Solved: ISE backup/restore upgrade

bgoulet00 · ‎08-21-2024

looking at the official instructions as well as some user examples, it appears the process is supposed to consist of pealing the secondary pan off the existing deployment, re-imaging/re-creating it with new ISE OS version, presumably with the same IP address. then doing backup/restore from old primary to reimaged secondary, then start pealing off, rebuilding, and joining psns and finally the old primary. the key here is the process seems to be rebuilding each node using the same IP it had in the old deployment.

is it possible to stand up a whole new deployment in parallel using different hostnames and IPs? i tested exporting/importing to a new node with different name/ip and from what i can tell everything came over except the node registration with AD. is this a viable option? export/import to new node, change new node from standalone to primary, add other new nodes to the deployment and then finally register them all with AD?

Arne Bier · ‎08-21-2024

Yes of course you can stand up a parallel deployment (with its own IP addresses that don't clash with the existing ISE deployment) using the config backup of the other deployment. it's tempting for sure, because there is no stress in getting it stood up. However, the real work is then touching all your NAS's to point them to the new PSN IPs. And in most cases, customers have firewall rules and DNS entries etc. that must be adjusted to make it all fit with the new deployment. Weigh up the work involved (i.e. the number of NAS's to change) vs the work of rebuilding your deployment one node at a time.

View solution in original post

Arne Bier · ‎08-21-2024

Yes of course you can stand up a parallel deployment (with its own IP addresses that don't clash with the existing ISE deployment) using the config backup of the other deployment. it's tempting for sure, because there is no stress in getting it stood up. However, the real work is then touching all your NAS's to point them to the new PSN IPs. And in most cases, customers have firewall rules and DNS entries etc. that must be adjusted to make it all fit with the new deployment. Weigh up the work involved (i.e. the number of NAS's to change) vs the work of rebuilding your deployment one node at a time.

marce1000 · ‎08-22-2024

@Arne Bier >...the real work is then touching all your NAS's to point them to the new PSN IPs
- True but I wrote a script for that based on the CISCO-COPY-CONFIG-MIB , I can switch radius
servers on for instance 100 switches in a minute!

M.

-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

Arne Bier · ‎08-22-2024

that might be a nice script to share !

marce1000 · ‎08-22-2024

@Arne Bier >...that might be a nice script to share !
Indeed , but it was used at a previous company , for legal reasons I could not take it with me ,

M.

-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

bgoulet00 · ‎08-21-2024

Thanks Arne! my PSNs are all behind load balancers so we would just swap the old/new in the pool

Arne Bier · ‎08-21-2024

Load balancers - Smart move.