10-30-2014 02:34 AM - edited 03-10-2019 10:09 PM
Hello Community,
I administer an ISE installation with two nodes (I am not an ISE specialist, my job is just to manage the user/MAC addresses...), but now I have to move my ISE nodes from one VMware cluster to another VMware cluster.
(Both VMware environments are connected to our enterprise network, but are different environments. vMotion is not possible.)
I would shut down ISE02, move it to our new VMware environment and start it again.
Then I would do this with our ISE01 node...
Are there any best practices for doing this? (Shut down the application first, stop replication, etc.?)
Can I really simply reboot an ISE node, or do I have to consider something before doing this? After doing this?
Any tasks after reboot?
Thank you for any answer!
ISE01
Administration, Monitoring, Policy Service
PRI(A), SEC(M)
ISE02
Administration, Monitoring, Policy Service
SEC(A), PRI(M)
10-30-2014 06:26 AM
There is a lot to consider here. If changing environments means changing IP Address and IP Scopes, then your policies, profiles, and dACLs would also have to change, among other things. If this is the case, create a new ISE VM in the new environment using the built-in evaluation license and recreate the deployment from the old environment using the addressing scheme of the new environment. Then spin up a new Secondary node and register it on the Primary. Once this is done, you can re-host the license from your old environment onto your new environment. You can use this tool to re-host:
https://tools.cisco.com/SWIFT/LicensingUI/loadDemoLicensee?FormId=3999
If IP Addressing is to remain the same, it gets simpler.
First, and always, perform a configuration and operational backup.
If downtime is not an issue, or if you have a maintenance window of an hour or so: Simply shut down both nodes. Transfer them to the New Environment and turn them on, Primary Node first, of course.
If downtime is an issue, shut down the Secondary Node and transfer it to the New Environment. Start the Secondary Node and when it is up, shut down the Primary Node. Once services on the primary node have stopped, promote the Secondary Node to Primary Node.
Transfer the OLD Primary Node to the New Environment and turn it on. It should assume the role of Secondary Node. If it does not, assign that role through the GUI.
Remember, the correct way to shut down an ISE node is:
application stop ise
halt
By using these commands, the risk of database corruption decreases by about 90% (Remember to always backup).
Please Rate Helpful posts and mark this question as answered if, in fact, this does answer your question. Otherwise, feel free to post follow-up questions.
Charles Moreton
10-30-2014 06:37 AM
Hello Charles,
thanks for your reply. The network addresses don't change.
So, just a few further questions:
How to promote the secondary to primary node? (Do you have a link for me?)
Can I do the movement without changing the primary/secondary roles?
What will happen if I don't promote the secondary to primary? If node01 comes up - it will be the primary again if there is no other primary?
10-30-2014 06:51 AM
How to promote the secondary to primary node? (Do you have a link for me?)
Here is the link to show how to promote the node:
Can I do the movement without changing the primary/secondary roles?
If you can schedule the move with expected downtime, then yes.
What will happen if I don't promote the secondary to primary? If node01 comes up - it will be the primary again if there is no other primary?
True, and that is the reason for having a Secondary Node; however, if there is an extended amount of time between moving the Primary Node, other anomalies may occur.
10-30-2014 06:56 AM
Hello Charles,
thank you very much.
Kind regards
Benjamin
10-30-2014 07:16 AM
Happy to help.
Good luck with your ISE move.
Charles Moreton
10-30-2014 08:47 AM
Hello Charly,
one more question about changing the primary/secondary role:
My installation:
node01
- Admin, Policy
node02
- Monitoring, Policy
In your link I read:
"You can only promote a secondary Administration node to become a primary Administration node. Cisco ISE nodes that assume only the Policy Service or Monitoring persona, or both, cannot be promoted to a primary Administration node."
So it is not possible to promote this node to primary admin node?
--> I don't have an option like "Promote to Primary" on the edit page of my nodes... what does this mean?
10-30-2014 09:12 AM
Add the secondary Admin Node persona to the Secondary Node before moving the VM.