Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3567
Views
2
Helpful
10
Replies

ISE Licensing Requirements in a Distributed HA Deployment

Go to solution
ADEDEJDA
Level 1
Level 1

‎03-30-2022 12:12 AM

Dear Community Support.
1. I have a need for only a Wired NAC, no wireless or Mobile Device Management. I am trying to understand /clarify what licenses I need to procure.


2. I will be deploying two PAN Nodes in a central Data Centre - Primary and Secondary in a Failover configuration.

 

3. There will be 32 distributed PSN Nodes at various remote locations. At each remote location with PSN, there will be around 250 endpoint devices - Workstation/IP Phones. Each of the remote PSN site will be connected to a separate Identity source - Active Directory Domain Controller.

 

4. The PSN does not have a failover at the remote sites but x2 PSN is to be deployed at the Data Centre alongside the PAN to support the failover of any of the remote 32 PSN's. There are no endpoint devices in the central DC.

 

5. All of the Nodes - PAN, PSN, MnT, pxGrid will be deployed in a VM. There will also a pxGrid in the Data Centre to support integration with a SIEM solution as well as the Monitoring and Troubleshooting Nodes (MnT) in the Data Centre.

 

Summary of ISE Nodes IN HA Configuration (All to be deployed in a Virtual Machine).
A. PAN Nodes - Primary/Secondary in high-availability configuration = x2
B. PSN Nodes (in Remote Sites) = x32 + (in central Data Centre) = x2 = 34
C. pxGrid = x2
D. Monitoring (MnT) - Primary/Secondary = x2
E. Each PSN is will have = 250 endpoints.

 

I have established that I need at least the following:-
Cisco Identity Service Engine (250 x32) = 8750 Endpoint Base (Perpetual) License
Cisco Identity Service Engine (250 x32) = 8750 Endpoint Plus Subscription License 3-Years

 

I  am not certain about what remains in terms of VM licensing.


I creating a Bill-of-Material, what are my product licensing requirement for Cisco ISE please?

Thank you.

 

 

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Damien Miller
VIP Alumni
VIP Alumni

‎04-01-2022 10:03 AM - edited ‎04-01-2022 10:03 AM

You are no longer able to order Cisco ISE Base/Plus/Apex licenses, these went end of sale. They were replaced with Essentials/Advantage/Premier licensing tiers and they work in similar ways. Because you built yours out with plus, I will use the appropriate Advantage licenses that replaced them. 

I count 40 ISE VM's, and 8750 endpoints based upon your description. Your BOM would be similar to this. 

Line Number Item Name Description Quantity
1.0 ISE-SEC-SUB Cisco Identity Service Engine Subscription 1
1.1 ISE-A-LIC Cisco Identity Service Engine Advantage Subscription 8750
1.2 SVS-ISE-SUP-B Basic Support for Identity Service Engine Subscription 1
       
2.0 R-ISE-VMC-K9= Cisco ISE Virtual Machine Common PID 40
2.0.1 CON-ECMUS-RISE9KVM SOLN SUPP SWSS Cisco ISE Virtual Machine Common PID 40

 

If you want to run TACACS for device admin logins, then you can add L-ISE-TACACS-ND= for each PSN you will enabled the TACACS features on. So if you use 4 VM's to run TACACS authentications through, then you need 4x L-ISE-TACACS-ND=. 

View solution in original post

10 Replies 10

Go to solution
balaji.bandi
Hall of Fame
Hall of Fame

‎03-30-2022 04:43 AM

check this :

 

https://ise-bom.cisco.com/

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

Go to solution
ADEDEJDA
Level 1
Level 1
In response to balaji.bandi

‎04-01-2022 07:26 AM

Hello Balaji Bandi,

 

Many thanks for providing a guidance to my enquiry.

I am unable to access the site using my Cisco ID.

I was presented with the error message below.

 

ADEDEJDA_0-1648823119295.png

 

 

I don’t understand the issue. Are you able to look into this for me please.

Thank you,

 

Best regards,

Dami

0 Helpful

Go to solution
Damien Miller
VIP Alumni
VIP Alumni

‎04-01-2022 10:03 AM - edited ‎04-01-2022 10:03 AM

You are no longer able to order Cisco ISE Base/Plus/Apex licenses, these went end of sale. They were replaced with Essentials/Advantage/Premier licensing tiers and they work in similar ways. Because you built yours out with plus, I will use the appropriate Advantage licenses that replaced them. 

I count 40 ISE VM's, and 8750 endpoints based upon your description. Your BOM would be similar to this. 

Line Number Item Name Description Quantity
1.0 ISE-SEC-SUB Cisco Identity Service Engine Subscription 1
1.1 ISE-A-LIC Cisco Identity Service Engine Advantage Subscription 8750
1.2 SVS-ISE-SUP-B Basic Support for Identity Service Engine Subscription 1
       
2.0 R-ISE-VMC-K9= Cisco ISE Virtual Machine Common PID 40
2.0.1 CON-ECMUS-RISE9KVM SOLN SUPP SWSS Cisco ISE Virtual Machine Common PID 40

 

If you want to run TACACS for device admin logins, then you can add L-ISE-TACACS-ND= for each PSN you will enabled the TACACS features on. So if you use 4 VM's to run TACACS authentications through, then you need 4x L-ISE-TACACS-ND=. 

Go to solution
ADEDEJDA
Level 1
Level 1
In response to Damien Miller

‎06-01-2022 05:31 AM

Hello Team,

 

I am doing a cost analysis to support a business case/ project proposal

How do I get a quote/prices for these line items in the below table please. 

I need to provide consideration for x1 year and x3 year subscription license.

 

Line NumberItem NameDescriptionQuantity
1.0ISE-SEC-SUBCisco Identity Service Engine Subscription1
1.1ISE-A-LICCisco Identity Service Engine Advantage Subscription8750
1.2SVS-ISE-SUP-BBasic Support for Identity Service Engine Subscription1
    
2.0R-ISE-VMC-K9=Cisco ISE Virtual Machine Common PID40
2.0.1CON-ECMUS-RISE9KVMSOLN SUPP SWSS Cisco ISE Virtual Machine Common PID40

 

Thank you.

Best regards

Dami

0 Helpful

Go to solution
Villager
Level 1
Level 1
In response to ADEDEJDA

‎02-09-2024 05:37 AM

How many ISE VM license require for HA and Fail Over to handle for all service. To be resolve with compliance issue as well. 

I met with Cisco Tac, he registered with 2vm license on Primary for Node and he mentioned me, require for one license to handle for Service.  Is it require 2 VM license or 3VM license. 

0 Helpful

Go to solution
Aref Alsouqi
VIP
VIP
In response to Villager

‎02-09-2024 06:09 AM

Each ISE VM node requires a VM license.

Go to solution
Villager
Level 1
Level 1
In response to Aref Alsouqi

‎02-09-2024 09:09 AM

Hello Aref,

but cisco tac says 2 vm license require for PAN and one vm licese require for SAN, Why need 3 vm licesesm

0 Helpful

Go to solution
balaji.bandi
Hall of Fame
Hall of Fame
In response to Villager

‎02-09-2024 09:32 AM

If you have 2 VM then you need 2 License here.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

Go to solution
Aref Alsouqi
VIP
VIP
In response to Villager

‎02-09-2024 11:07 AM

"Cisco ISE VM License SKU (R-ISE-VMC-K9=): Purchase a license for each virtual machine or cloud-deployed ISE node in your deployment."

ArefAlsouqi_0-1707505611610.png

Cisco ISE Licensing Guide - Cisco

0 Helpful

Go to solution
Villager
Level 1
Level 1

‎02-26-2024 06:39 AM - edited ‎02-27-2024 04:56 PM

sorry for make your complex, may be smart license and SLR license are different when we implement for ISE. Currently, I'm using with SLR, 3 licenses are require for HA 2 nodes. 2 for PAN and 1 for SAN, for Enterprise Licenses are recommended with 80/20 ratio. 

0 Helpful
Customers Also Viewed These Support Documents