cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

5732
Views
20
Helpful
9
Replies
rshehov
Cisco Employee

ISE 2.4 VM License

Hi there,

 

I would like to get more info in regards of the new ISE 2.4 VM license. What will happen to existing ISE customer who are going to ISE 2.4 ? I am interested to know how the new VM license will looks like.

 

Thanks in advance

 

Regards

 

Ross

1 ACCEPTED SOLUTION

Accepted Solutions
Damien Miller
VIP Advisor

Ross,

All existing customers should have bought traditional VM licenses when and if they deployed their pre v2.4 ISE VM's. When an ISE environment is upgraded to v2.4 you email ise-vm-license@cisco.com and either provide the Cisco sales order number the traditional VM licenses were purchased on or attach the original SO if you have it. I think this is the hardest part for some customers, often these things get lost with time.

The ISE BU will take however many VM licences were bought in the past and convert them one to one for R-ISE-VMM-K9=. So the complications are going to be if a customer only bought 2 VM licenses and have since grown their deployment and are now using more. The new licenses will be issued as a PAK key and can be fufilled online via the licensing portal, you then install the VM licenses just like endpoint licenses.

ISE v2.4 is not enforcing VM licensing today but it does nag you in the GUI and also with alarms in the dashboard if you are not compliant. Expect this to change in the future where customers will be given a grace period for extra VM's and then there will eventually be a hard enforcement.

Not mentioned by those above is that TACACS licensing has also changed to per node. Each VM you enable the TACACS device admin persona will require a TACACS node license. If you existing pre v2.4 ISE deployment has a TACACS license then this will automatically convert during the upgrade and grant you a 50 TACACS node licenses. Existing deployment require no action on TACACS licensing to keep functioning like they have in the past.
It is a very simple process assuming you have the sales order numbers.

View solution in original post

9 REPLIES 9
amaertens
Beginner

Hi Ross,

 

you will receive Medium VM licenses. Which means that customers having bought VMs earlier will and installed large appliances will still get licensing warnings.

 

Since the customer did not have a choice of VMs when ordering this does not seem acceptable to me. But I am still waiting for reply from vm-licensing team.

 

Regards,

Axel

Hello Ross,

 

The "Medium" VM license covers anything up to 16 CPU cores and 64 GB Ram. This is the same size as the SNS3595 ISE appliance and is the largest VM supported until they released the Super MnT in version 2.4. So prior to 2.4 there was nothing larger than the "Medium" sized VM that is permitted by the new 2.4 "Medium" VM License. 

 

If you migrate to 2.4, they upgrade you to the "Medium" VM license. You will not get any VM warnings as it covers the Large sized OVA from 2.3 and below. To clear up any confusion with the new VM Licenses they also removed the "Large" and "Small" wording from the OVA Names. 

 

download.png

 

 

Damien Miller
VIP Advisor

Ross,

All existing customers should have bought traditional VM licenses when and if they deployed their pre v2.4 ISE VM's. When an ISE environment is upgraded to v2.4 you email ise-vm-license@cisco.com and either provide the Cisco sales order number the traditional VM licenses were purchased on or attach the original SO if you have it. I think this is the hardest part for some customers, often these things get lost with time.

The ISE BU will take however many VM licences were bought in the past and convert them one to one for R-ISE-VMM-K9=. So the complications are going to be if a customer only bought 2 VM licenses and have since grown their deployment and are now using more. The new licenses will be issued as a PAK key and can be fufilled online via the licensing portal, you then install the VM licenses just like endpoint licenses.

ISE v2.4 is not enforcing VM licensing today but it does nag you in the GUI and also with alarms in the dashboard if you are not compliant. Expect this to change in the future where customers will be given a grace period for extra VM's and then there will eventually be a hard enforcement.

Not mentioned by those above is that TACACS licensing has also changed to per node. Each VM you enable the TACACS device admin persona will require a TACACS node license. If you existing pre v2.4 ISE deployment has a TACACS license then this will automatically convert during the upgrade and grant you a 50 TACACS node licenses. Existing deployment require no action on TACACS licensing to keep functioning like they have in the past.
It is a very simple process assuming you have the sales order numbers.

View solution in original post

I can vouch for that @Damien Miller.

 

I just upgraded a customer to 2.4 recently and the Cisco licensing team provided the new PAKs within hours of the request. They installed just like any other license and the messages went away.

 

I have yet to try it with a Smart License ISE installation....

Hi there,

 

Thank you so much for your great input. However my case is a bit complex :) 

 

My customer got old ISE hardware appliance. They bought the appliance in 2014/2015. Is it still possible to get some credit for this appliance when we are moving to virtual ISE appliance ? We will need Medium Size ISE VM :) 

 

I am aware of the TACACS+ story. However I should admit that the sizing of TACACS+ is just nightmare :) 

 

Regards

 

Ross

Marvin Rhoads
VIP Community Legend

There's not currently any published trade-in credit or entitlement for an old hardware appliance. 

 

Of course the Account Manager and Cisco sales team always have some latitude to make exceptions depending on the opportunity. You would work with them internally.

 

An SNS-3415 or above is perfectly fine to run all current versions of ISE though.

Hi Marvin,

 

I got 3395 SNS appliance.

 

Regards

 

Ross

Marvin Rhoads
VIP Community Legend

Yes, unfortunately you need the 3415 or higher for the newer ISE releases (2.0 or later).

I opened a TAC case and easily converted an ISE HW license to a VM license.  The 3515 and 3595 have been announced EoL.  So, now I don't have to worry about replacing the HW.  Also, the customer was moving to data centers and going virtual with everything.  They didn't want the appliance anymore.

Create
Recognize Your Peers
Polls
Which of these topics should we host an event in the Community?

Top Choice: pxGrid (38%)

Content for Community-Ad

ISE Webinars



Did you miss a previous ISE webinar?

CiscoISE YouTube Channel