Can anyone validate what Cisco documents for an ISE hardware (33xx) to VM migration?

Andrew Quebman
Level 4

Can anyone validate what Cisco documents for an ISE hardware (33xx) to VM migration? Either best-practice steps or a guide.

Accepted Solutions

Charlie Moreton
Cisco Employee

This is covered in the Ordering Guide.  This is found in the section

3.2 Migration Appliance Ordering Information

Existing ISE customer with legacy ISE appliances that have reached end of life can also order these ISE migration appliances. ISE migration appliances are denoted by an “-M-” in the part number (SKU) and listed in Table 4. Please note that migrating from physical to virtual, from virtual to physical or even from physical to a mix of physical and virtual appliances is possible when using ISE migration appliances.

Since you have a 33xx which is end-of-life, you can order the ISE-VM-M-K9=.

For a standalone or standalone HA deployment, the best way to migrate and keep the same IP addresses and host names for the ISE Primary and Secondary Admin nodes might be to install the VMs until you get to the setup script.

Make a backup of the current ISE (Configuration and Operational), go into the CLI and back up the certificate store. Shut down the admin nodes.

Go through the setup script on the VMs and restore backups, join to AD, etc...

For a larger deployment with external PSNs, you may find it easier to shut down the Secondary Admin Node and join a new VM to the deployment as a new Secondary Admin Node. Let the sync complete, then promote this node to Primary, shut down the old (appliance) Primary Admin Node and add the other new VM to the deployment as secondary. Once the sync is complete, you can promote this one to primary and set the other as secondary to keep IP addresses/host names and Primary/Secondary roles consistent with the original deployment.

Whichever method is chosen, remember that you WILL have to Re-Host the licenses through your Licensing Portal.

The Cisco ISE Ordering Guide can be found here:

http://www.cisco.com/c/dam/en/us/products/collateral/security/identity-services-engine/guide_c07-656177.pdf


3 Replies

kthiruve
Cisco Employee

Hi,

Here is the ACS licensing page that discusses migrating from 1121 to VM. The same applies to 33xx as well.

You need to restore the backup and add a support contract.

Thanks

Krishnan

Thank you Charles.

Also make sure you sync up the PSNs with your new deployment. The network devices talk to your PSNs. It is only for guest and BYOD registration that you need the PAN; however, the PAN, MNT and PSNs should be synced.

If you are using new certificates, make sure the CA root is present in the root store or the self-signed certificates of the PAN are installed in the PSN.

If you are using the same certificates and the same IP, then you may not have to do this. In this case, remember that you can only have one deployment up at any point in time to avoid DNS issues and failures.

You can also configure the primary and secondary RADIUS servers in the network devices to the old and new deployments during this transition if using different IPs.

Thanks

Krishnan