Beginner

Cisco ISE Licensing

Hi.

I want to buy a license for Cisco ISE. I searched and found 3 different part numbers for Cisco ISE Virtual Machines:

small, medium and large.

I don't know, should I order the license according to VM size or the session count?

Best regards

Cisco Employee

Sure, I will try to help. Can you tell me a little more about your deployment? The new licenses came into effect for the 2.4 version. The small is equivalent to a 3515 physical appliance, the medium is the 3595 appliance and the large is more for like “super MnT”.

Hi

Thank you so much.

I don't want to use SNS appliances and need information about VMware installation and their licenses.

I read the documents and found that the license differs for different VMware deployment sizes.

My network has 300 clients; I don't know how many sessions each license is suitable for.

Best regards

Look at your OVA filename that you deployed to find out what you installed. Then request a license based on that, which is Small, Medium or Enterprise.

Hamid

VIP Advisor

If you do not already have ISE deployed then the license sizes you order will depend on the deployment specifics, session count and the VM resources required. From there you have to break it down based on the scaling requirements.

For small deployments up to 7500 active sessions you could utilize the small 3515 vm templates and licenses.

For deployments greater than 7500 active sessions you would require medium 3595 vm templates and licenses.

The number of VMs will also be determined by the requirements to surpass 20,000 active endpoints or if there is a requirement to have more than 5 PSN nodes. Beyond 20,000 endpoints you must run the admin and monitoring personas on dedicated nodes.

With ISE 2.4 the license requirements would be as follows:

  • R-ISE-VMS-K9= - A VM with up to 12 vCPU and 16 GB RAM (typical 3515 spec 12 vcpu and 16 GB RAM)
  • R-ISE-VMM-K9= - A VM between 13 and 16 vCPU and 64 GB RAM (typical 3595 spec 16 vcpu 64 GB RAM)
  • R-ISE-VML-K9= - Cisco ISE Virtual Machine Large, at least 16 CPU and 256 GB RAM (Large 3595 VM, currently only applicable if you deploy two "super MNT" nodes)

So as Clark just mentioned, if you provide further deployment details, we could help you select the appropriate licensing. If you already have an ISE deployment and bought VM licensing in the past, then the BU will be able to migrate those.

The links in Google no longer work with the board migration this past week. Here is the scaling guide if this will be a new ISE deployment.
https://community.cisco.com/t5/security-documents/ise-performance-scale/ta-p/3642148

Thank you so much for your help and answer, I found my answer.

Can you tell me how I can calculate the number of sessions that about 300 clients generate?

Just noted the 2 points below:

1) Licenses are counted against concurrent, active sessions.

2) Licenses are released for all features when the endpoint's session ends.

If you are new to ISE, deploy your ISEv first and go with the 90-day evaluation, then look at Administrator -> System -> License to find out your usage. Especially in ISE, the features you are using have an immediate impact on your license usage.

And here is the updated doc for your original questions: https://www.cisco.com/c/dam/en/us/products/collateral/security/identity-services-engine/guide_c07-656177.pdf

Hamid

Thanks so much

Best regards

That depends on the client. I like to use a 1/2/5 rule of thumb where a 1x type of client would be a wired/vpn client. A 2x would represent a laptop on wireless (some roaming) and a 5x would be a mobile device on wireless (this is because of the behavior of these devices with respect to lots of roaming and wake/sleep cycles). So, if the node says it supports 20k endpoints, that would be 20k on wired/vpn, 10k (laptops) on wireless and 4k mobile devices (think iPad, Android, mobile phones). It really depends on how chatty an endpoint is. You have to consider that with 802.1x in wireless (without a key caching mechanism) each roam requires a full authentication. In 802.1x the encryption is between the endpoint and the currently connected access point. The encryption keys are derived from the authentication in 802.1x. So, every roam to a new AP requires a full auth. These appliances/VMs are spec'd to a maximum concurrent endpoint count. (Your mileage may vary but will be close to my statement).

You should really be working with an experienced partner and local sales team on what to install, as they should help with design.

For 300 endpoints you can run a small VM. 1 box will run your whole network.

Another VM for HA.