Solved: Re: ISE 3.2 Difference between OVA-Files ise-3.2.0.542a & ise-3.2.

UKW-NK-Cisco · ‎09-22-2023

Hello Cisco ISE experts,

we would like to replace a VM-based ISE 2.4 HA pair with current ISE 3.2 software.

I would like to setup two new VM-based ISE-boxes for this.

Your download page offers two different versions for an OVA-file 600GB disk:

ISE-3.2.0.542a-virtual-SNS3615-SNS3655-600.ova

ISE-3.2.0.542b-virtual-SNS3715-SNS3755-600.ova

What is the difference between the two files in regards to a virtual installation ?

Which one would You recommend ?

Also a much smaller ISO-image is available:

ise-3.2.0.542a.SPA.x86_64.iso

What is the difference between ISO- and OVA-files ?

Which one would You recommend ?

Thank You for any tipps

Kind regads

Wini

ahollifield · ‎09-22-2023

37XX (new OVAs based on 37XX appliances) vs 36XX (OVAs based on the now EoS 36XX appliances). No reason not to deploy 37XX in new deployments.

ISO can be used where/if you can't use an OVA file for whatever reason (VM permissions, re-imaging an SNS appliance, etc). I would recommend always using the OVA when possible.

View solution in original post

ahollifield · ‎09-22-2023

37XX (new OVAs based on 37XX appliances) vs 36XX (OVAs based on the now EoS 36XX appliances). No reason not to deploy 37XX in new deployments.

ISO can be used where/if you can't use an OVA file for whatever reason (VM permissions, re-imaging an SNS appliance, etc). I would recommend always using the OVA when possible.

Arne Bier · ‎10-04-2023

@ahollifield I don't see the point of deploying OVAs based on 37xx (24 vCPU) for customers that don't have the need for a lot of processing. The number of vCPUs is stupidly high, and it's all reserved as well. The 16 vCPU is good enough for a lot of small/medium use cases. I am not saying that there is not a use case for 37xx - but in my opinion, it's not the "new normal" for me.

At the end of the day, Cisco asks for # of vCPU (threads). And assuming that hyperthreading is enabled on the hypervisor (which is generally the case), then nailing up 12 cores for a VM is not insubstantial. Also, these cores can operate at various frequencies depending on the CPUs in use. Therefore, an 8 cores of the latest gen CPU(s) might even outperform when using 12 cores of older gen CPU(s).

Just throwing resources and money at the issue, because Cisco "recommends it" is not a considered approach. Start with less and monitor via vCenter - you'll notice that in small/medium deployments, if you follow the vendor recommendations, you're reserving a lot of expensive resources for no benefit at all. That's my experience anyway. Those resources can be put to better use. Cisco doesn't want us to oversubscribe ISE on the hypervisor - fair enough - that entitles the customer to TAC support, but to most VM admins out there it's not how the world works.

I am thinking about #savetheplanet and #letsbereal

wgomez · ‎12-18-2023

I'm glad I found your answer here because I needed to make a decision and was thinking the same thing. I'm looking to upgrade a deployment that doesn't go past 1500 sessions. In this case, the 12,500 session limit on the small 3615 should be more than enough unless I'm missing something. I don't see the need for the 25,000-session capable small 3715 in my use case.

ahollifield · ‎12-18-2023

This should be fine. The only call-out would be the eventual EOL of the 3615 appliance/VM. Granted, that won't happen for a number of years but if your goal is overall longevity/future proofing with minimal changes, you may want to consider going 3715 now. https://www.cisco.com/c/en/us/products/collateral/security/identity-services-engine/secure-network-server-3615-3655-3695-eol.html

wgomez · ‎12-18-2023

That makes sense. Thank you!

ISE 3.2 Difference between OVA-Files ise-3.2.0.542a & ise-3.2.0.542b