Upgrade to ISE 3.1 on AWS

Below is the prep work for migrating from ISE2.4 to ISE3.1+ for AWS, and the migration steps are here, but I have summarize them below.

Cisco ISE is available as an infrastructure-as-code solution leveraging AWS CloudFormation making the deployment of ISE a very light lift. I’ll be walking you through how to deploy ISE on AWS in a later post.

Step 1 – Base, Plus, Apex, and Device Admin licenses need to be migrated to Smart Licenses
Step 2 – VM licenses need to be converted
Step 3 – Migration can occur. Once licenses are prepped and converted, you go to the AWS Marketplace ISE BYOL listing and choose your deployment size. 

ISE Licensing

  1. AWS ISE requires ISE 3.1+
    1. If upgrading to 3.1 from an existing 2.X release, it is required that a customer migrate their existing licenses to the new licenses and then upgrade to the 3.0 release. I.e. These are the Base, Plus, and Apex license that need to be upgraded. Device Admin licenses are grandfathered and need to be upgraded to a Smart License as well.
  2. This requires a Cisco Smart License Account. 
  3. Please refer to the Migration Guide for instructions.

ISE VM – You need to register the VM Common license for ISE 3.1 and later.

  1. Customers need to migrate their ISE License to the new “Common License.”
    1. To migrate the legacy VM license to the VM Common license, customers need to obtain the $0 upgrade Product ID (PID), “L-ISE-VMC-UPG=, from Cisco. This is the same PID regardless of what current size of VM license you have today.
    2. https://www.cisco.com/c/en/us/products/collateral/security/identity-services-engine/ise-licensing-migration-guide-og.html

2. To obtain a VM Common License for a net new deployment you’ll need the new VM PID, “R-ISE-VMC-K9=” Refer to the table below for a 1:1 mapping.

These VM licenses are valid in Cisco ISE 3.0 and earlier releases. Again, when you upgrade your Cisco ISE to Release 3.1, you will need to have VM Common license.  

Upgrade FromUpgrade ToRatio
R-ISE-VML-K9=R-ISE-VMC-K9=1:1
R-ISE-VMM-K9=R-ISE-VMC-K9=1:1
R-ISE-VMS-K9=R-ISE-VMC-K9=1:1

How to migrate license

To migrate the legacy VM license to the VM Common license, customers need to obtain the $0 upgrade PID, “L-ISE-VMC-UPG=,” in CCW. See ISE Licensing Migration Guide for the detailed process.

Support for VM and License

Q. What support do customers receive with the new ISE licenses?

A. The same as with current subscription licenses. With the new ISE software licenses, customers receive embedded SWSS—which covers 24x7x365 Cisco Technical Assistance Center (TAC) support and software updates. However, now Essentials will also have this support.

More Question and Answers here

Support associated with the legacy VM licenses

When customers upgrade the version of their legacy VM to VM Common license, they can continue to receive support based on the support contract purchased on legacy VM license PID. They can renew the support until the legacy VM license PID is EOL and reaches the last service renewal date per the EOL bulletin. There is no support for migration. For seamless support, the customer should request the legacy VM PID to be replaced with the desired VM PID in order to renew and receive support.

Mike

Cloud Workload Optimization – Cost and Performance?

I took inspiration to write this blog from the “Workload Optimization” section from the digital book “Cisco Intersight: A Handbook for Intelligent Cloud Operations” – Please consider connecting and send a thank you to the hard-working authors of this fantastic book.

IT operations have one fundamental goal, to deliver performant applications at the lowest possible cost while maintaining compliance.

Because of this, organizations turn to cloud providers to achieve a lower variable cost compared to an on-premises data center, which is generally finite in scale and fixed in cost.

Cloud providers such as AWS can achieve higher economies of scale, which translates into lower pay-as-you-go prices and effectively infinite infrastructure.

Having a handle on which application requires which underlying resources, license constraints, and placement rules are beyond the scale of humans.

As a result, determining the placement of workloads minimizing cost while assuring workload performance becomes a guessing game.

Cost Optimization Pillar

According to AWS, a cost-optimized workload fully utilizes all resources, achieves an outcome at the lowest possible price point, and meets your functional requirements(AWS, n.d.).

Put another way, the Desired State is to assure workload performance and minimize spend in the public cloud (Intersight Handbook, 2021).

AWS provides a vast array of instance sizes to achieve optimized workloads and various ways to consume instances in an on-demand or via Reservice Instances (RI) which are heavily discounted for a specific term, generally one year or three years. Think of RIs as a billing discount applied to running On-Demand Instances. RIs are appropriate for consistent and predictable workloads.

The challenge with consuming RIs is that the public cloud consumers will pay for the RI whether they use them or not. RIs become more like “the sunk cost of a physical server on-premises than to the ongoing cost of an on-demand cloud instance (Intersight Handbook, 2021).” This consumption model can create behaviors that lend to horseshoeing application into an undersized instance or neglect to resize an instance when a workload outgrows its current resource needs.

“There are hundreds of different instance options in AWS and Azure, with new options and pricing emerging almost daily (Intersight Handbook, 2021).”

Automation to optimize costs

The lack of expertise and security is more critical at the beginning stages of cloud than managing cloud spending. However, as organizations mature their cloud practice, managing cloud spending becomes the number one issue, and they struggle to forecast cloud costs accurately.

An average of 24 percent of the organization reported that their cloud spend was over budget and expected to increase by 39 percent in the next twelve months (Flexera, 2021).

This issue is further compounded when you include more than one cloud provider and requires automation to decide on price and performance vs. price for performance.

Assuring applications performance while optimizing cost is precisely what Cisco’s Interisght Workload Optimizer SaaS will do. (Workload Optimizer is a separately licensed feature set within the Intersight platform)

Workload Optimizer is constantly receiving real-time data on consumption, pricing, and instance options from the cloud providers and combining such data with the knowledge of applicable customer-specific pricing and enterprise agreements to determine the best actions available at any given point in time.

It does this through direct API target integrations with the cloud provider in real-time to add value far beyond any cloud-specific or hypervisor-specific, point-in-time tools that may be available. Besides being multi-vendor, multi-cloud, and real-time by design, Workload Optimizer does not force administrators to choose between performance assurance and cost/resource optimization.

Wrapping up

The underlying resources, license constraints, and placement rules of running workloads in the public cloud are beyond what most organizations can handle. While the organization’s capability to use the cloud continues to grow, so does its need to forecast and manage cloud spending. The solution requires automation, real-time information, and optimization to make informed decisions. Cisco Workload Optimizer has the ability to do just that and a whole lot more. If you’re interested in understanding Intersight and the components that make up the hybrid-cloud tool, you can find the documentation here.

Mike

Baker, M., Beck, B., Chosnek, D., McGee, J., McKeown, S., TerEick, B., & Vaswani, M. (2021). Cisco Intersight: A Handbook for Intelligent Cloud Operations. https://www.booksprints.net. 

Cost optimization pillar – AWS well-architected framework. (n.d.). Retrieved February 28, 2022, from https://docs.aws.amazon.com/wellarchitected/latest/cost-optimization-pillar/welcome.html 

Reserved instances – amazon elastic compute cloud. (n.d.). Retrieved February 28, 2022, from https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-reserved-instances.html 

“2021 State of the Cloud Report.” Flexera, 2021, https://info.flexera.com/CM-REPORT-State-of-the-Cloud?dtid=oblgzzz001087. 

Cisco at AWS re:Invent 2021

Here is a summary of Cisco’s mentions and highlights at AWS re:Invent 2021!

Please note: each of these links require registering on the AWS re:Invent site.

Launches and Mentions

AWS GATEWAY LOAD BALANCER >> Now featuring Cisco Firewall as a Service (FWaaS)

Learn more by reading Cisco’s blog

AWS MARKETPLACE LAUNCH >> Cisco Snort 3 Anywhere

Snort 3 Anywhere is a containerized form factor of the well-known, industry defacto standard standard IPS engine. With this latest offering now available in AWS Marketplace you can easily deploy Snort 3 in your EKS or on-premises container environment. Learn more in Cisco’s blog

AWS MARKETPLACE LAUNCH >> Cisco Intersight Workload Optimizer SaaS

Cisco Intersight Workload Optimizer is a real-time decision engine that drives continuous health of applications across on-premises and public cloud environments to analyze workload consumption, costs, and policy constraints across the full stack. Learn more via the new listing in AWS Marketplace and Cisco’s blog.

NEW AWS QUICK START >> Featuring Cisco Meraki Virtual MX

Customers can secure SD-WAN traffic between branch offices to resources on AWS with this new AWS Quick Start. Click to view and deploy.

Mike

Canary in the Cloud

Now a cliche but once a reality, it turns out that the canaries, like other birds, are much more sensitive to poisonous gases than humans. The birds were brought down into the coal mine and acted as an indicator and early warning of possible danger to the British miners.

An electronic detection system later replaced the birds, but these birds served an essential role for decades.

The public cloud has changed the way organizations deliver, respond, and represent their customers, and organizations are building an early warning systems approach to their cloud. The teams and systems that make up this strategy are Cloud Center of Excellent (CoE), which provides centralized controls, tools, and best practices.

The purpose of these teams is to accelerate cloud adoption by centralizing expertise while reducing costs and risk (Flexera, 2021).

Flexera 2021 State of the Cloud Report

Unlike the canaries that provide chaotic monitoring of harmful gasses, enterprises have tools that offer next-level proactive and predictive monitoring. These systems allow organizations to understand the complexity of their cloud and oversee across multiple business units and functional areas.

Full-Stack Canary

Well, it’s not a cute bird, but it does overcome the spiraling complexity of cloud, hybrid cloud, and traditional IT. AppDynamics, ThousandEyes, and Intersight Workload Optimizer make up Cisco’s Full-Stack Observability platform. Connecting the dots up and down the “stack”-from the customer or employee-facing application, all the way down to the lowest level infrastructure (compute, storage, networking, and public internet).

Conclusion

When we consider the technical environment we live in, we recognize the need to monitor the entire IT estate. Like the canaries in the coal mine, the answer is to predict and identify an issue before it adversely affects customers and businesses.

Mike

“2021 State of the Cloud Report.” Flexera, 2021, https://info.flexera.com/CM-REPORT-State-of-the-Cloud?dtid=oblgzzz001087. 

Magazine, Smithsonian. “The Story of the Real Canary in the Coal Mine.” Smithsonian.com, Smithsonian Institution, 30 Dec. 2016, https://www.smithsonianmag.com/smart-news/story-real-canary-coal-mine-180961570/. 

Smith, Kiona N. “The Canary in the Coal Mine Isn’t Ancient History.” Forbes, Forbes Magazine, 7 Jan. 2020, https://www.forbes.com/sites/kionasmith/2019/12/31/the-canary-in-the-coal-mine-isnt-ancient-history/?sh=1245d4244393. 

“Rise of Full-Stack Observability.” AppDynamics, AppDynamics, 13 July 2021, https://www.appdynamics.com/resources/reports/rise-of-full-stack-observability. 

Catalyst 9200, Upgrading IOS-XE Amsterdam 17.3.x (Install Mode)

Starting with IOS-XE 17.3.2 and future releases, Cisco implemented Smart Licensing using Policy. Be sure to read up on what this means in this post Update to Cisco Smart Licensing. If you need to review how to change operating modes, you can check this post Converting Cisco IOS-XE Software from Bundle Mode to Install Mode.

You may notice the new command no boot manual. What this essentially is doing is setting the config register to 0x2102. Classic platforms that run on IOS code version; you can set this via the config-register command. However, on Catalyst 9K switches that run IOS-XE, the config-register command was ineffective and malfunctioned, causing confusion.

To prevent the switch from rebooting into ROMmon mode (boot the switch normally), use the no boot manual command as shown in the code snippet below.

OperationIOS Config-register valueEquivalent IOS-XE CLI
Boot normally0x2102Switch(config)#no boot manual
Boot to rommon0x0,0x2120Switch(config)#boot manual
Step 1. Remove Unwanted Packages
C9200K#install remove inactive
Step 2. Copy New Image to Flash
C9200K#copy usbflash1:cat9k_lite_iosxexxx.bin flash:
Step 3. Set Boot Variable
C9200K(config)#boot system flash:packages.conf
C9200K(config)#no boot manual
C9200K(config)#end
C9200K#wr
C9200K#show boot system
Step 4. Software Install Image to Flash
C9200K#install add file flash: cat9k_lite_iosxexxx.bin activate commit (auto reloads after this command)
Step 5. Verify New Packages and Image after reload
C9200K#dir flash:*.pkg
Step 6. Check Version and New Bootloader
C9200K#show version
C9200K#show boot

Hope that this helps.

Mike

Cisco. (2021, May 10). Smart licensing using policy on catalyst switching platforms. Cisco. https://www.cisco.com/c/en/us/support/docs/switches/catalyst-9300-series-switches/216545-smart-licensing-using-policy-on-catalyst.html. 

Cisco. (2021, February 24). Configuration register equivalent CLIs In IOS-XE. Cisco. https://www.cisco.com/c/en/us/support/docs/switches/catalyst-9300-series-switches/216850-configuration-register-equivalent-clis-i.html.