topic Re: Cisco ISE 2.2 moving personas Administration and Monitoring to a new node in Network Access Control

Cisco ISE 2.2 moving personas Administration and Monitoring to a new node

maissiat — Fri, 21 Feb 2020 18:34:38 GMT

Hi All,

The company I work for is growing very fast and our ISE infrastructure is not adapted any more so I d'l like to review totally the design of it and I'd like to know which is the best approach for implementing it.

My current ISE Distributed deployment of nodes is as follow :

Note : No PAN active

2 Cisco ISE 2.2.0.407 servers running on VM's

ISE01 : Primary Admin/monitoring and PSN role

ISE02 : Secondary Admin/Monitoring and PSN role

Today , I'd like to move the Admin and Monitoring personas to 2 new servers (VM)and keep the PSN on the actual servers , the idea behind is to unload actual servers of Monitoring and admin tasks

My ISE deployment will look as follow:

ISE New 1 : Primary Admin , secondary Monitoring

ISE New 2 : Secondary Admin, Primary Monitoring

ISE01 : PSN

ISE02 : PSN

I already have my two new servers running in standalone with the same ISE version (Hostname and IP are not the same) .

Now I'm not sure what is the best approach to migrate the Admin and Monitoring services to the new servers :

My first idea is :

1. restore first a backup of the old server 1/2 to the new servers

(make sure I have the Admin certificates of each nodes on all servers)

2. On actual ISE02(Secondary) server remove the Admin/monitoring services

3. register ISE New 1 as secondary server of ISE01 for Admin/monitoring to the ISE deployment and do a sync between Primary and Secondary

4. Promote ISE New 1 as Primary node for Admin /Monitoring services sync

5. remove Admin/monitoring on ISE01 (keep only PSN)

6, register ISE new 2 as secondary server for Admin/Monitoring services , SYNC

Other things :

What will happen when I will remove the Admin/Monitoring Services of the actual ISE02 servers , will both ISE will restart ?

If someone has a best way to do it or any suggestions, it will be very appreciated .

Thank you

Best regards

Marc

Re: Cisco ISE 2.2 moving personas Administration and Monitoring to a new node

Marvin Rhoads — Sat, 23 Sep 2017 14:42:59 GMT

I don't think you should have to do any restore operations. Of course starting the whole process with a current backup is a recommended step no matter what path you follow.

I would add the 2 new servers to the deployment as PSNs first. I'd remove the non-PSN roles for the current ISE02 first. Then add a new VM to the deployment and make it secondary PAN and MnT. Once it is all synced, promote it to primary. Then remove the non-PSN roles from ISE01. Finally add the second new VM in the role of Secondary PAN and MnT.

You may need to re-issue your certs with additional SANs to accommodate the new servers.

You might consider putting the whole deployment on ISE 2.3. It's being seen as less buggy than ISE 2.2.

Re: Cisco ISE 2.2 moving personas Administration and Monitoring to a new node

maissiat — Sat, 23 Sep 2017 17:45:20 GMT

Dear Marvin,

Sound's very good approach , I will follow it .

I will update my post with the result of my migration

Thank you very much

Marc

Re: Cisco ISE 2.2 moving personas Administration and Monitoring to a new node

Peter Koltl — Thu, 08 Mar 2018 07:49:44 GMT

Marc, did it go smoothly?