Solved: Change ISE personas without configuration loss

nupagazi · ‎04-07-2023

Hello Team,

We currently deploy 2 ISE appliances 3615 with HA as in the attache image. Now we want to move to distributed deployment by adding 4 ISE VMs: 2 of VMs act as the PAN & Mnt (HA), 2 VMs act as PSN together with current 2 x 3615 i.e change personas from PAN, Mnt & PSN to PSN only (attached image). We want to minimize the effort for changing by following steps:

1. Shutdown the secondary appliance

2. Add first VM as secondary PAN to the current primary appliance PAN+MnT+PSN

3. add second VM as PSN to current group of primary appliance PAN+MnT+PSN

4. Change the current primary appliance PAN+MnT+PSN to PSN only

5. Add third VM as secondary PAN

6. Add 4th VM as PSN only to the psn group
7. Turn on the secondary appliance and change it to PSN only and join current psn group

Would you please advise the above steps works and all policies are remained as before moving ?

Regards,

An

Marcelo Morais · ‎04-10-2023

Hi @nupagazi ,

please take a look at: Performance and Scalability Guide for Cisco Identity Services Engine., search for Different Types of Cisco ISE Deployment, in your case you have a Small Deployment and want to go to a Medium Deployment (up to 6x PSNs for ISE 3.0+).

Note: about the steps you can:

1. generate a Backup: Config and Oper.

2. remove the SPAN & SMnT from the Secondary Appliance

3. add the 1st VM as SPAN & SMnT

4. at 1st VM "promote" the SPAN & SMnT to PPAN & PMnT

5. remove the SPAN & SMnT from the Primary Appliance

6. add the 2nd VM as SPAN & SMnT

At the end of the day:

Primary Appliance: PSN

Secondary Appliance: PSN

1st VM: PPAN & PMnT

2nd VM: SPAN & SMnT

Hope this helps !!!

View solution in original post

Marcelo Morais · ‎04-11-2023

Hi @nupagazi ,

yes, that's correct ... after Step 6, you can add up to 6x PSNs.

Hope this helps !!!

View solution in original post

nupagazi · ‎04-07-2023

Sri Harsha Dasari · ‎04-07-2023

Before you turn off the secondary appliance in step one, change it from PAN + MNT + PSN to PSN only. No need to turn off this appliance and turn it back on.
Only concern in your way is once you completed step 5, Deployment will not let you perform Step 7 as distributed ISE deployments will only allow 2 PAN's and 2 MNT's

Thanks, Sri.

nupagazi · ‎04-09-2023

Hi Sri Harsha Dasari,

Thank you for your comment. I think for distrbuted deployment we can have 5 PSN (attached), am I correct ?

Regards,

An

Marcelo Morais · ‎04-10-2023

Hi @nupagazi ,

please take a look at: Performance and Scalability Guide for Cisco Identity Services Engine., search for Different Types of Cisco ISE Deployment, in your case you have a Small Deployment and want to go to a Medium Deployment (up to 6x PSNs for ISE 3.0+).

Note: about the steps you can:

1. generate a Backup: Config and Oper.

2. remove the SPAN & SMnT from the Secondary Appliance

3. add the 1st VM as SPAN & SMnT

4. at 1st VM "promote" the SPAN & SMnT to PPAN & PMnT

5. remove the SPAN & SMnT from the Primary Appliance

6. add the 2nd VM as SPAN & SMnT

At the end of the day:

Primary Appliance: PSN

Secondary Appliance: PSN

1st VM: PPAN & PMnT

2nd VM: SPAN & SMnT

Hope this helps !!!

nupagazi · ‎04-10-2023

Hi Marcelo Morais,

Thank you so much for your advice. We use ISE 3.1 so as per document we can have up to 6 PSNs for medium deployment. After your step 6 I can freely add any more PSN up to 6, is that correct ?

Regards,

An

Marcelo Morais · ‎04-11-2023

Hi @nupagazi ,

yes, that's correct ... after Step 6, you can add up to 6x PSNs.

Hope this helps !!!

nupagazi · ‎04-17-2023

Hi Marcelo Morais,

Thank you so much for your advice.

Regards,

An