Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2237
Views
15
Helpful
12
Replies

ISE 2.7 on BE7M-M5-K9?

Go to solution
lisacoody
Level 1
Level 1

‎03-31-2022 05:49 AM

I have a two-node VM ISE deployment on version 2.7.0.356 that is running into IO read / write issues and need to move them to different hardware. I have two new BE7M-M5-K9 servers with enough available resources. Can I do a cold migration from the ISE nodes current VMware environment to the new UCS servers?  

Thanks in advance!

Lisa

 

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Greg Gibbs
Cisco Employee
Cisco Employee

‎03-31-2022 02:31 PM

As long as all of the hypervisor, resources, and network connectivity (on the same VLAN) are configured, you can cold vMotion the ISE VMs to another host. There are no restrictions on what type of bare metal is supported as long as the VMware layer is supported and configured properly.

View solution in original post

12 Replies 12

Go to solution
Greg Gibbs
Cisco Employee
Cisco Employee

‎03-31-2022 02:31 PM

As long as all of the hypervisor, resources, and network connectivity (on the same VLAN) are configured, you can cold vMotion the ISE VMs to another host. There are no restrictions on what type of bare metal is supported as long as the VMware layer is supported and configured properly.

Go to solution
Damien Miller
VIP Alumni
VIP Alumni

‎04-01-2022 12:06 AM

I would double check the resources too since the recommendation is to use reservations for both memory and CPU on the ISE VMs. BE7M's have 96 GB of memory, the minimum resources for ISE will soon be 32 GB of memory (3615 spec) since this is what 3.1 dictates. You can get away with 16 GB for a 3515 with 2.7, so if gives you a small window of support. 

 

The CPU on the BE7M is a single Intel 6132. This is 14 cores running at 2.6 GHz, so a total of 36.4 GHz available. 3515 = 12 GHz reservation, 3615 = 16 GHz reservation. This doesn't leave too much for the Voice VM's if being used to host Call Manager services. 

Go to solution
lisacoody
Level 1
Level 1
In response to Damien Miller

‎04-01-2022 05:51 AM

Thank you Damien. Your reply is very helpful to me. 

I have two new BE7M's. Each one is running a CER, CUCM, and CUC server (2 nodes in each cluster). Each of these VMs are using 2 vCPUs and 4 GB of memory.

My two ISE nodes are small, with 600 GB storage, 16 vCPU, and 32 GB memory. My hope was to move one node to each BE7M. 

I have a Cisco TAC case open for this issue, but I haven't had a reply yet. I will certainly update this thread once I know what TAC recommends and will support. 

0 Helpful

Go to solution
lisacoody
Level 1
Level 1

‎04-05-2022 07:42 AM

I was told by Cisco TAC that it is OK to have ISE on BE7M hardware. Thanks for all the input! I appreciate your assistance!

0 Helpful

Go to solution
fatalXerror
Level 5
Level 5

‎04-06-2022 06:59 PM

Hi @Damien Miller @Greg Gibbs @lisacoody ,

I have the same concerns now. What could be the best method do a cold migration or just provision a new VM in the new server then restore the full backup to the new VM server?

If I do a cold migration for a large ISE environment, may I know how long will it take?

Also, what steps should be done for the ISE VM cold migration?

Thanks for you inputs.

0 Helpful

Go to solution
Marcelo Morais
VIP
VIP
In response to fatalXerror

‎04-06-2022 08:30 PM

Hi @fatalXerror ,

 Cold vMotion and New VM (via Restore) are both good methods.

 Remember that:

Disk size affects the timing of a Cold vMotion ... to have an idea of "How long it takes?", my recommendation is to create a LAB environment for a more accurate value.

. for Cold vMotion please take a look at Hot and Cold Migrations.

 

Hope this helps !!!

0 Helpful

Go to solution
fatalXerror
Level 5
Level 5
In response to Marcelo Morais

‎04-12-2022 04:55 AM

Hi @Marcelo Morais ,

Thanks for the feedback, appreciated it.

After so many meetings and planning, we are now bound for rebuild of every ISE node per phases.

I would like to ask, if rebuild will be done with the same ISE version, the backup configuration of ISE can be just restored to the newly rebuilt ISE node, correct?

For the certificates, I need to manually back it up with the private keys then import it one-by-one to the new ISE node, right?

Thanks

0 Helpful

Go to solution
Marcelo Morais
VIP
VIP
In response to fatalXerror

‎04-12-2022 04:03 PM

Hi @fatalXerror ,

 yes, the backup configuration of ISE can be just restored to the newly rebuilt ISE Node.

 Remember that:
. ISE 3.1 supports restore from backups obtained from Release 2.6 and later.
. ISE 3.0 supports restore from backups obtained from Release 2.4 and later.
. ISE 2.7 supports restore from backups obtained from Release 2.2 and later.
. restoring the ADE-OS configuration would generate an exact duplicate of the ISE server the Backup was taken from.

For your Certificate question, please take a look at: Import and Export Certificates in ISE., special attention to:

"...When you take the configuration backup, the backup of configuration data and certificate of the Admin Node is taken. However, for other nodes, the backup of certificates is taken individually..."

Note: if you have more than one Node, please consider the possibility to deregister the Node from the Cluster, generate a Backup, rebuild ISE on the new VM, restore the Backup and register again to the Cluster.

 

Hope this helps !!!

Go to solution
fatalXerror
Level 5
Level 5
In response to Marcelo Morais

‎07-21-2022 05:02 AM

Hi @Marcelo Morais ,

Just a follow up question.

I will be having 2 phase rebuild, the first phase will be the SAN and a PSN in which I will just re-register the newly provisioned SAN to the existing PAN and same method will be done on the PSN so that the configuration of the existing PAN will be replicated to the new SAN and PSN.

The question now is, since the SAN is a newly provisioned SAN, the license currently installed in the existing PAN will be having a discrepancy because of the new SAN's serial number, am I correct? How can I resolve this issue, by requesting a license re-host to Cisco licensing team?

Thank you 

0 Helpful

Go to solution
Marcelo Morais
VIP
VIP
In response to fatalXerror

‎07-21-2022 07:06 AM

Hi @fatalXerror ,

 yes, the new SPAN with a new Serial Number causes a "License Warning", to solve this please:

1. contact TAC

or

2. if you are using Smart Licensing, then regenerate the License with the new info

 

Hope this helps !!!

0 Helpful

Go to solution
fatalXerror
Level 5
Level 5
In response to Marcelo Morais

‎07-21-2022 07:13 AM

Hi @Marcelo Morais ,

Thank you very much for the feedback. This means that I need to re-import the new license with the new SAN serial number to the existing PAN, correct? Sorry, I forgot to mention that I am using a traditional licensing.

Then when the time I need to migrate the existing PAN, I need to re-host again with the new serial number of the PAN, am I right to say that?

Thank you so much.

0 Helpful

Go to solution
Marcelo Morais
VIP
VIP
In response to fatalXerror

‎07-21-2022 07:37 AM

Hi @fatalXerror ,

 yes, if a SPAN is configured, the SPAN UDI is required during License Registration to be used if the PPAN is not available.

Hope this helps !!!

0 Helpful
Customers Also Viewed These Support Documents