cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
 
ISE 2.3 Patch 7 has been posted. This will be the last patch for the ISE 2.3 release!
Choose one of the topics below to view our ISE Resources to help you on your journey with ISE

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

106
Views
0
Helpful
4
Replies
Participant

Re-IP address ISE appliance

I have an ISE version 2.6 patch 2 running on SNS-3615.  When I first installed it, I assigned the appliance with the host name ise1.companyx.com with an IP address of 192.168.1.2.  Both the forward and reserve DNS is working fine. 

 

This ISE appliance is used only for TACACS and RADIUS authentication  to manage Cisco devices such as routers, switches and firewall.

 

Today, I have a requirement to re-IP address from 192.168.1.2 to 192.168.1.100 but the name will stay the same.  I will update DNS to reflect the new IP. Do I just go into the ISE CLI and change the IP address to 192.168.1.100 and restart the ISE application.  Is it that easy?

 

are there any "gotcha" that I need to know about?

 

TIA

4 REPLIES 4
Beginner

Re: Re-IP address ISE appliance

It would need to be in standalone mode.  So if it is joined with another ISE node, you would need to remove it from the deployment first.  Once in standalone mode, you go to the CLI and stop the services using "application stop ise".  Then change the IP address from the CLI and restart the services using "application start ise".  Rejoin back to the deployment.  You may have to reissue the certificates on the node if they were issued using the IP address in any of the fields such as the Subject Alternative Name (SAN).

Personally, I never like to change the IP once it is running.  I don't trust that it is a clean operation.  So if the configuration isn't too crazy, I would just reset the configuration and start over.

Re: Re-IP address ISE appliance


@Colby.LeMaire wrote:

It would need to be in standalone mode.  So if it is joined with another ISE node, you would need to remove it from the deployment first.  Once in standalone mode, you go to the CLI and stop the services using "application stop ise".  Then change the IP address from the CLI and restart the services using "application start ise".  Rejoin back to the deployment.  You may have to reissue the certificates on the node if they were issued using the IP address in any of the fields such as the Subject Alternative Name (SAN).

Personally, I never like to change the IP once it is running.  I don't trust that it is a clean operation.  So if the configuration isn't too crazy, I would just reset the configuration and start over.


Unfortunately, your answer didn't help me.  I was looking for any potential side effects and hidden issues from re-IP the appliance.

 

 

Beginner

Re: Re-IP address ISE appliance

The documentation states that you can re-IP the nodes as long as they are in standalone mode!  So it is supported and the documentation doesn't mention any side effects or anything.

However, my recommendation would be to reset the configuration and start over to avoid any potential side effects.  If there were known issues with changing the IP of a node, then Cisco would not have the instructions in the documentation to do it.  Or there would be a caveat in the documentation with a warning.

But anyone who has worked with Cisco appliances such as ACS, NAC, MARS, etc, would not feel comfortable with changing the IP even if they say it is ok.  I wouldn't want to take the chance that there are some remnants that could cause weird issues in the future.

Highlighted
VIP Engager

Re: Re-IP address ISE appliance

I've broken a node before while changing the IP. Something went wrong and services would not come up afterwards. It resulted in having to reset the config and rejoin it to the deployment. I've also done it a few times in the lab without any issue, ISE will automatically restart the services when you change the IP.

You will need downtime for anything referencing the node without another specified server.