ISE - What we need to know about SNS / VM

Marcelo Morais · ‎03-21-2025

Introduction
SNS (Secure Network Server) Appliance
Hardware
Update
End of Sale & End of Support
License
Characteristics
Cisco ISE Compatibility
Particularities
VM (Virtual Machine)
License
Particularities
Clone
Create a VM Template
Deploy a VM Template
ZTP (Zero Touch Provisioning)
Cloud
Cloud - Load Balancer
References

The Portuguese version of this Article can be found at: ISE - O que precisamos saber sobre SNS / VM .

For an offline or printed copy of this document, simply choose ⋮ Options > Printer Friendly Page. You may then Print > Print to PDF or Copy & Paste to any other document format you like.

Introduction

Before Cisco ISE can be configured, it must first be installed, either on a Physical Appliance or a Virtual Appliance.

The Physical Appliance is called a Cisco SNS (Secure Network Server).

A Virtual Appliance is different from a traditional VM. A Virtual Appliance is an exact replica of a Physical Appliance, meaning that the hardware cannot be overloaded and the RAM and CPU reserves must be set to the same values as the Physical Appliance. A traditional VM is designed to utilize the shared resources of a Host Server.

SNS (Secure Network Server) Appliance

Hardware

The SNS Appliance has undergone a number of hardware upgrades over the years, from the SNS 33xx to the current SNS 37xx.

The SNS Appliance is based on the Cisco UCS (Cisco Unified Computing System) C220 Rack Server and is specifically configured to support the Cisco ISE.

The SNS 37xx is based on a Cisco UCS C220 M6, available in the SNS 3715, SNS 3755 and SNS 3795 models.

The SNS 36xx is based on a Cisco UCS C220 M5, available in the SNS 3615, SNS 3655 and SNS 3695 models.

The SNS 35xx is based on a Cisco UCS C220 M4, available in the SNS 3515 and SNS 3595 models.

The SNS Appliance supports the UEFI (Unified Extensible Firmware Interface) Secure Boot feature, which ensures that only a signed Cisco ISE image can be installed.

Additional hardware resources such as RAM, CPU, or HDD cannot be added to an SNS Appliance.

The SNS 3x15 is designed for Small Deployments, while the SNS 3x55 and SNS 3x95 (which have multiple redundant components such as Hard Drives and Power Supplies) are designed for Medium / Large Deployments (which require highly reliable system configurations).

Update

Cisco HUU (Host Upgrade Utility) assists in simultaneously upgrading the BIOS, CIMC (Cisco Integrated Management Controller) and other firmware of the SNS Appliance.

The software can be obtained from:

It is possible to update BIOS and CIMC firmware via CIMC GUI or CLI.

When updating BIOS firmware, CIMC firmware must be updated to the corresponding version, otherwise the Server will not boot.

End of Sale & End of Support

SNS 36xx

End Of Sale: April 28, 2025

End of Support: April 30, 2030

SNS 35xx

End Of Sale: June 15, 2019

End of Support: June 30, 2024

License

The Cisco SNS Appliance does not have Licenses.

Characteristics

The SNS 35xx / 36xx / 37xx do not have built-in DVD drives. To reimage the Cisco ISE Hardware Appliance, you must perform one of the following:

via the CIMC Interface to map the .ISO Installation File to the Virtual DVD Device.
creating a DVD with the .ISO Installation File, connecting an external USB DVD drive, and booting the device from the DVD drive.
creating a bootable USB device using the .ISO Installation File and booting the device from the USB drive.

.ISO Installation File:

ISE 3.4:

ise-3.4.0.608a.SPA.x86_64.iso of December 18, 2024.

ISE 3.3:

Cisco-ISE-3.3.0.430.SPA.x86_64.iso of July 11, 2023.

ISE 3.2:

ise-3.2.0.542a.SPA.x86_64.iso of October 27, 2022.

ISE 3.1:

ise-3.1.0.518b.SPA.x86_64.iso of August 22, 2022.

ise-3.1.0.518c.SPA.x86_64_SNS-37x5_APPLIANCE_ONLY.iso of March 20, 2023 (specific for SNS 37xx)

ISE 3.0:

ise-3.0.0.458.SPA.x86_64.iso of September 14, 2020.

Before any update it is highly recommended to check for the most updated Software !!!

Cisco ISE Compatibility

The SNS 37xx supports ISE 3.1 P6+ and ISE 3.2 P2+.

The SNS 36xx supports ISE 2.4+.

The SNS 35xx supports ISE 2.0.1 up to ISE 3.0.

The SNS 3595 is supported up to ISE 3.2.

Particularities

The SNS 3795 is equipped with more RAM and better Disk Read / Write performance which makes it more suitable for the Personas of: Dedicated PAN, Dedicated MNT or PAN / MNT and provides no added value when deployed as a Dedicated PSN !!!

Disk size changes will never be updated on ISE without a reimage !!!

If you decrease the RAM or CPU allocation for a VM, you need to reimage Cisco ISE with the changed VM configuration. However, increasing the RAM or CPU capacity does not require reimage.

VM (Virtual Machine)

The VM specifications should be comparable to those of the SNS Appliance in a Production Environment.

Cisco ISE can be installed on the following hypervisors:

VMware Servers
KVM Hypervisors
Hyper-V (Windows Server e Azure Stack HCI)
Nutanix AHV

Cisco ISE cannot be installed on OpenStack.

License

VM and Cloud platforms require the VM Common license (R-ISE-VMC-K9=). Single, perpetual license required for each ISE Node in your Deployment.

The Classic VM Licenses (VM Small, VM Medium or VM Large) reaches EOL on Sep/21 and was replaced by the VM Common License.

You MUST migrate from the Classic VM Licenses to the VM Common License before you upgrade to ISE 3.1+.

Particularities

Hot Migration (vMotion) supported in ISE 3.1+.

Cisco ISE does not support VM Snapshots.

Extra Small VM are only supported for PSNs.

Clone

You can clone a Cisco ISE VMware VM (via VMware vCenter) to create an exact replica of a Cisco ISE Node.

Cloning must be done before you run the Setup program and after you shut down the Cisco ISE VM that you are going to clone.

It's recommended to clone the Cisco ISE Node to a Template (a two-step process) to create multiple new Cisco ISE Nodes.

Create a VM Template

After installing the ISE ISO (for example: ise-3.4.0.608a.SPA.x86_64.iso) and before you run the Setup program:

ISE ISO - Setup screen.png

In the VMware vCenter:

Shut down the Cisco ISE VM, Power > Shut Down Guest.
Right-click the Cisco ISE VM that you want to clone and choose Clone > Clone to Template.

Use the Same Format as Source radio button in the Disk Format dialog box.

Deploy a VM Template

In the VMware vCenter:

Right-click the Cisco ISE VM Template that you have created and choose Deploy Virtual Machine from this Template.

Use the Same Format as Source radio button in the Disk Format dialog box.

ZTP (Zero Touch Provisioning)

ZTP refers to the uninterrupted provisioning mechanism that helps to automate the installation of Cisco ISE, Infrastructure Services enablement, Patching, and Hot Patching without manual intervention.

There are two options available:

Mapping .IMG File

Supported in VM automatic installations, Appliances and OVA installations.

You cannot use an .IMG File for ZTP in Microsoft Hyper-V, in this case you need to use a .ISO File to create a Generation 2 VM.

VM User Data

Supported in automatic OVA and VM installations, when User Data is configured.

In ISE 3.2+ if you provision Cisco ISE through ZTP, the following two security features are available:

Public Key Authentication

Users can be Auhenticated using Public Key Authentication, instead of Password-based Authentication.

First Login Password Change

When you login in to the Cisco ISE GUI for the first time after successfully installing Cisco ISE using ZTP, you will be prompted to perform a Password reset.

Mandatory Parameters: Hostname, IP Address, Mask, Default Gateway, DNS Domain, Primary Name Server, NTP Server, System Timezone, SSH Username & Password to be configured.

Optional Parameters: IPV6, Patch, Hot Patch, Services and Repository details can also be configured.

TFTP, HTTP, HTTPS and NFS are supported Repositories for installing Patches and Hot Patches on Cisco ISE as part of the ZTP process. These Repositories will not be visible or usable in the Cisco ISE GUI and must be used via Anonymous Access.

ZTP is supported on ISE 3.1+.

Cloud

Cisco ISE is available from the Cloud,

natively on the following Cloud Platforms:
- ISE 3.1+:

AWS (Amazon Web Services)

- ISE 3.2+:

Azure Cloud Services

OCI (Oracle Cloud Infrastructure)

ISE Deploys Natively on Public Clouds.png

not natively:
- The process of installing ISE on VMware Cloud is exactly the same as that of installing ISE on VMware VM. The Google Cloud VMware Engine runs Software-Defined Data Centers by VMware.

Cisco ISE upgrade workflow is not available in Cisco ISE on AWS, Azure or OCI. Only fresh installs are supported. However, you can carry out Backup & Restore of Configuration Data.

There is no equivalent Cloud profile for SNS 3755, for these cases it is recommended to use a Cloud instance specified for SNS 3795.

The default Username for Cisco ISE instances that are launched through Cloud Platforms is iseadmin.

For ISE 3.1 instances that are launched through AWS, the default Username is admin.

ISE Journey on Public Cloud.png

Cloud - Load Balancer

Only the Network Load Balancer offers support for UDP packets, so you MUST choose it for RADIUS traffic.

Load Balancer Types.png

Load Balancer - Session Persistence, also known as Session Affinity or Session Stickiness, ensures that a Client's subsequent requests are routed to the same Backend Server that initially handled their Session (creating an affinity between a Client and a specific Network Server for the duration of a Session).

Session Persistence Distribution Algorithms.png