TACACS Deployment Scale

Once the right deployment method is chosen, think about the number of PSNs you need for TACACS+ and for other services.

Tip: For a TACACS+-only deployment, if you are using ACS now, you can replace each ACS authentication server with an ISE PSN node. This is a simple, foolproof approach. ACS supports 100k network devices and 22 total servers in a deployment. If ACS is oversubscribed beyond its limit, understand the constraints, then use the ISE performance guideline for reference.

If your environment uses other TACACS+ servers, then the first step is to determine the number of Transactions Per Second. Here is a quick set of questions you can use to gather the information from customers.

Remember, this is design, and we need certain inputs to determine the scalability of Device Administration services: for example, the number of network devices in your network, the number of human administrators managing the environment, or how many commands they execute every time they log in to a network device.

Calculate the Number of Transactions per Second (TPS)

Calculate the number of Transactions per Second using a simple formula based on the inputs from the questions above:

#_Transactions_per_session = #_network_devices x (3 + 2 x Number of commands executed).

Now you can use this formula to plug in the numbers you received from the questions above. A quick note about the next paragraph: if you are a thinker and your cerebral cortex does not allow you to proceed without understanding the reasoning behind the formula, continue reading the next paragraph; if not, skip it.

This formula helps you calculate the number of transactions for each TACACS+ session. It is based on the 5 TACACS+ transactions we saw before (Authentication, Authorization, Accounting, Command Authorization and Command Accounting). The number 3 in the formula is for the Authentication, Authorization and Accounting transactions that occur once per session. The multiplier 2 is for the Command Authorization and Command Accounting transactions that happen for every command executed within the session. When you combine both, you get the total number of transactions per session for a given number of commands. To scale the session to x network devices, use the number of network devices as a multiplier to calculate the transactions for the deployment per session.

Let us consider this scenario. A customer is managing 10,000 network devices. A script or human admin logs in to all the network devices 4 times a day, executing 10 commands to gather information from each network device. Let us assume the customer has turned on command authorization and command accounting. Note that command accounting is different from session accounting, which is part of the AAA transaction.

Then, based on the formula,

#_transactions_per_day = 10,000 x (3 + 2x10) = 230k logs/session = 920k logs for 4 sessions.

Now that you have done the first step, the rest is easy. The script that is used to gather information is usually fast and takes just a few minutes to execute and gather information from 10 commands. Let us say it takes 20 minutes to gather all the information for the four sessions.

Peak TPS needs to be calculated over the 20-minute window in which the script runs, with an overall total of 920k transactions.

So, Peak TPS = 920k / (20*60sec) = 767 TPS

Now that we know the Peak TPS the network consumes, it becomes much easier.

Calculate Number of PSNs

The next step is to calculate the number of PSNs.

Here is a chart that will help you determine the number of PSNs needed as you scale the number of network devices in your network; it also tracks the logs consumed by MnT. The number of PSNs for a certain number of network devices is based on the TPS calculated above. The following chart is made for the 3595 appliance, which supports 1500 TPS.

[Chart: number of PSNs and MnT logs per day versus number of network devices, 3595 appliance at 1500 TPS]

Let us examine the chart more closely. From the chart, you can see that for 10,000 network devices you need one PSN dedicated to TACACS+ in your network. The logs/day for 10k network devices amount to 0.92 million logs/day. As you increase the number of network devices to just above 30k, you see that the log consumption is around 3M logs/day. This is the limit for a standard MnT before it shows performance drops. Beyond this, you may need to forward the logs to an external logging server or to the Super MnT introduced in ISE 2.4. Super MnT provides twice the disk capacity of a standard MnT, which increases the log retention.

Let us discuss another example: what happens if your script runs more than 4 times a day, or your admin user executes fewer commands per session? That's easy; you can extrapolate the result from the chart above.

This chart was created based on 4 TACACS+ sessions each day and 10 commands/session for x network devices. So what happens if you have 10 sessions per day? Simple: the logs generated per day will be 2.5 times (10 sessions divided by the 4 sessions used in the chart), that is, 2.3M logs for 10,000 network devices. This increases the number of transactions and the number of PSNs needed to support them. You can observe from the graph that if your scripts generate 2.3M logs, you need 2 PSNs to support the number of transactions. Similarly, if fewer commands are executed per session, say 5 commands, the number of TACACS+ transactions is cut down to approximately 0.57 of the original.

Finally, if you want to use the 3515 as your PSN, you need 0.7 PSN for every 1 PSN supported on the 3595 appliance; the 3515 supports 1000 TPS as against the 3595, which supports 1500 TPS. This might save you some cost, but additional capacity may be needed in the future. So choose your appliance/VM size for the PSN wisely, based on your current and future needs.
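The sizing arithmetic above, packaged as a small calculator so the 10,000-device scenario and the 10-session and 5-command variants can be rerun with other inputs. This is an added example, not code from the article or from Cisco; the appliance TPS figures (3595: 1500, 3515: 1000) and the 3M logs/day standard-MnT limit are taken from the text, and the assumption that every transaction lands inside the script's run window is what makes the result a peak value.

```python
import math

# Appliance capacities quoted in the article (TPS per PSN).
APPLIANCE_TPS = {"3595": 1500, "3515": 1000}
STANDARD_MNT_LOGS_PER_DAY = 3_000_000  # limit before standard MnT degrades

def transactions_per_session(devices: int, commands: int) -> int:
    # 3 per session (authentication, authorization, session accounting)
    # + 2 per command (command authorization, command accounting),
    # multiplied by the number of devices each session touches.
    return devices * (3 + 2 * commands)

def peak_tps(total_transactions: int, window_minutes: int) -> float:
    # Peak load: all transactions assumed to occur within the run window.
    return total_transactions / (window_minutes * 60)

def psn_count(tps: float, appliance: str) -> int:
    # A fraction of a PSN still means a whole node.
    return math.ceil(tps / APPLIANCE_TPS[appliance])

def size_deployment(devices: int, commands: int, sessions_per_day: int,
                    window_minutes: int, appliance: str = "3595") -> dict:
    per_session = transactions_per_session(devices, commands)
    per_day = per_session * sessions_per_day
    tps = peak_tps(per_day, window_minutes)
    return {
        "transactions_per_session": per_session,
        "logs_per_day": per_day,
        "peak_tps": round(tps),
        "psns": psn_count(tps, appliance),
        "standard_mnt_overloaded": per_day > STANDARD_MNT_LOGS_PER_DAY,
    }

def command_scaling_ratio(devices: int, fewer: int, baseline: int) -> float:
    # How much the per-session transaction count shrinks with fewer commands.
    return transactions_per_session(devices, fewer) / transactions_per_session(devices, baseline)

if __name__ == "__main__":
    # Article scenario: 10,000 devices, 10 commands, 4 sessions/day in 20 minutes.
    print(size_deployment(10_000, 10, 4, 20))
    print(size_deployment(10_000, 10, 10, 20))           # 10 sessions/day
    print(round(command_scaling_ratio(10_000, 5, 10), 2))  # 5 commands vs 10
```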

How to Size ISE Nodes for Maximum Log Retention

Hardware and Software Requirements:

In ISE, the monitoring persona (MnT) is responsible for collecting logs, generating reports and troubleshooting ISE deployments. Based on the logging needs of an enterprise, you can also choose remote syslog servers for log storage.

Tip: Hard disk capacity is relatively inexpensive these days; you can choose up to 2.4TB capacity with ISE MnT. For a 3595 appliance or VM equivalent, you would have 4 x 600-GB 10k SAS HDDs. With RAID 10, the usable HDD capacity comes to 1.2TB. This applies to a standalone ISE deployment with HA or a medium deployment (with 5 PSNs). If you have a fully distributed deployment with independent MnTs and you have log storage requirements due to audit, then do the same.

If you are sizing an ISE VM, please make sure the VM resources are dedicated. If it is a shared environment, then resource reservations should be made available for the ISE VMs so that performance is similar to hardware. Choosing a 3515 or its VM equivalent will get you only 16GB RAM, which is not sufficient to handle large reports, log refreshes, etc. Remember, we are speaking about Device Administration, and logs are a critical part of it; you do not want your helpdesk folks complaining that a log refresh takes a while when they are troubleshooting an issue. So choose your VM sizing wisely. Also dedicate the number of CPU cores for optimum performance based on the hardware appliance.

ISE 2.3 supports the new Policy UI, IPv6 capability for TACACS+, options to include IP ranges in all octets when creating a network device, and import/export of command sets. ISE 2.4 is a more robust version in terms of stability, with superior MnT performance. ISE 2.2 with the latest patch is the recommended stable release. If you are looking for the latest ISE version, move to ISE 2.4 with the latest patch (Patch 5 or above).

Note: ISE 2.4 made significant performance improvements in terms of better process and memory utilization and faster response. So you will see significant improvements in logs, reports and export capability on a standard MnT with 64MB memory.


Step 1: Choose the Hardware (appliance/VM) for ISE MnT and choose the software version for ISE.

If you have specific TACACS+ logging requirements, there are two use cases to consider, based on whether device administration is performed by a human administrator or by an automated script/robot. Logs are collected in the MnT and purged based on the log retention needs and hard disk size. Here is a sample log size calculation per day for these scenarios:

  • Scenario 1: Human administrator managing devices. For example, 50 administrators opening 50 sessions per day with 10 commands/session: Log size per day = 50 * 50 * (5k + 10 * 3k) = 87500KB = 85.4MB per day.
  • Scenario 2: Managing devices using scripted device administration. For example, an automated script that runs against 30K network devices 4 times per day with 10 commands per session: Log size per day = (5K + 10 * 3K) * 30000 * 4 = 4.1GB approx. per day.


Here is a simple chart that relates the log size and log retention based on the parameters mentioned. This will give you an idea of how long you will have the ISE MnT logs before they get overwritten.

[Chart: MnT log size per day and log retention in days versus number of network devices]

Based on the chart above, if your network has 30k network devices, and assuming you generate the same amount of logs as mentioned here, your logs can be retained for 143 days, which is close to 4 2/3 months.
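The per-day log size calculation for the two scenarios, plus a retention estimate, as an added example that is not part of the article. The 5 KB per session and 3 KB per command figures come from the text; the number of gigabytes MnT actually allocates to log storage is not given on the page, so `allocated_log_gb` is an assumed input and the retention figure it yields is illustrative rather than a reproduction of the chart.

```python
import math

# Approximate log sizes used in the article's calculation.
SESSION_LOG_KB = 5   # authentication/authorization/session accounting
COMMAND_LOG_KB = 3   # command authorization + command accounting, per command

def log_kb_per_day(sessions_per_day: int, commands_per_session: int) -> int:
    """Daily TACACS+ log volume in KB for the given session and command counts."""
    return sessions_per_day * (SESSION_LOG_KB + commands_per_session * COMMAND_LOG_KB)

def human_admin_kb_per_day(admins: int, sessions_per_admin: int, commands: int) -> int:
    # Scenario 1: each administrator opens sessions_per_admin sessions a day.
    return log_kb_per_day(admins * sessions_per_admin, commands)

def scripted_kb_per_day(devices: int, runs_per_day: int, commands: int) -> int:
    # Scenario 2: a script opens one session per device on every run.
    return log_kb_per_day(devices * runs_per_day, commands)

def kb_to_mb(kb: float) -> float:
    return kb / 1024

def kb_to_gb(kb: float) -> float:
    return kb / 1024 / 1024

def retention_days(kb_per_day: int, allocated_log_gb: float) -> int:
    """Whole days of logs that fit before MnT purges the oldest records.
    allocated_log_gb is an assumption: the share of MnT disk given to logs."""
    return math.floor(allocated_log_gb * 1024 * 1024 / kb_per_day)

if __name__ == "__main__":
    admin_kb = human_admin_kb_per_day(50, 50, 10)
    print(admin_kb, "KB/day =", round(kb_to_mb(admin_kb), 1), "MB/day")
    script_kb = scripted_kb_per_day(30_000, 4, 10)
    print(script_kb, "KB/day =", round(kb_to_gb(script_kb), 2), "GB/day")
    # Assumed 600 GB of MnT disk reserved for logs (constructed value).
    print("retention:", retention_days(script_kb, 600), "days")
```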

Step 2: Once you have chosen the deployment design, calculated the number of PSNs, and sized the hardware and software for the VM/appliance, the next step is to account for service availability and redundancy across locations. We have seen that you can have different levels of redundancy to help with failure scenarios. We have two options here:

  1. The first option is having a PSN pair for network devices to fail over to at each location or each site/region.
  2. The second is that for every 5 PSNs you can set up 1 or 2 backup PSNs in a central location. Choose the latter, which gives value for the money, but make sure your central-location PSN is not across a slow WAN link. Your network device talks to the PSN via TACACS+, which is a TCP protocol and therefore more reliable across connections, but your scripts may still time out.

Step 3: Placement of PSNs is very important. It is highly recommended that the Active Directory server that authenticates the domain users be co-located with the PSN in the same site. ISE has a robust Active Directory connector; however, we have seen that when Active Directory needs to gather user-related information such as groups, and in certain cases where this is a large blob of data, it takes time for AD to respond to ISE, and the user authentication times out due to this delay. This is more pronounced when the AD authentication server is across a WAN link from the PSN.

Step 4: Now recall the deployment model discussion and choose the appropriate deployment model based on the number of PSNs and the log capacity. If you have scripts generating millions of logs, we recommend a fully distributed deployment with 2 PANs and 2 MnTs. If your logs exceed 3M logs, consider an external log repository. Once you have everything designed, make sure to create a network topology diagram with details on the placement of all ISE nodes and their failover, so that you can visualize it and change it as needed. The next step is configuration.

Step 5: Before that, you need to get the right license for the Device Administration service and for the appliances. For newer deployments, Device Administration requires a node license based on the number of PSNs in the deployment. You need a minimum of 100 Base licenses to get access to the UI and the services. Check out the ISE ordering guide for more information.
