
Cisco ISE deployment for device administration only

mbolano
Level 1

Dear Community, I'm designing an ISE deployment for a regional company that has a big amount of network devices, which they want to administer using the TACACS+ protocol. They want HA by installing 2 servers in 2 different locations separated by 200 km. I've thought to implement ISE with 2 Policy Service Nodes (PSN), mounted over a virtual appliance running on 2 physical servers, one at each location, because the user wants Device Administration only. My questions for you are:

1- Can 2 PSN be deployed and work in HA without installing a Primary (and Secondary) Administration Node (PAN) and/or Monitoring Node (MnT)?

2- If the 2 PSN are implemented, I know that 2 Device Admin licences are needed; however, I'm not sure how many virtual machine licenses I must buy for both PSN. I mean, is buying just one VM licence enough, so that it can be installed twice (on each server), or do I need to provide 2 VM licences, one for each server?

3- If we are going to deploy just PSN, what about the endpoint licences? We need 50,000 sessions. Do we need to buy licenses for those endpoints?

 

I'll be very glad if you can help me with this issue.

 

Best regards

3 Replies

Hi @mbolano ,

1st each ISE Deployment MUST have:

1. at least one PAN

2. at least one MnT

3. one or more PSN

Note: all these Personas may be in one Standalone Node (PAN + MnT + PSN)

2nd if you have 'X' Nodes then you need 'X' VM Common Licenses

3rd ISE License Consumptions are based on Active Sessions. That is, any Endpoint without an Active Session is not counted !!!

Please take a look at: Performance and Scalability Guide for ISE

 

Hope this helps !!!

Hi Marcelo, thank you so much for your response, it has cleared most of my
doubts, but in my case we want HA, and we have 2 physical servers, and as
you mention we can deploy a standalone node with 3 personas, PAN, MnT & PSN.
Could we deploy 2 nodes with those 3 personas for HA? If yes, how many VM
licenses must we buy, 2 VM licenses?

Our need (currently) is Network Device Administration using TACACS+ with HA
by deploying 2 nodes located geographically separated. Is that possible?

Finally, I'm trying to create an estimate on CCW, I need to be sure of the
required licenses.

Then licensing should be like:

1 subscription license
1 essentials license? (Or 2 essentials lic)?
2 VM licenses
2 Device Admin licenses
Service support

Right?

Best regards

Mario Bolaño



Hi @mbolano ,

Yes, it is the Small Deployment (2-Node Deployment: one Node as Primary and the other Node as Secondary for redundancy).

 Please take a look at ISE Data Sheet:

[Image: LicensePackages.png]

 

For TACACS+, a Device Admin license is required for each ISE PSN running TACACS+ service (in your case ... 2). Device Administration using TACACS+ does not consume Endpoints, and there is no limit on Network Devices for Device Administration. The User does not require an Essentials license.

 

Note: for RADIUS, Essential, Advantage and Premier are Subscription licenses, and ISE License Consumptions are based on Active Sessions. That is, any Endpoint without an Active Session is not counted !!!

 

Hope this helps !!!