01-24-2018 08:10 AM
Hi
My enterprise customer has ISE 1.4 running in their network. The PAN and MnT are VMs and PSNs are hardware appliance 3495.
There are 37 PSNs in one cluster, along with 2 PANs and 2 MnTs. There is another cluster with 2 PAN, 2 MnT and 5 PSNs.
For future enhancement, customer had built 2 PAN and 2 MnT running ISE 2.3 which is currently not in production. Due to various reasons, customer is upgrading the ISE 1.4 to 2.3.
Customer is looking for best way to upgrade, considering all possible aspects not limited to but including the below points:
1. If upgraded, will the Profiling database be affected? If yes, then will ISE be able to re-profile or do we need to reboot the headless devices? How to avoid losing the Profiling database?
2. Node-groups are configured currently with ISE 1.4 among local PSNs. How to approach Node-group while upgrading? Do we need to upgrade both nodes in Node-groups together?
3. Currently there are 250,000 Base license in this cluster. Is it possible to split this license into a pair of 125,000?
Current plan with my customer is - Choose a location on a downtime window and upgrade all ISE nodes in that location and point them to the currently available PAN in 2.3 version.
Please share your guidance in proceeding with the right approach of ISE upgrade.
Thanks and Regards
V Vinodh.
01-24-2018 01:00 PM
As I have previously stated I don't use Cisco's GUI or CLI upgrade method. Manually doing an upgrade is much safer and more predictable. I would:
Assuming you are using load balancers, you should be able to do this upgrade with minimal to no downtime seen by the clients. I just did a 20-node upgrade over the course of two days using the method above with no downtime. We did the whole thing during the day, not during any maintenance windows.
01-24-2018 08:37 AM
This will guide you through the steps required:
Upgrading to Identity Services Engine 2.1 in a Distributed Environment
Just remember that v1.4 can upgrade directly to v2.1 and then can be upgraded to v2.3
01-24-2018 02:26 PM
Is there any special attention we need to pay to posture assessment and profiling?
01-24-2018 02:47 PM
Posture and profiling are enhanced in these releases. If you’re wondering about what, please look at the release notes.
Also, unless there is a specific feature you’re needing in 2.3, we are recommending that you install 2.2 with the latest patch.
01-24-2018 03:07 PM
The main thing we're looking for to the upgrade from 1.4 to 2.2 or 2.3 is the new "posture with no redirect" flow.
01-25-2018 05:33 PM
You might want to take a look at the lab exercise 2 of [ISE Lab Guide] ISE 2.2 Update.
04-09-2018 03:17 PM
Hi Paul,
After restoring config, did you have to reconfigure the IP address/hostname of the 2.3 nodes to match the existing ISE? Or did you reconfigure the NADs and point them to the new PSNs? Thanks.
04-10-2018 10:18 PM
Assuming that you are not using a load balancer and that you are either testing the first node or your deployment is standalone, then yes, you would need to either change the IP address to match that configured on the NADs or update the NADs to use the new IP address.
In case you have multiple nodes, the restore is done on the primary ISE node only, and the secondary nodes can be de-registered from the deployment of the older ISE release, fresh installed with the same hostname and IP address info, and then joined to the new deployment.
02-18-2019 09:49 PM
Hi Paul,
I have to upgrade our 14 node deployment and everything is all hardware. What will be your suggested approach for this? Thanks in advance.
02-18-2019 09:53 PM - edited 02-18-2019 09:54 PM
Create/post a new discussion detailing your hardware and if you intend to replace/reuse hardware or use virtual nodes. We can help you with the path forward.
Include your current version and patch, hardware appliance types, future state plans (reuse or replace hardware), or moving to VMs.