
ISE VMware Resource Reservations

paul
Level 10

I have done many deployments of ISE in VMs and I always do resource reservations. I have had a few customers recently looking at doing large ISE deployments, trying to mimic many 3595s in VMs, question the need for resource reservations. Here is how I typically answer the query, but I want to know what the BU's official stance on this issue is or what TAC's support looks like if they find out a customer has not done resource reservations:

  1. When I build an ISE VM, I look at how the Cisco ISE BU put together their OVAs as guidance on best practice setup for an ISE VM. All Cisco OVAs for ISE, with the exception of the Eval OVA, have resource reservations set up for both memory and CPU processing.
  2. In the ISE 2.2 VM requirements documentation, Cisco makes the following statement, “If you need to customize the disk size, CPU, or memory allocation, you can manually deploy Cisco ISE using the standard .iso image. However, it is important that you ensure the minimum requirements and resource reservations specified in this document are met. The OVA templates simplify ISE virtual appliance deployment by automatically applying the minimum resources required for each platform.”
  3. I want to avoid a support situation where TAC says they can’t provide support because my VMs don’t have reserved resources.

Thanks in advance.


I had a TAC on this same question, so here is what they responded with.

Basically they will only support VMs under the 4 VM specs.

4 core 16GB RAM (3415)

6 core 16GB RAM (3515)

8 core 32GB RAM (3495)

8 core 64GB RAM (3595)

HD seems more forgiving, but OVAs seem to be 200GB, 600GB, or 1.2TB.

http://www.cisco.com/c/en/us/td/docs/security/ise/2-0-1/install_guide/b_ise_InstallationGuide201/b_ise_InstallationGuide201_chapter_010.pdf

It is supported to increase the VM resources when it comes to HDD, vRAM, and vCPU.

The caveat is that for vRAM and vCPU, you can only increase the resources, and you would need to match one of the OVAs for the product. You cannot create your own specs, they would need to match one of the OVAs we provide for the products.

For example, and I'm just making this scenario to get the point across

1K users uses 1vCPU and 4 GB of vRAM

2.5K users uses 2 vCPU and 6 GB of vRAM

If you want to change the specs from 1K to 2.5K, you simply need to change the specs from the VM, and IT IS SUPPORTED.

On the other hand, if you want to have that ISE with, I don't know, 6 vCPUs and 16 vRAM because you think that is better, that would NOT be supported, as those specs do not match any of the virtualization wiki.

As for HDD, that is supported, the applications now have the ability to increase the common partition size as required if you wish to have more data. What you CANNOT do in regards to HDD, is to add/remove HDDs, NOT THE SAME as increasing the size of the ones that come with the OVA specs. That should only be used in special circumstances, not an everyday procedure (for example, for upgrades.)

Jason,

What were their thoughts on resource reservations though? VM specs are different than resource reservations. Customer is pushing back on being asked to reserve resources for ISE. For example, if you have 4 3595s you would be reserving 256 GB of RAM and 64 MHz of processing that no other VMs can use.

I think you are asking me?

The requirements (depending on what specs you are building to) are that we need CPU, memory, and disk reserved exclusively for ISE, so that they are available whenever needed, as it’s a critical service in your environment.

Sorry Jason. On my phone the reply showed up as coming from you. What you said is exactly how I feel as well.

Dustin, in your discussion with TAC did they say anything about what would happen if they came across unreserved resources? Again using the four 3595s situation: if the customer has allocated 64 GB of RAM and 8 CPU cores for each 3595 VM, but they did not set up any resource reservations, could that lead into a support issue with TAC?

Thanks again for the quick responses.

Paul Haferman

Office- 920.996.3011

Cell- 920.284.9250

TAC wouldn't support until the customer guarantees resources.

If the customer is receiving alarms for CPU, memory, and even disk I/O, then the customer would have to resolve resource reservations.

I'm not sure TAC could verify if it's allocated or reserved, so long as that's available. Now, as Jason said, they basically wouldn't help with resource errors then.

If they are concerned about the size of the VMs, have they looked at getting the Cisco hardware?

Where I work we currently run 2 VMs, but want to boost them for more connections instead of doing PSNs. So, we looked at the cost of a 3595 VM vs the hardware. The VM is cheap, but the HD space isn't if it's on a SAN. We calculated the recommended VM (8 core, 64GB RAM, 1.2 TB disk space) would be around $19,000 per VM. We got quoted around $43,000 for 2x3595 for ISE and maintenance, so price may make us go hardware.

There are the trade-offs of hardware going EOL, but so do the VM hosts. And price will vary by size of business etc.

I am having the customer run that exact comparison, i.e. add more UCS resources to their VM environment vs buying ISE hardware.

Thanks for the feedback.

Paul Haferman

Office- 920.996.3011

Cell- 920.284.9250

In newer releases, TAC can verify if reservations are set if using VMware.  This can be found inside of a "show tech."
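
One way to check from the vSphere side what the posts above describe (sizing that matches one of the four specs TAC listed, plus CPU and memory reservations), as an added PowerCLI example that is not from any poster or from Cisco. The `ise-*` name pattern is hypothetical, and treating "reserved" as a full memory reservation plus a non-zero CPU reservation is an assumption, since the thread gives no reservation figures.

```powershell
# Added example: audit ISE VMs for supported sizing and resource reservations.
# Requires VMware PowerCLI and an existing Connect-VIServer session.

# The four VM specs quoted from TAC earlier in this thread (cores, RAM in GB).
$SupportedProfiles = @(
    [pscustomobject]@{ Model = '3415'; Cores = 4; MemoryGB = 16 }
    [pscustomobject]@{ Model = '3515'; Cores = 6; MemoryGB = 16 }
    [pscustomobject]@{ Model = '3495'; Cores = 8; MemoryGB = 32 }
    [pscustomobject]@{ Model = '3595'; Cores = 8; MemoryGB = 64 }
)

function Test-IseVmReservation {
    param(
        # Hypothetical naming convention for the ISE nodes, e.g. 'ise-*'
        [Parameter(Mandatory)] [string] $NamePattern
    )
    foreach ($vm in Get-VM -Name $NamePattern) {
        $res   = Get-VMResourceConfiguration -VM $vm
        $match = $SupportedProfiles | Where-Object {
            $_.Cores -eq $vm.NumCpu -and $_.MemoryGB -eq $vm.MemoryGB
        }
        [pscustomobject]@{
            VM                  = $vm.Name
            NumCpu              = $vm.NumCpu
            MemoryGB            = $vm.MemoryGB
            MatchesProfile      = if ($match) { $match.Model -join '/' } else { 'none' }
            CpuReservationMhz   = $res.CpuReservationMhz
            MemReservationGB    = $res.MemReservationGB
            # Assumption: "reserved" means all configured memory is reserved
            # and some CPU reservation exists; the thread states no figures.
            MemoryFullyReserved = ($res.MemReservationGB -ge $vm.MemoryGB)
            CpuReserved         = ($res.CpuReservationMhz -gt 0)
        }
    }
}

# List only the nodes that would raise a sizing or reservation question.
Test-IseVmReservation -NamePattern 'ise-*' |
    Where-Object {
        $_.MatchesProfile -eq 'none' -or
        -not $_.MemoryFullyReserved -or
        -not $_.CpuReserved
    } |
    Format-Table -AutoSize
```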

Darren Lynn
Cisco Employee

I'm having this exact same challenge with a customer where we are looking at installing 9 - 15 ISE 3945 VMs to support over 350000 expected concurrently connected devices. I also have the same with up to 20 Virtual WSAs and up to 8 Stealthwatch VMs (FC / SMC / UDP / FS).

While having a statement in a community helps us, is it written anywhere in public documentation that TAC won't support the deployment unless the resources are available to the VM?

I used Google search for ISE 2.3 resources reservation.

Although oversubscription is not mentioned, you have to provide feedback that if the resources aren’t available to ISE then network connectivity for users may be slowed or halted depending on the issue. At this point TAC will not support until the resources are available.

They better know what they’re doing if they are going to attempt sacrifice of these critical resources due to not properly allocating what's needed

https://www.cisco.com/c/en/us/td/docs/security/ise/2-3/install_guide/b_ise_InstallationGuide23/b_ise_InstallationGuide23_chapter_01.html

Cisco Identity Services Engine (ISE) can be installed on Cisco SNS hardware or virtual appliances. To achieve performance and scalability comparable to the Cisco ISE hardware appliance, the virtual machine should be allocated system resources equivalent to the Cisco SNS 3515 and 3595 appliances. This section lists the hardware, software, and virtual machine requirements required to install Cisco ISE.

I would also say this is a discussion you should be having in the presales cycle. If the VM team pushes back against resource reservations then you quote out an all appliance option. Then they can compare ESX host cost with resource reservations vs. hardware and the associated maintenance.
