Solved: ISE 2.1 Deployment Models

GRANT3779 · ‎02-02-2017

We currently have 2 VMs setup in a "Small" 2 Node Deployment. I believe one server acts as the Primary PAN, and the other acts as the secondary PAN. Also, Primary / Secondary for Monitoring. Both act as PSN nodes.

Checking Licensing, there is a Base and a Plus.Would these have been installed on the Primary PAN only, or do they need to be installed on Secondary PAN? Unsure if they are mirrored from the Primary PAN in a HA deployment.

What I would like to do is introduce more nodes in my deployment and have these be specific PSNs and to then remove these PSN personas from the current Active/Secondary PANs. What are the licensing implications for this? Do the PSNs need additional licenses or are licenses only required on PANs, as long as everything is part of same deployment?

Any further info would be appreciated as from the reading I am doing some of the licensing queries are not to clear...

Many Thanks

Rahul Govindan · ‎02-02-2017

Once part of deployment, all licenses only need to be applied to the primary admin node. It is applied to the entire deployment.

If you want increase the number of nodes, you can add up to 5 dedicated psn's if you have 2 dedicated pan+mnt nodes, a medium deployment. Again same license logic holds true as before.

View solution in original post

Rahul Govindan · ‎02-02-2017

Once part of deployment, all licenses only need to be applied to the primary admin node. It is applied to the entire deployment.

If you want increase the number of nodes, you can add up to 5 dedicated psn's if you have 2 dedicated pan+mnt nodes, a medium deployment. Again same license logic holds true as before.

GRANT3779 · ‎02-02-2017

Thanks for the info Rahul,

Are there any implications of removing the PSN persona from the current PANs, or is is just a case of unticking relevant boxes and the assigning PSN persona to my new nodes?

Rahul Govindan · ‎02-02-2017

Yeah its basically unchecking the persona's from the deployment. But the order in which you perform is important. In a small deployment, there is no support for dedicated PSN.

http://www.cisco.com/c/en/us/td/docs/security/ise/2-1/install_guide/b_ise_InstallationGuide21/b_ise_InstallationGuide21_chapter_00.pdf

I was thinking about the process and here is what I could come up with:

1) Remove PSN persona from primary node.

2) Remove PAN and MNT persona from secondary node. Now you have Primary node as Admin and MNT and Secondary as PSN alone.

3) Add more PSN's to deployment (total upto 5).

4) Change secondary node with PAN and MNT persona (or add a new node as PAN and MNT).

Hope this helps.

GRANT3779 · ‎02-02-2017

Thanks for taking the time to provide the info Rahul. Good to get some things confirmed after reading the ISE admin guides.

GRANT3779 · ‎02-02-2017

Looking at the delivery I see we purchased x 2 - R-ISE-VM-K9.

If I need to install more nodes to act as PSN, then do I need to purchase more of the above or can I fire up new ISE VM and join it to deployment? It is not clear if each node needs to be purchased individually.

Rahul Govindan · ‎02-02-2017

The ISE VM SKU are Right to Use and have no PAK associated with it. You can technically use the same image as before, but it is recommended that you purchase the right amount of VM images for audit and legal reasons.

http://www.cisco.com/c/dam/en/us/products/collateral/security/identity-services-engine/guide_c07-656177.pdf