
ISE via CDP concern switch upgrade

Hi, please forgive me if this is not the right forum section, but it brought a concern to me.

We have to upgrade the WS-C3650-24PD that is connected to "both ISEs".

When I do the show interfaces status, I can see both ports are up according to the description.

ISE2.PNG

I have the following PANs set up:

switchdiagram.PNG

But when I do the show cdp nei on the switch, I can only see the primary ISE.

cdp.PNG

And when I trace the MAC address from each of ISE 1 and ISE 2, I can only see that it says it is connected to port 5 for the primary ISE but not the secondary ISE.

connection.PNG

So, as I stated, I'm planning to make the IOS upgrade of this switch connected to both ISEs, but:

How come I can only see one ISE?

Is there any sort of configuration applied on ISE to make it appear as one cluster? Perhaps I'm missing that?

Assuming that I go for the IOS upgrade, how can I ensure that the primary will take the primary role and the secondary the secondary role?

Not sure why I see both interfaces up as you saw above, but cannot identify the port as where it should be connected.

Is this normal?

Has anyone experienced something like this and have you done it in the past?

What should I take into consideration before upgrading the IOS switch?

 

1 Accepted Solution

hslai
Cisco Employee

How come I can only see one ISE?

The CDP info from ISE is not always shown correctly and can vary by ISE releases.

Is there any sort of configuration applied on ISE to make it appear as one cluster? Perhaps I'm missing that?

ISE deployment relies on its jGroup replications but not on CDP. See Set Up Cisco ISE in a Distributed Environment.

Assuming that I go for the IOS upgrade, how can I ensure that the primary will take the primary role and the secondary the secondary role?

Assuming you are asking about how Cisco IOS will treat an ISE PSN as the primary RADIUS and another as the secondary RADIUS server, then it depends on the switch configuration on RADIUS. See ISE Secure Wired Access Prescriptive Deployment Guide or the older Demystifying RADIUS Server Configurations.

Not sure why I see both interfaces up as you saw above, but cannot identify the port as where it should be connected.

Is this normal?

Has anyone experienced something like this and have you done it in the past?

What should I take into consideration before upgrading the IOS switch?

We do not usually rely on CDP to tell how ISE is connecting to a switch. If you would like our team to address your issue, please open a Cisco TAC case with info on your ISE release number and patch level.

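An added example, not part of the original post or of Cisco's documentation: since the answer above says the primary/secondary RADIUS roles come from the switch configuration, this Python check extracts the RADIUS server order from a saved `show running-config` so the capture taken before the IOS upgrade can be compared with the one taken after. It assumes the named-server syntax (`radius server` / `aaa group server radius`), no RADIUS load balancing, and that servers in a group are tried in the order listed; the sample config, server names and addresses are constructed.

```python
import re

# Constructed sample of a switch running-config (not from the original thread).
# Server names and 192.0.2.x addresses are placeholders.
SAMPLE_CONFIG = """\
aaa group server radius ISE-GROUP
 server name ISE-PSN-1
 server name ISE-PSN-2
!
radius server ISE-PSN-2
 address ipv4 192.0.2.12 auth-port 1812 acct-port 1813
!
radius server ISE-PSN-1
 address ipv4 192.0.2.11 auth-port 1812 acct-port 1813
!
"""

def radius_order(config_text):
    """Return {group: [(server_name, ipv4_or_None), ...]} in configured order."""
    servers, groups, block = {}, {}, None
    for line in config_text.splitlines():
        if not line.startswith(" "):  # a top-level line opens a new block
            m = re.match(r"radius server (\S+)", line)
            g = re.match(r"aaa group server radius (\S+)", line)
            if m:
                block = ("server", m.group(1))
                servers.setdefault(m.group(1), None)
            elif g:
                block = ("group", g.group(1))
                groups.setdefault(g.group(1), [])
            else:
                block = None
        elif block:
            kind, name = block
            text = line.strip()
            if kind == "server":
                a = re.match(r"address ipv4 (\S+)", text)
                if a:
                    servers[name] = a.group(1)
            else:
                s = re.match(r"server name (\S+)", text)
                if s:
                    groups[name].append(s.group(1))
    # A name with no matching "radius server" block resolves to None.
    return {g: [(n, servers.get(n)) for n in names] for g, names in groups.items()}

def order_changed(before_text, after_text):
    """True if group membership, order or addresses differ between two configs."""
    return radius_order(before_text) != radius_order(after_text)
```

A `None` address in the result means a group references a server name that has no definition in the captured config, which is worth resolving before the upgrade window.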

2 Replies

Understood,
I will submit on Monday. That surely got me curious, because I want to make as little impact as possible on the operations since we run a global solution with multiple PSNs.

Thanks for your support and time,