Re-IP address ISE appliance

cciesec2011
Level 3

I have an ISE version 2.6 patch 2 running on SNS-3615.  When I first installed it, I assigned the appliance the host name ise1.companyx.com with an IP address of 192.168.1.2.  Both the forward and reverse DNS are working fine.

 

This ISE appliance is used only for TACACS and RADIUS authentication  to manage Cisco devices such as routers, switches and firewall.

 

Today, I have a requirement to re-IP address from 192.168.1.2 to 192.168.1.100, but the name will stay the same.  I will update DNS to reflect the new IP. Do I just go into the ISE CLI, change the IP address to 192.168.1.100 and restart the ISE application?  Is it that easy?

 

Are there any "gotchas" that I need to know about?

 

TIA

Accepted Solutions

Colby LeMaire
VIP Alumni

It would need to be in standalone mode.  So if it is joined with another ISE node, you would need to remove it from the deployment first.  Once in standalone mode, you go to the CLI and stop the services using "application stop ise".  Then change the IP address from the CLI and restart the services using "application start ise".  Rejoin back to the deployment.  You may have to reissue the certificates on the node if they were issued using the IP address in any of the fields such as the Subject Alternative Name (SAN).

Personally, I never like to change the IP once it is running.  I don't trust that it is a clean operation.  So if the configuration isn't too crazy, I would just reset the configuration and start over.

@Colby LeMaire wrote:

It would need to be in standalone mode.  So if it is joined with another ISE node, you would need to remove it from the deployment first.  Once in standalone mode, you go to the CLI and stop the services using "application stop ise".  Then change the IP address from the CLI and restart the services using "application start ise".  Rejoin back to the deployment.  You may have to reissue the certificates on the node if they were issued using the IP address in any of the fields such as the Subject Alternative Name (SAN).

Personally, I never like to change the IP once it is running.  I don't trust that it is a clean operation.  So if the configuration isn't too crazy, I would just reset the configuration and start over.


Unfortunately, your answer didn't help me.  I was looking for any potential side effects and hidden issues from re-IP the appliance.

 

 

The documentation states that you can re-IP the nodes as long as they are in standalone mode!  So it is supported and the documentation doesn't mention any side effects or anything.

However, my recommendation would be to reset the configuration and start over to avoid any potential side effects.  If there were known issues with changing the IP of a node, then Cisco would not have the instructions in the documentation to do it.  Or there would be a caveat in the documentation with a warning.

But anyone who has worked with Cisco appliances such as ACS, NAC, MARS, etc, would not feel comfortable with changing the IP even if they say it is ok.  I wouldn't want to take the chance that there are some remnants that could cause weird issues in the future.

Hello Colby,

Do you have evidence of issues per a re-address of an ISE server from previous installs?

Thank you for providing extra insight on this topic. I do have a follow-up question on your post... When re-IPing in a clustered environment, is there a preferred order the nodes must be re-IPed in? Meaning, should the Primary admin node be re-IPed first and then the secondary admin node, followed by the PSN? Or is it that the order doesn't matter?

Do you have to issue the "reset config" command via CLI?

Do you need to issue a new cert to the node again? Or can you re-use the previous cert from before you re-IPed?

REPLY -
We have re-IPed the secondary admin nodes first and then the primary and so on. All addressing updates should be cared for in the same session. Make sure you have a defined test plan to assure your success from old to new addressing (pings, app validation). Be careful with certs; they should be re-issued to be in sync with the new addressing scheme you seek. You can issue the reset command via CLI as an option. If you're comfortable and have good connectivity (console), this should be OK.
Please share your outcome once complete and good luck.

Resurrecting a 2+ year old thread that has an accepted solution limits the number of people that will take a look at it. The best thing to do is to start a new thread.

Damien Miller
VIP Alumni
I've broken a node before while changing the IP. Something went wrong and services would not come up afterwards. It resulted in having to reset the config and rejoin it to the deployment. I've also done it a few times in the lab without any issue. ISE will automatically restart the services when you change the IP.

You will need downtime for anything referencing the node without another specified server.

Hello Damien,

Do you have details of the result when changing the IP address? What was the requirement or system requirement to do so?  Can you elaborate on "something went wrong"?

If you are really worried, you may open a proactive TAC case and also have a backup plan. Each ISE deployment is different so what happened to Damien may or may not apply to yours.

Colby already mentioned that the main requirement is for the ISE node to be in standalone mode. Besides, we need to ensure proper DNS resolution before and after the re-IP.
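
As an added example (not part of any post in this thread and not Cisco tooling), here is a small Python check for the two items the replies single out: forward/reverse DNS agreement for the new address, and certificate SAN entries that still carry an old IP. The certificate dictionary is assumed to be in the format returned by Python's `ssl.SSLSocket.getpeercert()`; the resolver tables and certificates are constructed samples that reuse the name and addresses from the question.

```python
import ipaddress
import socket


def dns_consistent(hostname, expected_ip,
                   forward=socket.gethostbyname,
                   reverse=lambda ip: socket.gethostbyaddr(ip)[0]):
    """Return a list of problems; an empty list means A and PTR records agree."""
    problems = []
    try:
        got_ip = forward(hostname)
        if got_ip != expected_ip:
            problems.append(f"forward: {hostname} -> {got_ip}, expected {expected_ip}")
    except OSError as exc:  # gaierror and herror are OSError subclasses
        problems.append(f"forward lookup failed: {exc}")
    try:
        got_name = reverse(expected_ip)
        if got_name.rstrip(".").lower() != hostname.rstrip(".").lower():
            problems.append(f"reverse: {expected_ip} -> {got_name}, expected {hostname}")
    except OSError as exc:
        problems.append(f"reverse lookup failed: {exc}")
    return problems


def stale_ip_sans(cert, new_ip):
    """IP-type SAN entries in a decoded certificate that differ from new_ip."""
    new = ipaddress.ip_address(new_ip)
    return [value for kind, value in cert.get("subjectAltName", ())
            if kind == "IP Address" and ipaddress.ip_address(value) != new]


def lookup(table):
    """Build an offline resolver from a dict (constructed test data only)."""
    def resolve(key):
        if key not in table:
            raise OSError(f"no record for {key}")
        return table[key]
    return resolve


# Constructed samples: a certificate issued with the old IP in the SAN, and one without.
CERT_WITH_IP_SAN = {"subjectAltName": (("DNS", "ise1.companyx.com"),
                                       ("IP Address", "192.168.1.2"))}
CERT_NAME_ONLY = {"subjectAltName": (("DNS", "ise1.companyx.com"),)}

if __name__ == "__main__":
    # Live check against the real resolver, run before and after the change.
    print(dns_consistent("ise1.companyx.com", "192.168.1.100"))
    print(stale_ip_sans(CERT_WITH_IP_SAN, "192.168.1.100"))
```

A non-empty result from `stale_ip_sans` corresponds to the case the accepted answer describes, where the certificate was issued with the IP address in the SAN and has to be reissued.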