
Cisco ISE - Move policy nodes to Admin/monitoring node

Hello Team,

I need some help. We need to know if we can move the policy nodes to admin-monitoring nodes. We have version 2.4, with Base and Device Admin licenses installed, and we are running on virtual machines.

Our Deployment:

1 primary admin-secondary monitoring (Datacenter 1) (will be turned off)

1 primary monitoring-secondary admin (Datacenter 1) (will be turned off)

1 policy node A (Datacenter 2) (it will be primary admin-secondary monitoring)

1 policy node B (Datacenter 3) (it will be secondary admin-primary monitoring)

I appreciate your comments.

Accepted Solutions

Arne Bier
VIP

You can certainly do that. But you have to "free up a slot" first for the new Admin persona. I would de-register the secondary PAN, and then edit one of the PSNs to be the new Secondary PAN and Secondary MNT. Let it sync. Then promote that node to be the new Primary PAN and Primary MNT. Once that is done, de-register the remaining PAN/MNT. And then edit the remaining PSN to also have PAN and MNT roles (standby). That's how I imagine the workflow. Full disclosure, I have not done this before, but I don't see any issues with this process.

Because it's ISE 2.4 and using Traditional Licensing, it might cause you an issue, because the licenses that exist today will have the UDI of the PAN nodes, and not that of the PSN nodes. Therefore, I can't be sure what your licensing situation will look like. In the old days you could ask Cisco to re-home those licenses, if you gave them the new UDIs. Perhaps you can still do this, but ISE 2.4 is a bit ancient now. You probably won't get much support or sympathy for running such an old version of ISE if things go wrong.

5 Replies

Thank you for your quick answer. I'll check the licensing portion. I plan to do exactly as you said. Thank you again!

Arne Bier
VIP

Good luck! I had a look at the software.cisco.com Traditional Licensing page, and you can re-host a license. Hopefully that works for you, if you can find your ISE licenses there. It should ask for the UDI details of the new VMs and then spit out a new license file. It's been so long I can hardly remember how this used to work. Smart Licensing all the way!!!

Thanks, do you know how much time these role changes take?

Depends a bit on the speed of your VM infrastructure - but I'd budget around 20-30 min per change - the application restart usually takes the bulk of the time.