topic ISE 3.1 deployment migration - Small PSN on Medium PAN in Network Access Control

ISE 3.1 deployment migration - Small PSN on Medium PAN

stubush — Fri, 25 Aug 2023 14:04:27 GMT

Hi All,

I'll soon be needing to move away from our two-node small ISE VM deployment (currently running 3.1) in favour of a medium deployment (Still on 3.1 for now). I believe I have an understanding of the actual migration process once the new VMs have been built (thanks to the very helpful information from @Milos_Jovanovic found here https://community.cisco.com/t5/network-access-control/move-from-small-2-node-ise-deployment-to-medium-large-deployment/td-p/4486348 ), but have listed steps here for verification in case my understanding is incorrect:

1. Install ISE on two standalone nodes using Medium VM OVA - ensure PKI certs in place

2. From existing deployment remove Admin and MnT roles from secondary PAN (leaving PSN in place)

3. Join one of the new nodes to the existing deployment as a secondary PAN running Admin an MnT

4. Join (new) secondary node to AD

5. Promote (new) secondary to primary PAN

6. Remove Admin and MnT roles from what is now the secondary PAN (leaving PSN in place)

7. Join the second of the new standalone nodes as a secondary PAN and MnT

8. Join the new secondary PAN to AD

My questions are:

Should I be restoring config/operational backups to the new node before joining it back to the existing deployment? (e.g between steps 2 and 3) - I've only ever done ISE upgrades, where this has been a necessary step. I presume because the new node/s is re-joining the same deployment (initially as a secondary PAN) it will simply sync up and therefore isn't required?

The PSN's left from the existing deployment were built with a small/medium (600Gb) OVA, but the "Small" option was selected in VMWare, do these need to be re-imaged and built specifically with the Medium VM option to be properly part of the deployment (and function correctly), or will the PSN's be fine as they are?

Thanks

Re: ISE 3.1 deployment migration - Small PSN on Medium PAN

thomas — Sat, 26 Aug 2023 13:51:34 GMT

It helps to have a picture of your final state noting which nodes were the originals.

If you had a load balancer(s), you could simply add 2 PSNs to your existing deployment, redirect the RADIUS requests to the new PSNs and turn off PSN services on your original 2 nodes. But it doesn't sound like you have load balancer(s) and you want to preserve the existing PSN IPs because you do not want to update the AAA server IPs on all of your network devices. That is the real issue making this more complicated because you need to move the roles around.

You do not need to perform a backup+restore although you should definitely make a backup just in case! When you elect your new node as the secondary (step 3) ISE will synchronize the configuration with it so no restore should be necessary. Just wait for the sync to complete before continuing.

The Small/Medium OVA is fine for either. The issue is not disk space (600GB) but CPU & RAM. After moving to your Medium deployment, your PSNs will be Smalls. That may be fine depending on your scale because you have not provided any details about Why you are moving to a Medium-sized deployment with respect to your Scale needs. See https://cs.co/ise-scale for Small vs Medium PSN performance/scale. If you do want to update from Small to Medium you should be able to shutdown each PSN, adjust the VM sizing in VMware and power on and you will have the increased CPU and RAM for your ISE node.

Re: ISE 3.1 deployment migration - Small PSN on Medium PAN

stubush — Tue, 29 Aug 2023 08:10:50 GMT

Thomas, thanks for the reply.

Unfortunately no load balancer in the environment currently, we only have the two nodes which are both running all roles. By the end of the migration these two original nodes will be the PSNs. As you have mentioned, wanted to take this approach as all our NAD's are currently pointing at these nodes

The reason for the the move to a medium deployment is to accommodate an office in another country, which will get its own local PSN. So the actual amount of requests, or load on the current PSNs in the UK will remain the same as it is currently. I had no idea you could just change the VM size by shutting it down and amending, that's a helpful tip