04-08-2020 02:50 AM
Hi all
Please help, my customer has a production ISE implementation running on version 2.3 P4. We are currently running a POV for SDA and they have bought ISE VM licenses to test this. They have installed version 2.6 (not sure on the patch) on the VM; however, they would like to import all of their policies (4 years' worth) from their production 2.3 implementation.
TAC has come back and said this cannot be done. Is there any hack / trick / anything that could help them do this, even if they have to modify their exported 2.3 XML policy file and copy it back to the correct directory?
They really don't want to trash their 2.6 VM installation.
Thanks in advance for the help!
Regards
Rob
04-08-2020 03:39 PM
The Policy Export is mainly intended to be provided to Cisco TAC to assist in troubleshooting and analysis of the policy elements. None of the current ISE versions provide any function to import the exported policy.
As per the Admin Guide, ISE 2.6 supports restore from backups obtained from Release 2.1 and later. The only option to prevent manual reconfiguration of the old 2.3 Policy Elements would be to restore the 2.3 backup to the 2.6 cluster and reconfigure the DNAC/SDA integration.
AFAIK, DNAC uses some pretty basic AuthC/AuthZ Policies in the Default Policy Set so this would also give you the ability to configure some more efficient policies to be used by the SDA fabric.
04-08-2020 03:24 AM
- This sure is not going to work and the xml will be incompatible with a 2.6 installation. The straight-path forward is to build a 2.6-ready environment by having an 'offline'-upgrade process on the to-be production environment.
M.
04-08-2020 11:54 PM
Thank you