v2
OCI | Standard3.Flex (4 OCPU and 32 GB) | Optimized3.Flex* (8 OCPU** and 32 GB) | Standard3.Flex (8 OCPU and 64 GB) | Optimized3.Flex (16 OCPU and 64 GB)

*This instance is compute-optimized and provides better performance compared to the general purpose instances.

**In OCI, you choose CPU in terms of Oracle CPU (OCPU). Each OCPU provides CPU capacity equal to one physical core of an Intel Xeon processor with hyper-threading enabled. Each OCPU equals two hardware execution threads known as vCPUs.

Maximum Concurrent Active Endpoints Across PSN Profile Sizes

The following table shows the maximum concurrent active endpoints that are supported across PSN profile sizes.

Table 4. Maximum Concurrent Active Endpoints Across PSN Profile Sizes

PSN Profile | Extra Small | Small | Medium | Large
------------|-------------|-------|--------|------
Concurrent active endpoints supported by a dedicated PSN (Cisco ISE node only has the PSN persona) | 12,000 | 25,000 | 40,000 | 50,000
Concurrent active endpoints supported by a shared PSN (Cisco ISE node has multiple personas) | Unsupported | 12,500 | 20,000 | 25,000

Note

  1. SNS 3515 is supported in Cisco ISE Release 3.0 and previous versions. For SNS 3515, the maximum number of concurrent active endpoints is 7,500 for a dedicated PSN and 5,000 for a shared PSN.

  2. The authentication values documented are approximate values with a 5 percent margin of error.


RADIUS Authentication Rates Across PSN Sizes

The following table shows the authentication rates for RADIUS protocols when a Cisco ISE node performs as a dedicated PSN.

Table 5. Supported RADIUS Authentication Rates For a Dedicated PSN
PSN Profile Extra Small Small Medium Large
PAP with internal user database 500 900 1100 1300
PAP with Active Directory 150 250 250 300
PAP with LDAP Directory 150 300 300 350
PEAP (MSCHAPv2) with internal user database 100 150 150 200
PEAP (MSCHAPv2) with Active Directory 100 150 150 175
PEAP (GTC) with internal user database 100 150 150 250
PEAP (GTC) with Active Directory 50 100 150 175
EAP-FAST (MSCHAPv2) with internal user database 200 350 400 500
EAP-FAST (MSCHAPv2) with Active Directory 100 200 250 300
EAP-FAST (GTC) with internal user database 200 350 400 450
EAP-FAST (GTC) with Active Directory 100 200 200 300
EAP-FAST (GTC) with LDAP Directory 100 200 300 300
EAP-TLS with internal user database 100 150 150 200
EAP-TLS with Active Directory 50 150 150 200
EAP-TLS with LDAP Directory 100 150 200 250
EAP TEAP with internal user database 50 100 100 200
MAB with internal user database 300 500 900 1000
MAB with LDAP Directory 200 400 500 600
EAP-TTLS PAP with Azure AD 5 5 10 15

TACACS+ Authentication Rates Across PSN Sizes

The following table shows the transactions per second (TPS) when a Cisco ISE node performs as a dedicated PSN.

Table 6. Supported Transactions Per Second For a Dedicated PSN
PSN Profile Extra Small Small Medium Large
TACACS+ Function: PAP 1500 2500 3000 3200
TACACS+ Function: CHAP 1500 2500 3000 3500
TACACS+ Function: Enable 500 1000 1100 1100
TACACS+ Function: Session Authorization 1500 2500 3000 3500
TACACS+ Function: Command Authorization 1500 2500 2500 3500
TACACS+ Function: Accounting 1500 3000 7000 9000

Scenario-Specific Authentication Rates Across PSN Sizes

The following table shows the transactions per second (TPS) when a Cisco ISE node performs as a dedicated PSN. The authentication values provided below are approximate, with a margin of error of around 5 percent.

Table 7. Scenario-Based Authentications Per Second For a Dedicated PSN
PSN Profile Extra Small Small Medium Large
Posture authentication 30 50 50 60
Guest: Hotspot authentication 50 75 100 100
Guest: Sponsored authentication 25 50 75 75
BYOD: Onboarding single SSID 5 10 10 15
BYOD: Onboarding dual SSID 5 10 15 15
MDM 100 150 200 200
Internal CA certificate issuance 25 50 50 50
New endpoints profiled per second/profile updates per second 100 200 250 250
Maximum PassiveID sessions processed per second 600 1000 1000 1000

ERS: Endpoints Bulk API 75 75 100
ERS: Guest Bulk API 75 75 100
ERS: TrustSec Bulk API 5 5 10

Table 8. Time Taken, in Seconds, For Various Operations
PSN Profile Extra Small Small Medium Large
Time taken (in seconds) to push 300 TrustSec policies to 254 NADs 25 50 50 50
Time taken (in seconds) for 5000 TrustSec policies to download 2GB data via REST API 25 50 50 50
Time taken (in milliseconds) to connect SXP to SXPSN 10 10 5 5
Time taken (in seconds) for 200 pxGrid subscribers bulk download with 20,000 sessions 25 50 50 50
Sessions published per second to 200 pxGrid subscribers for bulk download of 20,000 sessions 200 300 400 400

When these limits are exceeded, there could be performance degradation resulting in requests being dropped. When you provision the Cisco ISE appliances and VMs, consider the total capacity per deployment and the expected peak hour authentication rates.

Sizing Guidelines for Policy Administration Nodes and Monitoring and Troubleshooting Nodes

Determine your deployment model based on the maximum concurrent endpoints that must be supported by the PAN and MnT nodes in your deployment.

Table 9. PAN and MnT Node Profile Sizing Across Platforms

Profile Type | Small | Medium | Large | Extra Large
-------------|-------|--------|-------|------------
Physical Appliances | Cisco SNS 3615 | Cisco SNS 3595 | Cisco SNS 3655 | Cisco SNS 3695
VM Appliances | 8 cores (16 vCPU, 32 GB) | 8 cores (16 vCPU, 64 GB) | 12 cores (24 vCPU, 96 GB) | 12 cores (24 vCPU, 256 GB)
AWS | c5.4xlarge | m5.4xlarge | c5.9xlarge*, m5.8xlarge | m5.16xlarge
Azure | Standard_F16s_v2 | Standard_D16s_v4 | Standard_F32s_v2*, Standard_D32s_v4 | Standard_D64s_v4
OCI | Optimized3.Flex (8 OCPU** and 32 GB) | Standard3.Flex (8 OCPU, 64 GB) | Optimized3.Flex* (16 OCPU and 64 GB), Standard3.Flex (16 OCPU and 128 GB) | Standard3.Flex (32 OCPU and 256 GB)

*This instance is compute-optimized and provides better performance compared to the general purpose instances.

**In OCI, you choose CPU in terms of Oracle CPU (OCPU). Each OCPU provides CPU capacity equal to one physical core of an Intel Xeon processor with hyper-threading enabled. Each OCPU equals two hardware execution threads known as vCPUs.

Table 10. Maximum Concurrent Active Endpoints Supported Based on PAN and MnT Profile Types
PAN, MnT, or both PAN and MnT Profiles Small Medium Large Extra Large
Large deployment Unsupported 500,000 500,000 2,000,000
Medium deployment 10,000 20,000 25,000 50,000
Small Deployment 10,000 20,000 25,000 50,000

For information about different types of deployments, see Different Types of Cisco ISE Deployment.


Note

Though the concurrent active endpoints supported by medium and small deployments are the same, medium deployments perform better because of dedicated PSNs. The endpoint support values are applicable for all types of active sessions. When the number of concurrent active endpoints goes beyond these numbers for any deployment, sessions might be dropped.
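The sizing considerations listed under Sizing Guidelines for Cisco ISE Policy Service Nodes (maximum concurrent active endpoints and peak authentication rates, Tables 4 and 5) and the PAN/MnT limits in Table 10 can be applied as a small calculation. The helper below is an added example and is not Cisco's code or part of this guide; the method key names are made up for the example, and the model that a PSN serving several RADIUS methods is saturated when the fractional utilisations add up to 1.0 is an assumption that the page does not state.

```python
# Sizing helper added here; not Cisco's code and not part of the original guide.
# Assumption (not stated on the page): a PSN handling a mix of RADIUS methods is
# saturated when the sum of (peak rate / per-method capacity) reaches 1.0.
import math

# Table 4: concurrent active endpoints per dedicated PSN, by PSN profile
ENDPOINTS_PER_DEDICATED_PSN = {"extra_small": 12_000, "small": 25_000,
                               "medium": 40_000, "large": 50_000}

# Table 5 (subset): RADIUS authentications per second per dedicated PSN
RADIUS_CAPACITY = {
    "eap_tls_ad":       {"extra_small": 50, "small": 150, "medium": 150, "large": 200},
    "peap_mschapv2_ad": {"extra_small": 100, "small": 150, "medium": 150, "large": 175},
    "mab_internal":     {"extra_small": 300, "small": 500, "medium": 900, "large": 1000},
}

# Table 10: concurrent active endpoints by PAN/MnT profile, per deployment type
PAN_MNT_CAPACITY = {
    "large":  {"small": None, "medium": 500_000, "large": 500_000, "extra_large": 2_000_000},
    "medium": {"small": 10_000, "medium": 20_000, "large": 25_000, "extra_large": 50_000},
    "small":  {"small": 10_000, "medium": 20_000, "large": 25_000, "extra_large": 50_000},
}

def dedicated_psns_required(profile, endpoints, peak_rates):
    """Return (count, binding_constraint) for dedicated PSNs of `profile`;
    `peak_rates` maps RADIUS_CAPACITY keys to deployment-wide peak auths/s."""
    needs = {"endpoints": math.ceil(endpoints / ENDPOINTS_PER_DEDICATED_PSN[profile])}
    # Assumed model: each method consumes a fraction of one PSN's capacity.
    utilisation = sum(rate / RADIUS_CAPACITY[method][profile]
                      for method, rate in peak_rates.items())
    needs["radius_rate"] = max(1, math.ceil(utilisation))
    binding = max(needs, key=needs.get)  # ties resolve to "endpoints"
    return needs[binding], binding

def smallest_pan_mnt_profile(deployment, endpoints):
    """Smallest Table 10 PAN/MnT profile that holds `endpoints`, or None."""
    for profile, limit in PAN_MNT_CAPACITY[deployment].items():
        if limit is not None and endpoints <= limit:
            return profile
    return None

if __name__ == "__main__":
    # Constructed demand: 60,000 endpoints, 120 EAP-TLS/s and 300 MAB/s at peak
    demand = {"eap_tls_ad": 120, "mab_internal": 300}
    for p in ENDPOINTS_PER_DEDICATED_PSN:
        print(p, dedicated_psns_required(p, 60_000, demand))
    print(smallest_pan_mnt_profile("large", 60_000))
```

The result is the count before any redundancy you choose to add, and the page's 5 percent margin of error on the rate figures still applies to the inputs.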


Cisco ISE Hardware Appliances

Cisco SNS 3600 series appliances support the Unified Extensible Firmware Interface (UEFI) secure boot feature. This feature ensures that only a Cisco-signed Cisco ISE image can be installed on the Cisco SNS 3600 series appliances, and prevents the installation of any unsigned operating system even with physical access to the device.

Table 11. Specifications For Cisco ISE Hardware Appliances

Specifications | Cisco SNS 3615 | Cisco SNS 3595 | Cisco SNS 3655 | Cisco SNS 3695
---------------|----------------|----------------|----------------|---------------
Processor | 1 x Intel Xeon 2.10 GHz 4110 | 1 x Intel Xeon 2.60 GHz E5-2640 | 1 x Intel Xeon 2.10 GHz 4116 | 1 x Intel Xeon 2.10 GHz 4116
Cores per Processor | 8 | 8 | 12 | 12
Memory | 32 GB (2x16 GB) | 64 GB (4x16 GB) | 96 GB (6x16 GB) | 256 GB (8x32 GB)
Hard Disk | 1 x 600-GB 6 Gb SAS 10K RPM | 4 x 600-GB 6 Gb SAS 10K RPM | 4 x 600-GB 6 Gb SAS 10K RPM | 8 x 600-GB 6 Gb SAS 10K RPM
Hardware RAID | | Level 10, Cisco 12G SAS Modular RAID Controller | Level 10, Cisco 12G SAS Modular RAID Controller | Level 10, Cisco 12G SAS Modular RAID Controller
Network Interfaces | 2 x 10 GBase-T, 4 x 1 GBase-T | 6 x 1 GBase-T | 2 x 10 GBase-T, 4 x 1 GBase-T | 2 x 10 GBase-T, 4 x 1 GBase-T
Power Supplies | 1 x 770W | 2 x 770W | 2 x 770W | 2 x 770W

Cisco ISE on Virtual Appliances

Cisco ISE can be installed on VMware servers, KVM hypervisors, Hyper-V, and Nutanix AHV. To achieve performance and scalability comparable to Cisco ISE hardware appliances, virtual machines must be allocated system resources equivalent to the Cisco SNS 3500 or 3600 series appliances. We recommend that you reserve CPU and memory resources that match the resource allocation. Failure to do so may significantly impact Cisco ISE performance and stability.

Table 12. Specifications for Cisco ISE Virtual Appliances

Specifications | VM 8 vCPU, 32 GB | VM 16 vCPU, 32 GB | VM 16 vCPU, 64 GB | VM 24 vCPU, 96 GB | VM 24 vCPU, 256 GB
---------------|------------------|-------------------|-------------------|-------------------|--------------------
vCPU | 8 | 16 | 16 | 24 | 24
Memory (GB) | 32 | 32 | 64 | 96 | 256
Disk size | 300 GB | 300 GB for PSN; 600 GB for PAN, MnT, PAN+MnT | 300 GB for PSN; 1200 GB for PAN, MnT, PAN+MnT | 300 GB for PSN; 1200 GB for PAN, MnT, PAN+MnT | 300 GB for PSN; 2400 GB for PAN, MnT, PAN+MnT

A VM of the specification 8 vCPU and 32 GB is available only on VMware servers, KVM hypervisors, Hyper-V, and Nutanix AHV. This specification is not available on SNS appliances.

For a VM deployment, allocate twice as many vCPUs as the physical appliance has cores, because hyperthreading presents each physical core as two threads. For example, for a small network deployment, allocate 16 vCPUs to meet the CPU specification of the SNS 3615, which has 8 CPU cores or 16 threads.

Deploy dedicated VM resources and do not share or oversubscribe resources across multiple guest VMs.

Cisco ISE on Cloud Platforms

Cisco ISE is now available from the cloud, enabling you to scale your Cisco ISE deployments quickly and easily to meet changing business needs. Cisco ISE is available as an Infrastructure as Code solution, helping you to rapidly deploy network access and control services anywhere. Extend the Cisco ISE policies in your home network to new remote deployments securely through Amazon Web Services (AWS), Azure Cloud Services, or Oracle Cloud Infrastructure (OCI).

AWS supports Cisco ISE Release 3.1 and later releases.

OCI and Azure Cloud support is available from Cisco ISE Release 3.2 and later releases.

Compute-optimized instances are intended for compute-intensive tasks or applications and are best suited for PSNs.

General-purpose instances are intended for data-processing tasks or database operations and are best suited for the PAN or MnT persona, or both.

See Deploy Cisco ISE Natively on Cloud Platforms and the documentation of the respective cloud provider for the resource specifications of supported instances.

Cisco ISE Deployment Scale Limits

Table 13. Deployment Scale Limits

Attribute | Maximum Limit
----------|--------------
Maximum pxGrid nodes in Large or Dedicated deployment | 4
Maximum pxGrid subscribers per pxGrid node | 200
Dedicated PSN with SXP service enabled | 8 nodes, or 4 pairs
Maximum ISE SXP peers per PSN with SXP service enabled | 200
Maximum network device entries (IP addresses or IP address ranges, or both). Note: You must use IP address ranges and subnets when configuring more than 300,000 NADs. | 100,000
Maximum network device groups (NDG) | 10,000
Maximum Active Directory forests (Join Points) | 50
Maximum Active Directory controllers (WMI query) | 100
Maximum internal users | 300,000
Maximum internal guests. Note: Having more than 500,000 guest users might create latency in user authentication. | 1,000,000
Maximum user certificates | 1,000,000
Maximum server certificates | 1,000
Maximum trusted certificates | 1,000
Maximum user portals (Guest, BYOD, MDM, Certificate Provisioning, Posture, Client Provisioning) | 600
Maximum concurrent active endpoints | 2,000,000
Maximum policy sets | 200
Maximum authentication rules | 1,000 (Policy Set mode)
Maximum authorization rules | Policy Set mode: 3,000 (3,200 authorization profiles). It is not recommended to have more than 600 authorization rules in a single policy set. Note: Increasing the number of conditions per authorization rule might impact performance.
Maximum user identity groups | 1,000
Maximum endpoint identity groups | 1,000
TrustSec Security Group Tags (SGTs) | 10,000
TrustSec Security Group ACLs (SGACLs) | 1,000
TrustSec IP-SGT Static Bindings (over SSH) | 10,000
Maximum concurrent REST API connections | ERS API: 100; OpenAPI: 150
Maximum Passive ID sessions for Large deployment | 3695 PAN, MnT: 2,000,000; 3595 PAN, MnT: 500,000
Maximum network latency between primary PAN and any other Cisco ISE node, including the secondary PAN, MnT, and PSNs | 300 milliseconds
Maximum Passive ID session providers: AD Domain Controllers | 74
Maximum Passive ID session providers: REST API Providers | 50
Maximum Passive ID session providers: Syslog Providers | 70
Maximum Passive ID session providers: pxGrid Subscribers | 50