Cisco ISE 2.0 to 2.3 Upgrade

Hey All,

We currently run Cisco ISE 2.0 in standalone mode and we are looking to upgrade to version 2.3. I've done some reading on the upgrade and it feels straightforward based on the documentation.

However, almost every VAR I've talked to is recommending other scenarios to upgrade that seem to center on introducing a temporary secondary node…install a new node, join it to the deployment, physically separate it from the cluster after it syncs, promote it to admin (still isolated) and upgrade it to 2.3. Then switch it to production and move the other nodes over. This scares the hell out of me because we run standalone and I have no experience with dealing with multiple nodes and moving personas.

I was wondering if it would be just as effective to stand up a new VM running 2.0 in an isolated network and restore a backup from the production ISE VM onto it, import the certificates, etc... Then upgrade the new VM from 2.0 to 2.3...still in an isolated network.

Since it has the same hostname and IP address, all the configuration/certificates should be valid and I could simply move this new VM into production and isolate the existing. If any problems arise just swap them back and forth?

6 REPLIES
Highlighted
How many network devices do you have pointing at ISE? I would guess since you only have one there aren't that many. Why not just build a new 2.3 VM, restore your 2.0 backup to it, get certs set up correctly and then migrate your network devices over to using it? Then if something goes wrong you simply point your network devices back to the 2.0 node? Very low risk.

Highlighted

Hi Paul - Thanks for the reply.

I thought I remembered reading somewhere that configuration restores needed to be done to ISE instances of the same version - so it wouldn't be possible to restore a 2.0 backup onto 2.3.

Highlighted

You can restore to any version supported in the upgrade path. So you can restore your 2.0 backup all the way onto a 2.4 VM. I would probably consider going to 2.4 right away, especially once patch 4 comes out. 2.4 is the long lived release where 2.3 will die off.


Highlighted

Thanks Paul for the confirmation. To your point - we can definitely lab this all out with little to no risk.

We were advised against going to 2.4 - I believe it had something to do with a license change w/ going from 2.0 to 2.4. I questioned it as we are just using the Base license for endpoints and the Admin license for TACACS+.

Highlighted

In a single node deployment, none of the licensing changes in 2.4 are going to affect you. At some point the base license will stop being permanent, but that is not there now. Save yourself an upgrade in 6 months and go to 2.4. At least that is what I would do.


Highlighted

I agree with Paul - go with 2.4 and not 2.3.

You will need a VM license but Cisco Licensing will provide that at no cost for your existing deployment. (It will work without one but you will get a popup every time you log into the PAN.)