
ISE Distributed Deployment Licensing

fatalXerror
Level 5

Hi Guys,

I have an ISE distributed deployment and I want to replace one of its PSNs. Do I still need to re-host the license for that PSN?

Thanks

Accepted Solution

hslai
Cisco Employee

No, unless the PSN is also acting as a PAN. The ISE licensing is based on the UDI of the primary PAN and, optionally, that of the secondary PAN, in case the secondary PAN is promoted to primary.


Hi @hslai,

But what if I want to add a PSN in my distributed deployment, still no need for additional license?

Thanks

Adding additional PSN nodes only requires additional licensing if you are using virtual machines for ISE. If you are using physical SNS appliances then there are no node licensing requirements.

If you are using VMs for ISE, then you are supposed to purchase an ISE VM license per node. They come in three sizes.
ISE-VMS-K9= - Small
ISE-VMM-K9= - Medium
ISE-VML-K9= - Large

Hi @Damien Miller,

Thanks for replying.

Because I have a situation right now that the appliance will need to be changed into a VM. Technically, my PANs are running in VM but the PSN are running in appliance. Meaning if I change my PSN from appliance to VM, I need those licenses?

Thanks

So what hslai posted still holds true: if you are not replacing the PANs, then your existing licensing will remain.

When you decommission the physical appliance (PSN) and replace it with a VM PSN, you are supposed to buy a VM node license that matches the size you deploy.





Hi @Damien Miller

Thanks for the feedback.

Yes, the PAN which is currently running as a VM will not be replaced, but we will replace the PSN running on an appliance and make it a VM.

So I need to buy a separate license for my PSN? The existing license which is installed in the PAN will not suffice?

Thanks

You are supposed to purchase a VM license per virtual node you deploy. There is no enforcement of this today but I would not count on that being the case in the future. In 2.4 you receive licensing out of compliance warnings when you don't have enough VM node licenses installed.

The existing base, plus, apex endpoint licensing is not related to node type or count. They will remain in your case.

Hi @Damien Miller,

Sorry but I am still a bit confused.

I thought the PAN is the one governing the license, right? Since the PAN is a VM already and will not be replaced, I still do not get why the PSN needs a license?

Thanks

Primary PAN is where we import licenses for the deployment. Since ISE 2.4, VM licenses should match the VM sizes and numbers in the deployment. Yuval explained the licensing changes at ISE License Evolution Starts NOW (updated)

Hi @hslai,

I raised a TAC case for this and they told me there is no need for a VM license since my administration node will govern the licenses. I also told the TAC that I will be upgrading from an older ISE version to 2.4 and changing my PSN from hardware to VM.

What will happen if I don't load the VM license? Thanks

For ISE 2.4 and 2.6, we will receive only alarms and notifications when not enough VM licenses are allocated to an ISE deployment, but there is no enforcement of VM licenses. This could change in the future.