
Does Active and Secondary ISEs share a license?

I want to connect two ISE devices.

 

As far as I know, when I connect two ISEs, one is active and one is standby.

 

Do I have to buy a license for each? Or do I buy licenses only for the Active ISE, which then shares them with the Standby?

 

 


https://www.cisco.com/c/en/us/td/docs/security/ise/2-3/admin_guide/b_ise_admin_guide_23/b_ise_admin_guide_22_chapter_010.html#ID59

Accepted Solution

Arne Bier
VIP

Hi 

 

When you create any ISE license in the traditional Cisco Licensing Portal, then you must specify the UDI (serial number details) of BOTH PAN servers - just the PAN servers, and not any standalone MnT or PSN nodes.  This UDI data is baked into the single license file that you then upload to the active PAN.  The PAN takes care of synchronizing the license file to the other PAN (standby PAN).  If that standby PAN should ever be promoted to Active mode, then it will need the licenses to be present.  So don't forget to do this when you create your license! 

With Smart Licensing you don't need to care about this - just point the deployment to Smart Licensing and it will take care of the details.

 

As for what licenses to buy.  For a deployment you need just the # of base licenses you expect to use.  Let's say 1000 base licenses.  This is consumed by any nodes that have Policy Services enabled.  You can have up to 50 PSN nodes.  Again - when you generate the base license, specify BOTH PAN nodes' UDI details (get it from the GUI under Licenses, or on the CLI via the command:  show udi)

Same applies to VM licenses, TACACS, Plus and Apex.

 

Does that help?

Hello.

 

Thank you for your kind reply.

 

The purchased license is as follows.

 

L-ISE-BSE-P4      Cisco ISE Base License - Sessions 1000 to 2499      1500
L-ISE-TACACS-ND=  Cisco ISE Device Admin Node License                 1
L-AC-APX-5Y-S2    Cisco AnyConnect Apex License, 5YR, 100-249 Users   100

 

 

Is it correct to place a license on only one ISE?

 

I understood your answer as above.

 

I can not speak English very well. Is it true that I understood it correctly?

Hi @JustTakeTheFirstStep 

 

How many ISE appliances do you have?  Are they hardware or VM appliances?  If Hardware appliances then it looks like you're good to go.  If VM, then you need VM licenses too.

 

If you have only one ISE node, then create the license only for that one ISE node (go to CLI and issue command "show UDI" and then create the license on the Cisco Licensing Portal https://software.cisco.com/ - then install the license on the PAN GUI).

 

If you have two ISE nodes, then create a deployment as usual (i.e. join the two nodes together into an ISE Deployment) and get the show UDI from both boxes and create the license.  Install the license into the PAN GUI - you can only do this on the active PAN.

 

regards

Arne

 
