How to properly backup ISE PSN

xbill42
Level 1

Hi,

The documentation specifies that we can back up PAN and MNT. The backup should contain "both application-specific and Cisco ADE operating system configuration data."

- Does this backup include the config done during the wizard after booting the VM and the interface config (gi1, gi2, ...)?

- How do I back up a PSN?

Best regards

1 Accepted Solution

Accepted Solutions

Correct.

Configuration Backup is essentially all the data that you need to build/re-build an Admin node. Once you have an Admin node, then the rest of the nodes (MnT and PSN) have to be registered to the Admin node. They are all "Secondary" nodes to the Admin, and they get all their programming from the Admin. There is no concept of backing up an MnT or a PSN.

Operational Backup - this is the data that is found on the MnT and relates to AAA events (i.e. authentication records) - you only need this if you care about restoring all the AAA records after losing an MnT node (or both MnT nodes). E.g. imagine you rebuilt your ISE deployment and then your new Admin node becomes operational - then add in a new MnT node - you will have no records from your previous ISE deployment unless you restore the Operational Backup - suddenly your Live Logs and Reports will have data to look at. If you have sent all your AAA to an external SYSLOG server (e.g. Splunk/Graylog) then strictly speaking you don't need to restore the Operational Backup - save yourself that hassle.

I would not worry about the ADE-OS backups either - just make a copy and save the show run somewhere in your documentation in case of disaster recovery.

5 Replies

poongarg
Cisco Employee

This backup will not have the basic setup config of the PSNs. You need to take the "sh run" output of the PSN, in case you need to re-image the PSN node.

Regarding the basic setup of the PAN, do I also need the sh run? Or does the backup allow to restore everything?

Regarding the basic setup of the PAN, do I also need the sh run? Or does the backup allow to restore everything?
- The configuration data backup contains both app-specific and Cisco ADE OS config data. The ADE OS config data includes things such as network settings, NTP, etc.
This will cover backup/restore operations in depth: https://www.cisco.com/c/en/us/td/docs/security/ise/2-6/admin_guide/b_ise_admin_guide_26/b_ise_admin_guide_26_chapter_01100.html

This documentation only mentions backing up PAN and MNT and does not mention the backup procedure for PSN.

"Cisco ISE allows you to back up data from the Primary PAN and from the Monitoring node".

So what I understand is that there is no backup for PSN nodes; they should be reconfigured with the wizard and the output of "sh run".

Best regards
