Additional Installation Information

SNS Appliance Reference

Create a Bootable USB Device to Install Cisco ISE

Before you begin

  • Use the Fedora Media Writer tool to create a bootable USB device from the Cisco ISE installation ISO file.

    Download Fedora Media Writer (https://github.com/lmacken/liveusb-creator/releases/tag/3.12.0) to the local system.


    Note


    Other USB tools might work, but we recommend that you use Fedora Media Writer 3.12.0 as it has been tested with Cisco ISE.


  • Download the Cisco ISE installation ISO file to the local system.

  • Use an 8-GB (or higher) USB device.

Procedure


Step 1

Reformat the USB device using FAT16 or FAT32 to free up all the space.

Step 2

Plug in the USB device to the local system and launch Fedora Media Writer.

Step 3

Click Browse from the Use existing Live CD area and choose the Cisco ISE ISO file.

Step 4

Choose the USB device from the Target Device drop-down list.

If there is only one USB device connected to the local system, it is selected automatically.

Step 5

Click Create Live USB.

The progress bar indicates the progress of the bootable USB creation. After this process is complete, the content of the USB drive is available in the local system that you used to run the USB tool. There are two text files that you must manually update before you can install Cisco ISE.

Step 6

From the USB drive, open the following text files in a text editor:

  • isolinux/isolinux.cfg or syslinux/syslinux.cfg
  • EFI/BOOT/grub.cfg

Step 7

Replace the term "cdrom" in both the files.

  • If you have an SNS 3515, 3595, 3615, 3655, or 3695 appliance, replace the term "cdrom" with "hd:sdb1" in both the files.

Specifically, replace all instances of the "cdrom" string. For example, replace

ks=cdrom/ks.cfg

with

ks=hd:sdb1:/ks.cfg

Step 8

Save the files and exit.

Step 9

If you are using ise-2.4.0.357.SPA.x86_64_SNS-36x5_APPLIANCE_ONLY.iso to create Live USB, replace the BOOTX64.EFI and grub.efi files in the EFI/BOOT folder with the files available on the Cisco Software Download site and exit.

Step 10

Safely remove the USB device from the local system.

Step 11

Plug in the bootable USB device to the Cisco ISE appliance, restart the appliance, and boot from the USB drive to install Cisco ISE.
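Steps 6 through 8 can be scripted once the USB drive is mounted. The following is an added example, not part of the Cisco procedure: the function names, the .orig backups, and the sample config lines are assumptions made for illustration, and the replacement string is the one the page gives for SNS 3515, 3595, 3615, 3655, and 3695 appliances.

```sh
#!/bin/sh
# Added example (not Cisco code): Steps 6-8 applied to a mounted Live USB.

# Replacement string the page gives for SNS 3515/3595/3615/3655/3695.
ISE_KS_TARGET="hd:sdb1"

# ise_patch_usb MOUNTPOINT
# Rewrites every "cdrom" in the legacy boot config (isolinux and/or syslinux,
# whichever the USB tool produced) and in EFI/BOOT/grub.cfg.
# Exit status: 0 patched and verified, 1 write/verify failure, 2 file missing.
ise_patch_usb() {
    ise_usb=$1
    ise_have_legacy=no
    if [ -f "$ise_usb/isolinux/isolinux.cfg" ] || [ -f "$ise_usb/syslinux/syslinux.cfg" ]; then
        ise_have_legacy=yes
    fi
    # Refuse to patch only half of the boot paths (BIOS without UEFI or vice versa).
    if [ "$ise_have_legacy" = no ] || [ ! -f "$ise_usb/EFI/BOOT/grub.cfg" ]; then
        echo "error: boot config missing under $ise_usb" >&2
        return 2
    fi
    for ise_rel in isolinux/isolinux.cfg syslinux/syslinux.cfg EFI/BOOT/grub.cfg; do
        ise_f="$ise_usb/$ise_rel"
        [ -f "$ise_f" ] || continue
        # Keep the untouched file once, so a re-run never backs up a patched copy.
        [ -e "$ise_f.orig" ] || cp -p "$ise_f" "$ise_f.orig" || return 1
        sed "s/cdrom/$ISE_KS_TARGET/g" "$ise_f" > "$ise_f.tmp" || return 1
        mv "$ise_f.tmp" "$ise_f" || return 1
        # Step 7 requires all instances replaced; fail loudly if any survive.
        if grep -q 'cdrom' "$ise_f"; then
            echo "error: 'cdrom' still present in $ise_f" >&2
            return 1
        fi
        echo "patched: $ise_f"
    done
    return 0
}

# Constructed demo: build a throwaway tree shaped like the Live USB, patch it,
# and print the resulting kickstart arguments.
ise_demo() {
    ise_tmp=$(mktemp -d) || return 1
    mkdir -p "$ise_tmp/syslinux" "$ise_tmp/EFI/BOOT"
    # Constructed sample lines, not copied from a real ISE image.
    printf '%s\n' 'label install' '  append initrd=initrd.img ks=cdrom:/ks.cfg' \
        > "$ise_tmp/syslinux/syslinux.cfg"
    printf '%s\n' 'linuxefi /images/vmlinuz ks=cdrom:/ks.cfg' \
        > "$ise_tmp/EFI/BOOT/grub.cfg"
    ise_patch_usb "$ise_tmp" >/dev/null || return 1
    cat "$ise_tmp/syslinux/syslinux.cfg" "$ise_tmp/EFI/BOOT/grub.cfg" | grep 'ks='
    rm -rf "$ise_tmp"
}

ise_demo
```

On a real drive, call ise_patch_usb with the mount point of the USB device and check that it reports both a legacy config and EFI/BOOT/grub.cfg as patched before continuing with Step 9.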


Reimage the Cisco SNS Hardware Appliance

The Cisco SNS hardware appliances do not have built-in DVD drives. Therefore, to reimage a Cisco ISE hardware appliance with Cisco ISE software, you can do one of the following:

  • Use the Cisco Integrated Management Controller (Cisco IMC) interface to map the installation .iso file to the virtual DVD device.

  • Create an install DVD with the installation .iso file, plug in a USB external DVD drive, and boot the appliance from the DVD drive.

  • Create a bootable USB device using the installation .iso file and boot the appliance from the USB drive.


Note


Cisco SNS hardware appliances support the Unified Extensible Firmware Interface (UEFI) secure boot feature. This feature ensures that only a Cisco-signed ISE image can be installed on the SNS hardware appliances, and prevents installation of any unsigned operating system even with physical access to the device. For example, generic operating systems, such as Red Hat Enterprise Linux or Microsoft Windows, cannot boot on this appliance.


The SNS 3515 and SNS 3595 appliances support only Cisco ISE 2.0.1 or later releases. You cannot install a release earlier than 2.0.1 on the SNS 3515 or SNS 3595 appliance.

VMware Virtual Machine

Virtual Machine Resource and Performance Checks

Before installing Cisco ISE on a virtual machine, the installer performs hardware integrity checks by comparing the available hardware resources on the virtual machine with the recommended specifications.

During a VM resource check, the installer checks for the hard disk space, number of CPU cores allocated to the VM, CPU clock speed, and RAM allocated to the VM. If the VM resources do not meet the basic evaluation specifications, the installation terminates. This resource check is applicable only for ISO-based installations.

When you run the Setup program, a VM performance check is done, where the installer checks for disk I/O performance. If the disk I/O performance does not meet the recommended specifications, a warning appears on screen, but it allows you to continue with the installation.

The VM performance check is done periodically (every hour) and the results are averaged for a day. If the disk I/O performance does not meet the recommended specification, an alarm is generated.

The VM performance check can also be done on demand from the Cisco ISE CLI using the show tech-support command.

The VM resource and performance checks can be run independent of Cisco ISE installation. You can perform this test from the Cisco ISE boot menu.

Deploy Cisco ISE on Virtual Machines Using OVA Templates

You can use OVA templates to install and deploy Cisco ISE software on a virtual machine. Download the OVA template from Cisco.com.

Before you begin


Note


When deploying Cisco ISE OVA files, we recommend that you remove or disconnect the unrequired network adapters after you complete the import, but before you run the setup for Cisco ISE. If you are using 4 or more network adapters, retain network adapter type E1000 to avoid interface reordering. If you are using up to 3 network adapters, you can delete all your E1000 network adapters and replace them with VMXNET3 ones.


Procedure


Step 1

Open VMware vSphere client.

Step 2

Log in to VMware host.

Step 3

Choose File > Deploy OVF Template from the VMware vSphere Client.

Step 4

Click Browse to select the OVA template, and click Next.

Step 5

Confirm the details in the OVF Template Details page, and click Next.

Step 6

Enter a name for the virtual machine in the Name and Location page to uniquely identify it, and click Next.

Step 7

Choose a data store to host the OVA.

Step 8

Click the Thick Provision radio button in the Disk Format page, and click Next.

Cisco ISE supports both thick and thin provisioning. However, we recommend that you choose thick provisioning for better performance, especially for Monitoring nodes. If you choose thin provisioning, operations such as upgrade, backup and restore, and debug logging that require more disk space might be impacted during initial disk expansion.

Step 9

Verify the information in the Ready to Complete page. Check the Power on after deployment check box.

Step 10

Click Finish.


Install Cisco ISE on VMware Virtual Machine Using the ISO File

This section describes how to install Cisco ISE on a VMware virtual machine using the ISO file.

Prerequisites for Configuring a VMware ESXi Server

Review the following configuration prerequisites before you attempt to configure a VMware ESXi server:

  • Remember to log in to the ESXi server as a user with administrative privileges (root user).

  • Cisco ISE is a 64-bit system. Before you install a 64-bit system, ensure that Virtualization Technology (VT) is enabled on the ESXi server. Ensure that your Guest Operating System is set to Red Hat Enterprise Linux (RHEL) 7 (64-bit) or Red Hat Enterprise Linux (RHEL) 6 (64-bit).

  • For Red Hat Enterprise Linux 7, the default NIC type is VMXNET3 Adapter. You can add up to six NICs for your Cisco ISE virtual machine, but ensure that you choose the same Adapter for all the NICs. Cisco ISE supports the E1000 Adapter.


    Note


    If you choose the default network driver (VMXNET3) as the Network Adapter, check the physical adapter mappings. Ensure that you map the Cisco ISE GigabitEthernet 0 interface to the 4th interface (NIC 4) in ESXi server as listed in the following table.

    ADE-OS   Cisco ISE   E1000   VMXNET3
    eth0     GE0         1       4
    eth1     GE1         2       1
    eth2     GE2         3       2
    eth3     GE3         4       3
    eth4     GE4         5       5
    eth5     GE5         6       6

    If you choose the E1000 Adapter, by default, the ESXi adapters and Cisco ISE adapters are mapped correctly.


  • Ensure that you allocate the recommended amount of disk space on the VMware virtual machine.

  • If you have not created a VMware virtual machine file system (VMFS), you must create one to support the Cisco ISE virtual appliance. The VMFS is set for each of the storage volumes configured on the VMware host. For VMFS5, the 1-MB block size supports up to 1.999 TB virtual disk size.

Virtualization Technology Check

If you have an ESXi server installed already, you can check if Virtualization Technology is enabled on it without rebooting the machine. To do this, use the esxcfg-info command. Here is an example:


~ # esxcfg-info |grep "HV Support"
|----HV Support............................................3
|----World Command Line.................................grep HV Support

If HV Support has a value of 3, then VT is enabled on the ESXi server and you can proceed with the installation.

If HV Support has a value of 2, then VT is supported, but not enabled on the ESXi server. You must edit the BIOS settings and enable VT on the server.

Enable Virtualization Technology on an ESXi Server

You can reuse the same hardware that you used for hosting a previous version of Cisco ISE virtual machine. However, before you install the latest release, you must enable Virtualization Technology (VT) on the ESXi server.

Procedure

Step 1

Reboot the appliance.

Step 2

Press F2 to enter setup.

Step 3

Choose Advanced > Processor Configuration.

Step 4

Select Intel(R) VT and enable it.

Step 5

Press F10 to save your changes and exit.


Configure VMware Server Interfaces for the Cisco ISE Profiler Service

Configure VMware server interfaces to support the collection of Switch Port Analyzer (SPAN) or mirrored traffic to a dedicated probe interface for the Cisco ISE Profiler Service.

Procedure

Step 1

Choose Configuration > Networking > Properties > VMNetwork (the name of your VMware server instance) > VMswitch0 (one of your VMware ESXi server interfaces) > Properties > Security.

Step 2

In the Policy Exceptions pane on the Security tab, check the Promiscuous Mode check box.

Step 3

In the Promiscuous Mode drop-down list, choose Accept and click OK.

Repeat the same steps on the other VMware ESXi server interface used for profiler data collection of SPAN or mirrored traffic.


Connect to the VMware Server Using the Serial Console

Procedure

Step 1

Power down the particular VMware server (for example, ISE-120).

Step 2

Right-click the VMware server and choose Edit.

Step 3

Click Add on the Hardware tab.

Step 4

Choose Serial Port and click Next.

Step 5

In the Serial Port Output area, click the Use physical serial port on the host or the Connect via Network radio button and click Next.

  • If you choose the Connect via Network option, you must open the firewall ports over the ESXi server.

  • If you select the Use physical serial port on the host option, choose the port. You may choose one of the following two options:

    • /dev/ttyS0 (In the DOS or Windows operating system, this will appear as COM1).

    • /dev/ttyS1 (In the DOS or Windows operating system, this will appear as COM2).

Step 6

Click Next.

Step 7

In the Device Status area, check the appropriate check box. The default is Connected.

Step 8

Click OK to connect to the VMware server.


Configure a VMware Server

Before you begin

Ensure that you have read the Prerequisites for configuring a VMware Server.

Procedure

Step 1

Log in to the ESXi server.

Step 2

In the VMware vSphere Client, in the left pane, right-click your host container and choose New Virtual Machine.

Step 3

In the Configuration dialog box, choose Custom for the VMware configuration and click Next.

Step 4

Enter a name for the VMware system and click Next.

Tip

Use the hostname that you want to use for your VMware host.

Step 5

Choose a datastore that has the recommended amount of space available and click Next.

Step 6

(Optional) If your VM host or cluster supports more than one VMware virtual machine version, choose a Virtual Machine version such as Virtual Machine Version 7, and click Next.

Step 7

Choose Linux and select the supported Red Hat Enterprise Linux version from the Version drop-down list.

Step 8

Choose a value from the Number of virtual sockets and the Number of cores per virtual socket drop-down list. Total number of cores should be:

  • Small—12

  • Medium—16

  • Large—16

    The number of cores is twice that of the equivalent Cisco Secure Network Server 3500 series appliance, due to hyperthreading. For example, for a Small network deployment, you must allocate 16 vCPU cores to meet the CPU specification of SNS 3515, which has 8 CPU Cores or 16 Threads.

Note

We strongly recommend that you reserve CPU and memory resources to match the resource allocation. Failure to do so may significantly impact ISE performance and stability.

Step 9

Choose the amount of memory and click Next.

Step 10

Choose the NIC driver from the Adapter drop-down list and click Next.

Step 11

Choose Paravirtual as the SCSI controller and click Next.

Step 12

Choose Create a new virtual disk and click Next.

Step 13

In the Disk Provisioning dialog box, click the Thick provisioned, eagerly zeroed radio button, and click Next to continue.

Cisco ISE supports both thick and thin provisioning. However, we recommend that you choose thick provisioned, eagerly zeroed for better performance, especially for Monitoring nodes. If you choose thin provisioning, operations such as upgrade, backup and restore, and debug logging that require more disk space might be impacted during initial disk expansion.

Step 14

Uncheck the Support clustering features such as Fault Tolerance check box.

Step 15

Choose the advanced options, and click Next.

Step 16

Verify the configuration details, such as Name, Guest OS, CPUs, Memory, and Disk Size of the newly created VMware system. You must see the following values:

  • Guest OS—Red Hat Enterprise Linux 7

  • Logical CPUs—12

  • Memory—16 GB or 16384 MB

For the Cisco ISE installation to be successful on a virtual machine, ensure that you adhere to the recommendations given in this document.

Step 17

Click Finish.

The VMware system is now installed.


What to do next

To activate the newly created VMware system, right-click VM in the left pane of your VMware client user interface and choose Power > Power On.

Increase Virtual Machine Power-On Boot Delay Configuration

On a VMware virtual machine, the boot delay by default is set to 0. You can change this boot delay to help you choose the boot options (while resetting the Administrator password, for example).

Procedure

Step 1

From the vSphere client, right-click the VM and choose Edit Settings.

Step 2

Click the Options tab.

Step 3

Choose Advanced > Boot Options.

Step 4

From the Power on Boot Delay area, select the time in milliseconds to delay the boot operation.

Step 5

Check the check box in the Force BIOS Setup area to enter into the BIOS setup screen when the VM boots the next time.

Step 6

Click OK to save your changes.


Install Cisco ISE Software on a VMware System

Procedure

Step 1

Log in to the VMware client.

Step 2

For the VM to enter the BIOS setup mode, right-click the VM and select Edit Settings.

Step 3

Click the Options tab.

Step 4

Click Boot Options, and in the Force BIOS Setup area, check the BIOS check box to enter the BIOS setup screen when the VM boots.

Step 5

Click OK.

Step 6

Ensure that the Coordinated Universal Time (UTC) and the correct boot order are set in BIOS:

  1. If the VM is turned on, turn the system off.

  2. Turn on the VM.

    The system enters the BIOS setup mode.

  3. In the Main BIOS menu, using the arrow keys, navigate to the Date and Time field and press Enter.

  4. Enter the UTC/Greenwich Mean Time (GMT) time zone.

    This time zone setting ensures that the reports, logs, and posture-agent log files from the various nodes in your deployment are always synchronized with regard to the time stamps.

  5. Using the arrow keys, navigate to the Boot menu and press Enter.

  6. Using the arrow keys, select CD-ROM drive and press + to move the CD-ROM drive up the order.

  7. Using the arrow keys, navigate to the Exit menu and choose Exit Saving Changes.

  8. Choose Yes to save the changes and exit.

Step 7

Insert the Cisco ISE software DVD into the VMware ESXi host CD/DVD drive and turn on the virtual machine.

When the DVD boots, the console displays:


Cisco ISE Installation (Serial Console)
Cisco ISE Installation (Keyboard/Monitor)
System Utilities (Serial Console)
System Utilities (Keyboard/Monitor)

Step 8

Use the arrow keys to select Cisco ISE Installation (Serial Console) or Cisco ISE Installation (Keyboard/Monitor) and press Enter. If you choose the serial console option, you should have a serial console set up on your virtual machine. See the VMware vSphere Documentation for information on how to create a console.

The installer starts the installation of the Cisco ISE software on the VMware system. Allow 20 minutes for the installation process to complete. When the installation process finishes, the virtual machine reboots automatically. When the VM reboots, the console displays:

Type 'setup' to configure your appliance
localhost:

Step 9

At the system prompt, type setup and press Enter.

The Setup Wizard appears and guides you through the initial configuration.

VMware Tools Installation Verification

Verify VMware Tools Installation Using the Summary Tab in the vSphere Client

Go to the Summary tab of the specified VMware host in the vSphere Client. The value in the VMware Tools field should be OK.

Figure 1. Verifying VMware Tools in the vSphere Client

Verify VMware Tools Installation Using the CLI

You can also verify if the VMware tools are installed using the show inventory command. This command lists the NIC driver information. On a virtual machine with VMware tools installed, VMware Virtual Ethernet driver will be listed in the Driver Descr field.

NAME: "ISE-VM-K9 chassis", DESCR: "ISE-VM-K9 chassis"
PID: ISE-VM-K9       , VID: A0  , SN: FCH184X9XXX
Total RAM Memory: 65700380 kB
CPU Core Count: 16
CPU 0: Model Info: Intel(R) Xeon(R) CPU E5-2640 v3 @ 2.60GHz
CPU 1: Model Info: Intel(R) Xeon(R) CPU E5-2640 v3 @ 2.60GHz
CPU 2: Model Info: Intel(R) Xeon(R) CPU E5-2640 v3 @ 2.60GHz
CPU 3: Model Info: Intel(R) Xeon(R) CPU E5-2640 v3 @ 2.60GHz
CPU 4: Model Info: Intel(R) Xeon(R) CPU E5-2640 v3 @ 2.60GHz
CPU 5: Model Info: Intel(R) Xeon(R) CPU E5-2640 v3 @ 2.60GHz
CPU 6: Model Info: Intel(R) Xeon(R) CPU E5-2640 v3 @ 2.60GHz
CPU 7: Model Info: Intel(R) Xeon(R) CPU E5-2640 v3 @ 2.60GHz
CPU 8: Model Info: Intel(R) Xeon(R) CPU E5-2640 v3 @ 2.60GHz
CPU 9: Model Info: Intel(R) Xeon(R) CPU E5-2640 v3 @ 2.60GHz
CPU 10: Model Info: Intel(R) Xeon(R) CPU E5-2640 v3 @ 2.60GHz
CPU 11: Model Info: Intel(R) Xeon(R) CPU E5-2640 v3 @ 2.60GHz
CPU 12: Model Info: Intel(R) Xeon(R) CPU E5-2640 v3 @ 2.60GHz
CPU 13: Model Info: Intel(R) Xeon(R) CPU E5-2640 v3 @ 2.60GHz
CPU 14: Model Info: Intel(R) Xeon(R) CPU E5-2640 v3 @ 2.60GHz
CPU 15: Model Info: Intel(R) Xeon(R) CPU E5-2640 v3 @ 2.60GHz
Hard Disk Count(*): 1
Disk 0: Device Name: /xxx/abc
Disk 0: Capacity: 1198.00 GB
NIC Count: 6
NIC 0: Device Name: eth0:
NIC 0: HW Address: xx:xx:xx:xx:xx:xx
NIC 0: Driver Descr: Intel(R) Gigabit Ethernet Network Driver
NIC 1: Device Name: eth1:
NIC 1: HW Address: xx:xx:xx:xx:xx:xx
NIC 1: Driver Descr: Intel(R) Gigabit Ethernet Network Driver
NIC 2: Device Name: eth2:
NIC 2: HW Address: xx:xx:xx:xx:xx:xx
NIC 2: Driver Descr: Intel(R) Gigabit Ethernet Network Driver
NIC 3: Device Name: eth3:
NIC 3: HW Address: xx:xx:xx:xx:xx:xx
NIC 3: Driver Descr: Intel(R) Gigabit Ethernet Network Driver
NIC 4: Device Name: eth4:
NIC 4: HW Address: xx:xx:xx:xx:xx:xx
NIC 4: Driver Descr: Intel(R) Gigabit Ethernet Network Driver
NIC 5: Device Name: eth5:
NIC 5: HW Address: xx:xx:xx:xx:xx:xx
NIC 5: Driver Descr: Intel(R) Gigabit Ethernet Network Driver

(*) Hard Disk Count may be Logical.

Support for Upgrading VMware Tools

The Cisco ISE ISO image contains the supported VMware tools. Upgrading VMware tools through the VMware client user interface is not supported with Cisco ISE. If you want to upgrade any VMware tools to a higher version, support is provided through a newer version of Cisco ISE.

Clone a Cisco ISE Virtual Machine

You can clone a Cisco ISE VMware virtual machine (VM) to create an exact replica of a Cisco ISE node. For example, in a distributed deployment with multiple Policy Service nodes (PSNs), VM cloning helps you deploy the PSNs quickly and effectively. You do not have to install and configure the PSNs individually.

You can also clone a Cisco ISE VM using a template.


Note


For cloning, you need VMware vCenter. Cloning must be done before you run the Setup program.


Before you begin

  • Ensure that you shut down the Cisco ISE VM that you are going to clone. In the vSphere client, right-click the Cisco ISE VM that you are about to clone and choose Power > Shut Down Guest.

  • Ensure that you change the IP Address and Hostname of the cloned machine before you power it on and connect it to the network.

Procedure


Step 1

Log in to the ESXi server as a user with administrative privileges (root user).

VMware vCenter is required to perform this step.

Step 2

Right-click the Cisco ISE VM you want to clone, and click Clone.

Step 3

Enter a name for the new machine that you are creating in the Name and Location dialog box and click Next.

This is not the hostname of the new Cisco ISE VM that you are creating, but a descriptive name for your reference.

Step 4

Select a Host or Cluster on which you want to run the new Cisco ISE VM and click Next.

Step 5

Select a datastore for the new Cisco ISE VM that you are creating and click Next.

This datastore could be the local datastore on the ESXi server or a remote storage. Ensure that the datastore has enough disk space.

Step 6

Click the Same format as source radio button in the Disk Format dialog box and click Next.

This option copies the same format that is used in the Cisco ISE VM that you are cloning this new machine from.

Step 7

Click the Do not customize radio button in the Guest Customization dialog box and click Next.

Step 8

Click Finish.


What to do next

  • Changing the IP Address and Hostname of a Cloned Virtual Machine

  • Connecting a Cloned Cisco Virtual Machine to the Network

Clone a Cisco ISE Virtual Machine Using a Template

If you are using vCenter, then you can use a VMware template to clone a Cisco ISE virtual machine (VM). You can clone the Cisco ISE node to a template and use that template to create multiple new Cisco ISE nodes. Cloning a virtual machine using a template is a two-step process:

Before you begin

Note


For cloning, you need VMware vCenter. Cloning must be done before you run the Setup program.


Procedure

Step 1

Create a Virtual Machine Template

Step 2

Deploy a Virtual Machine Template


Create a Virtual Machine Template

Before you begin

  • Ensure that you shut down the Cisco ISE VM that you are going to clone. In the vSphere client, right-click the Cisco ISE VM that you are about to clone and choose Power > Shut Down Guest.

  • We recommend that you create a template from a Cisco ISE VM that you have just installed and not run the setup program on. You can then run the setup program on each of the individual Cisco ISE nodes that you have created and configure IP address and hostnames individually.

Procedure

Step 1

Log in to the ESXi server as a user with administrative privileges (root user).

VMware vCenter is required to perform this step.

Step 2

Right-click the Cisco ISE VM that you want to clone and choose Clone > Clone to Template.

Step 3

Enter a name for the template, choose a location to save the template in the Name and Location dialog box, and click Next.

Step 4

Choose the ESXi host that you want to store the template on and click Next.

Step 5

Choose the datastore that you want to use to store the template and click Next.

Ensure that this datastore has the required amount of disk space.

Step 6

Click the Same format as source radio button in the Disk Format dialog box and click Next.

The Ready to Complete dialog box appears.

Step 7

Click Finish.


Deploy a Virtual Machine Template

After you create a virtual machine template, you can deploy it on other virtual machines (VMs).

Procedure

Step 1

Right-click the Cisco ISE VM template that you have created and choose Deploy Virtual Machine from this template.

Step 2

Enter a name for the new Cisco ISE node, choose a location for the node in the Name and Location dialog box, and click Next.

Step 3

Choose the ESXi host where you want to store the new Cisco ISE node and click Next.

Step 4

Choose the datastore that you want to use for the new Cisco ISE node and click Next.

Ensure that this datastore has the required amount of disk space.

Step 5

Click the Same format as source radio button in the Disk Format dialog box and click Next.

Step 6

Click the Do not customize radio button in the Guest Customization dialog box.

The Ready to Complete dialog box appears.

Step 7

Check the Edit Virtual Hardware check box and click Continue.

The Virtual Machine Properties page appears.

Step 8

Choose Network adapter, uncheck the Connected and Connect at power on check boxes, and click OK.

Step 9

Click Finish.

You can now power on this Cisco ISE node, configure the IP address and hostname, and connect it to the network.


What to do next

Change the IP Address and Hostname of a Cloned Virtual Machine

After you clone a Cisco ISE virtual machine (VM), you have to power it on and change the IP address and hostname.

Before you begin

  • Ensure that the Cisco ISE node is in the standalone state.

  • Ensure that the network adapter on the newly cloned Cisco ISE VM is not connected when you power on the machine. Uncheck the Connected and Connect at power on check boxes. Otherwise, if this node comes up, it will have the same IP address as the source machine from which it was cloned.

    Figure 2. Disconnecting the Network Adapter

  • Ensure that you have the IP address and hostname that you are going to configure for the newly cloned VM as soon as you power on the machine. This IP address and hostname entry should be in the DNS server. You cannot use "localhost" as the hostname for a node.

  • Ensure that you have certificates for the Cisco ISE nodes based on the new IP address or hostname.

Procedure

Step 1

Right-click the newly cloned Cisco ISE VM and choose Power > Power On.

Step 2

Select the newly cloned Cisco ISE VM and click the Console tab.

Step 3

Enter the following commands on the Cisco ISE CLI:

configure terminal
hostname hostname

The hostname is the new hostname that you are going to configure. The Cisco ISE services are restarted.

Step 4

Enter the following commands:

interface gigabit 0
ip address ip_address netmask

The ip_address is the address that corresponds to the hostname that you entered in step 3 and netmask is the subnet mask of the ip_address. The system will prompt you to restart the Cisco ISE services. See the Cisco Identity Services Engine CLI Reference Guide for the ip address and hostname commands.

Step 5

Enter Y to restart Cisco ISE services.


Connect a Cloned Cisco Virtual Machine to the Network

After you power on the cloned VM and change its IP address and hostname, you must connect the Cisco ISE node to the network.

Procedure

Step 1

Right-click the newly cloned Cisco ISE virtual machine (VM) and click Edit Settings.

Step 2

Click Network adapter in the Virtual Machine Properties dialog box.

Step 3

In the Device Status area, check the Connected and Connect at power on check boxes.

Step 4

Click OK.


Migrate Cisco ISE VM from Evaluation to Production

After evaluating the Cisco ISE release, you can migrate from an evaluation system to a fully licensed production system.

Before you begin

  • When you move the VMware server to a production environment that supports a larger number of users, be sure to reconfigure the Cisco ISE installation to the recommended minimum disk size or higher (up to the allowed maximum of 2.4 TB).

  • Note that you cannot migrate data to a production VM from a VM created with less than 200 GB of disk space. You can only migrate data from VMs created with 200 GB or more disk space to a production environment.

Procedure


Step 1

Back up the configuration of the evaluation version.

Step 2

Ensure that your production VM has the required amount of disk space.

Step 3

Install a production deployment license.

Step 4

Restore the configuration to the production system.


Check Virtual Machine Performance On-Demand

You can run the show tech-support command from the CLI to check the VM performance at any point of time. The output of this command will be similar to the following:

ise-vm123/admin# show tech | begin "disk IO perf"
Measuring disk IO performance
*****************************************
Average I/O bandwidth writing to disk device: 48 MB/second 
Average I/O bandwidth reading from disk device: 193 MB/second 
WARNING: VM I/O PERFORMANCE TESTS FAILED!
WARNING: The bandwidth writing to disk must be at least 50 MB/second,
WARNING: and bandwidth reading from disk must be at least 300 MB/second.
WARNING: This VM should not be used for production use until disk 
WARNING: performance issue is addressed. 
Disk I/O bandwidth filesystem test, writing 300 MB to /opt: 
314572800 bytes (315 MB) copied, 7.81502 s, 40.3 MB/s
Disk I/O bandwidth filesystem read test, reading 300 MB from /opt: 
314572800 bytes (315 MB) copied, 0.416897 s, 755 MB/s
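
A saved transcript can be graded automatically against the minimums quoted in its WARNING lines. The following is an added example, not Cisco tooling: the function names and the verdict format are assumptions, and it reads only the two averaged device lines, which is an interpretation of which figures the warning refers to.

```sh
#!/bin/sh
# Added example (not Cisco code): grade the averaged disk I/O figures from a
# saved `show tech-support` transcript against the minimums in its WARNING text.
ISE_MIN_WRITE_MBS=50    # "writing to disk must be at least 50 MB/second"
ISE_MIN_READ_MBS=300    # "reading from disk must be at least 300 MB/second"

# Reads a transcript on stdin and prints one verdict line.
# Exit status: 0 pass, 1 below a minimum, 2 averaged bandwidth lines not found.
ise_disk_io_verdict() {
    awk -v minw="$ISE_MIN_WRITE_MBS" -v minr="$ISE_MIN_READ_MBS" '
        { sub(/\r$/, "") }   # tolerate CRLF from terminal captures
        # The value is the field just before the trailing "MB/second" unit.
        /Average I\/O bandwidth writing to disk device:/   { w = $(NF-1) + 0; have_w = 1 }
        /Average I\/O bandwidth reading from disk device:/ { r = $(NF-1) + 0; have_r = 1 }
        END {
            if (!have_w || !have_r) {
                print "UNKNOWN: averaged bandwidth lines not found"
                exit 2
            }
            bad = ""
            if (w < minw + 0) bad = bad sprintf(" write=%s<%s", w, minw)
            if (r < minr + 0) bad = bad sprintf(" read=%s<%s", r, minr)
            if (bad != "") { print "FAIL:" bad; exit 1 }
            printf "PASS: write=%s read=%s\n", w, r
        }'
}

# The transcript shown on the page, embedded so the example runs offline.
ise_sample_transcript() {
    cat <<'EOF'
Measuring disk IO performance
*****************************************
Average I/O bandwidth writing to disk device: 48 MB/second
Average I/O bandwidth reading from disk device: 193 MB/second
WARNING: VM I/O PERFORMANCE TESTS FAILED!
WARNING: The bandwidth writing to disk must be at least 50 MB/second,
WARNING: and bandwidth reading from disk must be at least 300 MB/second.
WARNING: This VM should not be used for production use until disk
WARNING: performance issue is addressed.
Disk I/O bandwidth filesystem test, writing 300 MB to /opt:
314572800 bytes (315 MB) copied, 7.81502 s, 40.3 MB/s
Disk I/O bandwidth filesystem read test, reading 300 MB from /opt:
314572800 bytes (315 MB) copied, 0.416897 s, 755 MB/s
EOF
}

# Non-zero status is the expected result for the page's failing sample.
ise_sample_transcript | ise_disk_io_verdict || true
```

The filesystem read figure in the sample (755 MB/s) is well above 300 MB/second while the averaged device read (193 MB/second) is not, so matching on any line that mentions MB/s would give the wrong verdict.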

Virtual Machine Resource Check from the Cisco ISE Boot Menu

You can check for virtual machine resources independent of Cisco ISE installation from the boot menu.

The CLI transcript appears as follows:


  Cisco ISE Installation (Serial Console)
  Cisco ISE Installation (Keyboard/Monitor)
  System Utilities (Serial Console)
  System Utilities (Keyboard/Monitor)

Use the arrow keys to select System Utilities (Serial Console) or System Utilities (Keyboard/Monitor) and press Enter. The following screen appears:



Available System Utilities:

  [1] Recover administrator password
  [2] Virtual Machine Resource Check
  [3] Perform System Erase
  [q] Quit and reload

Enter option [1 - 3] q to Quit

Enter 2 to check for VM resources. The output will be similar to the following:

*****
***** Virtual Machine host detected…
***** Hard disk(s) total size detected: 600 Gigabyte
***** Physical RAM size detected: 16267516 Kbytes
***** Number of network interfaces detected: 6
***** Number of CPU cores: 12
***** CPU Mhz: 2300.00
***** Verifying CPU requirement…
***** Verifying RAM requirement…
***** Writing disk partition table…

Linux KVM

KVM Virtualization Check

KVM virtualization requires virtualization support from the host processor; Intel VT-x for Intel processors and AMD-V for AMD processors. Open a terminal window on the host and enter the cat /proc/cpuinfo command. You must see either the vmx or the svm flag.

  • For Intel VT-x:
    # cat /proc/cpuinfo
    flags: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx
    pdpe1gb rdtscp lm constant_tsc arch_perfmon pebs bts rep_good nopl xtopology nonstop_tsc aperfmperf eagerfpu pni pclmulqdq dtes64 monitor
    ds_cpl vmx smx est tm2 ssse3 cx16 xtpr pdcm pcid dca sse4_1 sse4_2 x2apic popcnt tsc_deadline_timer aes xsave avx lahf_lm arat epb xsaveopt
    pln pts dtherm tpr_shadow vnmi flexpriority ept vpid
  • For AMD-V:
    # cat /proc/cpuinfo
    flags: fpu tsc msr pae mce cx8 apic mtrr mca cmov pat pse36 clflush mmx fxsr sse sse2 ht syscall nx mmxext fxsr_opt rdtscp lm 3dnowext 3dnow
     pni cx16 lahf_lm cmp_legacy svm cr8_legacy
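The same check can be scripted so that it reports which technology is present and on how many logical CPUs. This is an added example, not part of the Cisco documentation; the sample cpuinfo text is constructed and the function name is hypothetical.

```python
# Constructed /proc/cpuinfo excerpt (two logical CPUs, flags shortened); not from the page.
# Some kernels also print a separate "vmx flags" line, which must not be mistaken for "flags".
SAMPLE_CPUINFO = """\
processor\t: 0
model name\t: Example CPU
flags\t\t: fpu vme de pse tsc msr pae vmx smx est ept vpid
vmx flags\t: vnmi flexpriority ept vpid

processor\t: 1
model name\t: Example CPU
flags\t\t: fpu vme de pse tsc msr pae vmx smx est ept vpid
vmx flags\t: vnmi flexpriority ept vpid
"""

VIRT_FLAGS = {"vmx": "Intel VT-x", "svm": "AMD-V"}


def virtualization_support(cpuinfo_text):
    """Return (technology or None, logical CPUs advertising it, total logical CPUs)."""
    per_cpu = []
    for line in cpuinfo_text.splitlines():
        key, sep, value = line.partition(":")
        # Exact key match: only the per-CPU "flags" line, not "vmx flags".
        if sep and key.strip() == "flags":
            per_cpu.append(set(value.split()))  # whole tokens, so svm_lock != svm
    for flag, tech in VIRT_FLAGS.items():
        hits = sum(1 for flags in per_cpu if flag in flags)
        if hits:
            return tech, hits, len(per_cpu)
    return None, 0, len(per_cpu)


if __name__ == "__main__":
    # On a real host, pass open("/proc/cpuinfo").read() instead of the sample.
    print(virtualization_support(SAMPLE_CPUINFO))
```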

Install Cisco ISE on KVM

This procedure explains how to create a KVM virtual machine on RHEL and install Cisco ISE on it using the Virtual Machine Manager (virt-manager).

If you choose to install Cisco ISE through the CLI, enter a command similar to the following one:
# virt-install --name=kvm-ise1 --arch=x86_64 --cpu=host --vcpus=2 --ram=4096 \
    --os-type=linux --os-variant=rhel6 --hvm --virt-type=kvm \
    --cdrom=/home/admin/Desktop/ise-2.4.0.x.SPA.x86_64.iso \
    --disk=/home/libvirt-images/kvm-ise1.img,size=100 \
    --network type=direct,model=virtio,source=eth2,source_mode=bridge

where ise-2.4.0.x.SPA.x86_64.iso is the name of the Cisco ISE ISO image.

Before you begin

Download the Cisco ISE ISO image to your local system.

Procedure


Step 1

From the virt-manager, click New.

The Create a new virtual machine window appears.

Step 2

Click Local install media (ISO media or CDROM), and then click Forward.

Step 3

Click the Use ISO image radio button, click Browse, and select the ISO image from your local system.

  1. Uncheck the Automatically detect operating system based on install media check box, choose Linux as the OS type, choose a supported Red Hat Enterprise Linux version, and click Forward.

Step 4

Choose the RAM and CPU settings and click Forward.

Step 5

Check the Enable storage for this virtual machine check box and choose the storage settings.

  1. Click the Select managed or other existing storage radio button.

  2. Click Browse.

  3. From the Storage Pools navigation pane on the left, click disk FileSystem Directory.

  4. Click New Volume.

    A Create storage volume window appears.

  5. Enter a name for the storage volume.

  6. Choose raw from the Format drop-down list.

  7. Enter the Maximum Capacity.

  8. Click Finish.

  9. Choose the volume that you created and click Choose Volume.

  10. Click Forward.

    The Ready to begin the installation screen appears.

Step 6

Check the Customize configuration before install check box.

Step 7

Under Advanced options, choose macvtap as the source for the interface, choose Bridge in the Source mode drop-down list, and click Finish.

  1. (Optional) Click Add Hardware to add additional NICs.

    Choose macvtap as the Network source and virtio as the Device model.

  2. To support RHEL 7, the KVM virtual manager has to support Random Number Generator (RNG) hardware. See the following image for RNG configuration.

    Figure 3. New Virtual Hardware
    This image shows the configuration window for the Random Number Generator.

    If you are using the CLI to create a new VM, be sure to include the following setting:

    <rng model='virtio'>
       <backend model='random'>/dev/random</backend>
       <address type='pci' domain='0x0000' bus='0x00' slot='0x08' function='0x0'/>
    </rng>
  3. Click Finish.

Step 8

In the Virtual Machine screen, choose the disk device and under Advanced and Performance Options, choose the following options, and click Apply.

Field        Value
Disk bus     VirtIO
Cache mode   none
IO mode      native

Step 9

Click Begin Installation to install Cisco ISE on KVM.

The Cisco ISE installation boot menu appears.

Step 10

At the system prompt, enter 1 to choose a monitor and keyboard port, or 2 to choose a console port, and press Enter.

The installer starts the installation of the Cisco ISE software on the VM. When the installation process finishes, the console displays:
Type 'setup' to configure your appliance
localhost:

Step 11

At the system prompt, type setup and press Enter.

The Setup Wizard appears and guides you through the initial configuration.
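To confirm that a VM created from the CLI ended up with the settings from Steps 7 and 8, its libvirt definition can be audited. This is an added example, not part of the Cisco documentation; the sample XML is constructed, the function name is hypothetical, and the element names are those of the standard libvirt domain XML (an interface of type 'direct' is macvtap).

```python
import xml.etree.ElementTree as ET

# Constructed excerpt in the shape `virsh dumpxml` prints; not from the page.
SAMPLE_DOMAIN_XML = """
<domain type='kvm'>
  <devices>
    <disk type='file' device='disk'>
      <driver name='qemu' type='raw' cache='writeback'/>
      <target dev='vda' bus='virtio'/>
    </disk>
    <disk type='file' device='cdrom'>
      <target dev='hda' bus='ide'/>
    </disk>
    <interface type='direct'>
      <source dev='eth2' mode='bridge'/>
      <model type='virtio'/>
    </interface>
  </devices>
</domain>
"""

def audit_domain(xml_text):
    """Return deviations from Steps 7 and 8 (VirtIO disk, cache none, IO native, macvtap, RNG)."""
    devices = ET.fromstring(xml_text).find("devices")
    if devices is None:
        return ["domain has no <devices> element"]
    findings = []
    def check(label, elem, attr, want):
        got = elem.get(attr) if elem is not None else None
        if got != want:
            findings.append(f"{label}: {attr}={got!r}, expected {want!r}")
    for disk in devices.findall("disk[@device='disk']"):  # skip the install CD-ROM
        target = disk.find("target")
        name = "disk " + (target.get("dev", "?") if target is not None else "?")
        check(name, target, "bus", "virtio")
        check(name, disk.find("driver"), "cache", "none")
        check(name, disk.find("driver"), "io", "native")
    for nic in devices.findall("interface"):
        src = nic.find("source")
        name = "nic " + (src.get("dev", "?") if src is not None else "?")
        check(name, nic, "type", "direct")  # macvtap
        check(name, src, "mode", "bridge")
        check(name, nic.find("model"), "type", "virtio")
    if not devices.findall("rng[@model='virtio']"):
        findings.append("no virtio RNG device (<rng model='virtio'>)")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_domain(SAMPLE_DOMAIN_XML)))
```

On a KVM host, feed the function the output of virsh dumpxml for the VM instead of the sample.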

Microsoft Hyper-V

Create a Cisco ISE Virtual Machine on Hyper-V

This section describes how to create a new virtual machine, map the ISO image from the local disk to the virtual CD/DVD drive, edit the CPU settings, and install Cisco ISE on Hyper-V.


Note


Cisco ISE does not support the use of Multipath I/O (MPIO). Hence, the installation will fail if you are using MPIO for the VM.


Before you begin

Download the Cisco ISE ISO image from cisco.com to your local system.

Procedure


Step 1

Launch Hyper-V Manager on a supported Windows server.

Figure 4. Hyper-V Manager Console
This image shows the Hyper-V Manager Console.

Step 2

Right-click the VM host and click New > Virtual Machine.

Figure 5. Create New Virtual Machine
This image shows how to create a VM.

Step 3

Click Next to customize the VM configuration.

Figure 6. New Virtual Machine Wizard
This image shows the New Virtual Machine Wizard.

Step 4

Enter a name for the VM and (optionally) choose a different path to store the VM, and click Next.

Figure 7. Specify Name and Location
Specify name and location for the virtual machine.

Step 5

Click the Generation 1 radio button and click Next.

If you choose to create a Generation 2 ISE VM, ensure that you disable the Secure Boot option in the VM settings.

Figure 8. Specify Generation
Choose the generation for the virtual machine.

Step 6

Specify the amount of memory to allocate to this VM, for example, 16000 MB, and click Next.

Figure 9. Assign Memory
Assign memory for the virtual machine.

Step 7

Select the network adapter and click Next.

Figure 10. Configure Networking
Configure networking for the virtual machine.

Step 8

Click the Create a virtual hard disk radio button and click Next.

Figure 11. Connect Virtual Hard Disk
Connect virtual hard disk to the virtual machine.

Step 9

Click the Install an operating system from a bootable CD/DVD-ROM radio button.

  1. From the Media area, click the Image file (.iso) radio button.

  2. Click Browse to select the ISE ISO image from the local system and click Next.

Figure 12. Installation Options
Installation options for the virtual machine.

Step 10

Click Finish.

Figure 13. Complete the New Virtual Machine Wizard
Finishing the New Virtual Machine Wizard.

The Cisco ISE VM is created on Hyper-V.

Figure 14. New Virtual Machine created
New Virtual Machine created.

Step 11

Select the VM and edit the VM settings.

  1. Select Processor. Enter the number of virtual processors, for example, 6, and click OK.

    Figure 15. Edit VM Settings
    Edit virtual machine settings.

Step 12

Select the VM and click Connect to launch the VM console. Click the start button to turn on the Cisco ISE VM.

Figure 16. Start the Cisco ISE VM
Start the virtual machine.

The Cisco ISE installation menu appears.

Figure 17. Cisco ISE installation menu
Virtual Machine installation menu.

Step 13

Enter 1 to install Cisco ISE using a keyboard and monitor.