
2 ISE Deployments concurrently in same network segment

francois-smith
Level 1

Initially we want to run the old and new deployments concurrently and want to use the same IP ranges for the new servers.

Eg:

Current deployment has single persona nodes, excluding out of band management (CIMC)

CPT_Admin1 - 10.12.13.2 (VlanX) Data

CPT_Admin2 - 10.12.13.3 (VlanX) Data

CPT_Mon1 - 10.22.23.4 (VlanY) Data

CPT_Mon2 - 10.22.23.5 (VlanY) Data

CPT_PSN1 - 10.22.23.6 (VlanY) Data

CPT_PSN2 - 10.22.23.7 (VlanY) Data

JHB_PSN1 -  10.32.33.2 (VlanZ) Data

JHB_PSN2 -  10.32.33.3 (VlanZ) Data

 

New deployment has shared persona nodes, including out of band management (CIMC).

[Primary] CPT_Shared1 (Admin,MnT,PSN) - 10.12.13.10 (VlanX) CIMC; 10.22.23.50 (VlanY) Data

CPT_Health - 10.12.13.11 (VlanX) CIMC; 10.22.23.51 (VlanY) Data

[Secondary] CPT_Shared2 (Admin,MnT,PSN) - 10.12.13.12 (VlanX) CIMC; 10.32.33.3 (VlanZ) Data

 

Our understanding is that a new node starts up initially as a standalone node and it has to be manually registered in order to join a current deployment, so it cannot just automatically join or override a current primary admin node and its configurations even though they are able to reach each other on the network. 

 

In addition, the only way that NADs can send auth traffic to the new deployment is when their IPs are configured as radius servers on the individual NADs, so having the new radius servers on the network would have no impact in terms of current production radius authentications.

 

Our plan is to complete the configuration on the new primary shared node, bring the other 2 online as well and register them to the primary shared node and complete the 2nd deployment. No changes will be made to the current production deployment.

2 Replies

Torbjørn
VIP

That is a sound plan. You are in essence planning to perform the same procedure as the "backup & restore" method of upgrading ISE as outlined here (just using different IPs): https://www.cisco.com/c/en/us/td/docs/security/ise/3-1/upgrade_guide/HTML/b_upgrade_method_3_1.html#id_119620

Happy to help! Please mark as helpful/solution if applicable.
Get in touch: https://torbjorn.dev

julian.bendix
Level 7

Sounds solid.

There is absolutely no issue with having 2 ISE Deployments in the same network segment.

It only matters where you point your NADs.
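
Added example, not part of the original thread: a pre-cutover check that runs the address plan as listed in the first post through a duplicate-address test, then reports which deployment each RADIUS server IP configured on a NAD belongs to, the point both replies make. The function names and the sample NAD server list are assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

# Address plans transcribed from the first post: (node, interface, IP).
OLD = [
    ("CPT_Admin1", "data", "10.12.13.2"), ("CPT_Admin2", "data", "10.12.13.3"),
    ("CPT_Mon1", "data", "10.22.23.4"), ("CPT_Mon2", "data", "10.22.23.5"),
    ("CPT_PSN1", "data", "10.22.23.6"), ("CPT_PSN2", "data", "10.22.23.7"),
    ("JHB_PSN1", "data", "10.32.33.2"), ("JHB_PSN2", "data", "10.32.33.3"),
]
NEW = [
    ("CPT_Shared1", "cimc", "10.12.13.10"), ("CPT_Shared1", "data", "10.22.23.50"),
    ("CPT_Health", "cimc", "10.12.13.11"), ("CPT_Health", "data", "10.22.23.51"),
    ("CPT_Shared2", "cimc", "10.12.13.12"), ("CPT_Shared2", "data", "10.32.33.3"),
]

def owners_by_ip(old, new):
    """Map every address to the (deployment, node, interface) entries claiming it."""
    owners = defaultdict(list)
    for label, plan in (("old", old), ("new", new)):
        for node, iface, ip in plan:
            owners[ipaddress.ip_address(ip)].append((label, node, iface))
    return owners

def conflicts(old, new):
    """Addresses claimed by more than one interface across both plans."""
    return {str(ip): who for ip, who in owners_by_ip(old, new).items() if len(who) > 1}

def classify_nad(radius_servers, old, new):
    """Per configured RADIUS server IP: 'old', 'new', 'ambiguous' or 'unknown'.
    Only data interfaces are considered; CIMC is out-of-band management."""
    owners = owners_by_ip(old, new)
    verdict = {}
    for ip in radius_servers:
        deps = {d for d, _, iface in owners.get(ipaddress.ip_address(ip), [])
                if iface == "data"}
        verdict[ip] = ("unknown" if not deps else
                       "ambiguous" if len(deps) > 1 else deps.pop())
    return verdict

if __name__ == "__main__":
    for ip, who in conflicts(OLD, NEW).items():
        print("address claimed twice:", ip, who)
    nad = ["10.22.23.6", "10.32.33.3", "10.22.23.50"]  # constructed sample NAD config
    print(classify_nad(nad, OLD, NEW))
```
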