
Cisco Employee

Move from centralized to distributed ISE deployment

Hello. I have a customer that has a centralized HA ISE deployment. They also have another separate ISE deployment in another part of the network. They would like to change this to one distributed deployment. Is there a guide that details how this can be accomplished?


The second deployment is barely used and could be re-installed if that would make the change easier.



Rising star

Re: Move from centralized to distributed ISE deployment

Expanding the deployment is as simple as joining new ISE nodes to the deployment and setting their roles.  For the deployment that isn't used much, I would recommend a re-install of those nodes and then just join them to the existing deployment.  As soon as you add your first additional node, set its role as PSN and remove the PSN role from the current Admin/MnT nodes.  Keep in mind that you will have to point your network devices to the new PSN IP addresses.

VIP Advocate

Re: Move from centralized to distributed ISE deployment

There is no guide for this and you will have to merge the deployments manually. What that looks like will depend greatly on what is configured on both deployments.

Some of the steps might include determining what is using the deployment you intend on removing. Reasons the two deployments were set up in the first place, ex. one is in the DMZ/used for guest while the other is for prod. Planning any expansion of the deployment that will remain if there will be a load increase. Ensuring licensing is migrated. Building any authentication and authorization policies that might now exist on the remaining deployment. Finally, reconfiguring any device that is using the deployment getting removed.

There is no one size fits all to this. It has to start with manually auditing the deployments to see what needs to move/be built.