 
					
				
		
06-23-2023 06:48 AM
Hello,
I have 2 clusters, with two nodes each (PAN, MNT, PSN) in version 2.6 and I will upgrade it to version 3.1 using Backup and Restore method, smart licensing is currently in use.
the licenses are:
cluster1: Tacacs (2), VM Small (2)
cluster2: VM Small (2)
I read the solution proposed by @Arne Bier , very clear thanks 
https://community.cisco.com/t5/network-access-control/easiest-way-to-upgrade-a-two-node-deployment-2-4-to-3-0/td-p/4596302
My questions :
a- should I use the ISE-3.1.0.518b-virtual-SNS3615-SNS3655-600.ova (for Small or Medium) ova?
b- can I install the other ova, example: for Medium or Large, or for Large? or am I limited by the VM Small license?
c- once the installation is complete, is there an action to do so that the licenses work or is it automatically recognized?
Many thanks
Solved! Go to Solution.
 
					
				
		
06-23-2023 01:57 PM
The -600.ova is a good choice for a small or medium all in one node type. It creates a 600GB thick provisioned disk. The ova import will also guide you and prompt you. Unless you have a very long log retention policy, 600GB should be fine. 
The VM licensing is based on the SNS type you selected when you import the ova. The wizard will ask you. After install you have 90 day eval license. 
You have to configure smart licensing in the ISE gui and paste in a key from the smart licensing portal. That activates Smart Licensing. 
06-26-2023 01:42 AM - edited 06-26-2023 01:44 AM
Yes you would deploy the new nodes with different IP addresses, and then you would restore the configuration from the normal primary configuration backup. If you restore the backup without including the "include-adeos" option ISE will only restore the application configuration backup, so it won't restore the hostname, IP addresses etc. However, if you want to restore everything including those low level configs then you can drop "include-adeos" at the very end of the restore command line. In that case you would need to shut down or disconnect the old node that you are restoring from the network before the restore to avoid duplicated IP addresses on the network.
 
					
				
		
06-23-2023 01:57 PM
The -600.ova is a good choice for a small or medium all in one node type. It creates a 600GB thick provisioned disk. The ova import will also guide you and prompt you. Unless you have a very long log retention policy, 600GB should be fine. 
The VM licensing is based on the SNS type you selected when you import the ova. The wizard will ask you. After install you have 90 day eval license. 
You have to configure smart licensing in the ISE gui and paste in a key from the smart licensing portal. That activates Smart Licensing. 
 
					
				
		
06-23-2023 02:25 PM
Thank you @Arne Bier
SNS type, it's what ? do you have documentation please?
so I can activate the licenses (Tacacs, VM) before the shutdown of the old VM?
Thanks a lot
06-23-2023 06:52 PM
SNS stands for Secure Network Server and it refers to ISE hardware appliances. Each appliance model has a different resources set. The .ova images are based on those hardware appliances, check out this link please:
Regarding the smart licenses, you have to work with Cisco licensing team asking them to convert the existing licenses to the new licenses model which is required for ISE 3.1. The conversion would affect the existing base, plus, and apex licenses, TACACS licenses don't need to be converted. The licenses conversion can be done in advance or after the upgrade is completed, the recommendation would be to raise the case with Cisco ahead of the upgrade and let them know when you need the licenses to be converted, you can also call them right after the upgrade is done to convert the licenses.
You would need to do the same for the VM licenses, the new model is now called VM Common which doesn't look at the VM size anymore.
Not doing the VM licenses conversion in time wouldn't affect the deployment functionality, you would only get some warnings about it, however the features licenses will. Although you might run your deployment in eval mode which give you 90 days, but I think that is still gonna be for 100 nodes only.
 
					
				
		
06-24-2023 11:38 AM
Hello,
Thank you @Arne Bier @Aref Alsouqi 
So if I understood, when installing the ova: ISE-3.1.0.518b-virtual-SNS3615-SNS3655-600.ova, I can choose SNS3655 if the resources of my ESX (CPU, RAM, Disk ..) allows it?
Ok for my licenses? the resource of 3615 which corresponds to the Small model, and the resources of SNS 3655 corresponds to the Medium model
Table 2. OVA Template Reservations: https://www.cisco.com/c/en/us/td/docs/security/ise/3-1/install_guide/b_ise_InstallationGuide31/b_ise_InstallationGuide31_chapter_2.html#vmwarevmrequirements
Cisco ISE Hardware Appliances: https://www.cisco.com/c/en/us/td/docs/security/ise/performance_and_scalability/b_ise_perf_and_scale.html#reference_mry_drh_m5b Thank you.
Thank you
06-24-2023 01:36 PM
If you ask Cisco licensing team to convert your existing VM licenses to the new model (VM Common) then you can use them on a small, medium, or large VM, in the other words the new VM licenses don't look at the VM resources any longer.
06-25-2023 09:41 PM
one small addition, your base license which is perpetual (permanent) now will change to essential (term based) and that term expires on oct 31 2023 I think, and you may need to invest in your license term renewal. verify that with licensing before hand and make sure you account of upcoming cost before upgrade. you may want to keep your cisco AM/SE involved.
 
					
				
		
06-24-2023 02:21 PM
Hello,
In this case I will choose SNS3655 (better performance) since I have the required resources on my ESX
Thanks.
06-25-2023 04:54 PM
That makes sense.
 
					
				
		
06-25-2023 08:49 PM
Hello,
Regarding the upgrade "Backup and Restore method" should I generate a backup file on the secondary node (when I deregister my secondary node) and restore it on the future secondary node or I use the backup primary one for both nodes?
at the beginning of the operation to avoid IP address duplication, you use a temporary IP?
Thank you.
06-26-2023 01:42 AM - edited 06-26-2023 01:44 AM
Yes you would deploy the new nodes with different IP addresses, and then you would restore the configuration from the normal primary configuration backup. If you restore the backup without including the "include-adeos" option ISE will only restore the application configuration backup, so it won't restore the hostname, IP addresses etc. However, if you want to restore everything including those low level configs then you can drop "include-adeos" at the very end of the restore command line. In that case you would need to shut down or disconnect the old node that you are restoring from the network before the restore to avoid duplicated IP addresses on the network.
 
					
				
		
06-26-2023 02:45 AM
Thank you very much for your help
 
					
				
		
06-26-2023 09:55 AM
Hi, it's me again 
when did I choose SNS3655? I just imported the ova: ISE-3.1.0.518b-virtual-SNS3615-SNS3655-600.ova, and I see "Small" or "Medium", is it "Medium"? or do I have to choose when configuring the basic parameters in CLI?
No problem when I import a configuration sns3615 (old deployment) in new deployment sns3655 ?
Thank you !
06-26-2023 10:26 AM
That will depend on how many vCPUs and RAM you will be assigning. The small deployment recommendation would be 16x vCPU with 32 GB of RAM, and the medium is 24x vCPU with 96 GB of RAM. The hard disk requirement changes based on the roles that ISE will be running and how many endpoints that node will be serving. One thing I would keep in mind is that the hard disk size can't be changed after ISE is deployed, and to increase it you have to redeploy the image from the scratch. For the backup restore you should be good to go to restore the old backup on the new deployment.
 
					
				
				
			
		
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide