CEPM Capacity Planning Guide V3.3.1.0
Distributed Architecture Deployment

Table Of Contents

Scenario 1: Distributed Architecture Deployment

Shared-PAP and Shared-entitlement-repository

Shared-PAP only


Scenario 1: Distributed Architecture Deployment


The distributed architecture deployment model is supported by the Cisco Enterprise Policy Manager (CEPM) with a loosely coupled architecture that allows Policy Administration Points (PAPs) and Policy Decision Points (PDPs) to be distributed over a wide area network (WAN). Policy changes configured at the PAP are propagated to the PDPs through various protocols. Administrators can log in to the PAPs and the entitlement infrastructure transparently handles policy propagation across geographies.


Note: CEPM supports a rich entitlement policy model. The sizing estimates described here are based on the complexity of the policies being resolved.

Users: 50,000 users with 5,000 concurrent queries.

Resources: 1,000 hierarchical resources each with multiple actions.

Latency required: User-level queries must return role- and rule-based decisions in less than 0.2 seconds per query.

Distribution: Four target production sites (Asia, Europe, Australia, and the United States) in a distributed architecture. For the workload described in this chapter, the PDP in the United States must be deployed over four servers, and the PDPs in Asia and Europe must be deployed over two servers each. Because the PAP is not involved in critical-path decisions, it can be deployed as a cluster of two servers for high availability.
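The following sizing helper is an added example and is not part of the Cisco guide. It applies Little's law (in-flight queries = throughput x latency) to the workload figures above, so that the guide's concurrency and latency targets can be turned into a sustained decision rate per PDP server and compared with a measured per-server capacity. The per-site workload shares, the 5,000 decisions/s per-server capacity, and the 30% headroom are constructed assumptions chosen for illustration; only the concurrency, latency and server counts come from the guide. The Australian site is not sized in the text, so it is left out of the constructed share table.

```python
"""PDP sizing helper for the CEPM workload above (added example, not
from the Cisco guide). Little's law: concurrent = throughput * latency."""

import math

# Workload figures from the guide.
CONCURRENT_QUERIES = 5_000
LATENCY_TARGET_S = 0.2

# PDP server counts stated in the guide.
PDP_SERVERS = {"United States": 4, "Asia": 2, "Europe": 2}

# Constructed assumption: share of concurrent queries arriving at each site.
SITE_SHARE = {"United States": 0.5, "Asia": 0.25, "Europe": 0.25}


def required_throughput(concurrent: int, latency_s: float) -> float:
    """Decisions/s the whole PDP tier must sustain to keep `concurrent`
    queries in flight while each completes within `latency_s`."""
    if latency_s <= 0:
        raise ValueError("latency must be positive")
    return concurrent / latency_s


def per_server_load(concurrent, latency_s, servers, shares):
    """Decisions/s each PDP server carries, per site, at steady state."""
    if abs(sum(shares.values()) - 1.0) > 1e-9:
        raise ValueError("site shares must sum to 1")
    total = required_throughput(concurrent, latency_s)
    return {site: total * shares[site] / servers[site] for site in shares}


def load_after_failure(concurrent, latency_s, servers, shares):
    """Per-server load at each site if one server in that site's PDP
    cluster is lost; the survivors must absorb the full site share."""
    total = required_throughput(concurrent, latency_s)
    return {
        site: (total * shares[site] / (servers[site] - 1)
               if servers[site] > 1 else math.inf)
        for site in shares
    }


def servers_needed(site_qps, capacity_qps_per_server, headroom=0.3):
    """Minimum servers for a site so steady-state utilisation stays below
    (1 - headroom) of the measured per-server capacity."""
    usable = capacity_qps_per_server * (1 - headroom)
    return max(1, math.ceil(site_qps / usable))


def sizing_report(capacity_qps_per_server, headroom=0.3):
    """Compare the guide's server counts against a measured capacity.
    Returns {site: (steady_load, load_if_one_fails, servers_needed, ok)}."""
    total = required_throughput(CONCURRENT_QUERIES, LATENCY_TARGET_S)
    steady = per_server_load(CONCURRENT_QUERIES, LATENCY_TARGET_S,
                             PDP_SERVERS, SITE_SHARE)
    degraded = load_after_failure(CONCURRENT_QUERIES, LATENCY_TARGET_S,
                                  PDP_SERVERS, SITE_SHARE)
    report = {}
    for site in SITE_SHARE:
        need = servers_needed(total * SITE_SHARE[site],
                              capacity_qps_per_server, headroom)
        # "ok" means the stated count meets the headroom target and a
        # single-server loss still fits within raw capacity.
        ok = (PDP_SERVERS[site] >= need
              and degraded[site] <= capacity_qps_per_server)
        report[site] = (steady[site], degraded[site], need, ok)
    return report


if __name__ == "__main__":
    # Constructed assumption: a PDP server measured at 5,000 decisions/s.
    for site, row in sizing_report(5_000).items():
        print(f"{site:14s} steady={row[0]:7.1f}/s "
              f"one-down={row[1]:7.1f}/s need={row[2]} ok={row[3]}")
```

With the constructed shares, 5,000 concurrent queries at 0.2 s require 25,000 decisions/s in total and 3,125 decisions/s per server at every site. The headroom term is what turns a steady-state figure into a deployable count: losing one of the four United States servers pushes the survivors to about 4,167 decisions/s, and losing one of two Asian servers doubles the remaining server's load, which is the case to test before trusting a two-node site.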


A Distributed Architecture in CEPM can be achieved in one of the following ways:

Shared-PAP and Shared-entitlement-repository

Shared-PAP only

Shared-PAP and Shared-entitlement-repository

In this scenario, the PDPs are distributed, but all of the PDPs share a common entitlement repository with the PAP. The entitlement repository is typically a database co-hosted in the same data center as the PAP. This option eases management because the entitlement data is not replicated across multiple environments. The PDPs also do not need a separate communication channel with the PAP for policy update notifications, because those can be handled at the database level.

Figure 1-1 Shared-PAP and Shared-entitlement-repository

Shared-PAP only

In the shared-PAP-only deployment model, the entitlement repository is managed in a replicated fashion across geographies. Policy changes are communicated from the PAP to the PDPs using database-level replication.

Database-level replication is transparent to CEPM. In this approach, a custom or pluggable persistence layer can be introduced that handles database replication without the involvement of any CEPM components. This approach is useful when you apply proprietary data replication algorithms and technologies to manage entitlement data. Figure 1-2 depicts a database-level replication deployment:

Figure 1-2 Database-level Replication Deployment