02-28-2018 02:10 AM
Dear Colleagues,
One of our defense customers has multiple separate networks so they need at least two separate ISE deployments per site.
They would however like to share or at least move licenses across deployments as per the real- currently not fully foreseeable consumption.
As I read in a previous community article we cannot have two ISE deployments connecting to the same Smart Software Manager Virtual Account which makes automated consumption alignment across the two deployments impossible. Am I correct so far?
So let us say the customer creates two CSSM Virtual Accounts with 500 BASE/PLUS/APEX licenses added into each.
In what steps can we move licenses across the Virtual Accounts? If there were two 500 pcs. licenses bought, could we move 100 licenses only from one Virtual Account to another?
Your timely response would be highly appreciated.
Best regards,
Istvan
Istvan Segyik
Escalations Engineer, Security
CCIE Security #47531
Global Virtual Engineering
WW Partner Organization
Cisco Systems, Inc
Email: isegyik@cisco.com
Work: +36 1 2254604
Monday - Friday, 8:30 am-17:30 pm - UTC+2 (CEST)
Solved! Go to Solution.
03-07-2018 01:02 AM
For everyone's benefit here is the answer from the ISE licensing Product Manager:
"
Confirmed with both ISE engineering and Smart licensing team.
1. Yes you can operate across multiple deployments with the same virtual account
2. Minimum license can be as small as 1
"
02-28-2018 02:22 PM
Hi Istvan
I was not aware that one should not point more than one deployment to the same Virtual Account. If that is true then it makes a complete farse out of this Smart Licensing concept. In fact, I have pointed my production deployment AND my pre-production deployment to the same Virtual Account and they are both feeding happily from the same bucket. My pre-prod hardly consumes any licenses anyway and it's a great way to share resources.
Why else would I want to use Smart Licensing? Just the pain alone of getting my PAN's taking to tools.cisco.com was tricky enough. ISE is not very smart when it comes to how it connects to the internet (esp when customer uses authenticated proxies)
regards
Arne
02-28-2018 09:21 PM
Maybe I’m wrong, but even if you cant map more than one deployment to a given VA, you can certainly move licenses between VAs as they are tied up to the smart account.
03-01-2018 04:30 AM
Hi Arne,
Thank you for your response. Unfortunately all my lab resources are occupied with Firepower related things so I can't test myself.
An earlier community article said that licenses that you purchase for a single deployment are mapped to that deployment even if you put them into a Smart License Virtual Account:
I will try to clarify this internally...
03-01-2018 09:03 AM
Adding our ISE Licensing PM, pjatapro to provide you an answer.
03-07-2018 01:02 AM
For everyone's benefit here is the answer from the ISE licensing Product Manager:
"
Confirmed with both ISE engineering and Smart licensing team.
1. Yes you can operate across multiple deployments with the same virtual account
2. Minimum license can be as small as 1
"
03-20-2018 09:28 AM
I am still confused amount how the internal implementation is within ISE and smart licensing.
Lets say i buy 1000 base license (single one) and then let two ISE deployments (clusters) use the same 1000 license.
I would think any realtime consumption is very challenging. What if I get 1000 connections from both deployments at the same time? Does it just allow some grace period ? i would not think there is realtime reservation happening from ISE to the smart account ? Any insights on this ?
03-20-2018 10:19 AM
ISE takes a license consumption sample in every 30 minutes. Then it takes the peak sample for a 24 hours period and at 1:00 AM every day it aligns license consumption in Cisco Smart Software Manager (CSSM).
In case of non-compliance because of insufficient number of licenses it will start sending alarms in both ISE console and in CSSM and to all related external alerting targets.
If non-compliance caused by expired licenses, configuration of the affected functions would be blocked. In that scenario (expiring licenses) there are alarms sent 90, 60 and 30 days in advance and there is no grace period.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide