Cisco ISE Redesign and Licensing

Cobhamuser1
Level 1

Hi

I currently have a distributed ISE deployment.

An ADMIN VM in a data centre

A monitoring VM in another data centre

I am considering expanding this, to include a PSN layer, as the size of the deployment has grown. I have a 5000 user base for each of my separate deployments.

Potentially x2 PSNs at each DC but I am not sure of the licensing model required.

Firstly, will the separate PSN layer improve performance? I am assuming it will but I need to sell it to management. What are people's experiences and thoughts?

Secondly from a licensing point of view how does this work? When I read around this, it would appear that the licensing is based on endpoints?

Does this mean I can create the extra PSNs? Do I need to separately license them or are they covered under a wider endpoint license? What license would I need if they are to be separately licensed?

Thirdly, is there any value in moving the service behind load balancers? Specifically, F5.

Thanks

Simon

Accepted Solution

Damien Miller
VIP Alumni
Licensing is based on the number of active endpoints (individual MAC addresses), the features being used to authenticate/authorize them, as well as VM licenses if you are using virtual appliances for your nodes. To deploy more VMs you're supposed to buy additional VM licenses.

In large deployments there is great value in moving the PSNs behind load balancers. It simplifies NAD configuration; for your case, I wouldn't recommend introducing the added layer of complexity.

With ISE 2.4, you can support up to 20k active endpoints with a two node 3595 deployment, PAN/MNT/PSN on one node, and PAN/MNT/PSN on the other. This would allow for up to 20k endpoints in an HA fashion, one node could go down, and services would still be up. In ISE 2.6, it will be possible to run up to 50k active endpoints in a two node HA deployment with the 3695 appliances.

Expanding your deployment beyond two nodes would probably go unnoticed by the administrators, and the users definitely won't notice. If there is a performance issue with the current deployment that users are noticing then there is probably something going on that needs TAC's help, or you need to look at the template sizing that was deployed.

Here is a good link for performance and scale
https://community.cisco.com/t5/security-documents/ise-performance-amp-scale/ta-p/3642148

Reading the licensing guide might help you understand more around how ISE is licensed.
https://www.cisco.com/c/dam/en/us/products/collateral/security/identity-services-engine/guide_c07-656177.pdf

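As an added worked example (not code from the thread, from Cisco, or from the poster), the HA reasoning in the reply above, that with PAN/MNT/PSN on both nodes one node can fail and every service stays up, can be checked mechanically for any candidate layout rather than argued by hand. The script below models three layouts: the poster's current one (which node also carries the PSN persona is not stated in the post, so it is assumed to be the admin node), the proposed two-PSNs-per-DC expansion, and the two-node design from the reply. Node names, site labels and the one-endpoint-per-user figure are constructed for the example; the only capacity number used is the 20k active endpoints the reply quotes for a two-node 3595 deployment on ISE 2.4, and no cap is asserted for the other layouts.

```python
"""Added example, not from the thread: model an ISE distributed deployment as
nodes with personas and check (a) every persona survives any single node
failure, (b) every persona survives losing a whole data centre, and (c) the
active-endpoint count stays under the documented cap for the layout."""
from dataclasses import dataclass
from itertools import combinations

PERSONAS = ("PAN", "MNT", "PSN")

# Quoted in the accepted answer: two 3595 nodes on ISE 2.4, each running
# PAN/MNT/PSN, support up to 20k active endpoints. Caps for other layouts
# must come from Cisco's performance and scale document; none are assumed.
TWO_NODE_3595_ISE24_MAX_ENDPOINTS = 20_000


@dataclass(frozen=True)
class Node:
    name: str
    site: str            # data centre the node lives in
    personas: frozenset  # subset of PERSONAS


def surviving_personas(nodes, failed_names):
    """Personas still served once the named nodes are down."""
    survivors = set()
    for node in nodes:
        if node.name not in failed_names:
            survivors |= node.personas
    return survivors


def tolerates_node_failures(nodes, k=1):
    """True if all personas survive the loss of any k nodes at once."""
    names = [n.name for n in nodes]
    return all(surviving_personas(nodes, set(failed)) == set(PERSONAS)
               for failed in combinations(names, k))


def tolerates_site_loss(nodes):
    """True if all personas survive losing every node in any one site."""
    return all(surviving_personas(nodes, {n.name for n in nodes if n.site == site})
               == set(PERSONAS)
               for site in {n.site for n in nodes})


def single_points_of_failure(nodes):
    """Personas hosted by fewer than two nodes, sorted for stable output."""
    hosts = {p: sum(1 for n in nodes if p in n.personas) for p in PERSONAS}
    return sorted(p for p, count in hosts.items() if count < 2)


def within_capacity(active_endpoints, max_endpoints):
    """Sizing and licensing count active endpoints (MACs), not users."""
    return active_endpoints <= max_endpoints


# Constructed from the post: admin node in one DC, monitoring node in the
# other. The post does not say which node answers RADIUS; assume the admin.
CURRENT = [
    Node("ise-admin", "dc1", frozenset({"PAN", "PSN"})),
    Node("ise-mnt", "dc2", frozenset({"MNT"})),
]

# The poster's proposed expansion: two dedicated PSNs per DC (names assumed).
PROPOSED = CURRENT + [
    Node("ise-psn-1", "dc1", frozenset({"PSN"})),
    Node("ise-psn-2", "dc1", frozenset({"PSN"})),
    Node("ise-psn-3", "dc2", frozenset({"PSN"})),
    Node("ise-psn-4", "dc2", frozenset({"PSN"})),
]

# The two-node HA layout from the accepted answer: all personas on both nodes.
TWO_NODE_HA = [
    Node("ise-1", "dc1", frozenset(PERSONAS)),
    Node("ise-2", "dc2", frozenset(PERSONAS)),
]


def report(label, nodes, active_endpoints, max_endpoints=None):
    """Summarise the checks for one layout; capacity is None when no cap is known."""
    result = {
        "layout": label,
        "node_loss_ok": tolerates_node_failures(nodes),
        "site_loss_ok": tolerates_site_loss(nodes),
        "spof": single_points_of_failure(nodes),
        "capacity_ok": (None if max_endpoints is None
                        else within_capacity(active_endpoints, max_endpoints)),
    }
    print(result)
    return result


if __name__ == "__main__":
    # 5,000 users per deployment is from the post; one endpoint per user is an
    # assumption (users commonly have several MACs, and MACs are what count).
    report("current", CURRENT, 5_000)
    report("proposed", PROPOSED, 5_000)
    report("two-node HA", TWO_NODE_HA, 5_000, TWO_NODE_3595_ISE24_MAX_ENDPOINTS)
```

Running it shows why the reply steers away from the four-PSN expansion: adding PSNs removes the RADIUS single point of failure but leaves PAN and MnT each on one node, so a single node or data centre loss still takes a persona down, whereas the two-node layout with all personas on both nodes passes every check and sits well under the 20k figure for the assumed endpoint count.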

Thank you for your advice. I will stick with my current design.