Cisco Identity Services Engine Installation Guide, Release 2.4

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

• Network Deployments in Cisco ISE
• Cisco Secured Network Server 3500/3600 Series Appliances and Virtual Machine Requirements
• Install Cisco ISE
• Additional Installation Information
• Installation Verification and Post-Installation Tasks
• Common System Maintenance Tasks
• Cisco ISE Ports Reference

Book Title

Cisco Identity Services Engine Installation Guide, Release 2.4

Cisco Secured Network Server 3500/3600 Series Appliances and Virtual Machine Requirements

• PDF - Complete Book (4.38 MB)PDF - This Chapter (1.14 MB) View with Adobe Reader on a variety of devices

Results

Chapter: Cisco Secured Network Server 3500/3600 Series Appliances and Virtual Machine Requirements

• Cisco Secured Network Server 3500/3600 Series Appliances and Virtual Machine Requirements
• Hardware and Virtual Appliance Requirements for Cisco ISE
  • Cisco Secured Network Server Hardware Appliances
  • VMware Virtual Machine Requirements for Cisco ISE
  • Linux KVM Requirements for Cisco ISE
  • Microsoft Hyper-V Requirements for Cisco ISE

  Cisco Secured Network Server 3500/3600 Series Appliances and Virtual Machine Requirements

  Hardware and Virtual Appliance Requirements for Cisco ISE

  Cisco Identity Services Engine (Cisco ISE) can be installed on Cisco Secure Network Server (SNS) hardware or virtual appliances. To achieve performance and scalability comparable to the Cisco ISE hardware appliance, the virtual machine should be allocated system resources equivalent to the Cisco SNS hardware appliances. This section lists the hardware, software, and virtual machine requirements required to install Cisco ISE.

  For Cisco SNS 3600 series appliance support (SNS-3615-K9, SNS-3655-K9, and SNS-3695-K9), you must use only the new ISO file (ise-2.4.0.357.SPA.x86_64_SNS-36x5_APPLIANCE_ONLY.iso). Cisco ISE 2.4 Patch 9 or above must be applied after installation. We recommend that you do not use this ISO file for SNS 3500 series appliance, VMware, KVM, or Hyper-V installation.

  Harden your virtual environment and ensure that all the security updates are up-to-date. Cisco is not liable for any security issues found in hypervisors.

  Cisco ISE does not support VM snapshots for backing up ISE data on any of the virtual environments (VMware, Linux KVM, Microsoft Hyper-V, and Nutanix AHV) because a VM snapshot saves the status of a VM at a given point in time. In a multi-node Cisco ISE deployment, data in all the nodes are continuously synchronized with current database information. Restoring a snapshot might cause database replication and synchronization issues. We recommend that you use the backup functionality included in Cisco ISE for archival and restoration of data. Using snapshots to back up ISE data results in stopping Cisco ISE services. A reboot is required to bring up the ISE node.

  If the Snapshot feature is enabled on the VM, it might corrupt the VM configuration. If this issue occurs, you might have to reimage the VM and disable VM snapshot.

  Cisco Secured Network Server Hardware Appliances

  For Cisco Secured Network Server (SNS) hardware appliance specifications, see "Table 1, Product Specifications" in the Cisco Secure Network Server Data Sheet.

  VMware Virtual Machine Requirements for Cisco ISE

  Cisco ISE supports the following VMware servers and clients:

  VMware Version 8 (default) for ESXi 5.x (5.1 U2 minimum)

  Note	If you are installing Cisco ISE on an ESXi 5.x server, to support RHEL 7 as the Guest OS, update the VMware hardware version to 9 or later. RHEL 7 is supported with VMware hardware version 9 and later.

  Cisco ISE supports the VMware cold migration feature that allows you to migrate virtual machine (VM) instances (running any persona) between hosts. For the cold migration feature to be functional, the following condition must be met:

  Cisco ISE must be shutdown and powered off: Cisco ISE does not allow to stop or pause the database operations during migration. This might lead to data corruption issues. Hence, ensure that Cisco ISE is not running and active during the migration.

  • You must use the application stop command before using the halt command or powering off the VM to prevent database corruption issues.
  • Cisco ISE VM does not support hot migration (vMotion).

  Refer to your VMware documentation for more information on vMotion requirements.

  Cisco ISE offers the following OVA templates that you can use to install and deploy Cisco ISE on virtual machines (VMs):

  • ISE-2.4.0.xxx-virtual-Eval.ova
  • ISE-2.4.0.xxx-virtual-SNS3515-Small-200GBHD-16GBRAM-12CPU.ova
  • ISE-2.4.0.xxx-virtual-SNS3515-Small-600GBHD-16GBRAM-12CPU.ova
  • ISE-2.4.0.xxx-virtual-SNS3595-Medium-200GBHD-64GBRAM-16CPU.ova
  • ISE-2.4.0.xxx-virtual-SNS3595-Medium-1200GBHD-64GBRAM-16CPU.ova
  • ISE-2.4.0.xxx-virtual-SNS3595-Large-1200GBHD-256GBRAM-16CPU.ova

  The 200 GB OVA templates are sufficient for Cisco ISE nodes that serve as dedicated Policy Service or pxGrid nodes.

  The 600 GB and 1.2 TB OVA templates are recommended to meet the minimum requirements for ISE nodes that run the Administration or Monitoring persona.

  If you need to customize the disk size, CPU, or memory allocation, you can manually deploy Cisco ISE using the standard .iso image. However, it is important that you ensure the minimum requirements and resource reservations specified in this document are met. The OVA templates simplify ISE virtual appliance deployment by automatically applying the minimum resources required for each platform.

  The OVA template reservations for the base SNS platforms are provided in the table below.

  Virtual Eval OVA

  2300 MHz (no reservation)

  Virtual SNS-3515 OVA (Small)

  Virtual SNS-3595 OVA (Medium)

  Virtual SNS-3595 OVA (Large)

  The large node is only for use as a performance-enhanced MnT node. You cannot use the Large VM as a PAN, PSN, or pxGrid node.

  We strongly recommend that you reserve CPU and memory resources to match the resource allocation. Failure to do so may significantly impact ISE performance and stability.

  For information about the product specifications for Cisco SNS appliance, see Cisco Secure Network Server Data Sheet.

  The following table lists the VMware virtual machine requirements.

  Note	The number of cores is twice of that present in equivalent of the Cisco Secure Network Server 3500 series, due to hyperthreading. For example, in case of Small network deployment, you must allocate 16 vCPU cores to meet the CPU specification of SNS 3515, which has 8 CPU Cores or 16 Threads.

  • Evaluation: 16 GB
  • Production
    • Small: 16 GB for SNS 3515 and 32 GB for SNS 3615
    • Medium: 64 GB for SNS 3595 and 96 GB for SNS 3655
    • Large: 256 GB for SNS 3695 The Large memory size is only for use as a performance-enhanced MnT node. You cannot use the Large VM as a PAN, PSN, or pxGrid node.

    See OVA Template Reservations for Memory Reservations.

    • Evaluation: 200 GB
    • Production 200 GB to 2.4 TB of disk storage (size depends on deployment and tasks). See the recommended disk space for VMs in the following link: Disk Space Requirements . We recommend that your VM host server use hard disks with a minimum speed of 10,000 RPM.

    Note	When you create the Virtual Machine for Cisco ISE, use a single virtual disk that meets the storage requirement. If you use more than one virtual disk to meet the disk space requirement, the installer may not recognize all the disk space.

    Storage and File System

    The storage system for the Cisco ISE virtual appliance requires a minimum write performance of 50 MB per second and a read performance of 300 MB per second. Deploy a storage system that meets these performance criteria and is supported by VMware server.

    You can use the show tech-support command to view the read and write performance metrics.

    We recommend the VMFS file system because it is most extensively tested, but other file systems, transports, and media can also be deployed provided they meet the above requirements.

    Paravirtual (default for RHEL 7 64-bit) or LSI Logic Parallel

    For best performance and redundancy, a caching RAID controller is recommended. Controller options such as RAID 10 (also known as 1+0) can offer higher overall write performance and redundancy than RAID 5, for example. Additionally, battery-backed controller cache can significantly improve write operations.

    Updating the disk SCSI controller of an ISE VM from another type to VMware Paravirtual may render it not bootable.

    1 NIC interface required (two or more NICs are recommended; six NICs are supported). Cisco ISE supports E1000 and VMXNET3 adapters.

    We recommend that you select E1000 to ensure correct adapter order by default. If you choose VMXNET3, you might have to remap the ESXi adapter to synchronize it with the ISE adapter order.

    VMware Virtual Hardware Version/Hypervisor

    VMware Virtual Machine Hardware Version 8 or higher on ESXi 5.x (5.1 U2 minimum) and 6.x.

    If you are installing Cisco ISE on an ESXi 5.x server, to support RHEL 7 as the Guest OS, update the VMware hardware version to 9 or later. RHEL 7 is supported with VMware hardware version 9 and later.

    Linux KVM Requirements for Cisco ISE

    Note	The number of cores is twice of that present in equivalent of the Cisco Secure Network Server 3500 series, due to hyperthreading. For example, in case of Small network deployment, you must allocate 16 vCPU cores to meet the CPU specification of SNS 3515, which has 8 CPU Cores or 16 Threads.

    See OVA Template Reservations for Memory Reservations.

    • Evaluation: 200 GB
    • Production 200 GB to 2.4 TB of disk storage (size depends on deployment and tasks). See the recommended disk space for VMs in the following link: Disk Space Requirements . We recommend that your VM host server use hard disks with a minimum speed of 10,000 RPM.

    Note	When you create the Virtual Machine for Cisco ISE, use a single virtual disk that meets the storage requirement. If you use more than one virtual disk to meet the disk space requirement, the installer may not recognize all the disk space.

    KVM Disk Device

    Disk bus - virtio, cache mode - none, I/O mode - native

    Use preallocated RAW storage format.

    1 NIC interface required (two or more NICs are recommended; six NICs are supported). Cisco ISE supports VirtIO drivers. We recommend VirtIO drivers for better performance.

    Microsoft Hyper-V Requirements for Cisco ISE

    • Evaluation
      • Clock speed: 2.0 GHz or faster
      • Number of cores: 2 CPU cores
      • Clock speed: 2.0 GHz or faster
      • Number of Cores:
        • SNS 3500 Series Appliance:
          • Small: 12
          • Medium: 16
          • Large: 16 The number of cores is twice of that present in equivalent of the Cisco Secure Network Server 3500 series, due to hyperthreading. For example, in case of Small network deployment, you must allocate 16 vCPU cores to meet the CPU specification of SNS 3515, which has 8 CPU Cores or 16 Threads.
          • Evaluation: 16 GB
          • Production
            • Small: 16 GB for SNS 3515 and 32 GB for SNS 3615
            • Medium: 64 GB for SNS 3595 and 96 GB for SNS 3655
            • Large: 256 GB for SNS 3695

            See OVA Template Reservations for Memory Reservations.

            • Evaluation: 200 GB
            • Production 200 GB to 2.4 TB of disk storage (size depends on deployment and tasks). See the recommended disk space for VMs in the following link: Disk Space Requirements . We recommend that your VM host server use hard disks with a minimum speed of 10,000 RPM.

            When you create the Virtual Machine for Cisco ISE, use a single virtual disk that meets the storage requirement. If you use more than one virtual disk to meet the disk space requirement, the installer may not recognize all the disk space.

            1 NIC interface required (two or more NICs are recommended; six NICs are supported).

            Virtual Machine Appliance Size Recommendations for Cisco ISE

            Cisco ISE 2.4 introduces a large VM for Monitoring nodes. Deploying a Monitoring persona on a large VM offers the following advantages:

            • Improves performance in terms of faster response to live log queries and report completion.
            • Will be able to support the deployments that can handle more than 500, 000 sessions when the support is provided in future ISE releases.

            This form factor is available only as a VM in Release 2.4 and later, and requires a large VM license.

            The virtual machine (VM) appliance specifications should be comparable with physical appliances run in a production environment.

            Keep the following guidelines in mind when allocating resources for the appliance:

            Failure to allocate the specified resources might result in performance degradation or service failure. We highly recommend that you deploy dedicated VM resources and not share or oversubscribe resources across multiple guest VMs. Deploying Cisco ISE virtual appliances using the OVF templates ensures that adequate resources are assigned to each VM. If you do not use OVF templates, then ensure that you assign the equivalent resource reservations when you manually install Cisco ISE using the ISO image.

            Note	If you choose to deploy Cisco ISE manually without the recommended reservations, you must assume the responsibility to closely monitor your appliance’s resource utilization and increase resources, as needed, to ensure proper health and functioning of the Cisco ISE deployment.

            • Ensure that you assign the resource reservations that are specified in the VMware Virtual Machine Requirements for Cisco ISE section in the CPU/Memory Reservation field (under the Virtual Hardware tab in the Edit Settings window) to ensure proper health and functioning of the Cisco ISE deployment.
            • Ensure that the CPU usage in the CPU Limit field (under the Virtual Hardware tab in the Edit Settings window) is set to Unlimited. Setting a limit for CPU usage (for example, setting the CPU usage limit as 12000 MHz) will impact the system performance. If limit has been set, you must shutdown the VM client, remove the limit, and the restart the VM client.
            • Ensure that the memory usage in the Memory Limit field (under the Virtual Hardware tab in the Edit Settings window) is set to Unlimited. Setting a limit for memory usage (for example, setting the limit as 12000 MB) will impact the system performance.
            • Ensure that the Shares option is set as High in the Hard Disk area (under the Virtual Hardware tab in the Edit Settings window). Admin and MnT nodes rely heavily on disk usage. Using shared disk storage VMware environment might affect the disk performance. You must increase the number of disk shares allocated to a node to increase the performance of the node.

            RAM and CPU adjustments on VM do not require re-image.

            Disk Space Requirements for VMs in a Cisco ISE Deployment

            The following table lists the Cisco ISE disk-space allocation recommended for running a virtual machine in a production deployment.

            You must change the firmware from BIOS to EFI in the boot mode of VM settings to boot GPT partition with 2 TB or above.

            Table 5. Recommended Disk Space for Virtual Machines

            Cisco ISE Persona

            Minimum Disk Space for Evaluation

            Minimum Disk Space for Production

            Recommended Disk Space for Production

            Maximum Disk Space

            Standalone Cisco ISE

            600 GB to 2.4 TB

            Distributed Cisco ISE, Administration only

            Distributed Cisco ISE,Monitoring only

            600 GB to 2.4 TB

            Distributed Cisco ISE,Policy Service only

            Distributed Cisco ISE, pxGrid only

            Distributed Cisco ISE, Administration and Monitoring (and optionally, pxGrid)

            600 GB to 2.4 TB

            Distributed Cisco ISE, Administration, Monitoring, and Policy Service (and optionally, pxGrid)

            600 GB to 2.4 TB

            Additional disk space is required to store local debug logs, staging files, and to handle log data during upgrade, when the Primary Administration node temporarily becomes a Monitoring node.

            Disk Space Guidelines for Cisco ISE

            Keep the following guidelines in mind when deciding the disk space for Cisco ISE:

            • Cisco ISE must be installed on a single disk in virtual machine.
            • Disk allocation varies based on logging retention requirements. On any node that has the Monitoring persona enabled, 60 percent of the VM disk space is allocated for log storage. A deployment with 25,000 endpoints generates approximately 1 GB of logs per day. For example, if you have a Monitoring node with 600-GB VM disk space, 360 GB is allocated for log storage. If 100,000 endpoints connect to this network every day, it generates approximately 4 GB of logs per day. In this case, you can store 76 days of logs in the Monitoring node, after which you must transfer the old data to a repository and purge it from the Monitoring database.

            For extra log storage, you can increase the VM disk space. For every 100 GB of disk space that you add, you get 60 GB more for log storage.

            If you increase the disk size of your virtual machine after initial installation, perform a fresh installation of Cisco ISE. A fresh installation helps properly detect and utilize the full disk allocation.

            The following table lists the number of days that RADIUS logs can be retained on your Monitoring node based on the allocated disk space and the number of endpoints that connect to your network. The numbers are based on the following assumptions: Ten or more authentications per day per endpoint with logging suppression enabled.