https://community.cisco.com/t5/network-access-control/change-ise-personas-without-configuration-loss/m-p/4811524#M581054 <P>Hi Marcelo Morais,</P> <P>Thank you so much for your advice. We use ISE 3.1 so as per document we can have up to 6 PSNs for medium deployment. After your step 6 I can freely add any more PSN up to 6, is that correct ?</P> <P>Regards,</P> <P>An</P> Tue, 11 Apr 2023 01:47:02 GMT nupagazi 2023-04-11T01:47:02Z https://community.cisco.com/t5/network-access-control/change-ise-personas-without-configuration-loss/m-p/4810068#M581011 <P>Hello Team,</P> <P>We currently deploy 2 ISE appliances 3615 with HA as in the attache image. Now we want to move to distributed deployment by adding 4 ISE VMs: 2 of VMs act as the PAN &amp; Mnt (HA), 2 VMs act as PSN together with current 2 x 3615 i.e change personas from PAN, Mnt &amp; PSN to PSN only (attached image). We want to minimize the effort for changing by following steps:</P> <P>1. Shutdown the secondary appliance</P> <P>2. Add first VM as secondary PAN to the current primary appliance PAN+MnT+PSN</P> <P>3. add second VM as PSN to current group of primary appliance PAN+MnT+PSN</P> <P>4. Change the current primary appliance PAN+MnT+PSN to PSN only</P> <P>5. Add third VM as secondary PAN</P> <P>6. Add 4th VM as PSN only to the psn group<BR />7. Turn on the secondary appliance and change it to PSN only and join current psn group</P> <P>Would you please advise the above steps works and all policies are remained as before moving ?</P> <P>Regards,</P> <P>An&nbsp;</P> Fri, 07 Apr 2023 10:37:14 GMT https://community.cisco.com/t5/network-access-control/change-ise-personas-without-configuration-loss/m-p/4810068#M581011 nupagazi 2023-04-07T10:37:14Z https://community.cisco.com/t5/network-access-control/change-ise-personas-without-configuration-loss/m-p/4810071#M581012 <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="nupagazi_0-1680863879841.png" style="width: 400px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/181160iBC4303622C43CE1D/image-size/medium?v=v2&amp;px=400" role="button" title="nupagazi_0-1680863879841.png" alt="nupagazi_0-1680863879841.png" /></span></P> <P>&nbsp;</P> Fri, 07 Apr 2023 10:38:07 GMT https://community.cisco.com/t5/network-access-control/change-ise-personas-without-configuration-loss/m-p/4810071#M581012 nupagazi 2023-04-07T10:38:07Z https://community.cisco.com/t5/network-access-control/change-ise-personas-without-configuration-loss/m-p/4810180#M581017 <P>Before you turn off the secondary appliance in step one, change it from PAN + MNT + PSN to PSN only. No need to turn off this appliance and turn it back on.<BR />Only concern in your way is once you completed step 5, Deployment will not let you perform Step 7 as distributed ISE deployments will only allow 2 PAN's and 2 MNT's</P> Fri, 07 Apr 2023 14:49:34 GMT https://community.cisco.com/t5/network-access-control/change-ise-personas-without-configuration-loss/m-p/4810180#M581017 Sri Harsha Dasari 2023-04-07T14:49:34Z https://community.cisco.com/t5/network-access-control/change-ise-personas-without-configuration-loss/m-p/4810897#M581032 <P>Hi Sri Harsha Dasari,</P> <P>Thank you for your comment.&nbsp; I think for distrbuted deployment we can have 5 PSN (attached), am I correct ?</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="nupagazi_0-1681091454378.png" style="width: 400px;"><img src="https://community.cisco.com/t5/image/serverpage/image-id/181320i077C01636C834625/image-size/medium?v=v2&amp;px=400" role="button" title="nupagazi_0-1681091454378.png" alt="nupagazi_0-1681091454378.png" /></span></P> <P>&nbsp;</P> <P>Regards,</P> <P>An</P> Mon, 10 Apr 2023 01:51:09 GMT https://community.cisco.com/t5/network-access-control/change-ise-personas-without-configuration-loss/m-p/4810897#M581032 nupagazi 2023-04-10T01:51:09Z https://community.cisco.com/t5/network-access-control/change-ise-personas-without-configuration-loss/m-p/4811202#M581045 <P class="lia-align-justify">Hi&nbsp;<a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1044427">@nupagazi</a>&nbsp;,</P> <P class="lia-align-justify">&nbsp;please take a look at:&nbsp;<A href="https://www.cisco.com/c/en/us/td/docs/security/ise/performance_and_scalability/b_ise_perf_and_scale.html" target="_blank" rel="noopener">Performance and Scalability Guide for Cisco Identity Services Engine</A>., search for <STRONG>Different Types of Cisco ISE Deployment</STRONG>, in your case you have a <STRONG>Small Deployment</STRONG> and want to go to a <STRONG>Medium Deployment</STRONG> (up to <STRONG>6x PSNs</STRONG> for <STRONG>ISE 3.0+</STRONG>).</P> <P class="lia-align-justify">Note: about the steps you can:</P> <P class="lia-align-justify">1. generate a <STRONG>Backup: Config</STRONG> and <STRONG>Oper</STRONG>.</P> <P class="lia-align-justify">2. remove the <STRONG>SPAN &amp; SMnT</STRONG>&nbsp;from the <STRONG>Secondary Appliance</STRONG></P> <P class="lia-align-justify">3. add the <STRONG>1st VM</STRONG> as <STRONG>SPAN &amp; SMnT</STRONG></P> <P class="lia-align-justify">4. at <STRONG>1st VM</STRONG>&nbsp;"promote" the <STRONG>SPAN &amp; SMnT</STRONG> to <STRONG>PPAN &amp; PMnT</STRONG></P> <P class="lia-align-justify">5. remove the <STRONG>SPAN &amp; SMnT</STRONG> from the <STRONG>Primary Appliance</STRONG></P> <P class="lia-align-justify">6. add the <STRONG>2nd VM</STRONG> as <STRONG>SPAN &amp; SMnT</STRONG></P> <P class="lia-align-justify">At the end of the day:</P> <P class="lia-align-justify"><STRONG>Primary Appliance: PSN</STRONG></P> <P class="lia-align-justify"><STRONG>Secondary Appliance: PSN</STRONG></P> <P class="lia-align-justify"><STRONG>1st VM: PPAN &amp; PMnT</STRONG></P> <P class="lia-align-justify"><STRONG>2nd VM: SPAN &amp; SMnT</STRONG></P> <P class="lia-align-justify">&nbsp;</P> <P class="lia-align-justify">Hope this helps !!!</P> Mon, 10 Apr 2023 14:02:42 GMT https://community.cisco.com/t5/network-access-control/change-ise-personas-without-configuration-loss/m-p/4811202#M581045 Marcelo Morais 2023-04-10T14:02:42Z https://community.cisco.com/t5/network-access-control/change-ise-personas-without-configuration-loss/m-p/4811524#M581054 <P>Hi Marcelo Morais,</P> <P>Thank you so much for your advice. We use ISE 3.1 so as per document we can have up to 6 PSNs for medium deployment. After your step 6 I can freely add any more PSN up to 6, is that correct ?</P> <P>Regards,</P> <P>An</P> Tue, 11 Apr 2023 01:47:02 GMT https://community.cisco.com/t5/network-access-control/change-ise-personas-without-configuration-loss/m-p/4811524#M581054 nupagazi 2023-04-11T01:47:02Z https://community.cisco.com/t5/network-access-control/change-ise-personas-without-configuration-loss/m-p/4811951#M581074 <P class="lia-align-justify">Hi&nbsp;<a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1044427">@nupagazi</a>&nbsp;,</P> <P class="lia-align-justify">&nbsp;yes, that's correct ... after <STRONG>Step 6</STRONG>, you can add up to <STRONG>6x PSNs</STRONG>.</P> <P class="lia-align-justify">Hope this helps !!!</P> Tue, 11 Apr 2023 14:34:52 GMT https://community.cisco.com/t5/network-access-control/change-ise-personas-without-configuration-loss/m-p/4811951#M581074 Marcelo Morais 2023-04-11T14:34:52Z https://community.cisco.com/t5/network-access-control/change-ise-personas-without-configuration-loss/m-p/4816372#M581227 <P>Hi Marcelo Morais,</P> <P>Thank you so much for your advice.</P> <P>Regards,</P> <P>An</P> Tue, 18 Apr 2023 01:25:07 GMT https://community.cisco.com/t5/network-access-control/change-ise-personas-without-configuration-loss/m-p/4816372#M581227 nupagazi 2023-04-18T01:25:07Z