topic Converting from 34xx appliances to VM in Network Access Control

Converting from 34xx appliances to VM

gjw_csco — Thu, 06 Jun 2019 15:39:26 GMT

Environment is running an ISE cluster with four 34xx appliances:

- Active/Standby PAN & MnT

- 2 x PSN

Customer would like to consolidate into two appliances based on their concurrent session count and also migrate to VM since appliances due to EoS/EoL announcements.

Questions:

1. Do we support running active on VM and standby on physical appliance for short/medium term? Does the VM need specific requirements?

2. When we take the current standby appliance out of cluster, then integrate VM, and do database sync...is there anything, such as certificates, that need to manually configured on standby VM?

Thanks.

Re: Converting from 34xx appliances to VM

Mohammed al Baqari — Fri, 07 Jun 2019 09:39:06 GMT

For 1st question, yes the VM has specific requirements based on the sizing
(ideally you use an OVA template). See below.

https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/install_guide/b_ise_InstallationGuide24/b_ise_InstallationGuide24_chapter_01.html

For 2nd question, when you deregister a node from the cluster, its local
certificates disappear and you need to import the new ones related to the
VM after it joins the cluster. The only certificates which gets replicated
are wildcard certs.

Re: Converting from 34xx appliances to VM

Damien Miller — Fri, 07 Jun 2019 16:39:29 GMT

Are they planning to upgrade the deployment at the same time, or would they prefer to remain on the version they are on now? we can help you with the process either way but it will differ.

Re: Converting from 34xx appliances to VM

gjw_csco — Mon, 10 Jun 2019 01:17:25 GMT

They already upgraded to 2.4.x and then realized the 34xx appliances were not supported, so now they're working towards getting things migrated to VM's.

Re: Converting from 34xx appliances to VM

Damien Miller — Mon, 10 Jun 2019 01:29:58 GMT

Pretty straight forward process and there are quite a few way to do it, you won't have issues joining VM's to a physical node deployment. Also, because NADs are probably configured for PSN IP's, I would try to put both new standalone VM's on those IP's. It would look something like this.

1. Deregister a PSN and shut it down.
2. Deregister secondary PAN and shut it down.
3. Deploy a new 2.4 OVA, ideally 600GB+ since it will also host MNT serivces.
4. Run the setup and reuse the shut down PSN hostname/IP (or change DNS).
5. Install certificates if you use common certs across the nodes today.
6. Patch it to the same as the current PAN/deployment.
7. Register it to the deployment selecting admin, mnt, and policy services roles.
8. Promote this new node to primary MNT and primary admin.
9. Deregister and shut down appliance admin node and PSN.
10. Deploy a new 2.4 OVA, again ideally 600+ GB.
11. Install certs, patch, and register.

At this point you will have two VM nodes left running PAN, MNT and PSN services. This certainly isn't the only way, but viable if you have two radius servers configured on each NAD. Probably wise to expand upon my high level task list to include more specifics if presenting it to a client to do. An alternative to save some single point of failure time is to pre deploy the new 2.4 VM's and stage them at the setup script. If you don't want to reuse IP's, you could deploy the OVA's, join the nodes with new IP's and hostnames, then decommission the four old nodes.

Re: Converting from 34xx appliances to VM

ldanny — Mon, 10 Jun 2019 08:24:39 GMT

Damien is correct , there are many ways you can achieve upgrades and really depends on your existing environment and requirements

Another doc that may be useful and give you some ideas is :

https://community.cisco.com/t5/security-documents/ise-upgrades-best-practices/ta-p/3656934#toc-hId--718381845