ISE upgrade question

cisco.13
Level 1

Hello,

I have 2 clusters, with two nodes each (PAN, MNT, PSN), in version 2.6 and I will upgrade them to version 3.1 using the Backup and Restore method. Smart licensing is currently in use.
The licenses are:
cluster1: Tacacs (2), VM Small (2)
cluster2: VM Small (2)

I read the solution proposed by @Arne Bier, very clear, thanks
https://community.cisco.com/t5/network-access-control/easiest-way-to-upgrade-a-two-node-deployment-2-4-to-3-0/td-p/4596302

My questions:
a- Should I use the ISE-3.1.0.518b-virtual-SNS3615-SNS3655-600.ova (for Small or Medium) OVA?
b- Can I install another OVA, for example the one for Medium or Large, or for Large? Or am I limited by the VM Small license?
c- Once the installation is complete, is there an action needed so that the licenses work, or are they recognized automatically?

Many thanks

 

Arne Bier
VIP

The -600.ova is a good choice for a small or medium all-in-one node type. It creates a 600GB thick provisioned disk. The OVA import will also guide you and prompt you. Unless you have a very long log retention policy, 600GB should be fine.
The VM licensing is based on the SNS type you selected when you import the OVA. The wizard will ask you. After install you have a 90-day eval license.
You have to configure smart licensing in the ISE GUI and paste in a key from the smart licensing portal. That activates Smart Licensing.

Thank you @Arne Bier

SNS type, what is it? Do you have documentation, please?
So I can activate the licenses (Tacacs, VM) before the shutdown of the old VM?

Thanks a lot

SNS stands for Secure Network Server and it refers to ISE hardware appliances. Each appliance model has a different resource set. The .ova images are based on those hardware appliances. Check out this link, please:

https://www.cisco.com/c/en/us/td/docs/security/ise/sns3600hig/b_sns_3600_install/b_sns_3600_install_chapter_00.html

Regarding the smart licenses, you have to work with the Cisco licensing team, asking them to convert the existing licenses to the new license model which is required for ISE 3.1. The conversion would affect the existing base, plus, and apex licenses; TACACS licenses don't need to be converted. The license conversion can be done in advance or after the upgrade is completed. The recommendation would be to raise the case with Cisco ahead of the upgrade and let them know when you need the licenses to be converted. You can also call them right after the upgrade is done to convert the licenses.

You would need to do the same for the VM licenses; the new model is now called VM Common, which doesn't look at the VM size anymore.

Not doing the VM license conversion in time wouldn't affect the deployment functionality; you would only get some warnings about it. However, the feature licenses will. You might run your deployment in eval mode, which gives you 90 days, but I think that is still going to be for 100 nodes only.

cisco.13
Level 1

Hello,

Thank you @Arne Bier @Aref Alsouqi 

So if I understood, when installing the OVA ISE-3.1.0.518b-virtual-SNS3615-SNS3655-600.ova, I can choose SNS3655 if the resources of my ESX (CPU, RAM, Disk ..) allow it?

OK for my licenses? The resources of the SNS 3615 correspond to the Small model, and the resources of the SNS 3655 correspond to the Medium model.

Table 2. OVA Template Reservations: https://www.cisco.com/c/en/us/td/docs/security/ise/3-1/install_guide/b_ise_InstallationGuide31/b_ise_InstallationGuide31_chapter_2.html#vmwarevmrequirements

Cisco ISE Hardware Appliances: https://www.cisco.com/c/en/us/td/docs/security/ise/performance_and_scalability/b_ise_perf_and_scale.html#reference_mry_drh_m5b

Thank you.

If you ask the Cisco licensing team to convert your existing VM licenses to the new model (VM Common), then you can use them on a small, medium, or large VM. In other words, the new VM licenses don't look at the VM resources any longer.

One small addition: your base license, which is perpetual (permanent) now, will change to essential (term based), and that term expires on Oct 31 2023 I think, and you may need to invest in your license term renewal. Verify that with licensing beforehand and make sure you account for the upcoming cost before the upgrade. You may want to keep your Cisco AM/SE involved.

-hope this helps-

cisco.13
Level 1

Hello, 

In this case I will choose SNS3655 (better performance) since I have the required resources on my ESX 

Thanks. 

That makes sense.

Hello,

Regarding the upgrade "Backup and Restore method", should I generate a backup file on the secondary node (when I deregister my secondary node) and restore it on the future secondary node, or do I use the primary backup for both nodes?

At the beginning of the operation, to avoid IP address duplication, do you use a temporary IP?

Thank you.

 

Yes, you would deploy the new nodes with different IP addresses, and then you would restore the configuration from the normal primary configuration backup. If you restore the backup without including the "include-adeos" option, ISE will only restore the application configuration backup, so it won't restore the hostname, IP addresses etc. However, if you want to restore everything including those low level configs, then you can drop "include-adeos" at the very end of the restore command line. In that case you would need to shut down or disconnect the old node that you are restoring from the network before the restore to avoid duplicated IP addresses on the network.

cisco.13
Level 1

Thank you very much for your help

cisco.13
Level 1

Hi, it's me again

When did I choose SNS3655? I just imported the OVA ISE-3.1.0.518b-virtual-SNS3615-SNS3655-600.ova, and I see "Small" or "Medium". Is it "Medium"? Or do I have to choose when configuring the basic parameters in the CLI?

No problem when I import an SNS3615 configuration (old deployment) into the new SNS3655 deployment?

Thank you!

That will depend on how many vCPUs and how much RAM you will be assigning. The small deployment recommendation would be 16x vCPU with 32 GB of RAM, and the medium is 24x vCPU with 96 GB of RAM. The hard disk requirement changes based on the roles that ISE will be running and how many endpoints that node will be serving. One thing I would keep in mind is that the hard disk size can't be changed after ISE is deployed, and to increase it you have to redeploy the image from scratch. For the backup restore, you should be good to go to restore the old backup on the new deployment.

https://www.cisco.com/c/en/us/td/docs/security/ise/3-1/install_guide/b_ise_InstallationGuide31/b_ise_InstallationGuide31_chapter_2.html