Performance and Scalability Guide for Cisco Identity Services Engine

Overview 2
Change History 2
Cisco ISE Node Terminology 2
Different Types of Cisco ISE Deployment 3
Sizing Guidelines for ISE Deployment 5
Considerations for Choosing a Deployment 6
RADIUS Authentication Rates 7

TACACS+ Authentication Rates 8

Scenario-Specific Authentication Rates 8

Cisco ISE Deployment Scale Limits 10


Cisco ISE SXP Scaling 16
Cisco ISE pxGrid Direct Scaling 17

Cisco ISE and Cisco Application Centric Infrastructure Scaling 18


Cisco ISE Workload Connector Scaling 20
Configuration Best Practices 21
Cisco ISE Hardware Appliances 22
Cisco ISE Virtual Machine and Cloud Platforms 24
Revised: March 27, 2025

Overview
This document lists the sizing guidelines for Cisco Identity Services Engine (Cisco ISE).

Change History
The following table lists changes to this document since its initial release.

Date        Change                                                                        Location
2024-12-16  Added Workload Connector scaling details for Cisco ACI connections           Cisco ISE and Cisco Application Centric Infrastructure Scaling, on page 18
2024-12-16  Added Workload Connector scaling details for Azure, AWS, GCP, and vCenter    Cisco ISE Workload Connector Scaling, on page 20
            connections
2025-03-27  Added "Maximum validated endpoints in the Cisco ISE database"                Cisco ISE Deployment Scale Limits, on page 10

Cisco ISE Node Terminology


A Cisco ISE node can provide various services based on the persona that it assumes. The menu options that are available through the
Admin portal are dependent on the role and personas that a Cisco ISE node assumes.

Table 1: Different Types of Cisco ISE Nodes

Node Type Description

Policy Administration node (PAN) A Cisco ISE node with the Administration persona allows you to perform all
administrative operations and configurations on Cisco ISE. It serves as a single pane
of glass for viewing all administrative operations, configurations, and contextual data.
It synchronizes the configuration to the rest of the nodes in the deployment.

Policy Service node (PSN) A Cisco ISE node with the Policy Service persona provides network access, posture,
guest access, client provisioning, and profiling services. This persona evaluates the
policies and makes all the decisions.

Monitoring node (MnT) A Cisco ISE node with the Monitoring persona functions as the log collector and stores
log messages from all the Administration and Policy Service nodes in a network. This
persona provides advanced monitoring and troubleshooting tools that you can use to
effectively manage the network and resources. A node with this persona aggregates
and correlates the data that it collects, and provides you with meaningful reports.

pxGrid node You can use Cisco pxGrid to share context-sensitive information from Cisco ISE session
directory with other network systems such as Cisco ISE ecosystem partner systems
and other Cisco platforms. The pxGrid framework can also be used to exchange policy
and configuration data between nodes (like sharing tags and policy objects between
Cisco ISE and third party vendors) and for other information exchanges.

Different Types of Cisco ISE Deployment


A deployment is one or more Cisco ISE nodes connected together in a cluster (distributed system).
A deployment that has a single Cisco ISE node is called a standalone deployment. This node runs all the personas. Standalone
deployment is not recommended for production because it does not provide redundancy.
A deployment that has more than one Cisco ISE node is called a distributed deployment. To support failover and to improve
performance, you can set up a deployment with multiple Cisco ISE nodes in a distributed fashion. In a Cisco ISE distributed deployment,
administration and monitoring activities are centralized, and processing is distributed across the Policy Service nodes. Depending on
your performance needs, you can scale your deployment. The following table describes the different types of Cisco ISE deployment.

Table 2: Types of Cisco ISE Deployments

Standalone
• All ISE personas (PAN + MnT + PSN + pxGrid) on the same appliance or VM instance.
• Not recommended for production.

Small Deployment
• All ISE personas (PAN + MnT + PSN + pxGrid) on the same appliance or VM instances.
• Two-node deployment. One node as primary and the other node as secondary for redundancy.
• An additional node can be added (which is optional) to a small deployment as a PSN, pxGrid, or Health Check node. The additional
node can be a combination of any of the following personas: Dedicated PSN, pxGrid node, Health Check node.
Note: Adding an extra node with a PSN, pxGrid, or Health Check persona does not alter the existing scale limits of the small
deployment. We recommend that you use the additional node only for load sharing purposes.

Medium Deployment
• PAN + MnT + pxGrid running on the same node.
• One node as primary and the other node as secondary for redundancy.
• PSNs on dedicated nodes.
• Nodes can be appliances or equivalent VMs.
• Supports up to 6 PSNs (for Cisco ISE 3.0 and above). You can also enable the pxGrid persona on any of the PSNs or add dedicated
pxGrid nodes (maximum up to 2) to the deployment.
• Maximum 8 nodes (2 x PAN/MnT/pxGrid + 6 x PSN, or 2 x PAN/MnT + 4 x PSN + 2 x pxGrid/SXP).

Large Deployment
• PAN (2), MnT (2), pxGrid, and PSNs on dedicated nodes.
• Nodes can be appliances or equivalent VMs.
• Supports up to 4 pxGrid nodes.
• Supports up to 50 PSNs.
• Maximum 58 nodes (2 x PAN + 2 x MnT + 50 x PSN + 4 x pxGrid).

Sizing Guidelines for ISE Deployment
You can choose the right ISE deployment based on the maximum number of active endpoints supported by each deployment type, the
maximum number of active endpoints supported by an individual PSN, and the other factors described in the sections below.
Every endpoint with a unique MAC address is counted as one active session. The concurrent active session limits apply to all
session types, including Dot1x, MAB, Guest, BYOD, and Posture.
The maximum numbers of active sessions in the table below were derived from tests under the following conditions: the ISE
deployment is located in a single datacenter in the same region, with low latency (less than 5 ms) between the ISE nodes; endpoints
generate dot1x authentications and accounting events 2 to 4 times per day; and the majority of sessions are RADIUS authentications
against local identity providers.

ISE Deployment Scale

Table 3: Maximum Concurrent Active Sessions for Deployments with Different ISE Appliances Acting as PAN, MnT, PAN/MnT

Deployment   Cisco SNS 3595   Cisco SNS 3615   Cisco SNS 3715   Cisco SNS 3655   Cisco SNS 3755   Cisco SNS 3695   Cisco SNS 3795
Large        500,000          Unsupported      Unsupported      500,000          750,000          2,000,000        2,000,000
Medium       20,000           12,500           75,000           25,000           150,000          50,000           150,000
Small        20,000           12,500           25,000           25,000           50,000           50,000           50,000

Note • Cisco SNS 3595 is supported only for Cisco ISE 3.2 and earlier releases.
• Small deployments with 32 GB memory instances (Cisco SNS 3615 or Cisco SNS 3715) or Medium deployments with
32 GB memory instances (Cisco SNS 3615 or Cisco SNS 3715) acting as PAN/MnT are highly recommended for either
RADIUS only or TACACS+ only workloads. If a deployment requires both RADIUS and TACACS+ at scaled workloads,
it is recommended to use Cisco ISE nodes with higher resources such as Cisco SNS 3655 or higher models. Advanced
features like Log Analytics, AI/ML Profiling, Cisco ACI Integration, Workload Connectors, and so on require higher
resources. Therefore, it is recommended that you enable these features only on Cisco SNS 3655, 3755, 3695, and 3795
for optimal performance.

Policy Service Node Scale

Table 4: Maximum Concurrent Active Sessions for Different ISE Appliances Acting as PSNs

PSN Type                                   Cisco SNS 3595   Cisco SNS 3615   Cisco SNS 3715   Cisco SNS 3655   Cisco SNS 3755   Cisco SNS 3695   Cisco SNS 3795*
Dedicated PSN (node has only PSN persona)  40,000           25,000           50,000           50,000           100,000          100,000          100,000
Shared PSN (node has multiple personas)    20,000           12,500           25,000           25,000           50,000           50,000           50,000

*Cisco SNS 3795 is equipped with more RAM and better Disk Read/Write performance. It is best suited for dedicated PAN, dedicated
MnT, or PAN/MnT personas and provides no added value when deployed as a dedicated PSN.

Note • SNS 3595 is supported in Cisco ISE Release 3.2 and earlier versions.
• SNS 3515 is supported in Cisco ISE Release 3.0 and previous versions. The number of maximum concurrent active
endpoints supported by a dedicated PSN is 7,500 and a shared PSN is 5,000.

Considerations for Choosing a Deployment


• You can choose a small deployment for up to 50,000 concurrent active sessions and a medium deployment for up to 150,000
concurrent active sessions.
• A large deployment is required for more than 150,000 concurrent active sessions. You must register MnT nodes as dedicated
MnT nodes in a large deployment.
• We recommend that you deploy PSNs close to the workload and to the identity providers (such as AD or LDAP) for performance-sensitive
loads.
• We recommend that you group PSNs by similar workload (for example, RADIUS Dot1x, Guest/BYOD, TACACS+) and distribute traffic
through a load balancer.
• For better performance, configure Calling-Station-ID (MAC) based stickiness in the load balancer, so that all requests for one
endpoint land on the same PSN.
• Configure the PSNs in node groups if you use services that need URL redirect (for example, posture services, guest services, MDM,
and so on).
• It is recommended to have multiple datacenters and to group PSNs per datacenter. You can implement RADIUS
(Primary/Secondary/Tertiary) failover on NAS devices. For example, if the primary datacenter (DC-A) fails, 50 percent of the NADs
can fail over to the secondary datacenter (DC-B) and the remaining NADs can fail over to the tertiary datacenter (DC-C).
• It is recommended to implement N+1 or N+2 redundancy within a PSN group.
• It is highly recommended to purge guest and inactive endpoints at regular intervals to avoid latency in ISE operations.
• The maximum concurrent active session values given above for each deployment apply to connected devices that generate
dot1x authentications up to 4 times a day.
• In deployments where endpoints generate repeated authentication and accounting events, more PSNs are required in the PSN
group to handle heavy traffic scenarios such as simultaneous login events from a large number of users, Wi-Fi users roaming from
one location to another, and so on.
• PSN variations include TACACS+ PSN (T+PSN), TC-NAC PSN (TCNPSN), Guest PSN (GPSN), Cisco TrustSec PSN
(CTSPSN), Security Group eXchange Protocol PSN (SXPSN), and PassiveID PSN (PIDPSN). For better performance, it is
recommended to reserve TACACS+, RADIUS, and Guest/BYOD workloads to dedicated PSN groups within a deployment.
• It is recommended to assign separate Cisco TrustSec PSNs (CTSPSNs) to handle TrustSec functions in TrustSec deployments,
to avoid overloading the RADIUS PSNs while policies are being pushed.
• For large-scale NAC environments with a very high number of Device Administration tasks (for example, heavy use of scripts or
network management systems), we recommend that you split the deployments and use a separate deployment for Device
Administration (TACACS+).
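The considerations above combine three separate limits: the deployment-level session limit (Table 3), the per-PSN session limit (Table 4), and the per-PSN authentication rate (Table 5). The following added example (not part of this guide, and not Cisco code) encodes those tables as a small planner that picks the smallest deployment type that covers the session count, then sizes the dedicated PSN pool from both the session limit and the peak authentication rate, adds N+1 (or N+2) spares, and checks the result against the 6-PSN and 50-PSN caps of Table 2. The peak TPS per PSN is passed in by the caller because it depends on the authentication method (for example, 200 TPS for EAP-TLS with Active Directory on an SNS 3655/3755/3695/3795); the figures in the dictionaries are transcribed from this guide, and the scenario numbers used in the calls are constructed.

```python
import math

# Table 3: maximum concurrent active sessions per deployment type, keyed by
# the appliance acting as PAN, MnT or PAN/MnT. Transcribed from this guide.
DEPLOYMENT_MAX_SESSIONS = {
    "Small":  {"3595": 20_000, "3615": 12_500, "3715": 25_000, "3655": 25_000,
               "3755": 50_000, "3695": 50_000, "3795": 50_000},
    "Medium": {"3595": 20_000, "3615": 12_500, "3715": 75_000, "3655": 25_000,
               "3755": 150_000, "3695": 50_000, "3795": 150_000},
    "Large":  {"3595": 500_000, "3655": 500_000, "3755": 750_000,
               "3695": 2_000_000, "3795": 2_000_000},
}

# Table 4: maximum concurrent active sessions per dedicated PSN.
DEDICATED_PSN_MAX_SESSIONS = {
    "3595": 40_000, "3615": 25_000, "3715": 50_000, "3655": 50_000,
    "3755": 100_000, "3695": 100_000, "3795": 100_000,
}

# Table 2: dedicated PSNs per deployment type. A small deployment has no
# dedicated PSN pool; its optional extra node does not raise the limits.
MAX_PSNS = {"Small": 0, "Medium": 6, "Large": 50}


def choose_deployment(pan_mnt_model, sessions):
    """Smallest deployment type whose Table 3 limit covers `sessions`, or None."""
    for dtype in ("Small", "Medium", "Large"):
        limit = DEPLOYMENT_MAX_SESSIONS[dtype].get(pan_mnt_model)
        if limit is not None and sessions <= limit:
            return dtype
    return None


def psns_required(psn_model, sessions, peak_tps, tps_per_psn, redundancy=1):
    """Dedicated PSNs needed to carry both the session count and the peak
    authentication rate, plus `redundancy` spares (N+1 by default).
    Whichever constraint is tighter decides the count."""
    by_sessions = math.ceil(sessions / DEDICATED_PSN_MAX_SESSIONS[psn_model])
    by_rate = math.ceil(peak_tps / tps_per_psn)
    return max(by_sessions, by_rate) + redundancy


def size_deployment(pan_mnt_model, psn_model, sessions, peak_tps, tps_per_psn,
                    redundancy=1):
    """Return the deployment type and PSN count, or why the request cannot fit."""
    dtype = choose_deployment(pan_mnt_model, sessions)
    if dtype is None:
        return {"ok": False, "reason": f"{sessions} sessions exceed every deployment "
                                       f"limit for SNS {pan_mnt_model} as PAN/MnT"}
    if dtype == "Small":
        # Both nodes run all personas; there is no dedicated PSN pool to size.
        return {"ok": True, "deployment": dtype, "psns": 0}
    psns = psns_required(psn_model, sessions, peak_tps, tps_per_psn, redundancy)
    if psns > MAX_PSNS[dtype]:
        return {"ok": False, "deployment": dtype, "psns": psns,
                "reason": f"{psns} PSNs exceed the {MAX_PSNS[dtype]}-PSN limit "
                          f"of a {dtype} deployment"}
    return {"ok": True, "deployment": dtype, "psns": psns}


if __name__ == "__main__":
    # Constructed scenario: SNS 3755 PAN/MnT and PSNs, 120,000 sessions,
    # 600 TPS peak of EAP-TLS against AD (200 TPS per PSN in Table 5).
    print(size_deployment("3755", "3755", 120_000, 600, 200))
    # Same sessions but a reauthentication-heavy 2,000 TPS peak: the rate, not
    # the session count, pushes the PSN count past the Medium limit.
    print(size_deployment("3795", "3795", 150_000, 2_000, 200))
```

The peak TPS you feed in should be the storm case the guide warns about (mass reboots, roaming, simultaneous logins), not the daily average; the second call shows that a deployment comfortably within its session limit can still need a Large deployment because of authentication rate alone.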

RADIUS Authentication Rates


The following table shows the authentication rates for RADIUS protocols when a Cisco ISE node acts as a single dedicated PSN in
a deployment.

Table 5: RADIUS Transactions per Second (TPS) for a Dedicated PSN Node

Authentication Method                         Cisco SNS 3615/3715   Cisco SNS 3595   Cisco SNS 3655/3755/3695/3795
PAP with internal user database               900                   1100             1300
PAP with Active Directory                     250                   250              300
PAP with LDAP Directory                       300                   300              350
PEAP (MSCHAPv2) with internal user database   150                   150              200
PEAP (MSCHAPv2) with Active Directory         150                   150              175
PEAP (GTC) with internal user database        150                   150              250
PEAP (GTC) with Active Directory              100                   150              175
EAP-FAST (MSCHAPv2) with internal user database   350               400              500
EAP-FAST (MSCHAPv2) with Active Directory     200                   250              300
EAP-FAST (GTC) with internal user database    350                   400              450
EAP-FAST (GTC) with Active Directory          200                   200              300
EAP-FAST (GTC) with LDAP Directory            200                   300              300
EAP-TLS with internal user database           150                   150              200
EAP-TLS with Active Directory                 150                   150              200
EAP-TLS with LDAP Directory                   150                   200              200
EAP TEAP with internal user database          100                   100              200
MAB with internal user database               500                   900              1000
MAB with LDAP Directory                       400                   500              600
EAP-TTLS PAP with Microsoft Entra ID          30                    30               50
EAP-TLS with Microsoft Entra ID               40                    40               50

Note • EAP-TLS authentication rates for Microsoft Entra ID are applicable for Cisco ISE Release 3.2 Patch 3 and above and
Cisco ISE Release 3.3 and above releases.
• EAP-TTLS PAP authentication rates for Microsoft Entra ID are applicable for Cisco ISE Release 3.3 and above releases.
• When RADIUS DTLS is enabled, RADIUS transactions per second (TPS) might be around 15% lower than the values shown in
Table 5, because of the additional TLS processing on each transaction.

TACACS+ Authentication Rates


The following table shows the authentication rates for TACACS+ protocol when a Cisco ISE node acts as a single dedicated PSN in
a deployment.

Table 6: TACACS+ Transactions per Second (TPS) for a Dedicated PSN Node

Scenario                                  Cisco SNS 3615/3715   Cisco SNS 3595   Cisco SNS 3655/3755/3695/3795
TACACS+ Function: PAP                     2500                  3000             3200
TACACS+ Function: CHAP                    2500                  3000             3500
TACACS+ Function: Enable                  1000                  1000             1100
TACACS+ Function: Session Authorization   2500                  3000             3500
TACACS+ Function: Command Authorization   2500                  2500             3500
TACACS+ Function: Accounting              3000                  7000             9000

Scenario-Specific Authentication Rates


The following table shows the transactions per second (TPS) for different scenarios when a Cisco ISE node acts as a single dedicated
PSN in a deployment.

The authentication values provided below may deviate by plus or minus 5 percent in a production environment.

Table 7: Scenario-Based Authentications Per Second For a Dedicated PSN

Scenario                                                          Cisco SNS 3615/3715   Cisco SNS 3595   Cisco SNS 3655/3755/3695/3795
Posture authentication                                            50                    50
Guest Hotspot authentication                                      75                    100
Guest Sponsored authentication                                    50                    75
BYOD Onboarding single SSID                                       10                    10
BYOD Onboarding dual SSID                                         10                    15
MDM                                                               150                   200
Internal CA certificate issuance                                  50                    50
New endpoints profiled per second/profile updates per second      200                   250
Maximum PassiveID sessions processed per second                   1000                  1000
Sessions published per second to pxGrid subscribers               300                   400
RADIUS VPN flow with Duo MFA                                      10                    N/A
TACACS+ flow with Duo MFA                                         20                    N/A

The values in the Cisco SNS 3655/3755/3695/3795 column of this table are not present in this copy of the document.

Note Cisco ISE integration with Duo MFA for RADIUS and TACACS+ flows is applicable from Cisco ISE 3.3 Patch 1 onwards.
The authentication rates are applicable to deployments, where the latency between Cisco ISE and Duo is 4 or 5 seconds.

Table 8: Time Taken to Perform Various Operations in Seconds

Scenario                                                                   Cisco SNS 3615/3715   Cisco SNS 3595   Cisco SNS 3655/3755/3695/3795
Time taken to push 300 TrustSec policies to 254 NADs                       50                    50               50
Time taken for 5000 TrustSec policies to download 2 GB data via REST API   50                    50               50
Time taken to connect SXP to SXPSN                                         10                    5                5
Time taken for ERS Endpoints Bulk API for 1000 endpoints                   15                    10               10
Time taken for ERS Guest Bulk API for 1000 endpoints                       15                    10               10
Time taken for ERS: TrustSec Bulk API for 1000 endpoints                   200                   200              100
Time taken for pxGrid ANC APIs to quarantine or unquarantine 10,000        120                   120              120
endpoints (with 100 requests per second)

Cisco ISE Deployment Scale Limits


Table 9: Deployment Scale Limits

Attribute: Maximum limit

Maximum pxGrid nodes in Large or Dedicated deployment: 4

Maximum pxGrid subscribers per pxGrid node:
  Cisco SNS 3695/3795 as dedicated/shared pxGrid node: 200
  Cisco SNS 3655/3755 as dedicated/shared pxGrid node: 50
  Cisco SNS 3715/3615 as dedicated/shared pxGrid node: 5

Dedicated PSNs with SXP service enabled: 8 nodes, or 4 pairs

Maximum ISE SXP peers per PSN with SXP service enabled: 200

Maximum network device entries*: 100,000 (unicast addresses)

Maximum network device groups (NDG): 10,000

Maximum Active Directory forests (Join Points): 50

Maximum Active Directory controllers (WMI query): 100

Maximum internal users: 300,000

Maximum internal guests**: 1,000,000

Maximum user certificates: 1,000,000

Maximum server certificates: 1,000

Maximum trusted certificates: 1,000

Maximum concurrent active endpoints/sessions:
  Cisco SNS 3695/3795 as dedicated PAN/MnT: 2,000,000
  Refer to Sizing Guidelines for ISE Deployment, on page 5, for other appliance combinations

Maximum validated endpoints in the Cisco ISE database (including both active and inactive endpoints)***:
  Cisco SNS 3695/3795 as dedicated/shared PAN: 4,000,000
  Cisco SNS 3655 as dedicated/shared PAN: 1,000,000
  Cisco SNS 3755 as dedicated/shared PAN: 1,500,000
  Cisco SNS 3715 as shared PAN: 50,000
  Cisco SNS 3615 as shared PAN: 25,000

Maximum policy sets: 200

Maximum authorization rules****: 3000 (3,200 authorization profiles)

Maximum authentication rules: 1000

Maximum attribute-value (AV) pairs: 64

Maximum user identity groups: 1,000

Maximum endpoint identity groups: 1,000

TrustSec Security Group Tags (SGTs): 10,000
  50,000 TrustSec SGTs on Cisco SNS 3655/3755 and above models from Cisco ISE Release 3.4 Patch 1 onwards

TrustSec Security Group ACLs (SGACLs): 1,000

TrustSec IP-SGT Static Bindings (over SSH): 10,000

Maximum concurrent REST API connections:
  ERS API: 100
  OpenAPI: 150

Maximum PassiveID sessions for Large deployment:
  Cisco SNS 3695/3795 PAN, MnT: 2,000,000
  Cisco SNS 3595 PAN, MnT: 500,000
  Cisco SNS 3655 PAN, MnT: 500,000
  Cisco SNS 3755 PAN, MnT: 750,000

Maximum network latency between the primary PAN and any other Cisco ISE node, including the secondary PAN, MnT, and PSNs:
300 milliseconds

Maximum IPSec tunnels per dedicated PSN: 150

Maximum PassiveID session providers:
  Maximum AD Domain Controllers: 100
  Maximum REST API Providers: 50
  Maximum Syslog Providers: 70

MnT API Performance

MnT API (https://<MnT-PAN>/admin/API/mnt/...) requests per second in Medium deployment:
  Cisco SNS 3655/3755: 10
  Cisco SNS 3695/3795: 200

MnT API (https://<MnT-PAN>/admin/API/mnt/...) requests per second for Large deployment:
  Cisco SNS 3655/3755: 100
  Cisco SNS 3695/3795: 400

Time taken by the MnT API (https://<MnT-PAN>/admin/API/mnt/Session/ActiveList) to download 200,000 endpoints in Medium and
Large deployments: 40 seconds

*Up to 300,000 NADs are supported. You must provide the network address and subnet in the Administration > Network Resources
> Network Devices page.
**Having more than 500,000 guest users might create latency in user authentication.
***Sample use case: Cisco SNS 3795 can support a maximum of 2,000,000 active endpoints/sessions (as stated in Sizing Guidelines
for ISE Deployment, on page 5). In addition, it can handle a maximum of 2,000,000 inactive endpoints, resulting in a total of
4,000,000 endpoints in the Cisco ISE database for large deployments. For medium deployments, it can handle up to 150,000 active
endpoints/sessions and 3,850,000 inactive endpoints. For small deployments it can handle up to 50,000 active endpoints/sessions and
3,950,000 inactive endpoints.
****It is not recommended to have more than 600 authorization rules in a single policy set. Increasing the number of conditions per
authorization rule might impact the performance.

Cisco ISE SXP Scaling


Table 10: SXP Scaling for Different Deployments

Deployment Type                              Platform                         Max PSNs   Max ISE SXP Bindings   Max ISE SXP Listener Peers

Standalone (all personas on same node),      3595                             0          20,000                 30
2 nodes redundant                            3615                             0          12,500                 30
                                             3655/3715                        0          25,000                 40
                                             3695/3755/3795                   0          50,000                 50

Unified PAN+MnT on same node and             3595 as PAN and MnT              6          20,000                 200
dedicated PSNs                               3655 as PAN and MnT              6          25,000                 200
                                             3695 as PAN and MnT              6          50,000                 200
                                             3715 as PAN and MnT              6          75,000                 200
                                             3755/3795 as PAN and MnT         6          150,000                200

Dedicated (all personas on dedicated nodes)  3595 as PAN and MnT              50         350,000 (1 pair)       200 (1 pair)
                                                                                         500,000 (2 pairs)      400 (2 pairs)
                                             3655 as PAN and MnT              50         350,000 (1 pair)       200 (1 pair)
                                                                                         500,000 (2 pairs)      400 (2 pairs)
                                             3695/3755/3795 as PAN and        50         350,000 (1 pair)       200 (1 pair)
                                             Large MnT                                   700,000 (2 pairs)      400 (2 pairs)
                                                                                         1,050,000 (3 pairs)    600 (3 pairs)
                                                                                         1,400,000 (4 pairs)    800 (4 pairs)

Cisco ISE pxGrid Direct Scaling


This section specifies the time taken for Cisco ISE pxGrid Direct connector integration via URL Fetcher and URL Pusher for different
scales of endpoints.

Table 11: Cisco ISE pxGrid Direct connector integration via URL Fetcher

Scenario                                                                                 Cisco ISE 3.2 Patch 2/3.3   Cisco ISE 3.4
Time taken in minutes to download and replicate 500,000 endpoints with total data        120                         20
size of 500 MB from configuration management database (CMDB) server to all PSN nodes
Time taken in minutes to download and replicate 1,000,000 endpoints with total data      360                         30
size of 1 GB from CMDB server to all PSN nodes
Time taken in minutes to download and replicate 2,000,000 endpoints with total data      480                         60
size of 2 GB from CMDB server to all PSN nodes

Note • The above values are applicable only when the network latency between Cisco ISE and CMDB is less than 50 milliseconds.
• The above data is applicable for endpoints with 15 attributes each.
• Data size for each endpoint with its attributes should not exceed 5 GB.
• Timeout for Full Sync download is 120 minutes.
• It is highly recommended to schedule synchronization during off-peak hours.
• Cisco ISE can fetch data from 5 connectors simultaneously.

Table 12: Cisco ISE pxGrid Direct connector integration via URL Pusher

Scenario                                                                        Time in minutes
Time taken to download and replicate 500,000 endpoints data to all PSN nodes    30

Note • The URL Pusher data is applicable only from Cisco ISE Release 3.4.
• Each push API request payload size should not exceed 5 MB.
• It is recommended to schedule large synchronization tasks during off-peak hours.

Cisco ISE and Cisco Application Centric Infrastructure Scaling


The context learned from Cisco Application Centric Infrastructure (Cisco ACI) can be shared with Cisco Catalyst Center, network
devices, SD-WAN components, and any other pxGrid subscribers. This section describes the scale and performance limits when
Cisco ISE is integrated with Cisco ACI.
The following table describes supported Cisco ACI cluster scale for different Cisco ISE clusters and maximum SXP bindings supported
for respective deployments.

Table 13: Cisco ISE and Cisco ACI Scale

Deployment Type                                                                   Maximum ACI Clusters   Maximum SXP bindings
Small deployment with Cisco SNS 3615/3715 as PAN/MnT                              3                      For lab purposes only
Small deployment with Cisco SNS 3655/3755/3695/3795 as PAN/MnT                    3                      40,000
Medium deployment with Cisco SNS 3655/3755 or Cisco SNS 3695/3795 as PAN and MnT  10                     200,000
Large deployments with Cisco SNS 3655/3755 as PAN and MnT                         20                     400,000
Large deployments with Cisco SNS 3695/3795 as PAN and MnT                         75                     1,400,000

Note the following points while integrating Cisco ISE with Cisco ACI:
• It is recommended to integrate scaled ACI Fabric during off-peak hours. If the RADIUS traffic rate is high in the Cisco ISE
deployment, TrustSec traffic enforcement might be delayed.
• Maximum SXP binding values specified in the above table are applicable for both deployments using only IPv4 addresses and
deployments using a combination of IPv4 and IPv6 addresses.
• Time taken for an ACI connection with 20,000 to 32,000 endpoints to reach the Connected state can be up to 5 minutes and time
taken to download the bindings can be up to 10 minutes.
• The initial time taken to download EPG endpoints or create SXP bindings can increase if the overall load on the Cisco ISE
system is increased.
• The total number of SXP bindings in the Cisco ISE deployment must not exceed 1,400,000. This count includes:
• SXP bindings created by SGT assignment in authorization policies for RADIUS workload
• SXP bindings received from SXP speakers
• SXP bindings from IP-EPG mappings learned from Cisco ACI or SXP bindings created for workloads from all the Workload
Connections
• SXP bindings created by evaluating the Inbound SGT Domain rules
• SXP bindings created by the Workload Classification rules

Following are a few examples of how to calculate the number of Cisco ACI connections that can be integrated with Cisco ISE at a
given scale. Subtract the SXP bindings already consumed by the other sources listed above from the deployment's maximum, divide
by the number of endpoints each fabric shares, and round down: a partial fabric would push the deployment over its limit.
Example 1
In a large deployment with Cisco SNS 3695/3795 as PAN and MnT (maximum 1,400,000 SXP bindings), if the total number of SXP
bindings created by SGT assignment in an authorization policy for RADIUS workload is 1,000,000, the total number of ACI
connections that can be created is:
• If each ACI Fabric has 20,000 endpoints to be shared with Cisco ISE, total number of ACI Fabrics that can be integrated =
(1,400,000 - 1,000,000) / 20,000 = 20
• If each ACI Fabric has 32,000 endpoints to be shared with Cisco ISE, total number of ACI connections that can be integrated
= (1,400,000 - 1,000,000) / 32,000 = 12.5, that is, 12 (a thirteenth fabric would need 416,000 bindings, more than the 400,000
available)

Example 2
In the same deployment, if the total number of SXP bindings created by SGT assignment in an authorization policy for RADIUS
workload is 50,000, the total number of ACI connections that can be created is:
• If each ACI Fabric has 20,000 endpoints to be shared with Cisco ISE, the total number of ACI connections that can be integrated
= (1,400,000 - 50,000) / 20,000 = 67.5, that is, 67
• If each ACI Fabric has 32,000 endpoints to be shared with Cisco ISE, the total number of ACI connections that can be integrated
= (1,400,000 - 50,000) / 32,000 = 42.2, that is, 42

Example 3
In a small deployment with Cisco SNS 3655/3755/3695/3795 as PAN/MnT, if the:
• Total number of SXP bindings created by SGT assignment in an authorization policy for RADIUS workload is 10,000
• Maximum SXP bindings for this deployment is 40,000 (Table 13)
• Total ACI connections is 3

Maximum endpoints per ACI connection = (Maximum SXP bindings for the deployment - SXP bindings created by RADIUS SGT
assignment) / Number of ACI connections = (40,000 - 10,000) / 3 = 10,000

Cisco ISE Workload Connector Scaling


From Cisco ISE Release 3.4 Patch 1, Cisco ISE can be integrated with the following Workload Connectors, in addition to Cisco ACI:
• AWS
• Azure
• GCP
• vCenter

Table 14: Cisco ISE Workload Connector Scaling for Azure, AWS, GCP, and vCenter Connections

Deployment Type   Platform                                       Maximum Workload Connectors*   Maximum Workload SGT bindings
Small             Cisco SNS 3615/3715                            1                              For lab purposes only
                  Cisco SNS 3655/3695                            3                              10,000
Medium            Cisco SNS 3655/3755 or Cisco SNS 3695/3795     10                             20,000
Large             Cisco SNS 3655/3755                            40                             20,000
                  Cisco SNS 3695/3795                            50                             20,000

*This can be a combination of different workload connection types (AWS, GCP, Azure, and vCenter) or connections of the same type.
For example, if the maximum workload connection value is 10, the deployment can include 3 GCP connections, 4 AWS connections,
and 3 Azure connections, or 10 Azure connections.

Deployment requirements while integrating Cisco ISE with Cisco ACI and Workload Connectors
• Small deployments with Cisco SNS 3615/3715 or Medium deployments with Cisco SNS 3615/3715 acting as PAN/MnT are
not recommended for production use.
• Instances of the SXP persona must be configured as dedicated nodes for optimal performance in Medium and Large deployments.
• When Inbound SGT domain rules are configured, additional SXP bindings might be created for specific endpoints.
• While creating the Outbound SGT Domain rules, ensure that the maximum number of SGTs from all the rules and filters does
not exceed 500. For example, if there are 5 Outbound SGT Domain rules, the number of SGTs per rule can be up to 100. It is
recommended to have less than 10 Outbound SGT Domain rules in a deployment.
• The maximum number of SXP bindings includes:
• SXP bindings created by SGT assignment in authorization policies for RADIUS workload
• SXP bindings received from SXP speakers
• Static IP-SGT bindings

• SXP bindings from IP-EPG mappings learned from Cisco ACI or SXP bindings created for workloads from all the Workload
Connections
• SXP bindings created by evaluating the Inbound SGT domain rules
• SXP bindings created by the Workload Classification rules

• It is strongly recommended to add scaled workload connections to Cisco ISE during the off-peak hours. If the RADIUS traffic
rate is high in the Cisco ISE deployment, SXP binding creation might be delayed.
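Because every binding source in the two lists above (the one under Cisco ACI scaling and the one under Workload Connector scaling) draws on a single per-deployment SXP binding budget, the capacity question is always "how many bindings are left, and how many whole fabrics or connectors fit in that remainder". The following added example (not part of this guide, and not Cisco code) turns Tables 13 and 14 and the three worked examples into a planner that does that accounting for both ACI fabrics and workload connectors. The limits are transcribed from the tables; the binding counts passed to the functions are constructed inputs.

```python
# Limits transcribed from this guide. Keys are (deployment type, PAN/MnT
# appliance group as written in the table). "For lab purposes only" rows are
# recorded with a binding limit of 0 so that they never size a production fabric.
ACI_LIMITS = {  # Table 13
    ("Small", "3615/3715"):            {"aci_clusters": 3,  "sxp_bindings": 0},
    ("Small", "3655/3755/3695/3795"):  {"aci_clusters": 3,  "sxp_bindings": 40_000},
    ("Medium", "3655/3755/3695/3795"): {"aci_clusters": 10, "sxp_bindings": 200_000},
    ("Large", "3655/3755"):            {"aci_clusters": 20, "sxp_bindings": 400_000},
    ("Large", "3695/3795"):            {"aci_clusters": 75, "sxp_bindings": 1_400_000},
}
WORKLOAD_LIMITS = {  # Table 14
    ("Small", "3615/3715"):            {"connectors": 1,  "sgt_bindings": 0},
    ("Small", "3655/3695"):            {"connectors": 3,  "sgt_bindings": 10_000},
    ("Medium", "3655/3755/3695/3795"): {"connectors": 10, "sgt_bindings": 20_000},
    ("Large", "3655/3755"):            {"connectors": 40, "sgt_bindings": 20_000},
    ("Large", "3695/3795"):            {"connectors": 50, "sgt_bindings": 20_000},
}
DEPLOYMENT_CEILING = 1_400_000  # total SXP bindings in any deployment must not exceed this


def sxp_binding_budget(deployment, radius_sgt=0, sxp_speakers=0, static_ip_sgt=0,
                       workload=0, inbound_sgt_domain=0, workload_classification=0):
    """Bindings left for ACI IP-EPG mappings after every other source named in
    this guide is subtracted from the deployment's SXP binding limit."""
    limit = min(ACI_LIMITS[deployment]["sxp_bindings"], DEPLOYMENT_CEILING)
    used = (radius_sgt + sxp_speakers + static_ip_sgt + workload
            + inbound_sgt_domain + workload_classification)
    return limit - used


def max_aci_fabrics(deployment, endpoints_per_fabric, **other_bindings):
    """Whole ACI fabrics that fit: the remaining budget divided by endpoints per
    fabric, rounded DOWN (a partial fabric would exceed the limit), and capped by
    the maximum ACI clusters allowed for the deployment."""
    budget = sxp_binding_budget(deployment, **other_bindings)
    if budget <= 0:
        return 0
    return min(budget // endpoints_per_fabric, ACI_LIMITS[deployment]["aci_clusters"])


def max_endpoints_per_fabric(deployment, fabrics, **other_bindings):
    """Example 3 rearranged: endpoints each of `fabrics` connections may share."""
    budget = sxp_binding_budget(deployment, **other_bindings)
    return max(budget // fabrics, 0)


def workload_connectors_ok(deployment, connectors, sgt_bindings):
    """True if the connector count and workload SGT bindings are within Table 14.
    The workload bindings still count against the SXP budget above."""
    lim = WORKLOAD_LIMITS[deployment]
    return connectors <= lim["connectors"] and sgt_bindings <= lim["sgt_bindings"]


if __name__ == "__main__":
    large = ("Large", "3695/3795")
    # Examples 1 and 2 from this guide: 1,000,000 and 50,000 RADIUS SGT bindings.
    print(max_aci_fabrics(large, 20_000, radius_sgt=1_000_000))   # 20
    print(max_aci_fabrics(large, 32_000, radius_sgt=1_000_000))   # 12, not 13
    print(max_aci_fabrics(large, 20_000, radius_sgt=50_000))      # 67
    # Constructed: a Large 3655/3755 deployment is capped at 20 clusters even
    # when the binding budget would allow more small fabrics.
    print(max_aci_fabrics(("Large", "3655/3755"), 10_000))        # 20
```

The cap on clusters and the cap on bindings are independent, which is why the function takes the minimum of the two: a deployment with plenty of binding headroom can still be limited by the cluster count, and a deployment under its cluster count can still be limited by bindings consumed by RADIUS SGT assignments and workload connectors.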

Configuration Best Practices


This section lists the best practices recommended when configuring the network devices and Cisco ISE for better performance.
Some of the factors that generate additional authentications are:
• A network adapter disconnecting or reconnecting, which starts a new authentication
• Network switches configured with a very short session timeout
• Network switches configured with frequent accounting interim updates
• Power outages
• Automated scripts that mass-reboot systems

Each of these events results in a new authentication (Access-Request), an accounting interim update, or an accounting stop.
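Two of the network-device recommendations that follow in Table 16 are measurable from the accounting stream the PSNs receive: the ratio of authentications to interim accounting updates should not exceed 1:5, and the interim interval should be disabled or longer than 24 hours. The following added example (not part of this guide, and not Cisco code) computes both per network access device so that the chatty NADs can be found before they consume PSN capacity. The log lines are constructed, and their "timestamp nas_ip event calling_station_id" layout is a simplification for the example, not the actual Cisco ISE syslog format; adapt parse_line() to whatever your collector emits.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample. 10.1.1.1 behaves (one interim per day per session);
# 10.1.1.2 sends an interim update every 10 minutes for a single session.
SAMPLE_LOG = """\
2025-03-01T08:00:00 10.1.1.1 Access-Request 00:11:22:33:44:01
2025-03-01T08:00:01 10.1.1.1 Interim-Update 00:11:22:33:44:01
2025-03-01T08:05:00 10.1.1.1 Access-Request 00:11:22:33:44:02
2025-03-02T08:00:01 10.1.1.1 Interim-Update 00:11:22:33:44:01
2025-03-01T09:00:00 10.1.1.2 Access-Request 00:11:22:33:44:03
2025-03-01T09:10:00 10.1.1.2 Interim-Update 00:11:22:33:44:03
2025-03-01T09:20:00 10.1.1.2 Interim-Update 00:11:22:33:44:03
2025-03-01T09:30:00 10.1.1.2 Interim-Update 00:11:22:33:44:03
2025-03-01T09:40:00 10.1.1.2 Interim-Update 00:11:22:33:44:03
2025-03-01T09:50:00 10.1.1.2 Interim-Update 00:11:22:33:44:03
2025-03-01T10:00:00 10.1.1.2 Interim-Update 00:11:22:33:44:03
"""


def parse_line(line):
    """Simplified layout: ISO timestamp, NAS IP, RADIUS event, Calling-Station-ID."""
    ts, nas, event, mac = line.split()
    return datetime.fromisoformat(ts), nas, event, mac


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def interim_ratio_by_nas(records):
    """Interim-Update count divided by Access-Request count, per NAS."""
    auths, interims = defaultdict(int), defaultdict(int)
    for _, nas, event, _ in records:
        if event == "Access-Request":
            auths[nas] += 1
        elif event == "Interim-Update":
            interims[nas] += 1
    return {nas: (interims[nas] / auths[nas]) if auths[nas] else float("inf")
            for nas in set(auths) | set(interims)}


def median_interim_interval_by_nas(records):
    """Median seconds between consecutive interim updates of the same session
    (NAS + Calling-Station-ID), aggregated per NAS."""
    per_session = defaultdict(list)
    for ts, nas, event, mac in records:
        if event == "Interim-Update":
            per_session[(nas, mac)].append(ts)
    gaps = defaultdict(list)
    for (nas, _), stamps in per_session.items():
        stamps.sort()
        gaps[nas].extend((b - a).total_seconds() for a, b in zip(stamps, stamps[1:]))
    return {nas: median(g) for nas, g in gaps.items() if g}


def chatty_nads(records, max_ratio=5.0, min_interval_s=24 * 3600):
    """NADs breaching either the 1:5 auth-to-interim ratio or the 24-hour
    interim interval recommended in this guide, with the reason for each."""
    ratios = interim_ratio_by_nas(records)
    intervals = median_interim_interval_by_nas(records)
    flagged = {}
    for nas, ratio in ratios.items():
        reasons = []
        if ratio > max_ratio:
            reasons.append(f"interim:auth ratio {ratio:.1f} exceeds {max_ratio:.0f}")
        if nas in intervals and intervals[nas] < min_interval_s:
            reasons.append(f"median interim interval {intervals[nas]:.0f}s "
                           f"is below {min_interval_s}s")
        if reasons:
            flagged[nas] = reasons
    return flagged


if __name__ == "__main__":
    for nas, reasons in chatty_nads(parse_log(SAMPLE_LOG)).items():
        print(nas, "; ".join(reasons))
```

Run it over a day of accounting records from the MnT node rather than a few minutes: the ratio only means something once each session has had time to send its routine interim updates, and a short window would flag every NAD that happened to be mid-interval.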

Table 15: Configuration Best Practices for Cisco ISE

Attribute Recommendation

Profiling probes If you are not using the profiling feature, turn off all the profiling probes.

Endpoint Attribute filter This filter is disabled by default. We recommend that you enable this filter.

MnT suppression Ensure that the Suppress Repeated Passed and Failed Clients option in the RADIUS Settings
page is enabled.
This option is enabled by default.

EAP-FAST reconnect and session Enable this option in the Policy > Results > Allowed Protocols > Allow EAP-FAST page.
resume
This helps client devices reduce the EAP load on Cisco ISE. In a BYOD flow where remote
management of the client device is not possible, this feature has minimal impact.

DNS caching If Remote Logging Targets (Administration > System > Logging > Remote Logging Targets)
are configured with an FQDN, DNS caching must be enabled. Set the Time To Live value to 180 by
using the following commands in the command line interface:
configure terminal
service cache enable hosts ttl 180

Table 16: Configuration Best Practices for Network Devices

Attribute Recommendation

RADIUS timeout Recommended range is from 5 to 10 seconds. This range will help the endpoints to boot
without causing the DHCP requests to expire and will also avoid latency between Cisco
ISE and network devices.

RADIUS interim accounting This option must be disabled or set to more than 24 hours for wireless and wired devices.
This limits the interim accounting updates from the network devices when there is no
significant change in the network. It also limits the incoming data to Cisco ISE, thereby
reducing the RADIUS accounting updates and logs and allowing PSNs to process new
incoming authentication requests effectively.
If the ratio of authentications to accounting interim updates is more than 1:5, we strongly
recommend that you check the network connectivity and the network device configuration
for accounting updates. Update the configuration to reduce the frequent interim updates
from the network access devices.
If you have enabled automated shutdown of network devices at large scale, we recommend
that you perform this operation in batches of no more than 500 devices. Otherwise, this
operation might delay incoming authentications.

Client exclusion This configuration is applicable for wireless IOS devices. Set the value to 60 seconds.

Session timeout Recommended value is more than 24 hours for both wired and wireless devices, unless
your security policy dictates that you must perform authentication more frequently.

Inactivity timeout Set the value to 300 seconds or more. This helps reduce the number of reauthentication
requests.

RADIUS device sensor If profiling is required, use the device sensor instead of other probes. While using the
device sensor, other probes can be disabled for wireless devices.

RADIUS Dead Timer Recommended range is from 10 to 15 minutes. This ensures that the RADIUS server
marked down is not used for the specified interval.

Guest Anchoring If WLAN is anchored, RADIUS accounting must be disabled in the WLAN settings on
the anchor controller.

Polling interval for SNMP We recommend that you set the SNMP Polling Interval value (Administration >
Network Resources > Network Devices > Add > SNMP Settings) to 8 hours or higher
to reduce the performance impact of a large number of SNMP events. Setting a lower
value might generate many profiling events and impact system performance.
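As an added example (not from the Cisco guide), the following Python script applies the authentication-to-interim-update ratio check from Table 16 to constructed RADIUS server log lines, reporting any network access device whose interim updates exceed five per authentication. The log line format, NAS addresses and user names are assumptions.

```python
"""Flag network devices that send too many RADIUS interim accounting updates.

Added example, not from the Cisco guide. Table 16 says that an authentication
to accounting-interim-update ratio above 1:5 means the network device accounting
configuration should be checked. The log line format is an assumption.
"""
import re
from collections import defaultdict

# Constructed sample log: a well-behaved NAS (10.0.0.1) and a chatty NAS (10.0.0.2).
SAMPLE_LOG = """\
10:00:00 nas=10.0.0.1 type=Access-Request user=alice
10:00:01 nas=10.0.0.1 type=Accounting-Request acct_status=Start user=alice
10:05:00 nas=10.0.0.1 type=Accounting-Request acct_status=Interim-Update user=alice
10:10:00 nas=10.0.0.1 type=Accounting-Request acct_status=Interim-Update user=alice
10:00:00 nas=10.0.0.2 type=Access-Request user=bob
10:01:00 nas=10.0.0.2 type=Accounting-Request acct_status=Interim-Update user=bob
10:02:00 nas=10.0.0.2 type=Accounting-Request acct_status=Interim-Update user=bob
10:03:00 nas=10.0.0.2 type=Accounting-Request acct_status=Interim-Update user=bob
10:04:00 nas=10.0.0.2 type=Accounting-Request acct_status=Interim-Update user=bob
10:05:00 nas=10.0.0.2 type=Accounting-Request acct_status=Interim-Update user=bob
10:06:00 nas=10.0.0.2 type=Accounting-Request acct_status=Interim-Update user=bob
10:07:00 nas=10.0.0.2 type=Accounting-Request acct_status=Stop user=bob
"""

LINE_RE = re.compile(r"nas=(?P<nas>\S+)\s+type=(?P<type>\S+)(?:\s+acct_status=(?P<status>\S+))?")


def count_packets(log_text):
    """Per NAS, count Access-Request packets and Interim-Update accounting packets."""
    counts = defaultdict(lambda: {"auth": 0, "interim": 0})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # line does not match the assumed format
        if m["type"] == "Access-Request":
            counts[m["nas"]]["auth"] += 1
        elif m["type"] == "Accounting-Request" and m["status"] == "Interim-Update":
            counts[m["nas"]]["interim"] += 1
    return dict(counts)


def chatty_nas(counts, max_interim_per_auth=5):
    """NAS addresses whose interim updates exceed the 1:5 guidance (interim > 5 x auth).
    A NAS sending updates with no authentications in the window is reported too."""
    return sorted(n for n, c in counts.items() if c["interim"] > max_interim_per_auth * c["auth"])


if __name__ == "__main__":
    for nas in chatty_nas(count_packets(SAMPLE_LOG)):
        print(nas, "sends too many interim updates; check its accounting configuration")
```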

Cisco ISE Hardware Appliances


Cisco SNS hardware appliances support the Unified Extensible Firmware Interface (UEFI) secure boot feature. This feature ensures
that only a Cisco-signed Cisco ISE image can be installed on the Cisco SNS hardware appliances, and prevents the installation of
any unsigned operating system even with physical access to the device.

Table 17: Specifications for Cisco SNS 3500/3600 Series Hardware Appliances

Cisco SNS 3615
Processor: Intel Xeon 2.10 GHz 4110
Cores per Processor: 8 Cores and 16 Threads
Memory: 32 GB (2x16 GB)
Storage: 1 x 600-GB 6 Gb SAS 10K RPM
Hardware RAID: —
Network Interfaces: 2 x 10 GBase-T, 4 x 1 GBase-T
Power Supplies: 1 x 770W

Cisco SNS 3595
Processor: Intel Xeon 2.60 GHz E5-2640
Cores per Processor: 8 Cores and 16 Threads
Memory: 64 GB (4x16 GB)
Storage: 4 x 600-GB 6 Gb SAS 10K RPM
Hardware RAID: Level 10, Cisco 12G SAS Modular RAID Controller
Network Interfaces: 6 x 1 GBase-T
Power Supplies: 2 x 770W

Cisco SNS 3655
Processor: Intel Xeon 2.10 GHz 4116
Cores per Processor: 12 Cores and 24 Threads
Memory: 96 GB (6x16 GB)
Storage: 4 x 600-GB 6 Gb SAS 10K RPM
Hardware RAID: Level 10, Cisco 12G SAS Modular RAID Controller
Network Interfaces: 2 x 10 GBase-T, 4 x 1 GBase-T
Power Supplies: 2 x 770W

Cisco SNS 3695
Processor: Intel Xeon 2.10 GHz 4116
Cores per Processor: 12 Cores and 24 Threads
Memory: 256 GB (8x32 GB)
Storage: 8 x 600-GB 6 Gb SAS 10K RPM
Hardware RAID: Level 10, Cisco 12G SAS Modular RAID Controller
Network Interfaces: 2 x 10 GBase-T, 4 x 1 GBase-T
Power Supplies: 2 x 770W

Table 18: Specifications for Cisco SNS 3700 Series Hardware Appliances

Cisco SNS 3715
Processor: Intel Xeon 2.1 GHz 4310
Cores per processor: 12 Cores and 24 Threads
Memory: 32 GB (2 x 16GB)
Storage: 1 x 600 GB 12G SAS 10K RPM SFF HDD, or 1 x 800 GB 2.5in Enterprise Performance 12G SAS SSD (3x endurance)
Hardware RAID: Level 0
Network interface: 2 x 10GBase-T, 4 x 10GE SFP
Power supplies: 1 x 1050W
TPM chip: Yes

Cisco SNS 3755
Processor: Intel Xeon 2.3 GHz 4316
Cores per processor: 20 Cores and 40 Threads
Memory: 96 GB (6 x 16GB)
Storage: 4 x 600 GB 12G SAS 10K RPM SFF HDD, or 4 x 800 GB 2.5in Enterprise Performance 12G SAS SSD (3x endurance)
Hardware RAID: Level 10, Cisco 12G SAS Modular RAID Controller
Network interface: 2 x 10GBase-T, 4 x 10GE SFP
Power supplies: 2 x 1050W
TPM chip: Yes

Cisco SNS 3795
Processor: Intel Xeon 2.3 GHz 4316
Cores per processor: 20 Cores and 40 Threads
Memory: 256 GB (8 x 32GB)
Storage: 8 x 600 GB 12G SAS 10K RPM SFF HDD, or 8 x 800 GB 2.5in Enterprise Performance 12G SAS SSD (3x endurance)
Hardware RAID: Level 10, Cisco 12G SAS Modular RAID Controller
Network interface: 2 x 10GBase-T, 4 x 10GE SFP
Power supplies: 2 x 1050W
TPM chip: Yes

Note • Cisco ISE Release 3.1 Patch 6 and later and Cisco ISE Release 3.2 Patch 2 and later versions support Cisco SNS 3700
series appliances.
• You cannot add additional hardware resources like memory, processor, or storage to a Cisco SNS hardware appliance.
• Mixing SAS/SATA hard drives and SAS/SATA SSDs is not supported. You must use either SAS/SATA hard drives or
SAS/SATA SSDs.
• SSD offers improved performance in disk read/write operations and other Cisco ISE operations like boot, installation
(up to 10% improvement), upgrade, and database-intensive tasks like backup and report generation (up to 20%
improvement). Note that PSN performance for RADIUS and TACACS+ operations remains the same as described in the
preceding sections.
• Additional power supplies can be ordered separately for SNS 3615 and SNS 3715. For component part numbers, see the
Cisco Secure Network Server Data Sheet.

Cisco ISE Virtual Machine and Cloud Platforms


Cisco ISE can be installed on VMware servers, KVM hypervisors, Hyper-V (Windows Server and Azure Stack HCI), and Nutanix
AHV. To achieve performance and scalability comparable to Cisco ISE hardware appliances, virtual machines must be allocated
system resources equivalent to the Cisco SNS appliances as described in the table below.
We recommend that you reserve CPU and memory resources that match the resource allocation. Failure to do so may significantly
impact Cisco ISE performance and stability.
For a VM deployment, the number of vCPUs is twice the number of physical cores in the appliance because of hyperthreading. For
example, for a small network deployment, allocate 16 vCPU cores to meet the CPU specification of the SNS 3615, which has 8 CPU
cores or 16 threads.
Deploy dedicated VM resources and do not share or oversubscribe resources across multiple guest VMs.
Cisco ISE is now available from the cloud, enabling you to scale your Cisco ISE deployments quickly and easily to meet changing
business needs.
Cisco ISE is available as an Infrastructure as Code solution, helping you to rapidly deploy network access and control services
anywhere.
Extend the Cisco ISE policies in your home network to new remote deployments securely through Amazon Web Services (AWS),
Azure Cloud Services, or Oracle Cloud Infrastructure (OCI). AWS supports Cisco ISE Release 3.1 and later releases.
OCI and Azure Cloud support is available from Cisco ISE Release 3.2 and later releases.
See Deploy Cisco ISE Natively on Cloud Platforms and the respective cloud documentation for the resource specifications of
supported instances.
The table below maps VM specifications and cloud instances to their equivalent Cisco SNS appliances.

Table 19: Specifications for Cisco ISE VM and Cloud Instances

Cisco SNS 3615 equivalent
VM Specification: 16 vCPU, 32 GB
AWS: c5.4xlarge*
Azure: Standard_F16s_v2*
OCI: Optimized3.Flex* (8 OCPU** and 32 GB)

Cisco SNS 3595 equivalent
VM Specification: 16 vCPU, 64 GB
AWS: m5.4xlarge
Azure: Standard_D16s_v4
OCI: Standard3.Flex (8 OCPU and 64 GB)

Cisco SNS 3655 equivalent
VM Specification: 24 vCPU, 96 GB
AWS: c5.9xlarge* or m5.8xlarge
Azure: Standard_F32s_v2* or Standard_D32s_v4
OCI: Optimized3.Flex (16 OCPU and 64 GB)* or Standard3.Flex (16 OCPU and 128 GB)

Cisco SNS 3695 equivalent
VM Specification: 24 vCPU, 256 GB
AWS: m5.16xlarge
Azure: Standard_D64s_v4
OCI: Standard3.Flex (16 OCPU and 256 GB)

Cisco SNS 3715 equivalent
VM Specification: 24 vCPU, 32 GB
AWS: c5.9xlarge* or m5.8xlarge
Azure: Standard_F32s_v2* or Standard_D32s_v4
OCI: Optimized3.Flex (16 OCPU and 64 GB)* or Standard3.Flex (16 OCPU and 128 GB)

Cisco SNS 3755 equivalent
VM Specification: 40 vCPU, 96 GB
AWS: —
Azure: —
OCI: —

Cisco SNS 3795 equivalent
VM Specification: 40 vCPU, 256 GB
AWS: m5.16xlarge
Azure: Standard_D64s_v4
OCI: Standard3.Flex (32 OCPU and 256 GB)

*This instance is compute-optimized and provides better performance compared to the general purpose instances.
**In OCI, you choose CPU in terms of Oracle CPU (OCPU). Each OCPU provides CPU capacity equal to one physical core of an
Intel Xeon processor with hyper-threading enabled. Each OCPU equals two hardware execution threads known as vCPUs.

Note There is no equivalent cloud profile for Cisco SNS 3755. We recommend that you use the cloud instances that are specified
for Cisco SNS 3795.

Extra Small Form Factor for Cisco ISE VM and Cloud Instances
Extra Small VM specification is available only on virtualization platforms such as VMware, KVM, Hyper-V, Nutanix AHV hypervisors,
and Cloud instances.
This form factor is not supported for SNS appliances.

Table 20: Extra Small Form Factor for Cisco ISE VM and Cloud Instances

Virtual Machines Specifications

VM 8 vCPU, 32 GB RAM

AWS m5.2xlarge

Azure Standard_D8s_v4

OCI Standard3.Flex (4 OCPU and 32 GB)

Extra Small form factor supports the following two deployment types:
• PSNLite: The node can be deployed as a dedicated PSN persona in a medium deployment. PSNLite is not supported for large
deployments.
Performance for RADIUS and TACACS+ authentication is around 50 percent of that of Cisco SNS 3615. For example, if the
RADIUS authentication rate of Cisco SNS 3615 for PEAP-MSCHAP2 with internal user database is 150, this value will be 75
(50% of 150) for the PSNLite.
• ISELite: The node can be deployed as a standalone Cisco ISE node. ISELite is not recommended for Small (HA)
deployments.
ISELite is optimized for small office scenarios, supporting a maximum of 1000 concurrently active endpoints
with optimal RADIUS performance at 50 TPS.
ISELite is recommended only for RADIUS or TACACS+ traffic. Enabling advanced services like SXP, PassiveID,
pxGrid Direct, pxGrid Cloud, TC-NAC, Log Analytics, and Cisco AI Analytics on an ISELite node is not recommended.
Ensure that the Log Analytics option (under Operations > System 360) is disabled on the ISELite node.

Table 21: Extra Small Form Factor Supported Deployment Types

PSNLite
Deployment Type: Dedicated PSN only
Storage: 300 GB
Maximum Concurrent Active Sessions: 12000
Notes: Supported from Cisco ISE 3.2 onwards

ISELite
Deployment Type: Standalone Cisco ISE node
Storage: 600 GB
Maximum Concurrent Active Sessions: 1000
Notes: Supported from Cisco ISE 3.4 onwards

© 2021 Cisco Systems, Inc. All rights reserved.