topic ISE VM resource best practices in Network Access Control

ISE VM resource best practices

tostraus — Wed, 11 Jul 2018 12:21:39 GMT

I could use some guidance for ISE VMs. A Partner has a customer who wants to be flexible in how he deploys the VMs in VMware. I would love to talk to someone about best practices vs what is supported. I am a little unclear with the documentation I have read.

Questions they have, just snipping a little of a long detailed e-mail, Partner would love to have a discussion.

Call Bridge VM or Combined VM (Edge + Call Bridge):

Running a single VMWhen running a single virtual machine on a host, one physical core per host must be left unused by apps for ESXi scheduler. With a single VM, it is possible to use hyper-threading to increase the available capacity. In this case the number of available vCPUs is double the number of physical cores in use. So a two socket system which has 20 physical cores will have 19 available to the application. With hyper-threading enabled, 38vCPUs can be used, which should be allocated to the CMS VM, and the other 2 left unused. If an option is available to choose both number of sockets and number of cores per socket, then these should mirror the underlying hardware.

Running multiple VMs co-resident on a single host
When running multiple virtual machine on a single host,

When using VMware 5.5+ with multiple VMs and the Latency Sensitivity feature,

Although not recommended, it is possible to run other VMs alongside the Cisco Meeting Server

VM as long as CPU isolation domains are created to prevent contention.

Re: ISE VM resource best practices

howon — Wed, 11 Jul 2018 20:21:25 GMT

Sharing resources is not supported between ISE and any other guest OS. Also, it is required to enable hyper threading, but you should not count additional CPU as result of HT in terms of allocation. In other words, to get 3595 equivalent specification, you need to dedicate 16 vCore (When HT enabled) and 64GB RAM.

Re: ISE VM resource best practices

Damien Miller — Wed, 11 Jul 2018 20:53:06 GMT

As Howon stated, you don't want to be sharing resources.

VMware lets you over allocate vcpu because they are virtual, they don't really exist, it's an arbitrary number. An example of this would be the ability to assign two vm's 32 vcpu each on a box with only 2 cpu of 4 cores each. The issue you will run in to is when you try and make a CPU MHz reservation. ISE requires either a 12,000 or 16,000 MHz reservation according to the recommendations, this requires 6 or 8 physical cores of at least 2 GHz each. You can't over allocate MHz because there is a physical and finite supply of real compute.

ESXi requires at least part of 1 core for host operations, this will require X Mhz, it also requires memory for the host. The ability to run more VM's and still be in "compliance" with Cisco's ISE recommendations relies on the available resources reservations on the host.

Take this host for example, from the host resource allocation tab we can see that there is room for two more 3595 VM's.

Now take this piece how you want but I don't think anyone recommends it. Cisco "officially" says you can install ISE vm's without the reservations but they leave you with a warning. I can also say that one of the first things TAC will call out is when the resource reservations don't match the recommendations.

"If you choose to deploy Cisco ISE manually without the recommended reservations, you must assume the responsibility to closely monitor your appliance’s resource utilization and increase resources, as needed, to ensure proper health and functioning of the Cisco ISE deployment."

3/4 the way down the page

https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/install_guide/b_ise_InstallationGuide24/b_ise_InstallationGuide24…

in other words, don't run production ISE vm's without the reservations.

Re: ISE VM resource best practices

tostraus — Wed, 11 Jul 2018 21:04:05 GMT

Thanks for the info!