Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1214
Views
0
Helpful
3
Replies

Does Active and Secondary ISEs share a license?

Go to solution
JustTakeTheFirstStep
Level 4
Level 4

‎06-11-2019 12:29 AM

I want to connect two ISE devices.

 

As far as I know, I know that when I connect two ISEs, one is active and one is standby.

 

Do I have to buy a license each? Or does Active ISE only buy licenses and share licenses with Standby?

 

 

giheung-VPN.png

https://www.cisco.com/c/en/us/td/docs/security/ise/2-3/admin_guide/b_ise_admin_guide_23/b_ise_admin_guide_22_chapter_010.html#ID59

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Arne Bier
VIP
VIP

‎06-11-2019 05:33 AM

Hi 

 

When you create any ISE license in the traditional Cisco Licensing Portal, then you must specify the UDI (serial number details) of BOTH PAN servers - just the PAN servers, and not any standalone MnT or PSN nodes.  This UDI data is baked into the single license file that you then upload to the active PAN.  The PAN takes care of synchronizing the license file to the other PAN (standby PAN).  If that standby PAN should ever be promoted to Active mode, then it will need the licenses to be present.  So don't forget to do this when you create your license! 

With Smart Licensing you don't need to care about this - just point the deployment to Smart Licensing and it will take care of the details.

 

As for what licenses to buy.  For a deployment you need just the # of base licenses you expect to use.  Let's say 1000 base licenses.  This is consumed by any nodes that have Policy Services enabled.  You can have up to 50 PSN nodes.  Again - when you generate the base license, specify BOTH PAN nodes' UDI details (get it from the GUI under Licenses, or on the CLI via the command:  show udi)

Same applies to VM licenses, TACACS, Plus and Apex.

 

Does that help?

View solution in original post

0 Helpful
3 Replies 3

Go to solution
Arne Bier
VIP
VIP

‎06-11-2019 05:33 AM

Hi 

 

When you create any ISE license in the traditional Cisco Licensing Portal, then you must specify the UDI (serial number details) of BOTH PAN servers - just the PAN servers, and not any standalone MnT or PSN nodes.  This UDI data is baked into the single license file that you then upload to the active PAN.  The PAN takes care of synchronizing the license file to the other PAN (standby PAN).  If that standby PAN should ever be promoted to Active mode, then it will need the licenses to be present.  So don't forget to do this when you create your license! 

With Smart Licensing you don't need to care about this - just point the deployment to Smart Licensing and it will take care of the details.

 

As for what licenses to buy.  For a deployment you need just the # of base licenses you expect to use.  Let's say 1000 base licenses.  This is consumed by any nodes that have Policy Services enabled.  You can have up to 50 PSN nodes.  Again - when you generate the base license, specify BOTH PAN nodes' UDI details (get it from the GUI under Licenses, or on the CLI via the command:  show udi)

Same applies to VM licenses, TACACS, Plus and Apex.

 

Does that help?

0 Helpful

Go to solution
JustTakeTheFirstStep
Level 4
Level 4
In response to Arne Bier

‎06-11-2019 05:55 PM

Hello.

 

Tank you for your kind reply.

 

The purchased license is as follows.

 

L-ISE-BSE-P4
Cisco ISE Base License - Sessions 1000 to 2499
1500
L-ISE-TACACS-ND=
Cisco ISE Device Admin Node License
1
L-AC-APX-5Y-S2
Cisco AnyConnect Apex License, 5YR, 100-249 Users
100

 

 

Is it correct to place a license on only one ISE?

 

I understood your answer as above.

 

I can not speak English very well. Is it true that I understood it correctly?

0 Helpful

Go to solution
Arne Bier
VIP
VIP
In response to JustTakeTheFirstStep

‎06-11-2019 08:02 PM

Hi @JustTakeTheFirstStep 

 

How many ISE appliances do you have?  Are they hardware or VM appliances?  If Hardware appliances then it looks like you're good to go.  If VM, then you need VM licenses too.

 

If you have only one ISE node, then create the license only for that one ISE node (go to CLI and issue command "show UDI" and then create the license on the Cisco Licensing Portal https://software.cisco.com/ - then install the license on the PAN GUI.

 

If you have two ISE nodes, then create a deployment as usual (i.e. join the two nodes together into an ISE Deployment) and get the show UDI from both boxes and create the license.  Install the license into the PAN GUI - you can only do this on the active PAN

 

regards

Arne

 

0 Helpful
Customers Also Viewed These Support Documents