topic ISE VM Requirements clarification in Network Access Control

ISE VM Requirements clarification

erigglem — Wed, 02 Jan 2019 19:48:38 GMT

Team, I'm looking for clarification on the virtual machine CPU requirements for ISE

The ISE 2.4 installation guide states the following as CPU requirements for Medium Virtual Appliance:

Production

Clock Speed—2.0 GHz or faster
Number of Cores

SNS 3500 Series Appliance:
- `Medium—16 processors (8 cores with hyperthreading enabled

But later in the document it says:

Table 3. VM Appliance Specifications for a Production Environment

Platform

Medium VM Appliance (based on SNS-3595)

Processor

8 total cores (at 2.0 GHz or above) or a total minimum CPU allocation of 16000 MHz.

Note

You must enable hyperthreading and assign the resulting number of logical processors (16) to each server.

The "OR" in the above table is what is confusing.

Question: If the host is running 3.0Ghz clock-speed procs, will TAC support them if they run only 6 cores to achieve the >16000Mhz CPU reservation? This would contradict the core-count requirement of 8 total cores in the red-highlighted section above.

Re: ISE VM Requirements clarification

kthiruve — Wed, 02 Jan 2019 21:35:26 GMT

Hi,

This is a great question. In general when using multithreaded application more cores is better. Here is a reference article I found that would explain how it works.

https://create.pro/blog/cores-faster-cpu-clock-speed-explained/

I think this is a bug in the documentation. I will reach out to the relevant team.

Thank you for pointing this out.

-Krishnan

Re: ISE VM Requirements clarification

paul — Wed, 02 Jan 2019 21:44:54 GMT

The hyper threading thing is just confusing because it has nothing to do with the VM setup itself. If you load up the new OVAs Cisco provide a 3515 will be provisioned with 12 CPUs and 12,000 MHz of reservations and the 3595 will be setup with 16 CPUs and 16,000 MHz of reservations.

Now if the ESX host server has hyper threading enabled the 12 CPUs will only consume 6 CPUs and the 16 CPUs will only consume 8 CPUs, but this has absolutely nothing to do with the VM itself. The VM will always think it has 12 or 16 CPUs.

Re: ISE VM Requirements clarification

erigglem — Wed, 02 Jan 2019 21:45:34 GMT

Thanks Krishan - can you please reply back when you receive an answer from the relevant team? Much appreciated.

Re: ISE VM Requirements clarification

paul — Wed, 02 Jan 2019 21:47:07 GMT

Also, if you don't put the right number of CPUs in the VM, ISE won't detect the platform correctly and allocate resources. That was the whole issue with the OVAs since 2.2. The OVAs had the wrong number of CPUs causing ISE to not detect the correct platform.

Re: ISE VM Requirements clarification

Jason Kunst — Wed, 02 Jan 2019 21:54:16 GMT

Recommend looking at the performance and scale cisco live for deep details as well

https://community.cisco.com/t5/security-documents/ise-training/ta-p/3619944#toc-hId-1281981443

Re: ISE VM Requirements clarification

hslai — Thu, 03 Jan 2019 05:09:11 GMT

VMware ESXi - More cores or faster cores? : vmware is a good read. Certain tasks in ISE are more CPU-bound; e.g. massy re-profiling and during ISE service initialization. Best to monitor the work loads of various ISE nodes and adjust accordingly.

Re: ISE VM Requirements clarification

taasai — Mon, 29 Jul 2019 09:11:26 GMT

Hi, Have you gotten any updates about this? I run into the same question.

Re: ISE VM Requirements clarification

Damien Miller — Mon, 29 Jul 2019 15:40:19 GMT

Regardless of a follow up from Krishnan, I will say that you're going to want the correct number of vCPU/cores regardless of the MHz you configuration provides. The reason being is that the platform profile (3515 - 3695) won't be allocated correctly if the VM doesn't meet the template. ISE could boot up with a base/default/platform profile. From a VMware perspective, you are hard allocating between 12,000 and 24,000 Mhz now depending on the vm template. How many cores you assign is irrelevant to VMware, the vcpu is an entirely logical construct that you can over allocate, you cannot however over allocate the finite MHz reservations.

Licensing also looks at the vCPU mapping and memory in order to determine if you are licensed correctly, this might be less of an issue since reducing the number of cores should be covered by the larger license still.

I would however go out on a limb here and say that the physical appliances perform better than VM's for the sole reason that they are not bound to the VM reservation limit. The Cisco OVA templates have both a 12,000-24,000 MHz reservation, but they also have the exact same limit set. A 3595 had a single CPU with 8 x 2.6 GHz cores, this meant the physical appliance had 20800 MHz available, while our VM's only had 16,000 Mhz.

Re: ISE VM Requirements clarification

paul — Mon, 29 Jul 2019 16:52:01 GMT

Just a quick correction Damien. Cisco has removed the CPU max limit from their OVAs and admitted that it was a mistake to have those in there in the first place. 16,000 MHz is reserved for a 3595 but no upper limit. So the system can use more if needed.

Re: ISE VM Requirements clarification

Damien Miller — Mon, 29 Jul 2019 16:54:33 GMT

That's good to know, makes a lot more sense. Haven't deployed a new OVA myself in a while.