topic Re: ISE via CDP concern switch upgrade in Network Access Control

ISE via CDP concern switch upgrade

Kn1ghtR1d3rOfD00m — Sat, 11 May 2019 02:07:51 GMT

Hi, please forgive me if this is not the right forum section, but it brought to me a concern.

We have to upgrade the WS-C3650-24PD that is connected to "both ISEs"

when I do the show interfaces status, I can see both ports are up according to the description

I have the following PANs set up,

but when I do the show cdp nei on the switch, I can only see the primary ISE,

and when I trace the MAC address from each ISE 1 and ISE 2, I can only see it that it says is connected to the port 5 for the primary ISE but not the secondary ISE

So, as I stated, Im planning to make the IOS upgrade of this switch connected to both ISEs, but

How come I can only see one ISE?

Is there any soft of configuration applied on ISE to make it appear as one cluster? perhaps Im missing that?

Assuming that I go for the IOS upgrade, how can I ensure that the primary will take the primary role and the secondary the secondary role?

Not sure why I see both interfaces up as you saw above, but cannot identify the port as where it should be connected,

is this normal?

has anyone experienced something like this and have you done it in the past?

what should I take into consideration before upgrading the IOS switch?

Re: ISE via CDP concern switch upgrade

hslai — Sat, 11 May 2019 23:11:10 GMT

How come I can only see one ISE?

The CDP info from ISE is not always shown correctly and can vary by ISE releases.

Is there any soft of configuration applied on ISE to make it appear as one cluster? perhaps Im missing that?

ISE deployment relies on its jGroup replications but not on CDP. See Set Up Cisco ISE in a Distributed Environment

Assuming that I go for the IOS upgrade, how can I ensure that the primary will take the primary role and the secondary the secondary role?

Assuming you asking about how Cisco IOS will treat an ISE PSN as the primary RADIUS and another as the secondary RADIUS server, then it depends on the switch configuration on RADIUS. See ISE Secure Wired Access Prescriptive Deployment Guide or the older Demystifying RADIUS Server Configurations

Not sure why I see both interfaces up as you saw above, but cannot identify the port as where it should be connected,

is this normal?

has anyone experienced something like this and have you done it in the past?

what should I take into consideration before upgrading the IOS switch?

We do not usually rely on CDP to tell how ISE connecting to a switch. If you would like our team to address your issue, please open a Cisco TAC case with info on your ISE release number and patch level.

Re: ISE via CDP concern switch upgrade

Kn1ghtR1d3rOfD00m — Sun, 12 May 2019 05:21:21 GMT

Understood,
I will submit on Monday, surely that got me curious cause I want to make less impact as possible on the operations since we run a global solutions with multiple PSNs

Thanks for your support and time,