Cisco ISE License Query

sondevi
Cisco Employee

Hi Team,

In the CU environment, there are 8 ISE nodes (version 2.4) in a distributed deployment: two PAN+MnT (primary PAN + secondary MnT) and the remaining six are used as PSNs. Out of the six PSNs, one node is isolated (it has an evaluation license now) for testing and finalizing the configuration. All the configuration has been done and tested on the isolated standalone node, and I want to use it as PAN+MnT and register all nodes one by one from the distributed deployment, including the existing PAN+MnT node. My query is regarding the licenses used by the existing PAN node: can I use the same license (Base + Device Admin only) now on the isolated node (planned to be set as the primary admin node) and go further as mentioned above to migrate all nodes? I have PAK files generated from the Cisco license tool, so the license is bound to the existing ISE HW. Will there be any issue if I use it with another node, or should it work fine?

1 Accepted Solution

Damien Miller
VIP Alumni

I'll point something out right off the bat. The hybrid shared PAN/MNT deployment model is only certified for up to 5 PSNs. In the case of the 8 node deployment you describe, it's technically not supported (but runs). If you want to run 6 PSNs, you are supposed to run the PAN and MNT roles on their own servers, making it a 10 node deployment (with PAN/MNT HA).

The licenses on the standalone node will be shared with any nodes you join to the deployment. I would recommend rehosting them to include the UDI of the secondary admin node though. Since you did this via the Cisco licensing portal, you can rehost them and add the second admin node, or change the primary without involving TAC.


Select the licenses and then from the drop-down select rehost.

Thanks for the quick reply on the license query. That is the same thing I was looking for.
With 6 PSN nodes in the deployment, it is working fine as of now in the CU environment without any issue. Is it supported by TAC, or will it cause any issue at a later stage?

As Damien said, only 5 PSNs in that deployment are supported. TAC won't support adding a 6th PSN if you run into performance scaling issues.

Hi Damien,
Describing the CU environment more specifically:
Eight ISE HW 3595 / OS 2.4 in a distributed deployment: there are 8 nodes, 2 PAN+MnT (1 node – Primary PAN & Standby MnT, 1 node – Secondary PAN and primary MnT), and the remaining six are dedicated PSN nodes. The CU is using only the TACACS services.
1> In the case of TACACS, is the 20K endpoint limit applicable even though the Device Admin license is uncounted? That is, is the session count limited even when only TACACS features are used?
2> If 2 PAN+MnT (1 node – Primary PAN & Standby MnT, 1 node – Standby PAN and primary MnT) are used, is it still counted as shared PAN and MnT services? If yes, can a 6th PSN node create any technical issues in the network, or is it just not documented and so can't be used?

As stated before, a 6th PSN is not supported.

1> In the case of TACACS, is the 20K endpoint limit applicable even though the Device Admin license is uncounted? That is, is the session count limited even when only TACACS features are used?
Endpoint counts only apply to RADIUS. TACACS cares about the number of Network Access Devices and TPS.
I would suggest looking at the Cisco Live slides about this as well and listening to the recording.
https://community.cisco.com/t5/security-documents/ise-performance-amp-scale/ta-p/3642148
Look at the training section under sources.