Hardware and Virtual Appliance Requirements for Cisco ISE
Cisco Identity Services Engine (Cisco ISE) can be installed on Cisco Secure Network Server (SNS) hardware or virtual appliances. To achieve performance and scalability comparable to the Cisco ISE hardware appliance, the virtual machine should be allocated system resources equivalent to the Cisco SNS hardware appliances. This section lists the hardware, software, and virtual machine requirements for installing Cisco ISE.
Note: Harden your virtual environment and ensure that all the security updates are up to date. Cisco is not liable for any security issues found in hypervisors.
Note: Cisco ISE does not support VM snapshots for backing up ISE data on any of the virtual environments (VMware, Linux KVM, Microsoft Hyper-V, and Nutanix AHV) because a VM snapshot saves the status of a VM at a given point in time. In a multi-node Cisco ISE deployment, data in all the nodes are continuously synchronized with current database information. Restoring a snapshot might cause database replication and synchronization issues. We recommend that you use the backup functionality included in Cisco ISE for archival and restoration of data. Using snapshots to back up ISE data results in stopping Cisco ISE services. A reboot is required to bring up the ISE node.
Caution: If the Snapshot feature is enabled on the VM, it might corrupt the VM configuration. If this issue occurs, you might have to reimage the VM and disable VM snapshot.
Cisco Secured Network Server Hardware Appliances
For Cisco Secured Network Server (SNS) hardware appliance specifications, see "Table 1, Product Specifications" in the Cisco Secure Network Server Data Sheet.
For Cisco SNS 3600 series appliances, see Cisco SNS-3600 Series Appliance Hardware Installation Guide.
For Cisco SNS 3700 series appliances, see Cisco SNS-3700 Series Appliance Hardware Installation Guide.
For information about the supported hardware platforms for Cisco ISE 3.3, see Supported Hardware.
Support for Cisco Secure Network Server 3700 Series Appliance
The Cisco Secure Network Server (SNS) 3700 series appliances are based on the Cisco Unified Computing System (Cisco UCS) C220 Rack Server and are specifically configured to support Cisco ISE. Cisco SNS 3700 series appliances are designed to deliver high performance and efficiency for a wide range of workloads.
The Cisco SNS 3700 series appliances are available in the following models:
- Cisco SNS 3715 (SNS-3715-K9)
- Cisco SNS 3755 (SNS-3755-K9)
- Cisco SNS 3795 (SNS-3795-K9)
The Cisco SNS 3715 appliance is designed for small deployments. Cisco SNS 3755 and Cisco SNS 3795 appliances have several redundant components such as hard disks and power supplies and are suitable for larger deployments that require highly reliable system configurations. Cisco SNS 3795 is recommended for PAN and MnT personas.
Cisco ISE Release 3.1 Patch 6 and above, and Cisco ISE Release 3.2 Patch 2 and above, support Cisco SNS 3700 series appliances.
The following table describes the hardware specifications of Cisco SNS 3700 series appliances.
Cisco SNS 3700 Series Appliance | Hardware Specifications |
---|---|
Cisco SNS-3715-K9 | |
Cisco SNS-3755-K9 | |
Cisco SNS-3795-K9 | |
For more information, see the Cisco SNS-3700 Series Appliance Hardware Installation Guide.
Trusted Platform Module
Cisco SNS 3700 series appliances have a pre-built Trusted Platform Module (TPM) adapter that can securely store artifacts used to authenticate the server. These artifacts can include passwords, certificates, or encryption keys. TPM is also used for random number generation for improved security.
You can configure Virtual Trusted Platform Module (vTPM) on VMware ESXi server (ESXi 7.0 update 3 or later). To do this:
- Install vCenter version 7 update 3 or later.
  While installing vCenter, you must configure the FQDN properly. The DNS server must be able to resolve the FQDN.
- Configure Native Key Provider:
  - In the vCenter GUI, choose vCenter IP > Configure > Security > Key Provider > Add Key Provider.
  - Click Native Key Provider and enter a name for the key provider.
  - Click Take Backup.
    Ensure that the key provider status is displayed as Active.
- Create a cluster on vCenter and add the ESXi host to the cluster.
- Create a new VM in the cluster.
- In the Customize Hardware window, choose Add New Device > Trusted Platform Module.
  You must disable the Secure Boot option. Ensure that the Encryption option is set as Required.
- Map the Cisco ISE ISO to the new VM and complete the installation.
VMware Virtual Machine Requirements for Cisco ISE
You can use the VMware migration feature to migrate virtual machine (VM) instances (running any persona) between hosts. Cisco ISE supports both hot and cold migration.
- Hot migration is also called live migration or vMotion. Cisco ISE need not be shut down or powered off during the hot migration. You can migrate the Cisco ISE VM without any interruption in its availability.
- Cisco ISE must be shut down and powered off for cold migration. Cisco ISE does not allow database operations to be stopped or paused during cold migration. Hence, ensure that Cisco ISE is not running and active during the cold migration.
Note: You must use the application stop command before using the halt command or powering off the VM to prevent database corruption issues.
The 300 GB OVA templates are sufficient for Cisco ISE nodes that serve as dedicated Policy Service or pxGrid nodes.
The 600 GB and 1.2 TB OVA templates are recommended to meet the minimum requirements for ISE nodes that run the Administration or Monitoring persona.
If you need to customize the disk size, CPU, or memory allocation, you can manually deploy Cisco ISE using the standard .iso image. However, it is important that you ensure the minimum requirements and resource reservations specified in this document are met. The OVA templates simplify ISE virtual appliance deployment by automatically applying the minimum resources required for each platform.
OVA Template Type | Number of CPUs | CPU Reservation (In GHz) | Memory (In GB) | Memory Reservation (In GB) |
---|---|---|---|---|
Evaluation | 4 | No reservation. | 16 | No reservation. |
Extra Small | 8 | 8 | 32 | 32 |
Small (SNS 3615) | 16 | 16 | 32 | 32 |
Medium (SNS 3655) | 24 | 24 | 96 | 96 |
Large (SNS 3695) | 24 | 24 | 256 | 256 |
Small (SNS 3715) | 24 | 24 | 32 | 32 |
Medium (SNS 3755) | 40 | 40 | 96 | 96 |
Large (SNS 3795) | 40 | 40 | 256 | 256 |
Note: We strongly recommend that you reserve CPU and memory resources to match the resource allocation. Failure to do so may significantly impact ISE performance and stability.
For information about the supported operating systems, see Supported Operating System for Virtual Machines.
For information about the product specifications for Cisco SNS appliance, see Cisco Secure Network Server Data Sheet.
The following table lists the VMware virtual machine requirements.
Requirement Type | Specifications |
---|---|
CPU | |
Memory | |
Hard Disks | |
Storage and File System | The storage system for the Cisco ISE virtual appliance requires a minimum write performance of 50 MB per second and a read performance of 300 MB per second. Deploy a storage system that meets these performance criteria and is supported by VMware server. You can use the show tech-support command to view the read and write performance metrics. We recommend the VMFS file system because it is most extensively tested, but other file systems, transports, and media can also be deployed provided they meet the above requirements. |
Disk Controller | Paravirtual or LSI Logic Parallel. For best performance and redundancy, a caching RAID controller is recommended. Controller options such as RAID 10 (also known as 1+0) can offer higher overall write performance and redundancy than RAID 5, for example. Additionally, battery-backed controller cache can significantly improve write operations. |
NIC | 1 NIC interface required (two or more NICs are recommended; six NICs are supported). Cisco ISE supports E1000E and VMXNET3 adapters. |
VMware Virtual Hardware Version/Hypervisor | |
Linux KVM Requirements for Cisco ISE
Requirement Type | Minimum Requirements |
---|---|
CPU | |
Memory | |
Hard disks | |
KVM Disk Device | Disk bus - virtio, cache mode - none, I/O mode - native. Use preallocated RAW storage format. |
NIC | 1 NIC interface required (two or more NICs are recommended; six NICs are supported). Cisco ISE supports VirtIO drivers. We recommend VirtIO drivers for better performance. |
Hypervisor | KVM on QEMU 2.12.0-99 or above |
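
The following check is an added example, not part of the Cisco documentation: it audits a libvirt domain definition (as produced by `virsh dumpxml`) against the KVM Disk Device and NIC rows above. The guest name and sample XML are constructed for illustration; preallocation is not visible in the domain XML and is not checked.

```python
import xml.etree.ElementTree as ET

# Constructed libvirt domain XML for a hypothetical guest "ise-psn1".
SAMPLE_DOMAIN_XML = """
<domain type='kvm'>
  <name>ise-psn1</name>
  <devices>
    <disk type='file' device='disk'>
      <driver name='qemu' type='qcow2' cache='writeback'/>
      <target dev='sda' bus='sata'/>
    </disk>
    <disk type='file' device='cdrom'>
      <target dev='hdc' bus='ide'/>
    </disk>
    <interface type='bridge'><model type='e1000'/></interface>
  </devices>
</domain>
"""

# Values from the "KVM Disk Device" row: virtio bus, RAW format, cache none, I/O native.
REQUIRED_DRIVER = {"type": "raw", "cache": "none", "io": "native"}
REQUIRED_BUS = "virtio"

def audit_domain(xml_text):
    """Return a list of findings; an empty list means the guest matches the table."""
    findings = []
    root = ET.fromstring(xml_text.strip())
    for disk in root.findall("./devices/disk"):
        if disk.get("device", "disk") != "disk":  # skip the installer cdrom
            continue
        driver, target = disk.find("driver"), disk.find("target")
        dev = target.get("dev") if target is not None else "?"
        bus = target.get("bus") if target is not None else None
        if bus != REQUIRED_BUS:
            findings.append(f"{dev}: bus={bus}, expected {REQUIRED_BUS}")
        for attr, want in REQUIRED_DRIVER.items():
            # A missing attribute means the hypervisor default applies, so flag it.
            got = driver.get(attr) if driver is not None else None
            if got != want:
                findings.append(f"{dev}: driver {attr}={got}, expected {want}")
    for nic in root.findall("./devices/interface"):
        model = nic.find("model")
        mtype = model.get("type") if model is not None else None
        if mtype != "virtio":
            findings.append(f"nic: model={mtype}, VirtIO recommended")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_domain(SAMPLE_DOMAIN_XML)))
```
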
Microsoft Hyper-V Requirements for Cisco ISE
Requirement Type | Minimum Requirements |
---|---|
CPU | |
Memory | |
Hard disks | |
NIC | 1 NIC interface required (two or more NICs are recommended; six NICs are supported). |
Hypervisor | Hyper-V (Microsoft) |
Nutanix AHV Requirements for Cisco ISE
Cisco ISE must be deployed on Nutanix AHV using the standard Cisco ISE .iso image. Deploying Cisco ISE using OVA templates is not supported on Nutanix AHV.
The following table specifies the recommended resource reservations for different types of deployment on Nutanix AHV:
Type | Number of CPUs | CPU Reservation (In GHz) | Memory (In GB) | Memory Reservation (In GB) | Hard Disks |
---|---|---|---|---|---|
Evaluation | 4 | No reservation | 16 | No reservation | 300 GB |
Extra Small | 8 | 8 | 32 | 32 | 300 GB |
Small | 16 | 16 | 32 | 32 | 600 GB |
Medium | 24 | 24 | 96 | 96 | 1.2 TB |
Large | 24 | 24 | 256 | 256 | 2.4 TB (4*600 GB) |
You must do the following configuration on Nutanix AHV before proceeding with Cisco ISE installation:
- Create a virtual machine (VM) on Nutanix AHV and keep the VM powered off.
- Access the Nutanix CVM using SSH login and run the following commands:
  - $ acli
  - <acropolis> vm.serial_port_create <Cisco ISE VM Name> type=kServer index=0
  - <acropolis> vm.update <Cisco ISE VM Name> disable_branding=true
  - <acropolis> vm.update <Cisco ISE VM Name> extra_flags="enable_hyperv_clock=False"
- Exit Acropolis CLI and power on the VM to proceed with Cisco ISE installation using the standard .iso image.
Requirement Type | Minimum Requirements |
---|---|
CPU | Cisco ISE supports Hyperthreading. We recommend that you enable Hyperthreading, if it is available. |
Memory | |
Hard disks | |
KVM Disk Device | Disk bus - SCSI |
NIC | 1 GB NIC interface required (two or more NICs are recommended; six NICs are supported). Cisco ISE supports VirtIO drivers. We recommend VirtIO drivers for better performance. |
Hypervisor | AOS - 6.8, Nutanix AHV - 20230302.100169 |