ISE 2.6 Re-Deployment Licensing / Sizing

Daniel Mayer
Level 1

Hello guys,

 

We're currently planning to upgrade/re-deploy Cisco ISE from 2.1 to 2.6. Since this is a worldwide deployment, we're using multiple PSNs. First of all I'd like to give you a short overview. All nodes are virtual and running on VMware ESX.

Current ISE Deployment SNS3495:

2x Admin Node (data center)

2x Monitoring Node (data center)

6x PSN (data center and hub locations)

Up to 20k active endpoints

 

First question is about the licensing part that has been introduced with ISE 2.4: What kind of licenses will we receive? I've read that Cisco is only providing medium licenses for the "old unlimited virtual" machines. Licenses have already been requested by our partner, but we didn't get any information yet.

 

Second question is about the sizing. Multiple guides and Cisco tech sheets (TECSEC 3416) are always talking about a large deployment when the PSN count is above 5. The installation guide for 2.6 also only shows 3595 or 3695 appliances for a dedicated deployment. I personally think that those requirements are set way too high for our purpose. Could we also deploy, for example, a virtual 3655 "large" dedicated deployment with 6 PSNs, and is this supported by Cisco TAC?

 

If you need some more information, let me know.

 

Regards,
Daniel


Jesper Erbs
Level 1

Hi Daniel,

 

1. Your pre-ISE 2.4 VM license will be converted to ISE 2.4 Medium Licenses. You will receive one VM license per pre-2.4 VM license.

'But if you purchased ISE VM previously with no PAK or license key associated, please reach out to ise-vm-license@cisco.com with the Sales Order (SO) number reflecting the VM purchases'

https://www.cisco.com/c/dam/en/us/products/collateral/security/identity-services-engine/guide_c07-656177.pdf#page=7&zoom=100,0,657

 

2. I would install the Admin and MnT with a 3595 OVA, if you want to save hardware. The 3655 is the 'new' 3595. They were renamed(/numbered) to make room for the new 3695 large appliance. The 3595 appliance (8 CPUs, 64GB) requires less hardware than the 3655 appliance (12 CPUs, 96GB).

 

https://www.cisco.com/c/en/us/products/collateral/security/identity-services-engine/data_sheet_c78-726524.html

 

Keep in mind that future releases of ISE may not support 3595 or VMs based on the 3595 appliance, which may result in TAC not supporting it in the future.

Hello Jesper,

 

Thanks for your quick reply. I was already thinking of using the virtual 3595 appliance (with 8 cores/16 threads and 64 GB RAM), but as you already mentioned there may be a lack of support with upcoming releases in the future. That's also why I would prefer to go with the virtual 36XX series then. Regarding that medium license, we would have to deploy virtual 3655 (12 cores/24 threads and 96 GB RAM). The question with this solution is whether Cisco supports that 10 node deployment (including 6 PSNs) with virtual 3655.

In older installation guides (e.g. 2.1) Cisco always points out "Maximum Number of Dedicated Policy Service Nodes" that are supported. This is somehow missing in the installation guide for 2.6. I'd prefer to go with virtual 3655 nodes over 3595. Any experience with this?

Hi Daniel,

 

That is a good question - My guess would be that Cisco may have forgotten to add a row to the documentation detailing the amount of Maximum sessions for a 3655 in a deployment with dedicated (PAN, MnT, PXG, and PSN Nodes), since the 3655 appliance easily should be able to handle the 500.000 sessions, if the smaller 3595 appliance can handle the load of 500K sessions. Maybe a Cisco TME can comment here?

 

In ISE 2.4 a VM appliance based on 3695 with 256GB RAM was only supported (to my knowledge) for the SuperMnT and therefore not in scope as a PAN node. I have not seen anywhere whether this has changed.

 

It could also simply be part of a backlog of information that has to be updated for ISE 2.6. ISE 2.6 was only just released as was the information on the new appliances in the 36XX series, so I think you will be hard pressed to find anyone with much experience in implementing the 36XX series appliances. Implementing VMs based on the 36XX should not be much different from earlier.

 

But as Jason Kunst states, I would use the 3595 now and increase the hardware in the future, should the requirements change in future releases. ISE 2.6 is a long term release, so you should be good for a while.

 

A 10 node deployment is supported with 3655, same as how it was in 2.4 but now on 2.6 and with slightly greater scale. This would still have to be a dedicated deployment.

Each 3655 on 2.6 will support 50k active endpoints when run in a dedicated deployment, so using 6 of them would result in 300k total, or 150k active if you consider N+1 HA.

If you wanted to resize, you could consider using 3615 PSNs or fewer 3655 PSNs if you are considering this for 20k active. Each 3615 PSN will support 10k active endpoints in a dedicated deployment. You could even get away with a 2 node standalone deployment on 3655s, which could handle 25K total and still 25k if one of the two nodes fails.

Be very sure that you test your use cases on 2.6. Even though it goes through internal testing, it's hard to catch bugs that impact production systems. It's been in the wild for 10 days; there will be many bugs found over the next few months.

You will have years to move away from the old appliances.

The VMs will still run and you can always tweak them for more memory and CPU if needed to make sure supported resources are available.