cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
3409
Views
9
Helpful
7
Replies

Moving Smart Licenses across ISE deployments

Istvan Segyik
Cisco Employee
Cisco Employee

Dear Colleagues,

One of our defense customers has multiple separate networks so they need at least two separate ISE deployments per site.

They would however like to share or at least move licenses across deployments as per the real- currently not fully foreseeable consumption.

As I read in a previous community article we cannot have two ISE deployments connecting to the same Smart Software Manager Virtual Account which makes automated consumption alignment across the two deployments impossible. Am I correct so far?

So let us say the customer creates two CSSM Virtual Accounts with 500 BASE/PLUS/APEX licenses added into each.

In what steps can we move licenses across the Virtual Accounts? If there were two 500 pcs. licenses bought, could we move 100 licenses only from one Virtual Account to another?

Your timely response would be highly appreciated.

Best regards,

Istvan

Istvan Segyik

Escalations Engineer, Security

CCIE Security #47531

Global Virtual Engineering

WW Partner Organization

Cisco Systems, Inc

Email: isegyik@cisco.com

Work: +36 1 2254604

Monday - Friday, 8:30 am-17:30 pm - UTC+2 (CEST)

1 Accepted Solution

Accepted Solutions

Istvan Segyik
Cisco Employee
Cisco Employee

For everyone's benefit here is the answer from the ISE licensing Product Manager:

"

Confirmed with both ISE engineering and Smart licensing team.

1. Yes you can operate across multiple deployments with the same virtual account

2. Minimum license can be as small as 1

"


View solution in original post

7 Replies 7

Arne Bier
VIP
VIP

Hi Istvan

I was not aware that one should not point more than one deployment to the same Virtual Account.  If that is true then it makes a complete farse out of this Smart Licensing concept.  In fact, I have pointed my production deployment AND my pre-production deployment to the same Virtual Account and they are both feeding happily from the same bucket.  My pre-prod hardly consumes any licenses anyway and it's a great way to share resources.

Why else would I want to use Smart Licensing?  Just the pain alone of getting my PAN's taking to tools.cisco.com was tricky enough.  ISE is not very smart when it comes to how it connects to the internet (esp when customer uses authenticated proxies)

regards

Arne

Maybe I’m wrong, but even if you cant map more than one deployment to a given VA, you can certainly move licenses between VAs as they are tied up to the smart account.

Hi Arne,

Thank you for your response. Unfortunately all my lab resources are occupied with Firepower related things so I can't test myself.

An earlier community article said that licenses that you purchase for a single deployment are mapped to that deployment even if you put them into a Smart License Virtual Account:

Re: ISE & Smart Licensing

I will try to clarify this internally...

thomas
Cisco Employee
Cisco Employee

Adding our ISE Licensing PM, pjatapro to provide you an answer.

Istvan Segyik
Cisco Employee
Cisco Employee

For everyone's benefit here is the answer from the ISE licensing Product Manager:

"

Confirmed with both ISE engineering and Smart licensing team.

1. Yes you can operate across multiple deployments with the same virtual account

2. Minimum license can be as small as 1

"


I am still confused amount how the internal implementation is within ISE and smart licensing.

Lets say i buy 1000 base license (single one) and then let two ISE deployments (clusters) use the same 1000 license.

I would think any realtime consumption is very challenging. What if I get 1000 connections from both deployments at the same time? Does it just allow some grace period ? i would not think there is realtime reservation happening from ISE to the smart account ? Any insights on this ?

ISE takes a license consumption sample in every 30 minutes. Then it takes the peak sample for a 24 hours period and at 1:00 AM every day it aligns license consumption in Cisco Smart Software Manager (CSSM).

In case of non-compliance because of insufficient number of licenses it will start sending alarms in both ISE console and in CSSM and to all related external alerting targets.

If non-compliance caused by expired licenses, configuration of the affected functions would be blocked. In that scenario (expiring licenses) there are alarms sent 90, 60 and 30 days in advance and there is no grace period.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: