ISE policy service node to VM machine

ade5
Level 1

Good afternoon,

Hello everyone, just want to see what you all think. I am trying to migrate our PSN nodes to VM so we can upgrade from version 2.1 to version 2.4, as it requires at least SNS 3500s. I am thinking that moving it to VM rather than buying new appliances would save us some money (correct me if I am wrong).

Currently my deployment looks like this.

VM - Primary (admin/MnT)

VM - Secondary (admin/MnT)

appliance (3495) - PSN node

appliance (3495) - PSN node

appliance (3495) - PSN node (dr)

appliance (3495) - PSN node (dr)

I am trying to see if I can migrate one of the PSN nodes to VM to test this out. I am unsure how I will be able to do this.

Being that both primary and secondary admin/MnT nodes are already VM machines and got all licenses installed.

I am thinking of the following:

1.) Build a new VM machine

2.) Install ISE and match configurations to one of the PSN nodes and assign it as Policy service node

3.) Add node to deployment.

4.) Remove one of the appliance PSN nodes

Sounds simple. What are other considerations I need to know?

Accepted Solutions

Damien Miller
VIP Alumni

I wouldn't look at it as necessarily cheaper, since you still need the compute resources on the VMware side. But I do prefer VMs due to their flexibility (easy resize for upgrades) and ease of management.

The steps you go through here vary slightly if you will be reusing the IP/hostname of the physical appliance. The process you wrote will work fine if you are going new IP/DNS/hostname. Keep in mind that if you use new IPs for the PSNs, then you probably have to change the configuration on the NADs.

If you reuse the IP/hostname of the physical appliance you replace, just deregister it from the deployment, shut the node down, then run the ISE setup on the new VM. This way you would avoid NAD changes and don't have to make new DNS entries.

Also remember that if you have shared certificates for your deployment, you would have to reissue that with new SANs if you change/add hostnames.

Please remember to do it one PSN at a time. With the new PSN, make sure your production users are good and services are up. Test before moving on. If you are using a different IP, it is easy to test with a test network device, endpoint. In any case, when the new PSN comes up, it syncs up with the PAN and gets the configuration. If you are using public certs, make sure you have the CA certs imported; if not, the registering will do the trick.
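
The shared-certificate point raised in the thread, as an added example that is not part of the original posts: a Python check that reports which planned node hostnames or IPs are not covered by a certificate's SAN list, so you know before cutover whether a reissue is needed. The SAN text, hostnames and IPs are constructed samples, and the input is assumed to be the text printed by `openssl x509 -noout -ext subjectAltName`.

```python
import ipaddress

# Constructed sample: SAN text as printed by
# `openssl x509 -noout -ext subjectAltName` for a shared deployment certificate.
SAMPLE_SAN_TEXT = (
    "X509v3 Subject Alternative Name: \n"
    "    DNS:ise-pan1.example.com, DNS:ise-pan2.example.com, "
    "DNS:ise-psn1.example.com, DNS:*.dr.example.com, IP Address:10.0.0.21"
)


def parse_san_text(text):
    """Split openssl-style SAN text into (dns_names, ip_addresses)."""
    dns, ips = [], []
    for entry in text.replace("\n", ",").split(","):
        kind, _, value = entry.strip().partition(":")
        if kind == "DNS":
            dns.append(value.strip().lower().rstrip("."))
        elif kind == "IP Address":
            ips.append(ipaddress.ip_address(value.strip()))
    return dns, ips  # header line and other entry types are ignored


def dns_matches(pattern, host):
    """Exact match, or a wildcard covering exactly one leftmost label."""
    if pattern == host:
        return True
    if pattern.startswith("*."):
        _, _, parent = host.partition(".")
        return parent != "" and parent == pattern[2:]
    return False


def uncovered(identities, san_text):
    """Return the node hostnames/IPs that the certificate does not cover."""
    dns, ips = parse_san_text(san_text)
    missing = []
    for ident in identities:
        try:
            covered = ipaddress.ip_address(ident) in ips
        except ValueError:  # not an IP literal, so treat it as a hostname
            host = ident.lower().rstrip(".")
            covered = any(dns_matches(p, host) for p in dns)
        if not covered:
            missing.append(ident)
    return missing
```

An empty result means the existing certificate already covers every planned node identity; anything returned has to be added as a SAN when the certificate is reissued.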