cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
3360
Views
21
Helpful
9
Replies

Cisco ISE Licensing

atiye.bigdeli
Level 1
Level 1

Hi.

I want to buy license for Cisco ISE. I searched and found 3 different part number for Cisco ISE Virtual Machines:

small, medium and large. 

I dont know  shoud I order icense according to VM size or the Session counts?

 

best regard

3 Accepted Solutions

Accepted Solutions

Damien Miller
VIP Alumni
VIP Alumni

If you do not already have ISE deployed then the licenses sizes you order will depend on the deployment specifics, session count and the VM resources required. From there you have to break it down based on the scaling requirements. 

 

For small deployments up to 7500 active sessions you could utilize the small 3515 vm templates and licenses.

For deployments greater than 7500 active sessions you would require medium 3595 vm templates licenses. 

 

The number of VM's will also be determined by the requirements to surpass 20,000 active endpoints or if there is a requirement to have more than 5 PSN nodes. Beyond 20,000 endpoints you must run the admin and monitoring personas on dedicated nodes.

 

With ISE 2.4 the license requirements would be as follows;

  • R-ISE-VMS-K9= - A VM with up to12 vCPU and 16 GB RAM (typical 3515 spec 12 vcpu and 16 GB RAM)
  • R-ISE-VMM-K9= - A VM between 13 and 16 vCPU and 64 GB RAM (typical 3595 spec 16 vcpu 64 GB RAM)
  • R-ISE-VML-K9= Cisco ISE Virtual Machine Large At least 16 CPU and 256 GB RAM (Large 3595 VM, currently only applicable if you deploy two "super MNT" nodes)

 

So as Clark just mentioned, if you provide further deployment details, we could help you select the appropriate licensing.  If you already have an ISE deployment and bought VM licensing in the past, then the BU will be able to migrate those.  

 

The links in google no longer work with the board migration this past week.  Here is the scaling guide if this will be a new ISE deployment.
https://community.cisco.com/t5/security-documents/ise-performance-scale/ta-p/3642148

View solution in original post

Just noted 2 below points :

1) Licenses are counted against concurrent, active sessions.

2) Licenses are released for all features when the endpoint's session ends.

 

If you new to ISE, deploy your ISEv first and go with 90 days evaluation then look at Administrator -> System -> License to find out your usage. Specially in ISE the features you are using has immediate impact on your license usage.

 

And here is the updated doc for your original questions,https://www.cisco.com/c/dam/en/us/products/collateral/security/identity-services-engine/guide_c07-656177.pdf

Hamid

View solution in original post

That depends on the client. I like to use a 1/2/5 rule of thumb where a 1x type of client would be a wired/vpn client. A 2x would represent a laptop on wireless (some roaming) and a 5x would be a mobile device on wireless (this because of the behavior of these devices with respect to lots of roaming and wake/sleep cycles). So, if the node says it supports 20k endpoints, that would be 20k on wired/vpn, 10k (laptops) on wireless and 4k mobile devices (think iPad, Android, mobile phones). It really depends on how chatty an endpoint is. You have to coonsider that with 802.1x in wireless (without a key caching mechanism) each roam requires a full authentication. In 802.1x the encryption is between the endpoint and the currently connected access point. The encryption keys are derived from the authentication in 802.1x. So, every roam to a new AP requires a full auth. These appliances/VMs are spec to a maximum concurrent endpoint count. (Your mileage may vary but will be close to my statement).

View solution in original post

9 Replies 9

cgambrel
Cisco Employee
Cisco Employee
Sure, I will try to help. Can you tell me a little more about your deployment? The new licenses came into effect for the 2.4 version. The small is equivalent to a 3515 physical appliance, the medium is the 3595 appliance and the large is more for like “super MnT”.

Hi

thank you so much 

I dont want to use SNS appliances and need the informations about VMware installation and their licenses.

I read the documents and found that the license for different VMware deployment size differs. 

My network has 300 client, I dont know each licenses are suitable for how many of session.

 

Best regard

Look at your OVA filename that you deployed to find out what you installed. Then request license based on that which is Small, Medium or Enterprise.

Hamid

Damien Miller
VIP Alumni
VIP Alumni

If you do not already have ISE deployed then the licenses sizes you order will depend on the deployment specifics, session count and the VM resources required. From there you have to break it down based on the scaling requirements. 

 

For small deployments up to 7500 active sessions you could utilize the small 3515 vm templates and licenses.

For deployments greater than 7500 active sessions you would require medium 3595 vm templates licenses. 

 

The number of VM's will also be determined by the requirements to surpass 20,000 active endpoints or if there is a requirement to have more than 5 PSN nodes. Beyond 20,000 endpoints you must run the admin and monitoring personas on dedicated nodes.

 

With ISE 2.4 the license requirements would be as follows;

  • R-ISE-VMS-K9= - A VM with up to12 vCPU and 16 GB RAM (typical 3515 spec 12 vcpu and 16 GB RAM)
  • R-ISE-VMM-K9= - A VM between 13 and 16 vCPU and 64 GB RAM (typical 3595 spec 16 vcpu 64 GB RAM)
  • R-ISE-VML-K9= Cisco ISE Virtual Machine Large At least 16 CPU and 256 GB RAM (Large 3595 VM, currently only applicable if you deploy two "super MNT" nodes)

 

So as Clark just mentioned, if you provide further deployment details, we could help you select the appropriate licensing.  If you already have an ISE deployment and bought VM licensing in the past, then the BU will be able to migrate those.  

 

The links in google no longer work with the board migration this past week.  Here is the scaling guide if this will be a new ISE deployment.
https://community.cisco.com/t5/security-documents/ise-performance-scale/ta-p/3642148

Thank you so much for you help and answer, I found the my answer.

Can you tell me how can I calculate the number of session that about 300 client generate?

Just noted 2 below points :

1) Licenses are counted against concurrent, active sessions.

2) Licenses are released for all features when the endpoint's session ends.

 

If you new to ISE, deploy your ISEv first and go with 90 days evaluation then look at Administrator -> System -> License to find out your usage. Specially in ISE the features you are using has immediate impact on your license usage.

 

And here is the updated doc for your original questions,https://www.cisco.com/c/dam/en/us/products/collateral/security/identity-services-engine/guide_c07-656177.pdf

Hamid

Thanks so much

best regard

That depends on the client. I like to use a 1/2/5 rule of thumb where a 1x type of client would be a wired/vpn client. A 2x would represent a laptop on wireless (some roaming) and a 5x would be a mobile device on wireless (this because of the behavior of these devices with respect to lots of roaming and wake/sleep cycles). So, if the node says it supports 20k endpoints, that would be 20k on wired/vpn, 10k (laptops) on wireless and 4k mobile devices (think iPad, Android, mobile phones). It really depends on how chatty an endpoint is. You have to coonsider that with 802.1x in wireless (without a key caching mechanism) each roam requires a full authentication. In 802.1x the encryption is between the endpoint and the currently connected access point. The encryption keys are derived from the authentication in 802.1x. So, every roam to a new AP requires a full auth. These appliances/VMs are spec to a maximum concurrent endpoint count. (Your mileage may vary but will be close to my statement).

You should really be working with experienced partner and local sales team on what to install as they should help with design

For 300 endpoints you can run a small VM. 1 box will run tour while network

Another VM for HA
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: