I have done many deployments of ISE in VMs and I always do resource reservations. I have had a few customers recently looking at doing large ISE deployments, trying to mimic many 3595s in VMs, question the need for resource reservations. Here is how I typically answer the query, but I want to know what the BU's official stance on this issue is or what TAC's support looks like if they find out a customer has not done resource reservations:
Thanks in advance.
I had a TAC on this same question, so here is what they responded with.
Basically they will only support VMs under the 4 VM specs.
4 core 16GB RAM (3415)
6 core 16GB RAM (3515)
8 core 32GB RAM (3495)
8 core 64GB RAM (3595)
HD seems more forgiving, but OVAs seem to be 200GB, 600GB, or 1.2TB.
It is supported to increase the VM resources when it comes to HDD, vRAM, and vCPU.
The caveat is that for vRAM and vCPU, you can only increase the resources, and you would need to match one of the OVAs for the product. You cannot create your own specs, they would need to match one of the OVAs we provide for the products.
For example, and I'm just making up this scenario to get the point across:
1K users uses 1vCPU and 4 GB of vRAM
2.5K users uses 2 vCPU and 6 GB of vRAM
If you want to change the specs from 1K to 2.5K, you simply need to change the specs from the VM, and IT IS SUPPORTED.
On the other hand, if you want to have that ISE with, I don't know, 6 vCPUs and 16 vRAM because you think that is better, that would NOT be supported, as those specs do not match any of the virtualization wiki.
As for HDD, that is supported, the applications now have the ability to increase the common partition size as required if you wish to have more data. What you CANNOT do in regards to HDD, is to add/remove HDDs, NOT THE SAME as increasing the size of the ones that come with the OVA specs. That should only be used in special circumstances, not an everyday procedure (for example, for upgrades.)
What were their thoughts on resource reservations though? VM specs are different than resource reservations. Customer is pushing back on being asked to reserve resources for ISE. For example, if you have 4 3595s you would be reserving 256 GB of RAM and 64 MHz of processing that no other VMs can use.
Sorry Jason. On my phone the reply showed up as coming from you. What you said is exactly how I feel as well.
Dustin, in your discussion with TAC did they say anything about what would happen if they came across unreserved resources? Again using the four 3595s situation. If the customer has allocated 64 GB of RAM and 8 CPU cores for each 3595 VM, but they did not set up any resource reservations, could that lead into a support issue with TAC?
Thanks again for the quick responses.
I'm not sure TAC could verify if it's allocated or reserved, so long as that's available. Now, as Jason said, they basically wouldn't help with resource errors then.
If they are concerned on the size of the VM's, have they looked at getting the Cisco hardware?
Where I work we currently run 2 VMs, but want to boost them for more connections instead of doing PSNs. So, we looked at the cost of a 3595 VM vs the hardware. The VM is cheap, but the HD space isn't if it's on a SAN. We calculated the recommended VM 8 core, 64GB RAM, 1.2 TB disk space would be around $19,000 per VM. We got quoted around $43,000 for 2x3595 for ISE and maintenance, so price may make us go hardware.
There are the trade-offs of hardware going EOL, but so do the VM hosts. And price will vary by size of business etc.
I'm having this exact same challenge with a customer where we are looking at installing 9 - 15 ISE 3945 VMs to support over 350000 expected concurrently connected devices. I also have the same with up to 20 Virtual WSAs and up to 8 Stealthwatch VMs (FC / SMC / UDP / FS).
While having a statement in a community helps us, is it written anywhere in public documentation that TAC won't support the deployment unless the resources are available to the VM?
I used Google search for ISE 2.3 resources reservation.
Although oversubscription is not mentioned, you have to provide feedback that if the resources aren't available to ISE then network connectivity for users may be slowed or halted depending on the issue. At this point TAC will not support until the resources are available.
They better know what they're doing if they are going to attempt sacrifice of these critical resources due to not properly allocating what's needed.
Cisco Identity Services Engine (ISE) can be installed on Cisco SNS hardware or virtual appliances. To achieve performance and scalability comparable to the Cisco ISE hardware appliance, the virtual machine should be allocated system resources equivalent to the Cisco SNS 3515 and 3595 appliances. This section lists the hardware, software, and virtual machine requirements required to install Cisco ISE.
I would also say this is a discussion you should be having in the presales cycle. If the VM team pushes back against resource reservations then you quote out an all-appliance option. Then they can compare ESX host cost with resource reservations vs. hardware and the associated maintenance.