
Benefit of upgrading to 2.6 instead of 2.4 - vCPU costs?

Madura Malwatte
Enthusiast

Trying to decide for my customer the benefit of upgrading to 2.6 instead of 2.4. They are currently on 2.2. I am trying to see if the benefits outweigh the extra VM resourcing requirements (2.6 uses extra vCPU which comes at an increased cost).

I understand that 2.6 is the recommended, and the new features with IoT this customer won't be using. Is there any other real benefit with going to 2.6 which would outweigh the extra vCPU costs?

7 Replies

Damien Miller
VIP Advisor
You can run 2.6 on the 3515 and 3595 templates that 2.4 was introduced alongside. The only caveat is that you don't get to take advantage of the 36x5 template scale, you remain with the same scale you had on 2.4/35x5 templates.

One thing I'll note, it's recommended to run 300 GB minimum hard disk for any dedicated PSNs in 2.6+. This means you will have to deploy nodes from the ISO, or modify the deployed OVA resources back to a 35x5 memory/CPU.

So being on 2.2, if you have any dedicated nodes, just ensure you're 300gb +.

Hi @Damien Miller thanks for your response. Is the 300 GB min hard disk for dedicated PSNs the official recommendation from Cisco? There is no mention of this as the minimum requirement. The OVA file for PSN on version 2.6 to download mentions 200 GB and so does the documentation - https://www.cisco.com/c/en/us/td/docs/security/ise/2-6/install_guide/b_ise_InstallationGuide26/b_ise_InstallationGuide_26_chapter_01.html

Can you please clarify the reason for 300GB hard disk minimum for PSN?

It looks like Cisco has flip-flopped on this again. The admin guide has been changed again to reflect 200 GB minimum. For the last six months they listed 300 GB as the minimum dedicated node disk in the install guide chart.

There is still a warning listed here:
https://www.cisco.com/c/en/us/td/docs/security/ise/2-6/upgrade_guide/b_ise_upgrade_guide_26/b_ise_upgrade_guide_26_chapter_01.html
"Cisco ISE, Release 2.4 and later requires a minimum disk size of 300GB for virtual machines as the local disk allocation is increased to 29GB."


If you deploy the recommended OVAs found on cisco.com downloads, the smallest is 600 GB. Many people have had issues with 200 GB PSNs with 2.2 and 2.4 nodes. Each time a patch is installed, more of the disk space is consumed for required patch and rollback files. The problem that this has caused is when you go to do an inline upgrade, the patch files have consumed too much of the disk, and the next upgrade fails because there is not enough disk space. It's been an issue with 2.2 and 2.4 because the life space of these releases has resulted in a lot of patch files. If you install each patch, then you use more disk space each time.


Greg Gibbs
Cisco Employee

There are various reasons to consider upgrading the VM specs to meet the 36xx platforms and using 2.6 including:

  1. Increased scale - ISE 2.6 with 36xx specs can support more sessions per PSN; potentially allowing you to use fewer PSN nodes
  2. Increased performance - ISE 2.6 introduces some performance improvements (like the Lite Session Directory). You should also see performance improvements from the increased CPU/Memory resources.
  3. Lifecycle longevity - ISE 2.4 was released in March 2018. By the general lifecycle support guidelines, you will likely see the End of Software Maintenance announced around the time of the next ISE release with another 8-12 months of software maintenance releases. ISE 2.6 was released Feb 2019, so you'll have a longer support lifecycle.

Cheers,

Greg

Hi @Greg Gibbs thanks for the response. I think longevity case is a good one.

Madura Malwatte
Enthusiast

Hi @Damien Miller @Greg Gibbs 

Another question, besides not getting template scale is there a downside to having ISE 2.6 VMs spec'd the same as the 35xx? Will this cause problems later on (in 6-18 months' time) with new patches or a new version of ISE, where it won't support 35xx spec'd VMs? I am just trying to think ahead while also keeping to the compute budget.

Can we have PSNs spec'd with 35xx in the same deployment with PAN/MnT spec'd for 36xx appliances?

No, there wouldn't be an issue with this. Assuming the 35x5 appliances go end of life, changing a VM template is easy. You can shut down an ISE VM, add vCPU and memory, then boot it back up. The only piece you can't adjust without reinstalling is the disk space.

There is no issue mixing appliance sizes in a deployment, the only consideration is if you had mixed sizes behind the same load balancer. Scaling depends on PAN/MNT templates, and then PSN templates, the lower being the accepted value.

If you had a physical appliance SNS 35x5, there is an end-of-life announcement posted, but 2.6 will run and is supported on 35x5 VM templates until it itself goes end of life.
https://www.cisco.com/c/en/us/products/collateral/security/identity-services-engine/eos-eol-notice-c51-742122.html