cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
557
Views
30
Helpful
2
Replies

ISE Upgrade 2.2 -> 2.6 and backup/restore to pre-prod environment

slevesqu
Cisco Employee
Cisco Employee

Hi team,

 

Customer, a large bank, is preparing to upgrade his 12-node SNS3595 deployment from 2.2 to 2.6 with our partner and they want to test out the upgrade process in their pre-production VM environment.

 

They want to backup/restore the production to the pre-production with current 2.2 version to have the same database and run the URT tool to get a preview of the upgrade readiness. They would then re-image the nodes with 2.6 (start new OVAs) and restore the 2.2 DB to 2.6 and test out as well the go-back procedure. If this all works they will do the same in production and get an estimate also of the time required.

 

The pre-production environment however has a few minor differences vs the production: different AD join point, SAML config and log destinations. Will this cause the URT tool to fail?

 

Is there also a firmware dependency for the SNS-3595 for this upgrade?

 

Thanks

 

 

2 Accepted Solutions

Accepted Solutions

Damien Miller
VIP Advisor VIP Advisor
VIP Advisor
I would still recommend running the URT on the production secondary PAN. Because there are differences between the lab and production, it would be a good additional step. Doing so will not cause an impact to the production deployment. There is very little chance that it will fail if it passes in the lab, but it's one of those check twice, do once type of scenarios.

There is one other slight difference between the lab and production when it comes to time. I have found that no matter how you purge the operational data from MNT's, it's never as fast to upgrade as a lab node. Consider reimaging MNT's from the 2.6 ISO, I have found it worthwhile.

View solution in original post

As always, @Damien Miller is right on the money regarding this topic. I would add, that the UCS firmware on the SNS server is not a dependency for ISE 2.6 to work. Be careful when updating the ISE SNS firmware. There is a limited set of firmware versions that are allowed to be used on an ISE server (due to the SecureBoot that ISE enforces). 

If your CIMC is already html based (versus the awful Java stuff in older version) then I would not bother too much upgrading the CIMC. The html interface is great - but that's about it. Unless you're getting audited for Security compliance, upgrading the firmware is a luxury that I would spare myself. I have never read the firmware release notes and thought "oh I must have that ..." :-) - and similarly, I have not had the misfortune of experiencing any firmware bugs

View solution in original post

2 Replies 2

Damien Miller
VIP Advisor VIP Advisor
VIP Advisor
I would still recommend running the URT on the production secondary PAN. Because there are differences between the lab and production, it would be a good additional step. Doing so will not cause an impact to the production deployment. There is very little chance that it will fail if it passes in the lab, but it's one of those check twice, do once type of scenarios.

There is one other slight difference between the lab and production when it comes to time. I have found that no matter how you purge the operational data from MNT's, it's never as fast to upgrade as a lab node. Consider reimaging MNT's from the 2.6 ISO, I have found it worthwhile.

As always, @Damien Miller is right on the money regarding this topic. I would add, that the UCS firmware on the SNS server is not a dependency for ISE 2.6 to work. Be careful when updating the ISE SNS firmware. There is a limited set of firmware versions that are allowed to be used on an ISE server (due to the SecureBoot that ISE enforces). 

If your CIMC is already html based (versus the awful Java stuff in older version) then I would not bother too much upgrading the CIMC. The html interface is great - but that's about it. Unless you're getting audited for Security compliance, upgrading the firmware is a luxury that I would spare myself. I have never read the firmware release notes and thought "oh I must have that ..." :-) - and similarly, I have not had the misfortune of experiencing any firmware bugs

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers