
2 ISE Deployments concurrently in same network segment

francois-smith
Level 1

Initially we want to run the old and new deployments concurrently and want to use the same IP ranges for the new servers.

Eg:

Current deployment has single persona nodes, excluding out-of-band management (CIMC):

CPT_Admin1 - 10.12.13.2 (VlanX) Data
CPT_Admin2 - 10.12.13.3 (VlanX) Data
CPT_Mon1 - 10.22.23.4 (VlanY) Data
CPT_Mon2 - 10.22.23.5 (VlanY) Data
CPT_PSN1 - 10.22.23.6 (VlanY) Data
CPT_PSN2 - 10.22.23.7 (VlanY) Data
JHB_PSN1 - 10.32.33.2 (VlanZ) Data
JHB_PSN2 - 10.32.33.3 (VlanZ) Data

New deployment has shared persona nodes, including out-of-band management (CIMC):

[Primary] CPT_Shared1 (Admin, MnT, PSN) - 10.12.13.10 (VlanX) CIMC; 10.22.23.50 (VlanY) Data
CPT_Health - 10.12.13.11 (VlanX) CIMC; 10.22.23.51 (VlanY) Data
[Secondary] CPT_Shared2 (Admin, MnT, PSN) - 10.12.13.12 (VlanX) CIMC; 10.32.33.3 (VlanZ) Data

Our understanding is that a new node starts up initially as a standalone node and it has to be manually registered in order to join a current deployment, so it cannot just automatically join or override a current primary admin node and its configurations even though they are able to reach each other on the network. 

 

In addition, the only way that NADs can send auth traffic to the new deployment is when their IPs are configured as radius servers on the individual NADs, so having the new radius servers on the network would have no impact in terms of current production radius authentications.

 

Our plan is to complete the configuration on the new primary shared node, bring the other 2 online as well and register them to the primary shared node and complete the 2nd deployment. No changes will be made to the current production deployment.
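One check worth running before the new nodes are powered on, as an added example that is not part of the thread: compare the two address plans for host addresses used more than once, while confirming which subnets are (by design) shared. The node lists are transcribed from the post above, and the /24 prefix length is an assumption, since the post gives VLAN names but no masks; note that, as posted, 10.32.33.3 appears under both JHB_PSN2 and CPT_Shared2.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Address plan transcribed from the thread: node -> [(interface, IP, VLAN), ...]
CURRENT_DEPLOYMENT = {
    "CPT_Admin1": [("Data", "10.12.13.2", "VlanX")],
    "CPT_Admin2": [("Data", "10.12.13.3", "VlanX")],
    "CPT_Mon1":   [("Data", "10.22.23.4", "VlanY")],
    "CPT_Mon2":   [("Data", "10.22.23.5", "VlanY")],
    "CPT_PSN1":   [("Data", "10.22.23.6", "VlanY")],
    "CPT_PSN2":   [("Data", "10.22.23.7", "VlanY")],
    "JHB_PSN1":   [("Data", "10.32.33.2", "VlanZ")],
    "JHB_PSN2":   [("Data", "10.32.33.3", "VlanZ")],
}
NEW_DEPLOYMENT = {
    "CPT_Shared1": [("CIMC", "10.12.13.10", "VlanX"), ("Data", "10.22.23.50", "VlanY")],
    "CPT_Health":  [("CIMC", "10.12.13.11", "VlanX"), ("Data", "10.22.23.51", "VlanY")],
    "CPT_Shared2": [("CIMC", "10.12.13.12", "VlanX"), ("Data", "10.32.33.3", "VlanZ")],
}

def address_conflicts(*deployments):
    """Return {ip: [(deployment, node, interface), ...]} for every host address
    that is assigned more than once across all given deployments. Sharing a
    subnet between coexisting deployments is fine; sharing a host address is
    a collision the moment the second node comes up on the segment."""
    users = defaultdict(list)
    for dep_name, nodes in deployments:
        for node, interfaces in nodes.items():
            for iface, ip, _vlan in interfaces:
                users[str(ip_address(ip))].append((dep_name, node, iface))  # also validates the IP
    return {ip: owners for ip, owners in users.items() if len(owners) > 1}

def shared_subnets(dep_a, dep_b, prefix=24):
    """Subnets used by both deployments (assumed /24 per VLAN, a guess not stated in the post)."""
    def nets(dep):
        return {ip_network(f"{ip}/{prefix}", strict=False)
                for ifaces in dep.values() for _iface, ip, _vlan in ifaces}
    return sorted(str(n) for n in nets(dep_a) & nets(dep_b))

def report(conflicts):
    """One human-readable line per conflicting address, sorted for stable output."""
    return [f"CONFLICT {ip}: " + ", ".join(f"{d}/{n} ({i})" for d, n, i in owners)
            for ip, owners in sorted(conflicts.items())]

if __name__ == "__main__":
    print("shared subnets:", shared_subnets(CURRENT_DEPLOYMENT, NEW_DEPLOYMENT))
    found = address_conflicts(("current", CURRENT_DEPLOYMENT), ("new", NEW_DEPLOYMENT))
    print("\n".join(report(found)) or "no host address conflicts")
```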

4 Replies

Torbjørn
VIP

That is a sound plan. You are in essence planning to perform the same procedure as the "backup & restore" method of upgrading ISE as outlined here (just using different IPs): https://www.cisco.com/c/en/us/td/docs/security/ise/3-1/upgrade_guide/HTML/b_upgrade_method_3_1.html#id_119620

Happy to help! Please mark as helpful/solution if applicable.
Get in touch: https://torbjorn.dev

julian.bendix
Level 7

Sounds solid.

There is absolutely no issue with having 2 ISE deployments in the same network segment.

It only matters where you point your NADs.

francois-smith
Level 1

Thank you for the reply. Yes, it looks like that is the same process.

The current deployment is on 3.1 patch 4. Our main concern was just to confirm that when we upgrade the 1st server for the new deployment to 3.4 patch 7 and make it the Primary node, it will not impact the current deployment PAN in any way.

Based on the information that I found, the current deployment PAN would not be able to join or be impacted, because it is on a different software and patch version, and even if it was on the same software version we would still have to manually join it to the new deployment.

In our scenario we will keep the current deployment on 3.1 patch 4 and upgrade the new deployment to 3.4 patch 7, complete the configuration to mirror the current deployment, and update test NADs to point to the new IPs while keeping the current IPs as backup RADIUS servers (or lower in the selection sequence), then run all the test use cases to ensure that all the policies work in the same way. We will then update all the relevant NADs in a phased approach until all have been updated, run this setup for a set period and, once satisfied, remove the current IPs from all the NADs so that just the new IPs remain. After another set period we will shut down and remove the current (old deployment) servers.

 

You've got it correct. Your plan sounds good, please let us know how it goes. Good luck!

Happy to help! Please mark as helpful/solution if applicable.
Get in touch: https://torbjorn.dev