Cisco Identity Services Engine Ordering Guide

Traditional corporate network boundaries and siloed services are a thing of the past. Today's networks must accommodate an ever-growing array of consumer IT devices while providing user-centric policy and enabling global collaboration. The Cisco TrustSec® architecture addresses this shift by using identity-based access policies to allow users and devices onto the network, so that IT can enable appropriate services without sacrificing control. Customers can use a range of next-generation physical or virtual appliances and associated licenses to deploy the Cisco® Identity Services Engine (ISE). This guide provides the SKU-level information needed to order the appliances and licenses for an ISE deployment.

Cisco Identity Services Engine (ISE) Ordering Steps

1. Estimate the number of concurrent endpoints in the network.
2. Estimate the number of appliances (physical or virtual) needed to support the number of concurrent endpoints in the network.

• Please consult a network professional who is Cisco ISE-trained and certified to design and estimate the number of ISE appliances needed.

3. Select the appropriate type of appliance suitable for your deployment. (Reference the appliance selection.)
4. Select the appropriate level of support needed for the appliances in your deployment. (Reference the appliance support selection.)
5. Select the appropriate type of license suitable for your deployment. (Reference the license selection.)
6. Select the appropriate level of services available from Cisco Advanced Services or a Certified Partner for design, deployment, and sustaining services of the ISE deployment.

Step 1: Estimate the Number of Concurrent Endpoints in the Network

Estimating the total number of concurrent endpoints is dependent on a number of variables. An approach to consider would be to take into account:

• Number of employees in the organization

• Average number of devices per employee (desktop, laptop, smartphone, desk IP phone, etc.)

• Number of switch ports currently in the organization

• Number of access points deployed in the organization

• Average number of devices per access point

• Dynamic IP address range being used

• Average number of guests expected to join the network

• Inventory of non-user devices such as IP cameras, printers, IP-enabled projectors, etc.

A combination of factors that includes but is not limited to the above factors could be used to determine the total number of concurrent endpoints in the network.

Step 2: Estimate the Number of Appliances or Servers* Needed for the Deployment

The total number of appliances or servers needed in a deployment is determined by a range of factors, including but not limited to the total number of concurrent endpoints in the network, use cases, high-availability requirements, and locations. For appliance or server sizing questions, please speak to your local security sales specialist or send an email to cise-questions@external.cisco.com.

Step 3: Select the Type of Appliance or Server*

An ISE deployment can consist of one or more appliances or servers. These appliances or servers can be centrally located, distributed, or both. Table 1 provides the appliance or server options available.

Table 1. Cisco ISE Appliances and Servers* Options

Option 1: Cisco Identity Services Engine Appliances and Servers*

| Cisco Identity Services Engine Appliances | Product Number | Endpoints Supported |
| --- | --- | --- |
| Cisco Secure Network Server 3415* | SNS-3415-K9 | 5,000 |
| Cisco Secure Network Server 3495* | SNS-3495-K9 | 20,000 |
| Cisco Identity Services Engine 3315 Appliance | ISE-3315-K9 | 3,000 |
| Cisco Identity Services Engine 3355 Appliance | ISE-3355-K9 | 5,000 |
| Cisco Identity Services Engine 3395 Appliance | ISE-3395-K9 | 10,000 |

Option 2: Cisco Identity Services Engine Virtual Appliance on VMware ESX or ESXi 4.X & 5.X hypervisor

|  | Paper Entitlement Delivery | eDelivery Entitlement |
| --- | --- | --- |
| Cisco Identity Services Engine Virtual Appliance | ISE-VM-K9= | L-ISE-VM-K9= |
| Bundle of 5 Cisco Identity Services Engine Virtual Appliances | ISE-5VM-K9= | L-ISE-5VM-K9= |
| Bundle of 10 Cisco Identity Services Engine Virtual Appliances | ISE-10VM-K9= | L-ISE-10VM-K9= |

Note: The Cisco Secure Network Server* is a multipurpose server and can support Cisco ISE, ACS, and NAC applications. One application can be selected as a Software Option to be installed on the server. To order ISE and the Cisco Secure Network Server*, order the appropriate product number (SNS-3415-K9* or SNS-3495-K9*) and then select ISE as the Software Option.

Note: To achieve the same level of performance and scalability as ISE hardware appliances, ISE virtual appliances must be installed on servers with the same configurations as the ISE hardware appliances. Consult the Cisco Identity Services Engine Installation Guide.

Note: Please consult a certified ISE design engineer on the specific models needed for your deployment prior to ordering any of the Cisco Secure Network Servers or Cisco Identity Services Engine 3300 Series Appliances.

Step 4: Select the Type of Support

Four types of Cisco SMARTnet® support services are available for Cisco ISE customers using physical appliances:

8x5xNBD: Next business day

8x5x4: Standard 4-hour service

24x7x4: Premium 4-hour service

24x7x2: Premium 2-hour service

Cisco SMARTnet support services include global access to the Cisco Technical Assistance Center (TAC), advance hardware replacement, and ISE software updates and all minor and major upgrades. Access to the extensive Cisco.com knowledge base and tools is also included. For more information about Cisco SMARTnet service offerings, please visit http://www.cisco.com/en/US/products/svcs/ps3034/ps2827/ps2978/serv_group_home.html.
For Cisco ISE customers using virtual appliances, Cisco offers Software Application Support plus Upgrades (SASU). Cisco SASU services include global access to Cisco TAC and ISE software updates and all minor and major upgrades. Access to the extensive Cisco.com knowledge base and tools is also included. For more information about Cisco SASU offerings, please visit http://www.cisco.com/en/US/products/svcs/ps3034/ps2827/ps2993/serv_group_home.html.
Table 2 lists the SKUs of the four service options available for Cisco ISE physical appliances. Table 3 lists the service options for the Cisco Secure Network Servers*. Table 4 lists the SKUs for service options available for Cisco ISE virtual appliances. All support licenses will be in effect for one year from the purchase date.

Table 2. Cisco ISE Physical Appliance Support SKUs

 

Cisco SMARTnet Service Option SKUs

| Product Number | 8x5xNBD | 8x5x4 | 24x7x4 | 24x7x2 |
| --- | --- | --- | --- | --- |
| ISE-3315-K9 | CON-SNT-ISE3315 | CON-SNTE-ISE3315 | CON-SNTP-ISE3315 | CON-S2P-ISE3315 |
| ISE-3355-K9 | CON-SNT-ISE3355 | CON-SNTE-ISE3355 | CON-SNTP-ISE3355 | CON-S2P-ISE3355 |
| ISE-3395-K9 | CON-SNT-ISE3395 | CON-SNTE-ISE3395 | CON-SNTP-ISE3395 | CON-S2P-ISE3395 |

Table 3. Cisco Secure Network Server Support SKUs*

| Product Number | SMARTnet Part Number | Description |
| --- | --- | --- |
| SNS-3415-K9* | CON-SNT-SNS-3415 | Cisco SMARTnet support for SNS-3415-K9 - 8x5 Next Business Day |
| SNS-3495-K9* | CON-SNT-SNS-3495 | Cisco SMARTnet support for SNS-3495-K9 - 8x5 Next Business Day |

Table 4. Cisco ISE Virtual Appliance Support SKUs

| Product Number | Cisco SASU SKU |
| --- | --- |
| ISE-VM-K9= or L-ISE-VM-K9= | CON-SAU-ISEVM |
| ISE-5VM-K9= or L-ISE-5VM-K9= | CON-SAU-ISE5VM |
| ISE-10VM-K9= or L-ISE-10VM-K9= | CON-SAU-ISE10VM |

Step 5: Select the Type of License

Cisco ISE license options allow customers to choose between functionality-based licensing or deployment-based licensing.
Functionality-based licensing:

• The Base license is intended for organizations that want to authenticate and authorize users and devices on their network (wired, wireless, and VPN). Base licenses include support for AAA services, guest lifecycle management, compliance reporting, and end-to-end monitoring and troubleshooting. The Base license is a perpetual license.

• The Advanced license expands upon the Base license and enables organizations to make more advanced policy decisions based on user and device compliance. Advanced license features include device onboarding and provisioning, device profiling, posture services, MDM integration capabilities*, and Security Group Access enforcement capabilities across the entire network (wired, wireless, and VPN). The Advanced license is a subscription-term-based license, with a choice of 3- or 5-year term subscriptions.

Note: Do not order and install ISE Base and Advanced licenses on ISE deployments using ISE Wireless and Wireless Upgrade Licenses.

Deployment-based licensing:

• The Wireless license is intended for organizations that want to start their ISE deployment for policy decision for wireless endpoints only. Wireless license features include both Base and Advanced license features. The Wireless license is a subscription-term-based license with a choice of 3- or 5-year term subscriptions. The Wireless Upgrade license is intended for customers who deployed the Cisco Identity Services Engine for wireless endpoints only and want to expand their deployment to wired and VPN endpoints. The Wireless Upgrade license installs on top of the Wireless license and is a term license whose term coincides with the pre-existing Wireless license.

Note: The ISE Wireless Upgrade licenses do not increase the number of endpoints supported in a deployment. The number of endpoints supported is determined by the license quantity specified by the ISE Wireless license.

Note: When ordering the ISE Wireless license, order the same license quantity as the ISE Wireless License in operation. Do not purchase ISE Wireless Upgrade licenses based only on anticipated or wired and VPN devices. ISE does not pool licenses based on access method (wired, wireless, or VPN).

The type of license needed is determined by the functionality, the deployment required to meet specific use cases, the total number of concurrent endpoints on the network, and, in the case of the Advanced or Wireless licenses, the term duration. Cisco ISE licenses are specific to a deployment and not to individual appliances in the deployment. Cisco ISE licenses can be ordered at the same time as, or separately from, an appliance order. Please note that the Advanced licenses can only be added on top of Base licenses, and that the number of Advanced licenses can never exceed the number of Base licenses. Similarly, the Wireless Upgrade license can only be installed on top of a Wireless license. To install the Wireless Upgrade license, the Wireless Upgrade license count has to match the Wireless license count. Table 5 lists the various Cisco ISE licenses available.

Table 5. Cisco ISE License Options

| License Type | Features Supported | Deployment Type Supported | License Prerequisite | License Term(s) |
| --- | --- | --- | --- | --- |
| Base License | AAA; Guest Provisioning; Link Encryption Policies | Wired; Wireless; VPN | - | Perpetual |
| Advanced License | Device Onboarding/Provisioning; Device Profiling and Feed Service*; Host Posture; Security Group Access; Integrated Vendor MDM Support* | Wired; Wireless; VPN | Base License | 3- and 5-Year Terms |
| Wireless License | Device Onboarding/Provisioning; AAA; Guest Provisioning; Link Encryption Policies; Device Profiling and Feed Service*; Host Posture; Security Group Access; Integrated Vendor MDM Support* | Wireless | - | 3- and 5-Year Terms |
| Wireless Upgrade License | Device Onboarding/Provisioning; Authentication/Authorization; Guest Provisioning; Link Encryption Policies; Device Profiling; Host Posture; Security Group Access | Wired; Wireless; VPN | Wireless License | 3- and 5-Year Terms |

Table 6 lists the SKUs associated with the ISE license options.

Table 6. Cisco ISE Functionality-Based License Options

| License Tiers (T) | Number of Endpoints Supported | Base License | Advanced 3-Year License | Advanced 5-Year License | Wireless 3-Year License | Wireless 5-Year License | Wireless Upgrade 3-Year License | Wireless Upgrade 5-Year License |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 100 | 100 Endpoints | L-ISE-BSE-100= | L-ISE-ADV3Y-100= | L-ISE-ADV5Y-100= | L-ISE-AD3Y-W-100= | L-ISE-AD5Y-W-100= | L-ISE-W-3UPG-100= | L-ISE-W-UPG-100= |
| 250 | 250 Endpoints | L-ISE-BSE-250= | L-ISE-ADV3Y-250= | L-ISE-ADV5Y-250= | L-ISE-AD3Y-W-250= | L-ISE-AD5Y-W-250= | L-ISE-W-3UPG-250= | L-ISE-W-UPG-250= |
| 500 | 500 Endpoints | L-ISE-BSE-500= | L-ISE-ADV3Y-500= | L-ISE-ADV5Y-500= | L-ISE-AD3Y-W-500= | L-ISE-AD5Y-W-500= | L-ISE-W-3UPG-500= | L-ISE-W-UPG-500= |
| 1000 | 1000 Endpoints | L-ISE-BSE-1K= | L-ISE-ADV3Y-1K= | L-ISE-ADV5Y-1K= | L-ISE-AD3Y-W-1K= | L-ISE-AD5Y-W-1K= | L-ISE-W-3UPG-1K= | L-ISE-W-UPG-1K= |
| 1500 | 1500 Endpoints | L-ISE-BSE-1500= | L-ISE-ADV3Y-1500= | L-ISE-ADV5Y-1500= | L-ISE-AD3Y-W-1500= | L-ISE-AD5Y-W-1500= | L-ISE-W-3UPG-1500= | L-ISE-W-UPG-1500= |
| 2500 | 2500 Endpoints | L-ISE-BSE-2500= | L-ISE-ADV3Y-2500= | L-ISE-ADV5Y-2500= | L-ISE-AD3Y-W-2500= | L-ISE-AD5Y-W-2500= | L-ISE-W-3UPG-2500= | L-ISE-W-UPG-2500= |
| 3500 | 3500 Endpoints | L-ISE-BSE-3500= | L-ISE-ADV3Y-3500= | L-ISE-ADV5Y-3500= | L-ISE-AD3Y-W-3500= | L-ISE-AD5Y-W-3500= | L-ISE-W-3UPG-3500= | L-ISE-W-UPG-3500= |
| 5000 | 5000 Endpoints | L-ISE-BSE-5K= | L-ISE-ADV3Y-5K= | L-ISE-ADV5Y-5K= | L-ISE-AD3Y-W-5K= | L-ISE-AD5Y-W-5K= | L-ISE-W-3UPG-5K= | L-ISE-W-UPG-5K= |
| 10,000 | 10K Endpoints | L-ISE-BSE-10K= | L-ISE-ADV3Y-10K= | L-ISE-ADV5Y-10K= | L-ISE-AD3Y-W-10K= | L-ISE-AD5Y-W-10K= | L-ISE-W-3UPG-10K= | L-ISE-W-UPG-10K= |
| 25,000 | 25K Endpoints | L-ISE-BSE-25K= | L-ISE-ADV3Y-25K= | L-ISE-ADV5Y-25K= | L-ISE-AD3Y-W-25K= | L-ISE-AD5Y-W-25K= | L-ISE-W-3UPG-25K= | L-ISE-W-UPG-25K= |
| 50,000 | 50K Endpoints | L-ISE-BSE-50K= | L-ISE-ADV3Y-50K= | L-ISE-ADV5Y-50K= | L-ISE-AD3Y-W-50K= | L-ISE-AD5Y-W-50K= | L-ISE-W-3UPG-50K= | L-ISE-W-UPG-50K= |
| 100,000 | 100K Endpoints | L-ISE-BSE-100K= | L-ISE-ADV3Y-100K= | L-ISE-ADV5Y-100K= | L-ISE-AD3Y-W-100K= | L-ISE-AD5Y-W-100K= | L-ISE-W-3UPG-100K= | L-ISE-W-UPG-100K= |

Table 7. Cisco ISE Functionality-Based License Options

| License Type | License SKU |
| --- | --- |
| Base License | L-ISE-BSE-[T]= |
| Advanced 3-Year License | L-ISE-ADV3Y-[T]= |
| Advanced 5-Year License | L-ISE-ADV5Y-[T]= |
| 3-Year Wireless License | L-ISE-AD3Y-W-[T]= |
| 5-Year Wireless License | L-ISE-AD5Y-W-[T]= |
| 3-Year Wireless Upgrade License | L-ISE-W-3UPG-[T]= |
| 5-Year Wireless Upgrade License | L-ISE-W-UPG-[T]= |

Replace [T] with the appropriate license tier from Table 5 and 6.

Note: Cisco ISE customers must have an active and valid SMARTnet or SASU contract for the appliances in the deployment to install any of the licenses described in this section.

Step 6: Select a Design and Deployment Service

Deploying the Cisco Identity Services Engine in an organization touches many geographic, functional, and political boundaries. For a successful deployment, customers must engage either a Cisco Certified Partner or Cisco Advanced Services (AS) for the design, deployment, and sustaining engineering of the Identity Services Engine.
Cisco AS has developed a number of services packages to meet program requirements and customer expectations. Table 8 lists two AS-Fixed Service options available:

Table 8. Cisco ISE Physical Appliance Support SKUs

| AS-Fixed SKU | SKU Description |
| --- | --- |
| ASF-CORE-ISE-DSGN | ISE Design Service Package |
| ASF-CORE-ISE-POC | ISE Design and Proof-of-Concept Service Package |

Cisco partners can additionally purchase the ISE Design Guidance service package to help them validate their designs. You can refer to the following link for more information:
http://www.cisco.com/web/about/doing_business/legal/service_descriptions/docs/CPS_ISE_Planning_and_Design_Guidance_Service.pdf
For engaging Cisco AS or to learn more about the service packages, please contact Jazib Frahim (jfrahim@cisco.com) or refer to the following link: http://collaboratory.cisco.com/confluence/display/CAWIKI/ISE.FixedPriced (Cisco employees)

For More Information

For more information about the Cisco Identity Services Engine, visit http://www.cisco.com/go/ise or contact your local account representative.
* Estimated availability in 3rd Quarter of CY2013.