09-22-2023 05:23 AM - edited 09-22-2023 05:24 AM
Hello Cisco ISE experts,
We would like to replace a VM-based ISE 2.4 HA pair with current ISE 3.2 software.
I would like to set up two new VM-based ISE-boxes for this.
Your download page offers two different versions for an OVA-file 600GB disk:
ISE-3.2.0.542a-virtual-SNS3615-SNS3655-600.ova
ISE-3.2.0.542b-virtual-SNS3715-SNS3755-600.ova
What is the difference between the two files in regards to a virtual installation?
Which one would you recommend?
Also a much smaller ISO-image is available:
ise-3.2.0.542a.SPA.x86_64.iso
What is the difference between ISO- and OVA-files?
Which one would you recommend?
Thank you for any tips
Kind regards
Wini
09-22-2023 05:31 AM
37XX (new OVAs based on 37XX appliances) vs 36XX (OVAs based on the now EoS 36XX appliances). No reason not to deploy 37XX in new deployments.
ISO can be used where/if you can't use an OVA file for whatever reason (VM permissions, re-imaging an SNS appliance, etc). I would recommend always using the OVA when possible.
10-04-2023 05:15 PM
@ahollifield I don't see the point of deploying OVAs based on 37xx (24 vCPU) for customers that don't have the need for a lot of processing. The number of vCPUs is stupidly high, and it's all reserved as well. The 16 vCPU is good enough for a lot of small/medium use cases. I am not saying that there is not a use case for 37xx - but in my opinion, it's not the "new normal" for me.
At the end of the day, Cisco asks for # of vCPU (threads). And assuming that hyperthreading is enabled on the hypervisor (which is generally the case), then nailing up 12 cores for a VM is not insubstantial. Also, these cores can operate at various frequencies depending on the CPUs in use. Therefore, 8 cores of the latest gen CPU(s) might even outperform when using 12 cores of older gen CPU(s).
Just throwing resources and money at the issue, because Cisco "recommends it" is not a considered approach. Start with less and monitor via vCenter - you'll notice that in small/medium deployments, if you follow the vendor recommendations, you're reserving a lot of expensive resources for no benefit at all. That's my experience anyway. Those resources can be put to better use. Cisco doesn't want us to oversubscribe ISE on the hypervisor - fair enough - that entitles the customer to TAC support, but to most VM admins out there it's not how the world works.
I am thinking about #savetheplanet and #letsbereal
12-18-2023 10:58 AM - edited 12-18-2023 11:04 AM
I'm glad I found your answer here because I needed to make a decision and was thinking the same thing. I'm looking to upgrade a deployment that doesn't go past 1500 sessions. In this case, the 12,500 session limit on the small 3615 should be more than enough unless I'm missing something. I don't see the need for the 25,000-session capable small 3715 in my use case.
12-18-2023 11:08 AM
This should be fine. The only call-out would be the eventual EOL of the 3615 appliance/VM. Granted, that won't happen for a number of years but if your goal is overall longevity/future proofing with minimal changes, you may want to consider going 3715 now. https://www.cisco.com/c/en/us/products/collateral/security/identity-services-engine/secure-network-server-3615-3655-3695-eol.html
12-18-2023 11:10 AM
That makes sense. Thank you!