https://community.cisco.com/t5/network-access-control/upgrade-ise-in-aws/m-p/5009390#M586898 <P>knowing this is a replace rather than upgrade my plan to to build a whole new cluster in parallel and use backup/restore to migrate the configuration to the new cluster.&nbsp; the new cluster will have all different hostnames and IPs so how do the clients access the new system?</P> <P>my thought is to create a cname that points to the old PSNs and configure all devices to point to the cname for radius and tacacs services.&nbsp; when it is time to migrate over to the new cluster just repoint the cnames.&nbsp; my concern is i don't know if the network devices perform dns caching which would keep them going to the old cluster until the cache ages out.&nbsp;&nbsp;</P> <P>is this the best approach?&nbsp; is there a better way?&nbsp; i really need a way for the cutover to be seamless and we can't go reconfiguring devices to point to a new location every time we upgrade.&nbsp;&nbsp;</P> Tue, 30 Jan 2024 20:37:16 GMT bgoulet00 2024-01-30T20:37:16Z https://community.cisco.com/t5/network-access-control/upgrade-ise-in-aws/m-p/5009390#M586898 <P>knowing this is a replace rather than upgrade my plan to to build a whole new cluster in parallel and use backup/restore to migrate the configuration to the new cluster.&nbsp; the new cluster will have all different hostnames and IPs so how do the clients access the new system?</P> <P>my thought is to create a cname that points to the old PSNs and configure all devices to point to the cname for radius and tacacs services.&nbsp; when it is time to migrate over to the new cluster just repoint the cnames.&nbsp; my concern is i don't know if the network devices perform dns caching which would keep them going to the old cluster until the cache ages out.&nbsp;&nbsp;</P> <P>is this the best approach?&nbsp; is there a better way?&nbsp; i really need a way for the cutover to be seamless and we can't go reconfiguring devices to point to a new location every time we upgrade.&nbsp;&nbsp;</P> Tue, 30 Jan 2024 20:37:16 GMT https://community.cisco.com/t5/network-access-control/upgrade-ise-in-aws/m-p/5009390#M586898 bgoulet00 2024-01-30T20:37:16Z https://community.cisco.com/t5/network-access-control/upgrade-ise-in-aws/m-p/5009460#M586900 <P>Certificates will break if using your method.</P> <P>This is a perfect use-case for load balancers.&nbsp;&nbsp;</P> <P><A href="https://cs.co/ise-lb" target="_blank">https://cs.co/ise-lb</A></P> <P><A title="https://www.youtube.com/watch?v=SSOa75rGofk&amp;list=PLvBZXH_IO6nCu9p49Tl1LE4kY6mpyz1eN&amp;index=10&amp;pp=iAQB" href="https://www.youtube.com/watch?v=SSOa75rGofk&amp;list=PLvBZXH_IO6nCu9p49Tl1LE4kY6mpyz1eN&amp;index=10&amp;pp=iAQB" data-from-md="" target="_blank">Cloud Load Balancers with ISE</A></P> Tue, 30 Jan 2024 21:42:33 GMT https://community.cisco.com/t5/network-access-control/upgrade-ise-in-aws/m-p/5009460#M586900 Charlie Moreton 2024-01-30T21:42:33Z https://community.cisco.com/t5/network-access-control/upgrade-ise-in-aws/m-p/5009465#M586901 <P>Not all network devices support DNS-based configuration for RADIUS servers. A better solution would be to put a load balancer in front of the PSNs and configure the network devices to use the VIPs for RADIUS servers. You can then update the server pools on the LB as the PSN IP addresses change.</P> <P>You could also take the approach of replacing the nodes one at a time (or in a group, depending on the deployment) as you build the new cluster to use the same IP addresses without overlap. This would rely on the network devices finding the RADIUS servers dead and moving to the next available, so it's not as fluid as using a load balancer to do that systematically.</P> <P>The approach would be something like:</P> <UL> <LI>Shutdown the Secondary PAN; rebuild as Primary PAN in new cluster</LI> <LI>Backup/Restore config to new P-PAN</LI> <LI>Shutdown the Secondary MnT; rebuild as Primary MnT in new cluster</LI> <LI>Shutdown one or more PSNs and rebuild; join to new cluster</LI> <LI>Shutdown the remaining PSNs and rebuild; join to new cluster</LI> <LI>Shutdown the Primary PAN and MnT; rebuild as Secondaries in new cluster</LI> <LI>Make the new Secondary PAN the active Primary PAN</LI> </UL> Tue, 30 Jan 2024 21:48:11 GMT https://community.cisco.com/t5/network-access-control/upgrade-ise-in-aws/m-p/5009465#M586901 Greg Gibbs 2024-01-30T21:48:11Z https://community.cisco.com/t5/network-access-control/upgrade-ise-in-aws/m-p/5010553#M586952 <P>Thank you Charlie and Greg.&nbsp; i will pursue the load balancer option</P> Wed, 31 Jan 2024 19:47:48 GMT https://community.cisco.com/t5/network-access-control/upgrade-ise-in-aws/m-p/5010553#M586952 bgoulet00 2024-01-31T19:47:48Z