Solved: ISE licensing and ordering guide

raksec · ‎08-01-2019

Hello,

I am working on a requirement where customer is having 12K endpoints out of which 5K are laptop/desktop and rest 7K are non-dot1x devices (IP Phones, printers etc). For 5K laptop/desktop they want to do posture and for the rest 7K they wanna have AAA and profiling. Would it be wise to advise 12K base licenses, 7K plus licenses and 5K apex licenses?

I am a bit confused while looking at plus licensing in ordering guide which mentions the following "For all Plus features that do not directly consume sessions, it is required to still match the number of licenses with the number of Base licenses in the deployment."

Does it require to have the same number of base and plus licenses?

Thanks,

Rakesh Kumar

fmicucci1 · ‎08-01-2019

Hi Rakesh,

Apologies if my explanation wasn't really clear.

Ok let's take the Apex license away of the equation as this rule doesn't apply to it (of the same number for Base and Apex) and let's focus on the Base and Plus license:

From the ordering guide, the Plus features that does not consume license are:

PassiveID (Non-Cisco Subscribers)
Profiler feed service
My Devices portal* and NSP
Context sharing
Endpoint Protection Services (EPS)
Cisco TrustSec and ACI integration

If you require any of the above you will need to match the Base and Plus licenses (same number). In your specific case probably check if you need the 'Profiler feed service' for example. If none of the above is required then you can conveniently split in 12k and 7k.

Regards,

Fabrizio

View solution in original post

fmicucci1 · ‎08-01-2019

Hi Rakesh,

That's correct for features that do not consume licenses.

For example "Cisco TrustSec and ACI integration" require a Plus license but at the same time doesn't consume any, so how many Plus license I will need for that feature? The answer is that you will need to match the Base license number.

So this rule applies any time you need to enable a feature that per se doesn't consume a license.

From page 21 you can check the features that consume License or not:

https://www.cisco.com/c/dam/en/us/products/collateral/security/identity-services-engine/guide_c07-656177.pdf

Hope this makes sense.

Regards,

Fabrizio

raksec · ‎08-01-2019

Thanks Fabrizio.

To be very specific to my query, could you suggest on below requirement?

Customer is having 12K endpoints out of which 5K are laptop/desktop and rest 7K are non-dot1x devices (IP Phones, printers etc). For 5K laptop/desktop they want to do posture and for the rest 7K they wanna have AAA and profiling. Would it be wise to advise 12K base licenses, 7K plus licenses and 5K apex licenses?

fmicucci1 · ‎08-01-2019

Hi Rakesh,

Apologies if my explanation wasn't really clear.

Ok let's take the Apex license away of the equation as this rule doesn't apply to it (of the same number for Base and Apex) and let's focus on the Base and Plus license:

From the ordering guide, the Plus features that does not consume license are:

PassiveID (Non-Cisco Subscribers)
Profiler feed service
My Devices portal* and NSP
Context sharing
Endpoint Protection Services (EPS)
Cisco TrustSec and ACI integration

If you require any of the above you will need to match the Base and Plus licenses (same number). In your specific case probably check if you need the 'Profiler feed service' for example. If none of the above is required then you can conveniently split in 12k and 7k.

Regards,

Fabrizio

raksec · ‎08-01-2019

Thanks Fabrizio. I understood it this time.

Charlie Moreton · ‎08-01-2019

Since you stated a need for Profiling, you would need the following licenses:

12,000 Base

12,000 Plus

5,000 Apex

This does NOT take into account VM licenses, Device Admin Licenses or AnyConnect Licenses (used for Posture).

raksec · ‎08-01-2019

Thanks Charlie. You have been very specific to the query.